Defining SSH authentication for CLI sessions

How to define SSH authentication for CLI sessions.

About this task

You can configure SSH authentication to establish a CLI session in the following ways. For each approach, the login details are illustrative.
No method selected
The user is prompted for both username and password. With the ssh command, the invocation is in the ssh host format.
ssh example.com
login: user
Password: ******
Password selected
The user is prompted for the password. For this method, the username must be part of the invocation. With the ssh command, the invocation is in the ssh username@host format.
ssh user@example.com
Password: ******
CA-signed user certificate
The user is not prompted for input. The identity is extracted from the certificate. When authentication is defined to contact an LDAP server, you can define either of the following setups.
  • Search LDAP for DN
  • LDAP prefix and LDAP suffix to add to the extracted identity.
This setup is not full authentication; it changes only the identity. If no match is found, credential-mapping fails.
The connection is successful when the invocation provides a signed SSH user certificate that is verified by the certificate authority (CA) public key file in the cert: directory. With the ssh command, the invocation must include the -i file parameter.
ssh -i my_key user@example.com

When both CA-signed user certificate and Password are selected, processing first attempts to authenticate with the provided signed SSH user certificate. If that attempt is unsuccessful, the user is prompted for the password.

When the method includes CA-signed user certificate, you must specify the CA public key file for SSH authentication with SSH user certificates. This public key file contains the public key for one or more certificate authorities.
Note: Only certificates with a SHA1 signature are supported. By default, OpenSSH version 8 generates certificates with a SHA2 signature. Depending on the OpenSSH version that you use to create keys, you need to specify different values for the -t argument of the ssh-keygen command.
  • For OpenSSH version 7, use -t rsa to specify the type.
  • For OpenSSH version 8, use -t ssh-rsa to specify the type.
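
Because only SHA1-signed certificates are accepted, it helps to confirm which algorithm the CA actually used before you rely on a certificate. The following added example (not from the product documentation) parses the OpenSSH RSA certificate wire format and reads the signature algorithm; the function names are hypothetical and the sample certificate is constructed with dummy key material.

```python
import base64
import struct

def read_string(buf, off):
    """Read one SSH wire string (uint32 length + bytes); return (value, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated certificate")
    return buf[off + 4:off + 4 + n], off + 4 + n

def cert_signature_algorithm(cert_line):
    """Return the algorithm the CA used to sign an RSA certificate (one *-cert.pub line)."""
    blob = base64.b64decode(cert_line.split()[1])
    key_type, off = read_string(blob, 0)
    if key_type != b"ssh-rsa-cert-v01@openssh.com":
        raise ValueError("not an RSA certificate: %r" % key_type)
    for _ in range(3):           # nonce, public exponent e, modulus n
        _, off = read_string(blob, off)
    off += 8 + 4                 # serial (uint64), certificate type (uint32)
    for _ in range(2):           # key id, valid principals
        _, off = read_string(blob, off)
    off += 8 + 8                 # valid after, valid before (uint64 each)
    for _ in range(4):           # critical options, extensions, reserved, CA public key
        _, off = read_string(blob, off)
    signature, _ = read_string(blob, off)
    algorithm, _ = read_string(signature, 0)   # signature = string algorithm + string blob
    return algorithm.decode("ascii")

def is_sha1_signed(cert_line):
    """True only for the SHA1 'ssh-rsa' signature that the note above says is supported."""
    return cert_signature_algorithm(cert_line) == "ssh-rsa"

def pack_string(value):
    return struct.pack(">I", len(value)) + value

def build_sample_cert(sig_alg):
    """CONSTRUCTED sample: correct field layout, dummy key and signature bytes."""
    p = pack_string
    body = (p(b"ssh-rsa-cert-v01@openssh.com") + p(b"nonce") + p(b"\x01\x00\x01")
            + p(b"\x00\xc1") + struct.pack(">QI", 1, 1) + p(b"user") + p(p(b"user"))
            + struct.pack(">QQ", 0, 2**64 - 1) + p(b"") + p(b"") + p(b"")
            + p(b"dummy-ca-key") + p(p(sig_alg.encode()) + p(b"\x00" * 8)))
    return "ssh-rsa-cert-v01@openssh.com " + base64.b64encode(body).decode() + " user"

if __name__ == "__main__":
    for alg in ("ssh-rsa", "rsa-sha2-512"):
        cert = build_sample_cert(alg)
        print(alg, "->", "SHA1 signature" if is_sha1_signed(cert) else "SHA2 signature, re-sign")
```

For a real certificate, pass the single line from the -cert.pub file that ssh-keygen writes when it signs a key.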

Procedure

  1. In the search field, enter rbm.
  2. From the search results, click RBM settings.
  3. Click the SSH authentication - CLI sessions tab.
  4. For SSH authentication method, select the methods to use to authenticate SSH users.
  5. When CA-signed user certificate is selected, select the CA public key file in the cert: directory.
  6. Click Apply to save changes to the running configuration.
  7. Click Save to save changes to the persisted configuration.