SSH

Uploading Public Keys Manually

All commands in this section are shown using sshg3 and scpg3 from the machine running Tectia ConnectSecure. Server-side configuration can also be done by logging in to the remote server and entering the commands locally.

To enable public-key authentication with your key pair:

  1. Place your keys in a directory where the Connection Broker can locate them.

    By default, the Connection Broker attempts to use each key found in the $HOME/.ssh2 directory on Unix, or in the %APPDATA%\SSH\UserKeys and %APPDATA%\SSH\UserCertificates directories on Windows.

    You can also add other directory locations for keys on the Keys and Certificates page of the Tectia Connections Configuration GUI. See Managing Keys and Certificates. On Unix, you can use the general/key-stores/key-store element in the ssh-broker-config.xml file. See the section called “Key Store Configuration Examples”.

  2. (Optional) Create an identification file.

    Using the identification file is not necessary if all your keys are stored in the default directory and you allow all of them to be used for public-key and/or certificate authentication. If the identification file does not exist, the Connection Broker attempts to use each key found in the default directory. If the identification file exists, the keys listed in it are attempted first.

    Create a file called identification, on Unix in your $HOME/.ssh2 directory, or on Windows in your %APPDATA%\SSH directory.

    Edit it with your favorite text editor to include the following line (replace id_rsa_2048_a with the file name of the private key):

    IdKey       id_rsa_2048_a

    The keys are assumed to be in the same directory with the identification file, but also an absolute or a relative path can be given. For example, on Windows:

    IdKey       UserKeys\id_rsa_2048_a

    The identification file can contain several key IDs. For more information on the syntax of the identification file, see $HOME/.ssh2/identification.

  3. Connect to Server using some other authentication method and create a .ssh2 (and .ssh2/authorized_keys), or a .ssh directory under your home directory if it does not exist already.

    Depending on the server version the remote host is running, run one of the following commands:

    • Tectia Server on Unix or z/OS:

      $ sshg3 ServerUser@tectia_server mkdir .ssh2

      If you do not want to use an authorization file on Tectia Server 5.x or later on Unix, create also the authorized_keys directory:

      $ sshg3 ServerUser@tectia_unix mkdir .ssh2/authorized_keys
    • Tectia Server on Windows:

      $ sshg3 ServerUser@tectia_win "cmd /c mkdir .ssh2"

      If you do not want to use an authorization file on Tectia Server 5.x or later on Windows, create also the authorized_keys directory:

      $ sshg3 ServerUser@tectia_win "cmd /c mkdir .ssh2\authorized_keys"
    • OpenSSH server on Unix or z/OS:

      $ sshg3 ServerUser@open_server mkdir .ssh
  4. Copy the public key to Server.

    Depending on the server version the remote host is running, do one of the following actions:

    • Tectia Server 5.x or later on Unix and Windows:

      Use SCP to upload your public key to the server, to your authorized_keys directory (by default $HOME/.ssh2/authorized_keys on Unix servers, or %USERPROFILE%\.ssh2\authorized_keys on Windows servers):

      $ scpg3 id_rsa_2048_a.pub ServerUser@tectia_server:.ssh2/authorized_keys/
    • Tectia Server 4.x on Unix and Windows:

      Use SCP to upload your public key to the server (by default to the $HOME/.ssh2 directory on Unix and to the %USERPROFILE%\.ssh2 directory on Windows servers):

      $ scpg3 id_rsa_2048_a.pub ServerUser@tectia4x_server:.ssh2/
    • Tectia Server for IBM z/OS:

      The public key must be converted to the EBCDIC format. This can be done by including the scpg3 dst-site command-line option, or the sftpg3 site commands in the file transfer command. For more information on the site parameters, see Site Command.

      Use SCP to upload your public key to the server (by default to the $HOME/.ssh2 directory):

      $ scpg3 --dst-site="C=ISO8859-1,D=IBM-1047,X=TEXT" id_rsa_2048_a.pub \
      ServerUser@tectia_zos:$HOME/.ssh2/
    • OpenSSH server on Unix:

      Use SCP to upload your public key to the server, to your $HOME/.ssh directory:

      $ scpg3 id_rsa_2048_a.pub ServerUser@open_unix:.ssh/
  5. Create an authorization or authorized_keys file on Server.

    Depending on the server version the remote host is running, do one of the following actions:

    • Tectia Server 5.x or later on Unix and Windows do not require an authorization file if the public keys are stored in the user's authorized_keys directory. However, an authorization file may be optionally used. See instructions for creating the file below in the Tectia Server 4.x information.

    • Tectia Server 4.x on Unix and Windows and Tectia Server for IBM z/OS require an authorization file stored in the user's .ssh2 directory. The authorization file specifies the public keys that are authorized for login.

      Add the key entry to the authorization file. On a Unix or z/OS server:

      $ sshg3 ServerUser@tectia_server "echo Key id_rsa_2048_a.pub >> \
      .ssh2/authorization"

      On a Windows server:

      $ sshg3 ServerUser@tectia4x_win "cmd /c echo Key id_rsa_2048_a.pub >> \
      .ssh2\authorization"

      An example authorization file is shown below (by default $HOME/.ssh2/authorization on Unix and z/OS servers, and %USERPROFILE%\.ssh2\authorization on Windows servers):

      Key     id_rsa_2048_a.pub

      This directs Tectia Server to use id_rsa_2048_a.pub as a valid public key when authorizing your login.

    • OpenSSH server requires that the public key is converted to the OpenSSH public-key file format and stored in the authorized_keys file in the user's .ssh directory.

      Convert the public key to the OpenSSH public-key file format on the server and append it to your $HOME/.ssh/authorized_keys file. This can be done with a remote command on an OpenSSH server as follows:

      $ sshg3 ServerUser@open_server "ssh-keygen -i -f id_rsa_2048_a.pub >> \
      .ssh/authorized_keys"
  6. Make sure that public-key authentication is enabled in the ssh-broker-config.xml file (it is enabled by default).

    <authentication-methods>
      <auth-publickey />
    ...
    </authentication-methods>
    

    Other authentication methods can be listed in the configuration file as well. Place the least interactive method first.

Assuming Server is configured to allow public-key authentication to your account, you should now be able to log in from Client to Server using public-key authentication.

Try to log in:

Client$ sshg3 Server

You should be prompted for the passphrase of the private key. After you have entered the passphrase, a Secure Shell connection will be established.