Topic
  • 5 replies
  • Latest Post - 2014-03-13T10:27:33Z by HermannSW
PPotkay
140 Posts

Pinned topic User Agent's Pubkey-Auth Policy for sftp

2013-12-23T19:33:07Z

I want to use the Command Line Interface while ssh'ed into the appliance to copy a file to a remote Red Hat Linux server via SFTP.

This is successfully working from the CLI in an interactive session:

copy export:///WinningLotteryNumbers.zip sftp://someuserid@MyServer.abc.prod//datapower/stuff/NothingOfInterestHere.zip

I get prompted for the password for someuserID; I type it in, and the file is successfully copied to MyServer (its fully qualified DNS name is MyServer.abc.prod).

I want to get this to work without having to type in the password for that sftp, so I followed the instructions here to set up that DSA key pair.

http://www-01.ibm.com/support/docview.wss?uid=swg21273347

On MyServer while logged on as someuserid I ran the command ssh-keygen -t dsa
and it produced the id_dsa file. I copied that file up to the certs directory on my DP appliance, and I gave it a more meaningful name, id_dsa_MyServer_someuserid. (Was it wrong to give it a new name when I copied it up to the appliance? The original file has the original name on the Linux server)

I created a Crypto Key referencing the cert:///id_dsa_MyServer_someuserid file called MyServer_someuserid_CK.

I modified the default User Agent and gave it a PubKey-Auth Policy which references that new Crypto Key (MyServer_someuserid_CK), and I specified this for the URL matching Expression:

sftp://someuserid@MyServer.abc.prod//datapower/stuff/*

Applied and saved the configuration.

The good news is this PubKey-Auth Policy is getting a match on that URL string when I am in the CLI and try to sftp to that destination. I know it is seeing it because if I use something slightly different in the sftp command I execute, or if I modify the URL Matching Expression to have an extra character the behaviour of my CLI command changes.

The bad news: the behaviour of my CLI command to copy via sftp!

If this PubKey-Auth Policy is invoked, I get the generic error in the CLI that says the file can't be found. It's the same generic error I get if I remove that PubKey-Auth Policy and then purposely enter a bad password when prompted.

Looking at this from the RHEL server's perspective:

11.222.333.44 is the (changed for this posting) IP address of my DP appliance.

In /var/log/secure on the RHEL server

When I enter a bad password on the CLI while SSH'ed into the DataPower appliance.
Dec 23 13:34:28 MyServer sshd[21768]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=MyDPappliance.thisdomaind.com  user=someuserID
Dec 23 13:34:30 MyServer sshd[21768]: Failed password for someuserID from 11.222.333.44 port 18916 ssh2
Dec 23 13:34:30 MyServer sshd[21769]: Connection closed by 11.222.333.44

When I enter a good password on the CLI while SSH'ed into the DataPower appliance.
Dec 23 13:34:58 MyServer sshd[21776]: Accepted password for someuserID from 11.222.333.44 port 18921 ssh2
Dec 23 13:34:58 MyServer sshd[21776]: pam_unix(sshd:session): session opened for user someuserID by (uid=0)
Dec 23 13:34:58 MyServer sshd[21778]: subsystem request for sftp
Dec 23 13:34:59 MyServer sshd[21776]: pam_unix(sshd:session): session closed for user someuserID

When the Pubkey-Auth Policy is invoked on the DataPower appliance the only entry on the Linux server is:
Dec 23 13:37:32 MyServer sshd[21826]: Connection closed by 11.222.333.44

/var/log/btmp only shows something when I don't use the Pubkey-Auth Policy and I type a bad password. Nothing shows up in /var/log/btmp when the Pubkey-Auth Policy is invoked on the DataPower appliance side.

So I must have done something wrong with that id_dsa file. Was it OK to rename it when I copied it up to the appliance? Did I miss some other step?

It seems like the DP appliance is attempting to make a connection to the RHEL server, and then the DP appliance is the one that kills the connection, based on that single line entry in /var/log/secure on the RHEL server when the connection is attempted using the PubKey-Auth Policy.

-Peter
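The three /var/log/secure patterns above (a failed password, an accepted password, and a bare "Connection closed" with nothing before it) are exactly what a log reader on the Linux side should be telling apart. The following is an added example, not code from the post or from IBM: a small Python classifier that walks sshd log lines in order, labels each authentication outcome per client address, and treats a "Connection closed by <ip>" with no preceding Accepted/Failed line for that client as "closed before authentication", the signature the post sees when the PubKey-Auth Policy is used. The log text is a constructed sample modelled on the lines quoted above; the host names, user name and the 11.222.333.44 address are the post's own placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the /var/log/secure excerpts in the post;
# host names, user name and address are the post's placeholders, not real systems.
SAMPLE_SECURE_LOG = """\
Dec 23 13:34:28 MyServer sshd[21768]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=MyDPappliance.thisdomaind.com  user=someuserID
Dec 23 13:34:30 MyServer sshd[21768]: Failed password for someuserID from 11.222.333.44 port 18916 ssh2
Dec 23 13:34:30 MyServer sshd[21769]: Connection closed by 11.222.333.44
Dec 23 13:34:58 MyServer sshd[21776]: Accepted password for someuserID from 11.222.333.44 port 18921 ssh2
Dec 23 13:34:58 MyServer sshd[21776]: pam_unix(sshd:session): session opened for user someuserID by (uid=0)
Dec 23 13:34:58 MyServer sshd[21778]: subsystem request for sftp
Dec 23 13:34:59 MyServer sshd[21776]: pam_unix(sshd:session): session closed for user someuserID
Dec 23 13:37:32 MyServer sshd[21826]: Connection closed by 11.222.333.44
"""

# The three sshd message shapes the classifier keys on.
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port")
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port")
CLOSED_RE = re.compile(r"sshd\[\d+\]: Connection closed by (?P<ip>\S+)")


@dataclass
class AuthEvent:
    timestamp: str
    client: str
    result: str                 # "accepted", "failed" or "closed_before_auth"
    method: Optional[str] = None
    user: Optional[str] = None


def classify_auth_events(log_text: str) -> List[AuthEvent]:
    """Walk the log in order and label each authentication outcome per client.

    A 'Connection closed by <ip>' that is not preceded by an Accepted/Failed
    line for that client is the signature seen in the post: the client hung up
    before sshd accepted or rejected a credential by name.
    """
    events: List[AuthEvent] = []
    awaiting_close = set()   # clients whose Failed line was seen but not yet closed
    for line in log_text.splitlines():
        stamp = line[:15]    # syslog timestamp, e.g. "Dec 23 13:34:30"
        if m := ACCEPTED_RE.search(line):
            events.append(AuthEvent(stamp, m["ip"], "accepted", m["method"], m["user"]))
        elif m := FAILED_RE.search(line):
            events.append(AuthEvent(stamp, m["ip"], "failed", m["method"], m["user"]))
            awaiting_close.add(m["ip"])
        elif m := CLOSED_RE.search(line):
            if m["ip"] in awaiting_close:
                awaiting_close.discard(m["ip"])   # the close that follows a logged failure
            else:
                events.append(AuthEvent(stamp, m["ip"], "closed_before_auth"))
    return events


def summarize(events: List[AuthEvent]) -> dict:
    """Count outcomes by label, handy for a quick per-host overview."""
    counts: dict = {}
    for e in events:
        counts[e.result] = counts.get(e.result, 0) + 1
    return counts


if __name__ == "__main__":
    for e in classify_auth_events(SAMPLE_SECURE_LOG):
        print(f"{e.timestamp}  {e.client:<15} {e.result:<20} {e.method or '-'} {e.user or '-'}")
    print(summarize(classify_auth_events(SAMPLE_SECURE_LOG)))
```

Run it directly to print one line per outcome. At sshd's default LogLevel INFO a public key the server does not accept produces no "Failed publickey" line at all, which is why the pubkey attempt in the post shows only the close; setting LogLevel VERBOSE in sshd_config makes sshd log the offered key's fingerprint and its rejection, which would have pointed straight at the missing authorized_keys file.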

  • PPotkay
    140 Posts

    Re: User Agent's Pubkey-Auth Policy for sftp

    2013-12-24T02:51:02Z

    Despite a couple more hours of Googling and trying things, I haven't gotten it to work yet with the PubKey-Auth Policy. However, if I delete that PubKey-Auth Policy and add a Basic Auth Policy to the default User Agent, it works. I can copy files via the CLI using SFTP and I am no longer prompted for a password.

    I guess this works. It seems simple enough; why not just go with this instead of the PubKey-Auth Policy? What am I missing? It seems too easy.

    The Basic Auth Policy is not showing the password in plain text for the ID. I assume the password is not floating around somewhere in plain text using this method but I guess I really don't know for sure one way or the other.

    Whether I use the Basic Auth Policy or get the PubKey-Auth Policy working, I'm not thrilled with modifying the default User Agent in the default domain. I created a new User Agent called MyUserAgent and set the Basic Auth Policy there, but that didn't work. I don't understand how to get the CLI to use the new MyUserAgent instead of the default User Agent.

    So for now I got it working using a Basic Auth Policy in the default User Agent. I'll go back to trying to get the PubKey-Auth Policy method working. Any pointers are appreciated on how to get the PubKey-Auth Policy method to work, or how to not have to rely on the default User Agent.

    -Peter

  • PPotkay
    140 Posts

    Re: User Agent's Pubkey-Auth Policy for sftp

    2013-12-24T04:32:47Z

    I got the PubKey-Auth Policy to work. The issue was on the Linux server - there was no authorized_keys file in the .ssh directory. Once I created it and populated it with the public key it started working :-)

    Questions still open:

    A. What's the better solution - PubKey-Auth Policy or Basic Auth Policy?

    PubKey-Auth Policy: Copying this private key to multiple DataPower appliances introduces the risk of that file getting into the wrong hands, and then they can ssh into my Linux server. I think I can mitigate this by specifying the list of acceptable DataPower IP addresses in the authorized_keys file.

    Basic Auth Policy: Simple, gets the job done. I suppose it's just as easy to blab and share the password as it is to let the private key get loose.

    Is there some other consideration that would make one Policy much better than the other?

    B. rsa versus dsa for the keys. Googling the comparison of these 2 made my head spin, but rsa seems to be the preferred choice. This original technote that got me going down this path, http://www-01.ibm.com/support/docview.wss?uid=swg21273347, says to use dsa. Can we / should we use rsa?

    C. Is there a way to have the Command Line Interface refer to a User Agent other than the 'default' User Agent? Or is it OK that I'm modifying the 'default' User Agent to specify either a PubKey-Auth Policy or Basic Auth Policy? I am using a very specific URL Matching expression, so it's not likely to interfere with anything else.

    -Peter
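The mitigation named under question A, listing the acceptable DataPower addresses in authorized_keys, is done with the from= option, and the same option list can also switch off everything an sftp transfer does not need, so that a copied private key is worth much less if it does get loose. As an added example (not part of the thread, and not IBM's or OpenSSH's code), here is a Python helper that parses authorized_keys entries, builds a locked-down entry from the contents of a .pub file, and audits an existing file for keys that a leaked private key could use from anywhere. The key blob and comment are constructed placeholders; the addresses are the post's. The options used (from=, no-pty, no-port-forwarding, no-agent-forwarding, no-X11-forwarding, and restrict) are all documented sshd authorized_keys options.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Key algorithm names as they appear in an authorized_keys entry (OpenSSH names).
KEY_TYPES = (
    "ssh-ed25519", "ssh-rsa", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
)

# Options that stop a key being useful for anything beyond the file transfer it
# was issued for (documented sshd authorized_keys options).
LOCKDOWN_OPTIONS = ("no-pty", "no-port-forwarding", "no-agent-forwarding", "no-X11-forwarding")

# [options] key-type base64-blob [comment]; the option list is optional.
ENTRY_RE = re.compile(
    r"^(?:(?P<opts>.+?)\s+)?(?P<type>" + "|".join(re.escape(t) for t in KEY_TYPES) +
    r")\s+(?P<blob>\S+)(?:\s+(?P<comment>.*))?$"
)


@dataclass
class AuthorizedKey:
    options: List[str]
    key_type: str
    key_blob: str
    comment: str


def split_options(text: str) -> List[str]:
    """Split a comma-separated option list, keeping commas inside quotes intact
    (from="a,b" is a single option)."""
    opts, cur, in_quote = [], [], False
    for ch in text:
        if ch == '"':
            in_quote = not in_quote
        if ch == "," and not in_quote:
            opts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if cur:
        opts.append("".join(cur))
    return opts


def parse_entry(line: str) -> Optional[AuthorizedKey]:
    """Parse one authorized_keys line; blank lines and comments give None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = ENTRY_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised authorized_keys entry: {line!r}")
    opts = split_options(m.group("opts")) if m.group("opts") else []
    return AuthorizedKey(opts, m.group("type"), m.group("blob"), m.group("comment") or "")


def build_entry(public_key_line: str, allowed_sources: List[str]) -> str:
    """Turn the contents of a .pub file into an entry usable only from the listed
    client addresses/host names, with interactive features switched off."""
    key = parse_entry(public_key_line)
    if key is None or key.options:
        raise ValueError("expected a bare public key line without options")
    options = ['from="' + ",".join(allowed_sources) + '"', *LOCKDOWN_OPTIONS]
    entry = f'{",".join(options)} {key.key_type} {key.key_blob}'
    return f"{entry} {key.comment}" if key.comment else entry


def audit(authorized_keys_text: str) -> List[str]:
    """Report entries that a leaked private key could use from anywhere, or that
    still allow a shell or forwarding (unless 'restrict' already covers that)."""
    findings = []
    for n, line in enumerate(authorized_keys_text.splitlines(), 1):
        key = parse_entry(line)
        if key is None:
            continue
        names = {o.split("=", 1)[0].lower() for o in key.options}   # sshd matches case-insensitively
        if "from" not in names:
            findings.append(f"line {n}: no from= restriction ({key.comment or key.key_type})")
        else:
            src = next(o for o in key.options if o.lower().startswith("from="))
            if "*" in src or "?" in src:
                findings.append(f"line {n}: from= uses wildcards: {src}")
        if "restrict" not in names:
            missing = [o for o in LOCKDOWN_OPTIONS if o.lower() not in names]
            if missing:
                findings.append(f"line {n}: missing {', '.join(missing)}")
    return findings


# Constructed sample: the .pub line as it would be copied in unchanged (usable
# from anywhere) next to the same key built with build_entry(). The key blob is
# a placeholder, not a real key.
DP_PUBKEY = "ssh-dss AAAAB3NzaC1kc3MAAACBconstructedplaceholder== someuserid@datapower"
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# keys for someuserid on MyServer",
    DP_PUBKEY,
    build_entry(DP_PUBKEY, ["11.222.333.44", "11.222.333.45"]),
])

if __name__ == "__main__":
    print(SAMPLE_AUTHORIZED_KEYS)
    for finding in audit(SAMPLE_AUTHORIZED_KEYS):
        print("FINDING:", finding)
```

The sample uses ssh-dss because the thread does; OpenSSH 7.0 and later do not accept ssh-dss keys by default, so on a current server the same entry would be built from an ssh-ed25519 or ssh-rsa .pub line. from= takes a comma-separated list of addresses or host names (wildcards are permitted, which is why the audit flags them), and sshd checks it against the connecting client before the key itself is considered, so a key copied off one appliance is useless from anywhere not on that list.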

  • PPotkay
    140 Posts

    Re: User Agent's Pubkey-Auth Policy for sftp

    2014-01-02T18:50:53Z

    We decided to go with the Basic Auth Policy method to have the DataPower appliance authenticate itself to the Linux server for that sftp.

    I created the following Request For Enhancement. Here is the direct link to where you can view it and cast your vote if you think it's a good idea.

    http://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe&CR_ID=43263

    Headline:

    Allow a dedicated User Agent for the Command Line Interface via ssh

    Description:

    Allow the DataPower Administrator to create a new User Agent, and then configure the Command Line Interface (CLI) to use that new User Agent.

    Use case:

    Logging into the appliance via ssh to execute CLI commands to sftp files from the appliance to a remote Linux server. To avoid being prompted for a password for that sftp, we have successfully altered the 'default' User Agent to use a Basic-Auth Policy or a PubKey-Auth Policy. This works, but we would prefer not having to alter the default User Agent. We would prefer to be able to create a new User Agent specific for this task.

  • 6QMG_Elayaraja_Kathirvel
    81 Posts

    Re: User Agent's Pubkey-Auth Policy for sftp

    2014-03-12T23:43:57Z
    (quoting PPotkay's post of 2014-01-02T18:50:53Z, above)

    Hi,

    Our DataPower is running 6.0.1.0 firmware. We have configured it as per the link http://www-01.ibm.com/support/docview.wss?uid=swg21273347, and in the Pubkey-Auth Policy the URL Matching Expression is: sftp://dpuser@unxsvr/*

    Trying to copy the files from unxsvr to DP with: copy sftp://dpuser@unxsvr//tmp/1.txt temporary:///1.txt

    It's prompting me to enter a password.

    If I change the expression to * it works (it's NOT prompting me to enter a password).

    Can you please help on this?

  • HermannSW
    6065 Posts

    Re: User Agent's Pubkey-Auth Policy for sftp

    2014-03-13T10:27:33Z

    (quoting 6QMG_Elayaraja_Kathirvel's post of 2014-03-12T23:43:57Z, above)

    Please set the log level (temporarily) to "Debug" and enable internal logging on the default domain's Troubleshooting page.

    Then specify the pattern that does not work, do a copy, and inspect the log for details on why the match did not work.