Enabling RSA key-based authentication on UNIX and Linux® operating systems

You can use RSA key-based authentication as an alternative to simple password authentication.

About this task

Depending on whether ssh-keygen is available on the machine where Security Directory Integrator is installed, perform this task on one of the following machines:
  • If ssh-keygen is installed on the machine where Security Directory Integrator is installed, perform this task there. This is the preferred choice, because the private key then never has to leave that machine.
  • If ssh-keygen is not installed or unavailable on that machine, perform this task on the managed resource and copy the private key to the Security Directory Integrator machine afterward (step 7).


  1. Use the ssh-keygen tool to create a key pair.
    1. Log in as the administrator user defined on the service form.
    2. Start the ssh-keygen tool. Issue the following command.
      mydesktop$ ssh-keygen -t rsa
    3. At the following prompt, accept the default or enter the file path where you want to save the key pair and press Enter.
      Generating public/private rsa key pair.
      Enter file in which to save the key (/home/root/.ssh/id_rsa):
    4. At the following prompt, accept the default or enter the passphrase and press Enter.
      Enter passphrase (empty for no passphrase): passphrase
    5. At the following prompt, confirm your passphrase selection and press Enter.
      Enter same passphrase again: passphrase
      This example is a sample of the system response:
      Your identification was saved in /home/root/.ssh/id_rsa.
      Your public key was saved in /home/root/.ssh/id_rsa.pub. 
      The key fingerprint is this value:
      2c:3f:a4:be:46:23:47:19:f7:dc:74:9b:69:24:4a:44 root@ps701
      Note: Although the ssh-keygen tool accepts a blank passphrase, the passphrase is required on the service form, so choose a non-empty one.
      Note: OpenSSH 7.8 and later save the private key in the newer OpenSSH format (the file begins with -----BEGIN OPENSSH PRIVATE KEY-----) by default. To obtain the PEM format shown in step 2, add the -m PEM option to the ssh-keygen command.
  2. Validate that the keys were generated.
    1. Issue the following commands.
      mydesktop$ cd $HOME/.ssh
      mydesktop$ ls -l
      A sample system response is:
      -rw------- 1 root   root   883 Jan 21 11:52 id_rsa
      -rw-r--r-- 1 root   root   223 Jan 21 11:52 id_rsa.pub
    2. Issue the following command to check the format of the private key. The Proc-Type and DEK-Info lines show that the key is encrypted with the passphrase and which cipher protects it; the cipher matters for step 8. Treat this output as a credential and do not paste it into logs or tickets.
      mydesktop$ cat id_rsa
      A sample system response, with the encrypted key body omitted, is:
      -----BEGIN RSA PRIVATE KEY-----
      Proc-Type: 4,ENCRYPTED
      DEK-Info: DES-EDE3-CBC,7F4CF1E209817BA0
      -----END RSA PRIVATE KEY-----
    3. Issue the following command.
      mydesktop$ cat id_rsa.pub
      A sample system response, truncated to the end of the single line, is:
      vTE6nE= root@ps0701
  3. Enable key-based authentication in the sshd_config file, in the /etc/ssh directory on the SSH server.
    1. Ensure that the following lines exist in the sshd_config file:
      # Should we allow Identity (SSH version 1) authentication?
      RSAAuthentication yes
      # Should we allow Pubkey (SSH version 2) authentication?
      PubkeyAuthentication yes
      # Where do we look for authorized public keys?
      # If it doesn't start with a slash, then it is
      # relative to the user's home directory
      AuthorizedKeysFile .ssh/authorized_keys
      Note: PubkeyAuthentication yes is the setting that enables the SSH-2 key-based authentication used here. RSAAuthentication applies only to SSH protocol 1; OpenSSH 7.4 and later no longer support protocol 1 on the server and report RSAAuthentication as a deprecated option, so omit that line on those versions.
    2. Restart the SSH server so that the changes take effect.
  4. Copy the id_rsa.pub public key file to the SSH server, for example to the home directory of the administrator user. Copy only the public key in this step.
  5. If you have an existing authorized_keys file, edit it to remove any no-pty options from the key entries.
  6. Add the public key to the authorized_keys file in the $HOME/.ssh directory. With the copied id_rsa.pub in the home directory and $HOME/.ssh as the current directory, issue the following command.
    ssh-server$ cat ../id_rsa.pub >> authorized_keys
    Note: This command appends the RSA public key to $HOME/.ssh/authorized_keys. If the file does not exist, the command creates it. With the default StrictModes setting, sshd ignores authorized_keys if that file, the .ssh directory, or the home directory is writable by group or others, so keep .ssh at mode 700 and authorized_keys at mode 600.
  7. Copy the id_rsa private key file to the client workstation where Security Directory Integrator is running. Use a secure channel such as scp, and if the key pair was generated on the managed resource, remove the private key from the managed resource after the copy.
  8. Set the private key permissions. If the Security Directory Integrator server is UNIX or Linux, use chmod to set the permissions of the private key file to 600 (owner read and write only), matching the ls -l output shown in step 2.
    • Result: when you log in to the server from the client computer, you are prompted for the passphrase of the key instead of the user password.
    • The cipher that matters for Security Directory Integrator is the one that ssh-keygen used to encrypt the private key file with the passphrase (the DEK-Info line in step 2), not the cipher that the SSH connection negotiates. If the installed ssh encrypts the private key with the AES-128-CBC cipher, RXA cannot read the private key from the file, and RSA key-based authentication does not work. To support RSA key-based authentication, take one of the following actions:
      • Install an ssh whose ssh-keygen encrypts the private key with the DES-EDE3-CBC cipher.
      • Install the RXA package in your environment. This RXA package supports the AES-128-CBC cipher.

        RXA is included in the base release of Security Directory Integrator version 7.1.1, and is also available in Security Directory Integrator version 7.0 fix pack 8 and Security Directory Integrator version 7.1 fix pack 7.
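The following POSIX shell helpers are an added example and are not part of the Security Directory Integrator documentation or product. They cover the checks a practitioner wants around the procedure above: reading the DEK-Info header to learn which cipher protects the private key file (the DES-EDE3-CBC versus AES-128-CBC question in step 8), checking the permissions that sshd's StrictModes requires, and adding the public key to authorized_keys while removing no-pty options and avoiding duplicate entries (steps 5 and 6). The function names, the scratch directory, and the key material are constructed for illustration; the key lines are placeholders, not usable keys.

```shell
#!/bin/sh
# Added example, not part of the Security Directory Integrator documentation.
# Helpers for the key-based authentication procedure: private key file cipher
# (step 8), StrictModes permissions, and safe authorized_keys updates
# (steps 5 and 6). File names and key material are constructed placeholders.

# Print the cipher named in the PEM "DEK-Info:" header of a private key file.
# Prints "openssh-format" for the newer "BEGIN OPENSSH PRIVATE KEY" files that
# OpenSSH 7.8+ writes by default ("ssh-keygen -m PEM" gives the PEM form), and
# "unencrypted" for a PEM key saved with an empty passphrase.
key_file_cipher() {
    if grep -q 'BEGIN OPENSSH PRIVATE KEY' "$1"; then
        echo openssh-format
        return 0
    fi
    cipher=$(sed -n 's/^DEK-Info: *\([^,]*\),.*/\1/p' "$1")
    [ -n "$cipher" ] && echo "$cipher" || echo unencrypted
}

# Return 0 when the key file is in the form the page says Security Directory
# Integrator reads without the RXA package (PEM encrypted with DES-EDE3-CBC).
key_readable_without_rxa() {
    [ "$(key_file_cipher "$1")" = "DES-EDE3-CBC" ]
}

# Return 0 when the path is neither group- nor world-writable. With StrictModes
# (the sshd default) authorized_keys is ignored when it, ~/.ssh or the home
# directory fails this check. Reads the mode string from ls -ld (portable).
not_group_or_world_writable() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?????w*|????????w?) return 1 ;;
    esac
    return 0
}

# Print "<type> <base64>" for the key on each line of a public key or
# authorized_keys file, skipping any leading options such as no-pty.
key_type_and_blob() {
    awk '{ for (i = 1; i <= NF; i++)
             if ($i ~ /^(ssh-|ecdsa-)/) { print $i, $(i + 1); break } }' "$1"
}

# Append the public key in $1 (an id_rsa.pub file) to the authorized_keys file
# $2: create it with mode 600 if missing, strip no-pty from existing entries
# (step 5) and skip the append when the same key is already listed.
install_authorized_key() {
    pub=$1
    auth=$2
    [ -f "$auth" ] || { : > "$auth"; chmod 600 "$auth"; }
    tmp="$auth.tmp.$$"
    sed -e 's/^no-pty,//' -e 's/,no-pty\([, ]\)/\1/' -e 's/^no-pty //' "$auth" > "$tmp"
    keyblob=$(key_type_and_blob "$pub")
    if ! key_type_and_blob "$tmp" | grep -qxF "$keyblob"; then
        awk '{ print }' "$pub" >> "$tmp"   # awk guarantees a trailing newline
    fi
    cat "$tmp" > "$auth"                    # keep the mode and inode of $auth
    rm -f "$tmp"
}

# Demonstration on constructed files in a scratch directory.
demo() {
    work=$(mktemp -d)
    chmod 700 "$work"
    # Constructed PEM header in the style of the step 2 sample; no key body.
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: DES-EDE3-CBC,7F4CF1E209817BA0' '-----END RSA PRIVATE KEY-----' > "$work/id_rsa"
    chmod 600 "$work/id_rsa"
    # Constructed public key line and an existing no-pty entry for another key.
    printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0example== root@ps701' > "$work/id_rsa.pub"
    printf '%s\n' 'no-pty,no-port-forwarding ssh-rsa AAAAother== admin@other' > "$work/authorized_keys"
    chmod 600 "$work/authorized_keys"

    printf 'id_rsa cipher: %s\n' "$(key_file_cipher "$work/id_rsa")"
    key_readable_without_rxa "$work/id_rsa" && echo 'readable without RXA' || echo 'needs the RXA package'
    for f in "$work" "$work/authorized_keys" "$work/id_rsa"; do
        if not_group_or_world_writable "$f"; then echo "permissions ok: $f"; fi
    done
    install_authorized_key "$work/id_rsa.pub" "$work/authorized_keys"
    install_authorized_key "$work/id_rsa.pub" "$work/authorized_keys"   # no duplicate on rerun
    echo 'authorized_keys now:'
    cat "$work/authorized_keys"
    rm -rf "$work"
}
demo
```

In a real run, replace the constructed files with the id_rsa and id_rsa.pub that ssh-keygen produced and point install_authorized_key at $HOME/.ssh/authorized_keys on the SSH server. Before restarting sshd in step 3, sshd -t checks the configuration file for syntax errors, which is cheaper than discovering them after the daemon refuses to start.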