Defining SSH authentication for CLI sessions by using the Web UI

You can define how users are authenticated when using SSH for CLI sessions by using the Web UI.

About this task

You define which users can use an SSH connection to the appliance CLI by using role-based management (see Role based management). You can further control the methods that such users need to use to authenticate themselves to the CLI.

The following methods are available:

No method selected
The user is prompted for both the user name and password. For example:

ssh hostname

login: username
Password: ******

Password
If you specify the Password method, the user specifies their user name as part of invoking SSH. They are then prompted for their password. For example:

ssh user@hostname
Password: ******

Certificate

If you specify the certificate method, then the user is not prompted for any input and authentication uses a CA-signed user certificate.

If RBM is configured to authenticate users with an LDAP server then the distinguished name of the user is determined by using either a fixed prefix and suffix, or by using an LDAP search, as for password authentication. However, an LDAP bind is not performed to authenticate the user with the LDAP server because the user is authenticated by using their SSH certificate instead. The LDAP distinguished name is used as the authenticated identity when performing authorisation checks for consistency with password authentication.

The connection is successful when the invocation provides a signed SSH user certificate that is verified by the CA public key file in the cert: directory on the appliance. With the ssh command, the invocation must include the -i file parameter. For example:

ssh -i my_key user@hostname
Important: You should save the public key for each user certificate when it is issued by the CA. The user's public key must be provided to the appliance if their CA-signed user certificate needs to be revoked (see Managing the SSH revoked keys list for authenticating CLI sessions for the web UI, or ssh-revoked-keys for the CLI).

You can specify both the Password and Certificate methods at the same time. If authentication by using the Certificate method fails, the user is prompted for a password.

When you specify the certificate method, you must create certificates and keys on a client machine using the OpenSSH ssh-keygen command, and upload the CA public key used to sign the user certificates to the appliance. You must then identify that key on the appliance by using the ssh-ca-pubkey-file command.
Note: From 9.3.4, the appliance supports SSH certificates that have either an RSA SHA1 or SHA2 signature. Before 9.3.4, the appliance only supported RSA SHA1 signatures. To generate a SHA2 signature using OpenSSH version 8 or later, specify the -t rsa-sha2-256 or -t rsa-sha2-512 argument to the ssh-keygen commands. To generate a SHA1 signature using OpenSSH version 8 or later, specify -t ssh-rsa. To generate a SHA1 signature using OpenSSH version 7 or earlier, specify -t rsa.
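The client-side steps from the preceding paragraphs, as an added example that is not part of the IBM documentation: a CA key pair, a user key pair, and a user certificate signed with a SHA2 (rsa-sha2-256) signature by using OpenSSH 8 or later. The file names, the user alice and the identity string alice@mqcli are constructed for illustration; only mqcli_ca.pub is uploaded to the appliance cert: directory and named with ssh-ca-pubkey-file.

```shell
#!/bin/sh
# Added example: issue a CA-signed OpenSSH user certificate for appliance CLI login.
# Names (mqcli_ca, alice, alice@mqcli) are constructed for illustration.
set -eu

# Create the CA key pair. Only "$1.pub" goes to the appliance; the private key
# never leaves the signing host.
create_ca() {
    ssh-keygen -q -t rsa -b 3072 -N '' -C "MQ appliance CLI CA" -f "$1"
}

# Create a user key pair and sign its public key with the CA.
#   $1 CA private key, $2 login name used in "ssh user@hostname",
#   $3 validity in ssh-keygen -V syntax (default: 52 weeks from now)
# -t rsa-sha2-256 selects a SHA2 signature (OpenSSH 8+); -t ssh-rsa would give SHA1.
issue_user_cert() {
    ca=$1; user=$2; validity=${3:-+52w}
    ssh-keygen -q -t rsa -b 3072 -N '' -C "$user" -f "${user}_key"
    ssh-keygen -q -s "$ca" -I "${user}@mqcli" -n "$user" -V "$validity" \
        -t rsa-sha2-256 "${user}_key.pub"
    # Keep the user's public key: the appliance needs it to revoke this certificate later.
    mkdir -p issued && cp "${user}_key.pub" "issued/${user}_key.pub"
    printf '%s\n' "${user}_key-cert.pub"
}

# Read fields back from "ssh-keygen -L": first principal, and the signature algorithm
# (the "(using ...)" suffix is printed by recent OpenSSH releases).
cert_principal() {
    ssh-keygen -L -f "$1" | sed -n '/Principals:/{n;s/^ *//;p;q;}'
}
cert_sig_alg() {
    ssh-keygen -L -f "$1" | sed -n 's/^ *Signing CA:.*(using \([^)]*\)).*/\1/p'
}

if command -v ssh-keygen >/dev/null 2>&1; then
    WORKDIR=$(mktemp -d); cd "$WORKDIR"
    create_ca mqcli_ca
    CERT=$(issue_user_cert mqcli_ca alice)
    echo "Issued $CERT for principal $(cert_principal "$CERT"), signed with $(cert_sig_alg "$CERT")"
    echo "Upload mqcli_ca.pub to cert: on the appliance; the user logs in with: ssh -i alice_key alice@hostname"
else
    echo "ssh-keygen (OpenSSH client) not found" >&2
fi
```

The ssh client sends alice_key-cert.pub automatically when -i alice_key is given, so no extra option is needed for the certificate.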

Procedure

  1. Start the IBM® MQ Appliance web UI and click the Administration icon.
  2. Select Access > RBM Settings.
  3. Click the SSH authentication - CLI sessions tab.
  4. For SSH authentication method, select the methods to use to authenticate SSH users.
  5. When the CA-signed user certificate method is selected, select the CA public key file in the cert: directory.
  6. Click Apply to save changes to the running configuration.