Public-key authentication is based on the use of digital signatures and provides very good authentication security.
To use public keys in user authentication, you must first create a key pair on the client. One of the created key files is your public key, and the other is your secret private key.
The security level of the key pair depends on the complexity (or bit length) of the key. Larger keys are more secure, but generating and using them takes a longer time.
Note: The default RSA key size (3072 bits) provides 128-bit security and the default ECDSA key size (384 bits) provides 192-bit security. We do not recommend generating RSA or DSA keys smaller than 2048 bits, even for interoperability with third-party implementations.
Note: We recommend that you replace your SSH keys with new ones at least every two years.
The server must know the user's public key, so you need to upload the public key to the server, but the private key must remain only in your possession.
When you start logging in to a remote server, the client sends a signature to the server, and the server checks for matching public keys. If the key is protected with a passphrase, the client requests you to enter the passphrase.
Remember that your private key is used to authenticate you. Keep your private key in a secure place and make sure that no one else has access to it. If anyone else can access your private key, they can attempt to log in to the remote host computer pretending to be you. Define a passphrase to protect your private key, whenever possible.
Caution: Generate keys only on your personal computer that no one else can access! Do not store your private key on a computer that is shared with other users.
When you start using public-key authentication, do the following:
1. Generate a key pair. You can generate your own key files with the help of the built-in Public-Key Authentication Wizard (see Creating Keys with Public-Key Authentication Wizard), or using the command line tool ssh-keygen-g3 (see Creating and Uploading Keys with the Command Line Tools). You can also import existing keys on the Keys and Certificates page of the Tectia Connections Configuration GUI.
2. Upload your public key to the remote host computer (running Tectia Server) automatically (see Uploading Public Keys Automatically).
Note: Tectia Server also supports user public keys generated with OpenSSH. Tectia Server can be configured to check the OpenSSH
These instructions assume that the client user is allowed to log in to the remote host, where Tectia Server is running, using password authentication.
On Linux, you can use the Tectia Public-Key Authentication Wizard to generate a key pair. The wizard will generate two key files, your private key and your public key, and store them in the $HOME/.ssh2 directory on your local computer. The public key has .pub as the file extension, and the private key file has the same base file name as the public key but no file extension.
Public key pairs can also be generated with the command line tool ssh-keygen-g3. For instructions, see Creating and Uploading Keys with the Command Line Tools.
Go to the /opt/tectia/bin directory by entering:

```
$ cd /opt/tectia/bin/
```

Start the Tectia Connections Configuration GUI with the following command:

```
$ ssh-tectia-configuration
```
Go to User Authentication and select the Keys and Certificates page. Click New key.
The Public-Key Authentication Wizard starts.
Define the key properties and the required passphrase to protect your key pair.
Type a unique name for the key file. The wizard suggests a name consisting of your user name and the host name.
Write a short comment that describes the key pair. For example, describe the connection the key is used for. The wizard suggests a comment consisting of the key length and type, your user name and the host name, and the current date and time. This field is not obligatory, but it helps to identify the key later.
Type a phrase that is difficult to guess. Ideally use at least 20 characters, both letters and numbers; any punctuation characters can be used as well. Although the passphrase and the private key are never sent over the network, a dictionary attack can be mounted against a private key file if an attacker can read it locally, so the passphrase is what protects the key in that case. For ease of use, an authentication agent is recommended instead of leaving the passphrase empty. By default, ssh-broker-g3 functions as the authentication agent.
Note: In FIPS mode, due to a FIPS regulation which forbids exporting unencrypted private keys out of the FIPS module, it is not possible to generate user keys without a passphrase.
If the key pair will be used for automated jobs, you can leave the passphrase field empty to generate the key without a passphrase.
You will be asked for the passphrase every time you use the key to authenticate yourself. The passphrase works in a way similar to a password and gives some protection to your private key.
Memorize the passphrase carefully, and do not write it down.
Type the passphrase again. This ensures that you have not made a typing error.
Click the Advanced Options if you want to define the type and/or length of the key to be generated to be different from the defaults. By default, Tectia Client generates a pair of 3072-bit RSA keys.
In the Key Properties area, you can define the following:
Select the type of the key to be generated. Available options are Ed25519, RSA, ECDSA and DSA.
Note: In FIPS mode (conforming to FIPS 186-5) RSA, ECDSA and Ed25519 are supported. DSA has been deprecated.
Select the length (complexity) of the key to be generated. Available options are:
- DSA/RSA keys: 2048, 3072, 4096, 5120, 6144, 7168, 8192 bits
- ECDSA keys: 256, 384, 521 bits
- Ed25519 keys: 256 bits
Larger keys of the same key type are more secure, but also slower to generate. A 256-bit ECDSA key and a 3072-bit RSA key provide equivalent security.
Click Next to proceed to uploading the key. The wizard continues with Step 3 in Uploading Public Keys Automatically.
Uploading existing public keys to new remote servers is instructed in Uploading Public Keys Automatically.
Public keys can be automatically uploaded to servers that have the SFTP subsystem enabled, and by default, SFTP is enabled on Tectia Servers. The Public-Key Authentication Wizard automatically uploads each new public key to a remote host of your choice. All existing keys are also listed on the Keys and Certificates page of the Tectia Connections Configuration GUI, and you can select a key to upload it to a remote server at any time.
The public key will be uploaded to the default user home directory ($HOME/.ssh2 on Unix) on the remote server.
Note: The key user is required to have
To access the Public-Key Authentication Wizard, click User Authentication → Keys and Certificates on the tree view.
Select a key from the Key and Certificate List and click Upload.
The Upload Public Key view of the wizard appears.
Define the remote host where you want to upload the key:
- Select this option to define the remote Host name and your User name there. The default Secure Shell Port number is 22.
- Select a Connection profile from the drop-down list that specifies the desired remote host and user name.
Click Upload to transfer the key to the selected server. If you are already connected to the remote server host, the key upload starts immediately. If you are not connected, you will be prompted to authenticate on the server (by default with password).
In addition to the Tectia Connections Configuration GUI available on Linux, you can use the command line tools for creating and uploading keys.
To create a public key pair, run ssh-keygen-g3 on the command line on Tectia Client:
```
Client$ ssh-keygen-g3
Generating 3072-bit rsa key pair
   15 o.oOo.oOOo.o
Key generated.
3072-bit rsa, ClientUser@Client, Mon Aug 15 2022 12:08:07 +0200
Passphrase :
Again :
Private key saved to /home/ClientUser/.ssh2/id_rsa_3072_a
Public key saved to /home/ClientUser/.ssh2/id_rsa_3072_a.pub
```
ssh-keygen-g3 asks for a passphrase for the new key. Enter a sufficiently long (20 characters or so) sequence of any characters (spaces are OK).
The new authentication key pair consists of two separate files. One of the keys is your private key which must never be made available to anyone but yourself. The private key can only be used together with the passphrase.
The key pair is by default stored in your $HOME/.ssh2 directory (created by ssh-keygen-g3 if it does not exist previously). In the example above, the private key file is id_rsa_3072_a. The other file, id_rsa_3072_a.pub, is your public key, which can be distributed to other computers.
By default, ssh-keygen-g3 creates a 3072-bit RSA key pair. DSA, ECDSA or Ed25519 keys can be generated by specifying the -t option with ssh-keygen-g3. Key length can be specified with the -b option. For automated jobs, the key can be generated without a passphrase with the -P option:

```
$ ssh-keygen-g3 -t ecdsa -b 384 -P
```
To enable public-key authentication with your key pair:
1. Check that your keys are stored in the default location: the $HOME/.ssh2 directory.
2. Connect to Server using your password.
3. Use the Secure Shell file copy client scpg3 to upload your public key to the server, to your default authorized_keys directory, the $HOME/.ssh2/authorized_keys directory:

```
$ scpg3 id_rsa_3072_a.pub ServerUser@Server:.ssh2/authorized_keys/
```
The server will then use the uploaded public key to authenticate you when you log in after this.
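As an added example (not Tectia's own code), a small Python parser for the RFC 4716 .pub file format that ssh-keygen-g3 writes. It reports the key type and bit length so a key can be checked against the size recommendation above before it is uploaded to a server. The sample .pub file it builds uses a constructed placeholder modulus and is not a real key.

```python
import base64

MIN_BITS = {"ssh-rsa": 2048}  # the documentation advises against RSA keys smaller than 2048 bits
BEGIN, END = "---- BEGIN SSH2 PUBLIC KEY ----", "---- END SSH2 PUBLIC KEY ----"

def _read_string(blob, pos):
    length = int.from_bytes(blob[pos:pos + 4], "big")  # SSH string: uint32 length, then bytes
    return blob[pos + 4:pos + 4 + length], pos + 4 + length

def parse_ssh2_pub(text):
    """Parse an RFC 4716 (Tectia .pub) file; return (key type, bits, comment)."""
    lines = text.replace("\\\n", "").strip().splitlines()  # join backslash-continued headers
    if lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an SSH2 public key file")
    comment, body = "", []
    for line in lines[1:-1]:
        if ":" in line and not body:  # header lines (e.g. Comment:) precede the base64 body
            name, _, value = line.partition(":")
            if name.strip() == "Comment":
                comment = value.strip().strip('"')
        else:
            body.append(line.strip())
    blob = base64.b64decode("".join(body))
    ktype, pos = _read_string(blob, 0)
    if ktype == b"ssh-rsa":
        _e, pos = _read_string(blob, pos)  # public exponent
        n, _ = _read_string(blob, pos)     # modulus; its bit length is the key length
        bits = int.from_bytes(n, "big").bit_length()
    elif ktype.startswith(b"ecdsa-sha2-nistp"):
        bits = int(ktype[len(b"ecdsa-sha2-nistp"):])  # nistp256 / nistp384 / nistp521
    elif ktype == b"ssh-ed25519":
        bits = 256
    else:
        raise ValueError("unsupported key type " + ktype.decode())
    return ktype.decode(), bits, comment

def key_meets_policy(text):
    ktype, bits, _ = parse_ssh2_pub(text)
    return bits >= MIN_BITS.get(ktype, 0)

def _mpint(n):
    raw = n.to_bytes((n.bit_length() + 8) // 8, "big")  # SSH mpint: extra 0x00 if top bit set
    return len(raw).to_bytes(4, "big") + raw

def make_sample_rsa_pub(n=(1 << 3071) | 0x10001, comment="3072-bit rsa, ClientUser@Client"):
    # Constructed .pub file for testing only; the modulus is a placeholder, not a real key.
    blob = (7).to_bytes(4, "big") + b"ssh-rsa" + _mpint(65537) + _mpint(n)
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return "%s\nComment: \"%s\"\n%s\n%s\n" % (BEGIN, comment, body, END)
```

To check a real key, read $HOME/.ssh2/id_rsa_3072_a.pub and pass its contents to key_meets_policy.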