Creating a certificate for SSH protocol
Before you install the Storage Resource agents by using the SSH protocol, you can optionally create a certificate. The "certificate" in this procedure is an SSH key pair: the server presents the private key to the agent machine, and the agent machine trusts the matching public key in its authorized_keys file, so no root password is needed for the installation.
Creating a certificate for SSH protocol (non-Windows)
The Storage Resource agent supports only two forms of the private key that the server uses for SSH communication with the agent: a key encrypted with DES-EDE3-CBC, or a key with no encryption. Which form ssh-keygen produces depends on the OpenSSH release, not on the platform alone: older OpenSSH releases on UNIX wrote a passphrase-protected key with DES-EDE3-CBC, Cygwin on Windows writes AES-128-CBC when a passphrase is specified, and recent OpenSSH releases write their own key format (first line -----BEGIN OPENSSH PRIVATE KEY-----) rather than PEM. If there is no passphrase, the private key is generated without encryption. Check the file before you use it: a key that the agent accepts begins with -----BEGIN RSA PRIVATE KEY----- and either has no DEK-Info line or has a line beginning DEK-Info: DES-EDE3-CBC. If the key is in any other form, generate it with openssl genrsa -des3 as shown in the Cygwin procedure below.
To create a certificate for SSH protocol, complete the following steps:
- Log in to the remote machine as the root user. Use an SSH client for this login; Telnet sends the root password in clear text.
- To create an SSH certificate on AIX®, you must first install the following packages (if not already installed): openssl.base, openssh.base.client, openssh.base.server
- Go to the directory where you want to create the certificate. This is the .ssh directory of the root user; it must exist and be readable and writable only by root, otherwise sshd rejects the key:
cd ~/.ssh
- Enter ssh-keygen -t rsa. Accept the default file name (id_rsa). If your OpenSSH release writes the key in a form other than unencrypted or DES-EDE3-CBC PEM (check the first lines of the file), create the key with openssl genrsa -des3 as in the Cygwin procedure below instead.
- Enter a passphrase when prompted. The private key is stored encrypted only if you give one; an empty passphrase produces an unencrypted key that anyone who can read the file can use.
- Two files are created:
  - id_rsa: the private key.
  - id_rsa.pub: the public key.
- Create an authorized_keys file in the same location as id_rsa.pub by entering the following command:
cat id_rsa.pub >> authorized_keys
Only the public key goes into authorized_keys; never append id_rsa, the private key, to it.
- Copy the id_rsa file (the private key) to your server machine, for example to c:\keys\id_rsa on the IBM Spectrum Control server. Copy it in binary mode over a secure channel (for example, scp or sftp) and restrict read access on the server to the account that runs the installation: anyone who can read the file and knows the passphrase can log in as root on the agent machine. Here is the complete sequence on the agent machine (user responses are in boldface type):
  # ssh-keygen
  Generating public/private rsa key pair.
  Enter file in which to save the key (//.ssh/id_rsa):
  Enter passphrase (empty for no passphrase):
  Enter same passphrase again:
  Your identification has been saved in //.ssh/id_rsa.
  Your public key has been saved in //.ssh/id_rsa.pub.
  The key fingerprint is:
  xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx root@server
  # cat id_rsa.pub >> authorized_keys
  # ls -l
  total 24
  -rw-r--r--   1 root     system          399 Oct 15 09:40 authorized_keys
  -rw-------   1 root     system         1743 Oct 15 09:39 id_rsa
  -rw-r--r--   1 root     system          399 Oct 15 09:39 id_rsa.pub
  #
Note: You must copy the file in binary mode.
- To connect to the remote system by using the private key, enter the following information in the Remote Agent Machines window of the GUI, when you install the Storage Resource agent:
  - User
  - Certificate Location (c:\keys\id_rsa)
  - Passphrase
Setting up an SSH daemon on Windows
On Windows you must run the ssh-host-config command. You must be in a Cygwin window or an X terminal to create the sshd service. In most cases, you click the cygwin.bat file to start the Bash shell.
- Install Cygwin.
- Set up your sshd service in Cygwin.
- Create the certificate.
- Installing Cygwin
- To install Cygwin, go to http://cygwin.com. This page contains a link that displays help for the setup program and a link to download the setup program. Read the help before running the setup program. Then download the Cygwin program by clicking the Install Cygwin now link. Start the setup program on your computer by running the setup.exe program. Select the appropriate download option (Install from Internet, Download from Internet, or Install from Local Directory) as described in the help files.
If you are upgrading from an older version of Cygwin to a newer version, you need to remove the sshd service before installing the new version of Cygwin.
Accept the default installation options as they are presented to you (Root Directory, Install For, Default Text File Type, and so on). Select a download mirror that is geographically close to your location. Some sites require an FTP account before you can install Cygwin. You can either request an account or simply select another mirror.
During the installation process, a Select Packages list is displayed. Expand the plus sign (+) next to the Admin category and select cygrunsrv and the Bin check box. Expand the plus sign (+) next to the Net category and select openssh. Expand the plus sign (+) next to the Util category and select diffutils. Click Next to resume the setup program. The time required to download the packages depends on how busy the mirror is, and on the speed of your internet connection. With openssh and cygrunsrv, the downloaded files require approximately 70 MB of disk space. Allow 20 minutes to 30 minutes for the download and installation to complete.
