Public Key Authentication for Reflection SSH UNIX Client and Server for UNIX or Windows

  • 7022099
  • 03-Feb-2005
  • 02-Mar-2018

Environment

Reflection for Secure IT UNIX Client version 7.0 or higher
Reflection for Secure IT UNIX Server version 7.0 or higher
Reflection for Secure IT Windows Server version 7.0 or higher

Situation

This technical note provides instructions on how to configure public key authentication when connecting from a Reflection SSH UNIX client to a Reflection SSH server for UNIX or Windows. You will use the Key Generation utility to generate a key pair and upload the public key to the server. Troubleshooting tips are also included.

Resolution

Public Key Authentication Overview

Public key authentication is one way a server can authenticate a user. It requires a private and public key pair; the private key is located on the client, and the public key must be uploaded to the Reflection SSH server.

In addition to the keys, specific files must exist in the user's directory on both the SSH client and server. If the files don’t exist, you must create them. By default, these files are stored in the .ssh2 directory.

The process of generating keys and creating files is outlined below. Troubleshooting tips are also included.

Using the Key Generation Utility

Use the Reflection Key Generation utility to generate a keypair.

  1. Open a terminal window on the UNIX system with the Reflection SSH UNIX client.
  2. Use the following command to create a key pair:
ssh-keygen

Note: To get a list of available switches, use the command ssh-keygen -h, or check the man pages for more details.

The key generation utility will run for a few moments. Once the utility has generated the key pair, you are prompted to enter a passphrase and then confirm it. If you want to create a passphrase-less key, press the Enter key twice without entering a passphrase.

After entering a passphrase, the location and names of the private and public keys are displayed. For example:

Private key saved to /home/username/.ssh2/id_rsa_2048_a
Public key saved to /home/username/.ssh2/id_rsa_2048_a.pub

Creating the Identification File on the Client

Follow these steps to create the identification file on the client:

  1. Change directories to the .ssh2 directory in your home directory.
  2. Use the following command to create a file named identification with the IdKey information as its contents:
echo IdKey <keyname> >> identification

Replace <keyname> with the name of the private key you generated using the key generation utility, for example

echo IdKey id_rsa_2048_a >> identification
  1. Configure this file for user-only write access:
chmod 600 identification

Uploading the Public Key to the Server

  1. Use the following command to connect to the Reflection SSH server using password authentication:
sftp user@host
  1. If you are connecting to the Reflection SSH UNIX server:
    • Change the directory to /$HOME/.ssh2:
cd /home/joe/.ssh2

If you are connecting to the Reflection SSH Windows server:

    • Change to the User key directory defined in Configuration > Authentication > Public Key in the Reflection for Secure IT Server console. The default is %D/.ssh2, where %D string points to the user profile folder:
On Windows Server 2012: \Users\<username>
On Windows Server 2008: \Users\<username>
On Windows Server 2003: \Documents and Settings\<username>

Enter the command:

cd C:\Users\joe\.ssh2

Note: If the .ssh2 directory does not exist in the /$HOME directory on UNIX, or in the user profile folder on Windows, you must create it:

mkdir .ssh2
  1. Transfer the public key file you just created from the SSH UNIX client to the SSH server by using this command:
put <keyname>.pub

Replace <keyname>.pub with the name of the public key you created, for example, put id_rsa_2048_a.pub.

  1. Use the quit command to close the sftp connection.

Creating the Authorization File on the Server

  1. Use the following command to establish a terminal session using password authentication to connect to the Reflection SSH server.
ssh user@host
  1. In the SSH terminal window, change to the .ssh2 directory where you have uploaded the public key.
  2. Enter the following command to create (or append to) the authorization file:
echo Key [keyname.pub]>>authorization

Replace [keyname.pub] with the name of the public key you created using the key generation utility above, for example, echo Key id_rsa_2048_a.pub>>authorization

  1. Confirm that the authorization file is correct.

On a Windows server, enter the command: type authorization

On a UNIX/Linux server, enter the command: cat authorization

  1. Disconnect your SSH connection.

You should now be able to connect with SSH, SFTP, or SCP from the UNIX system running the client to the system running the Reflection SSH server without being prompted for a password.

Troubleshooting

If you have trouble connecting, check the troubleshooting suggestions listed below.

Check File and Directory Permissions on UNIX

On the UNIX client, verify that the private key is readable (600) and the identification file has write-access only to the user (600 or 644)

On the UNIX server, verify that /$HOME/.ssh2 directory is set to (700 or 755) and the authorization file is set to (600 or 644).

Note: The StrictModes setting affects the level of protection required for files and directories used for public key authentication. To ensure maximum security, this setting is now enabled by default. Some file permissions are enforced even when this setting is disabled.

For details, see File and Directory Permissions for Public Key Authentication in the Reflection for Secure IT documentation, https://support.microfocus.com/manuals/sshdocs.html.

For understanding UNIX permissions, see KB 7021756.

Verify that Public Key Authentication Is Enabled

Public key authentication must be enabled on both the client and the server.

On the Reflection SSH UNIX client:

Check the .ssh2 directory in the user's home directory for an ssh2_config file. If it exists, verify that the following entry is in the Authentication section:

AllowedAuthentications=publickey

If it does not exist, check the /etc/ssh2 directory for the ssh2_config file. Verify that the following entry is in the Authentication section:

AllowedAuthentications=publickey

On the Reflection SSH UNIX server:

The server configuration file, sshd2_config, generally located in /etc/ssh2/, should include the following entries:

AllowedAuthentications=publickey

On the Reflection SSH Windows server:

Follow these steps to verify that public key authentication is enabled on the server:

  1. Click Start > Programs > Attachmate Reflection > Reflection SSH Server Configuration.
  2. Click Configuration tab, and go to Authentication > Public Key in the left pane.
  3. Verify that "Public key authentication" is set to Allow. Allow is the default.

If you have created Subconfiguration, check the Public Key pane within the subconfiguration window from the server console.

Verify that the Public Key Was Uploaded Properly and the Authorization File Exists

By default, the public key should be uploaded to the server in either of these locations:

UNIX: /$HOME/.ssh2
Windows: <userid>\.ssh2

Note: Based on site requirements, server administrators can change the location of the User key directory. An account with administrator rights can verify the folder’s location:

UNIX: In the sshd2_config file, under the UserConfigDirectory keyword.
Windows: Under Public key > Public key storage > User key directory.

Verify that you transferred the public key <keyname>.pub to the server, and the authorization file exists in this directory and contains a Key entry pointing to the public key file. The file name must match exactly. For example:

Key id_rsa_2048_a.pub

Working with Multiple Hosts and Key Pairs—An Example

If you are working with multiple hosts and key pairs, each key requires a separate entry line in the appropriate file, identification or authorization. The following example shows the required entries for Host A to connect to Hosts C or D, or for Host B to connect to Host C:

Host A identification file (client)
Host B identification file (client)
IdKey id_dsa_1024_a
IdKey id_dsa_2048_a
IdKey id_dsa_1024_b
 
Host C authorization file (server)
Host D authorization file (server)
Key id_dsa_1024_a.pub
Key id_dsa_1024_b.pub
Key id_dsa_2048_a.pub

Additional Information

Legacy KB ID

This article was originally published as Attachmate Technical Note 1926.