Enabling RSA key-based authentication on UNIX and Linux® operating systems

You can use RSA key-based authentication as an alternative to simple password authentication.

About this task

Where you run the ssh-keygen step depends on whether ssh-keygen is available on the machine where Security Directory Integrator is installed:
  • If ssh-keygen is installed there, generate the key pair on the Security Directory Integrator machine (preferred). The private key then stays on the machine that uses it, and only the public key has to be copied to the managed resource.
  • If ssh-keygen is not installed there, generate the key pair on the managed resource and copy the private key to the Security Directory Integrator machine afterward, as described in step 7.

Procedure

  1. Use the ssh-keygen tool to create a key pair.
    1. Log in as the administrator user defined on the service form.
    2. Start the ssh-keygen tool. Issue the following command.
      mydesktop$ ssh-keygen -t rsa
    3. At the following prompt, accept the default or enter the file path where you want to save the key pair and press Enter.
      Generating public/private rsa key pair.
      Enter file in which to save the key (/home/root/.ssh/id_rsa):
    4. At the following prompt, enter a passphrase and press Enter.
      Enter passphrase (empty for no passphrase): passphrase
    5. At the following prompt, confirm your passphrase and press Enter.
      Enter same passphrase again: passphrase
      This example is a sample of the system response:
      Your identification has been saved in /home/root/.ssh/id_rsa.
      Your public key has been saved in /home/root/.ssh/id_rsa.pub.
      The key fingerprint is:
      2c:3f:a4:be:46:23:47:19:f7:dc:74:9b:69:24:4a:44 root@ps701
      Note: Although the ssh-keygen tool accepts a blank passphrase, the service form requires one, so do not leave it empty. Record the passphrase you enter here; you must supply the same value on the service form, because the private key file is stored encrypted under it.
  2. Validate that the keys were generated.
    1. Issue the following commands.
      mydesktop$ cd $HOME/.ssh
      mydesktop$ ls -l
      A sample system response is:
      -rw------- 1 root   root   883 Jan 21 11:52 id_rsa
      -rw-r--r-- 1 root   root   223 Jan 21 11:52 id_rsa.pub
      The private key must be readable only by its owner (mode 600), as shown; the public key can be world-readable.
    2. Issue the following command.
      mydesktop$ cat id_rsa
      A sample system response is:
      -----BEGIN RSA PRIVATE KEY-----
      Proc-Type: 4,ENCRYPTED
      DEK-Info: DES-EDE3-CBC,7F4CF1E209817BA0
      
      GuIQh4EdIp2DY1KfgB3eHic1InCG5VC9/dumHd7AqEnlo241fRuIo8zgO87GV+tk
      cvKd/pPCGhmyCZy/are0wZt3KLYWUyoN7i+8H2Khk8LmaspD6Tx309VHTfCyoJsu
      jtuR5c4HbcRtOYhMByHEqllEst1azzlIrO75Qj5cUG01K1MbdTeXq1xUGjo97s+V
      gEOokMQ+JmaJD9lrbiMz4wjWRtREjHfc1VYTA+ZE1W3HT3PfrjCnHm9RKKFaA6kM
      fPInefQgdzhCa0mCz+HOKJfkpfPh8ufGM9Jfb99VjZdI77LHeNN4VqeQ/VyPH7pn
      wp7GbEJ8g6iX4BWUWpXUVStfYNQTV8Dis7ayZtr3g/o+AKnh/dGnk1SHHNFgUUFf/
      +E0EXMokHSqqOzwf4t8xp4upnnS/7ag5MIVcU5/iWGW4sDEw7xfB25zD4lbvVK5
      kSZeWLgm79wMipKP90iEELPqO6cS2yPXd+ADfHs7FWPQW0UYGFeMnHa/
      tlglO5Pxo7ek2iR57mazmx33cofIX6E/ZI9XLysp5TR6Npq1x8KCv2Dk2x3QSH8F54EQmQ2+
      5uDsPA9Hg1B+agkBh/1g3tfevT01cCtUkQGl2ubhrNGB2SiiyKgw9Ks0AL3TO0ul
      D69D18r6Y6s3pHQ9LYAs6EIq3/5dqNYW8eLQ5eINUIlHBp9ep8+quyqSfB3qPCBW
      Db+qI09pYhkTrGBD8l5eQqs1T1h2gJsY2yyYV/Cp2m4fI+uHItCgSlkPROnj27Xh
      p6HAPaFA0zWOz1lmVNYhTbJZlbbwYyf/OKmYuOklSuQ=
      -----END RSA PRIVATE KEY-----
      The Proc-Type and DEK-Info header lines confirm that the key is encrypted under your passphrase and name the cipher that was used. The cipher determines whether RXA can load the key; see the note at the end of this task. Check only the header lines, and do not paste the key body into tickets, logs, or email.
    3. Issue the following command.
      mydesktop$ cat id_rsa.pub
      A sample system response is this message (a single line; it may wrap on your display):
      ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA9xjGJ+8DLrxSQfVxXYUx4lc9copCG4HwD3TLO5ifezBQx0e9UnIWNFi4Xan3S8mYd6L+TfCJkVZ+YplLAe367/vhc1nDzfNRPJ95YnATefjYEa48lElu7uq1uofM+sZ/b0p7fIWvIRRbuEDWHHUmneoX8U/ptKFZzRpb/vTE6nE= root@ps0701
      The public key is one line made up of the key type (ssh-rsa), the base64 key blob, and a comment. If the line is broken into several lines when it is copied, the SSH server silently ignores the key.
  3. Enable key-based authentication in the /etc/ssh directory on the SSH server.
    1. Ensure that the following lines exist in the sshd_config file:
      # Should we allow Identity (SSH version 1) authentication?
      RSAAuthentication yes

      # Should we allow Pubkey (SSH version 2) authentication?
      PubkeyAuthentication yes

      # Where do we look for authorized public keys?
      # If it doesn't start with a slash, then it is
      # relative to the user's home directory
      AuthorizedKeysFile .ssh/authorized_keys
      PubkeyAuthentication yes and the AuthorizedKeysFile value shown are the OpenSSH defaults, so they are usually already in effect; what matters is that no later line in the file overrides them. RSAAuthentication applies only to SSH protocol 1. OpenSSH releases that no longer support protocol 1 ignore the keyword (with a warning at startup), so it has no effect on protocol 2 key-based logins. Recent OpenSSH servers also reject the SHA-1 based ssh-rsa signature algorithm by default; an RSA key still works with a client that signs with rsa-sha2-256 or rsa-sha2-512, but a client library that offers only ssh-rsa is refused.
    2. Restart the SSH server. Before you restart, check the edited file for syntax errors (sshd -t); an sshd_config that fails to parse leaves the server without a working SSH service.
  4. Copy the id_rsa.pub file to the SSH server, for example into the home directory of the administrator user. Only the public key is copied in this step; the private key does not belong on the managed resource unless it was generated there.
  5. If you have an existing authorized_keys file, edit it to remove any no-pty restrictions. RXA needs a pseudo-terminal for its sessions, so a key restricted with no-pty cannot be used for its logins.
  6. Add the public key to the authorized_keys file in the $HOME/.ssh directory.
    Issue the following command from the $HOME/.ssh directory, with the copied id_rsa.pub file in $HOME:
    ssh-server$ cat ../id_rsa.pub >> authorized_keys
    Note: This command appends the RSA public key to the authorized_keys file, for example $HOME/.ssh/authorized_keys. If this file does not exist, the command creates it.
    Ensure that the .ssh directory is mode 700, that authorized_keys is mode 600, and that both are owned by the administrator user. With the default StrictModes yes, sshd ignores an authorized_keys file that other users can write to, and key-based login fails without an obvious client-side error.
  7. Copy the id_rsa private key file to the client workstation where Security Directory Integrator is running. Use a channel that protects the file in transit (for example scp), and delete any copy left behind on the managed resource.
  8. Set the private key ownership and permissions. The file must be owned by the user that runs the Security Directory Integrator server. If that server is on UNIX or Linux, use chmod to set the private key permissions to 600.
    Note:
    • After you complete these steps, logging in to the server from the client computer prompts for the key passphrase instead of the user password. Test the login with the ssh command before you configure the service form, so that a key or server problem is not mistaken for an adapter problem.
    • RXA reads the private key from the PEM file itself, and the cipher named in the file's DEK-Info header decides whether it can do so. Older ssh-keygen releases encrypt the key with DES-EDE3-CBC; newer releases use AES-128-CBC, which RXA levels before 2.3.0.9 cannot read, so RSA key-based authentication does not work. To support RSA key-based authentication, take one of the following actions:
      • Install an ssh that uses the DES-EDE3-CBC cipher, or re-encrypt the existing key file with that cipher (for example with OpenSSL).
      • Install the RXA 2.3.0.9 package in your environment. RXA 2.3.0.9 supports the AES-128-CBC cipher.

        RXA 2.3.0.9 is included in the base release of Security Directory Integrator version 7.1.1, and is also available in Security Directory Integrator version 7.0 fix pack 8 and Security Directory Integrator version 7.1 fix pack 7.
    • Current ssh-keygen releases write private keys in the OpenSSH key format (the file begins with BEGIN OPENSSH PRIVATE KEY rather than BEGIN RSA PRIVATE KEY) unless you pass -m PEM. That format is not the PEM container this task describes and has no DEK-Info header. Generate the key with ssh-keygen -t rsa -m PEM, or convert an existing key with ssh-keygen -p -m PEM -f id_rsa, so that the file has the headers shown in step 2 before you copy it to the Security Directory Integrator machine.
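The following script is an added example for the whole procedure above; it is not part of the original documentation or of the Security Directory Integrator product. It wraps each step in a small POSIX shell function (the function names, the temporary directory and all sample file contents are constructed for this example), then runs a self-check on constructed sample files: a private key with the DES-EDE3-CBC header from step 2, a one-line public key, and a server-side authorized_keys that already carries a no-pty restriction. The generate_rsa_pem_key and reencrypt_with_des3 functions call ssh-keygen and openssl as those tools are documented to behave; they are shown for the procedure but not executed by the self-check, which therefore needs no real key material and no network.

```shell
#!/bin/sh
# Added example, not from the original documentation: shell helpers for the
# procedure above, plus a self-check on constructed sample files (no real keys).

# Step 1. Generate the key pair. "-m PEM" keeps the traditional PEM container
# whose headers step 2 checks (newer ssh-keygen releases otherwise write the
# OPENSSH format); -N sets the passphrase the service form requires. Not run here.
generate_rsa_pem_key() {  # usage: generate_rsa_pem_key <keyfile> <passphrase>
    ssh-keygen -t rsa -m PEM -N "$2" -f "$1"
}

# Step 2. Report how a private key file is protected, from its header alone:
# DES-EDE3-CBC (any RXA level), AES-128-CBC (RXA 2.3.0.9 or later),
# NONE (no passphrase; the service form rejects it) or OPENSSH (not PEM).
pem_key_cipher() {  # usage: pem_key_cipher <private-key-file>
    if grep -q '^-----BEGIN OPENSSH PRIVATE KEY-----' "$1"; then
        echo OPENSSH
    elif grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
        sed -n 's/^DEK-Info: \([^,]*\),.*/\1/p' "$1"
    else
        echo NONE
    fi
}

# True when an RXA level such as 2.3.0.9 is 2.3.0.9 or later.
rxa_at_least_2309() {  # usage: rxa_at_least_2309 <rxa-level>
    echo "$1" | awk -F. '{ exit !($1*1000000 + $2*10000 + $3*100 + $4 >= 2030009) }'
}

# Can this RXA level load this private key? (the failure mode in the note above)
key_usable_by_rxa() {  # usage: key_usable_by_rxa <private-key-file> <rxa-level>
    case "$(pem_key_cipher "$1")" in
        DES-EDE3-CBC) return 0 ;;
        AES-128-CBC)  rxa_at_least_2309 "$2" ;;
        *)            return 1 ;;
    esac
}

# Alternative to installing an older ssh: re-encrypt an existing PEM key with
# DES-EDE3-CBC using OpenSSL (prompts for the old and the new passphrase).
# OpenSSL 3 needs -traditional to keep the "RSA PRIVATE KEY" container. Not run here.
reencrypt_with_des3() {  # usage: reencrypt_with_des3 <in-key> <out-key>
    trad=""
    openssl rsa -help 2>&1 | grep -q -- '-traditional' && trad="-traditional"
    openssl rsa -in "$1" -des3 $trad -out "$2" && chmod 600 "$2"
}

# Step 4 check. A public key that is safe to install is one line of type ssh-rsa
# whose blob starts with the base64 of the type string "ssh-rsa". A key that was
# wrapped across lines during copy-and-paste fails this check.
pubkey_is_rsa() {  # usage: pubkey_is_rsa <id_rsa.pub>
    [ "$(grep -c '' "$1")" -eq 1 ] && grep -q '^ssh-rsa AAAAB3NzaC1yc2E' "$1"
}

# Steps 5 and 6. Install the public key on the SSH server: strip any no-pty
# option, append the key only if it is not already present, and set the
# permissions that sshd's StrictModes requires (700 on .ssh, 600 on the file).
install_authorized_key() {  # usage: install_authorized_key <home-dir> <id_rsa.pub>
    sshdir="$1/.ssh"; ak="$sshdir/authorized_keys"
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    if [ -f "$ak" ]; then
        sed 's/^no-pty,//; s/^no-pty //; s/,no-pty//' "$ak" > "$ak.tmp" && mv "$ak.tmp" "$ak"
    fi
    blob=$(awk '{ print $2 }' "$2")
    grep -qF "$blob" "$ak" 2>/dev/null || cat "$2" >> "$ak"
    chmod 600 "$ak"
}

# Step 8 check. The private key on the Security Directory Integrator machine
# must be mode 600, the ls -l column the documentation shows.
private_key_perms_ok() {  # usage: private_key_perms_ok <private-key-file>
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# ---- self-check on constructed sample files (not real keys) ------------------
work=$(mktemp -d)
cat > "$work/id_rsa" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,7F4CF1E209817BA0

(encrypted key body omitted in this constructed sample)
-----END RSA PRIVATE KEY-----
EOF
chmod 600 "$work/id_rsa"
# Constructed, truncated public key in the one-line layout ssh-keygen writes.
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA9xjGJ root@ps0701\n' > "$work/id_rsa.pub"
# A pre-existing authorized_keys on the server that carries a no-pty restriction.
mkdir -p "$work/server/.ssh"
printf 'no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0ld admin@other\n' \
    > "$work/server/.ssh/authorized_keys"
install_authorized_key "$work/server" "$work/id_rsa.pub"
install_authorized_key "$work/server" "$work/id_rsa.pub"   # second run adds nothing
echo "private key cipher: $(pem_key_cipher "$work/id_rsa")"
key_usable_by_rxa "$work/id_rsa" 2.3.0.5 && echo "loadable by RXA 2.3.0.5"
pubkey_is_rsa "$work/id_rsa.pub" && echo "id_rsa.pub is a single ssh-rsa line"
private_key_perms_ok "$work/id_rsa" && echo "private key is mode 600"
echo "authorized_keys now reads:"; cat "$work/server/.ssh/authorized_keys"
```

Run it with sh; the self-check leaves its files under the printed temporary directory so you can inspect the resulting authorized_keys. The no-pty stripping in install_authorized_key handles the option both on its own and inside a comma-separated option list, and the duplicate check keys on the base64 blob rather than the whole line so that a key re-installed with a different comment is not appended twice.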