- Setting up your sshd service in Cygwin
Here is an example of the sequence of steps and responses. The responses to the prompts are in boldfaced type.
- Run the ssh-host-config command. Note: With Cygwin, you might experience permission problems when running the ssh-host-config command. If you have permission problems, run these commands:
  chmod +r /etc/passwd
  chmod +r /etc/group
  chmod 777 /var
  chmod 777 /var makes the whole /var tree world-writable. Use it only to get past the configuration script and tighten the permissions again afterwards; sshd refuses to start if its privilege separation directory /var/empty is group- or world-writable.
  $ ssh-host-config
  *** Info: Generating missing SSH host keys
  *** Query: Overwrite existing /etc/ssh_config file? (yes/no) yes
  *** Info: Creating default /etc/ssh_config file
  *** Query: Overwrite existing /etc/sshd_config file? (yes/no) yes
  *** Info: Creating default /etc/sshd_config file
  *** Info: StrictModes is set to 'yes' by default.
  *** Info: This is the recommended setting, but it requires that the POSIX
  *** Info: permissions of the user's home directory, the user's .ssh
  *** Info: directory, and the user's ssh key files are tight so that
  *** Info: only the user has write permissions.
  *** Info: On the other hand, StrictModes don't work well with default
  *** Info: Windows permissions of a home directory mounted with the
  *** Info: 'noacl' option, and they don't work at all if the home
  *** Info: directory is on a FAT or FAT32 partition.
  *** Query: Should StrictModes be used? (yes/no) no
  *** Info: Updating /etc/sshd_config file
  *** Query: Do you want to install sshd as a service?
  *** Query: (Say "no" if it is already installed as a service) (yes/no) yes
  *** Query: Enter the value of CYGWIN for the daemon: [] ntsec
  *** Info: On Windows Server 2003, Windows Vista, and above, the
  *** Info: SYSTEM account cannot setuid to other users -- a capability
  *** Info: sshd requires. You need to have or to create a privileged
  *** Info: account. This script will help you do so.
  *** Info: It's not possible to use the LocalSystem account for services
  *** Info: that can change the user id without an explicit password
  *** Info: (such as passwordless logins [e.g. public key authentication]
  *** Info: via sshd) when having to create the user token from scratch.
  *** Info: For more information on this requirement, see
  *** Info: https://cygwin.com/cygwin-ug-net/ntsec.html#ntsec-nopasswd1
  *** Info: If you want to enable that functionality, it's required to create
  *** Info: a new account with special privileges (unless such an account
  *** Info: already exists). This account is then used to run these special
  *** Info: servers.
  *** Info: Note that creating a new user requires that the current account
  *** Info: have Administrator privileges itself.
  *** Info: No privileged account could be found.
  *** Info: This script plans to use 'cyg_server'.
  *** Info: 'cyg_server' will only be used by registered services.
  *** Query: Do you want to use a different name? (yes/no) no
  *** Query: Create new privileged user account 'local_address\cyg_server'
  *** Query: (Cygwin name: 'cyg_server')? (yes/no) yes
  *** Info: Please enter a password for new user cyg_server. Please be sure
  *** Info: that this password matches the password rules given on your system.
  *** Info: Entering no password will exit the configuration.
  *** Query: Please enter the password: password
  *** Query: Reenter: password
  *** Info: User 'cyg_server' has been created with password 'password'.
  *** Info: If you change the password, please remember also to change the
  *** Info: password for the installed services which use (or will soon use)
  *** Info: the 'cyg_server' account.
  *** Info: The sshd service has been installed under the 'cyg_server'
  *** Info: account. To start the service now, call `net start sshd' or
  *** Info: `cygrunsrv -S sshd'. Otherwise, it will start automatically
  *** Info: after the next reboot.
  *** Info: Host configuration finished. Have fun!
  Two responses in this example weaken the host and should be revisited once the service works. Answering no to StrictModes stops sshd from refusing a login when the home directory, the .ssh directory or the authorized_keys file is writable by other users; answer yes if the home directory is on NTFS with the POSIX permissions described in the prompt. The value password is only a placeholder: cyg_server is a privileged account that runs the service, so give it a strong password and record it, because the service stops starting if the account password and the credentials stored for the service disagree.
- Start the sshd service:
  - Open a command prompt window.
  - Enter net start sshd, or in a Bash prompt, enter cygrunsrv -S sshd.
- Verify that the daemon is running:
  - Enter ps -a. Examine the output to see if /usr/sbin/sshd is contained in the list of running processes.
  To stop the service from a Windows command prompt, enter net stop sshd. Alternatively, change to the C:\cygwin\bin directory (or open a Bash shell) and enter cygrunsrv -E sshd.
- When you have started the sshd service, test it by entering the following command from a Bash shell prompt:
  ssh localhost
  or
  ssh host_name
  If localhost does not work, use the short host name. If you receive a message indicating that the authenticity of localhost cannot be established, answer yes to the question "Are you sure you want to continue connecting?"; this is expected on the first connection, because the host key that ssh-host-config just generated is not yet in your known_hosts file. When prompted for your account password on localhost, enter the password you use when logging in to the computer.
- Set the TEMP environment variable. For information about setting the environment variable, see http://www.cygwin.com/cygwin-ug-net/setup-env.html. Here is an example of setting the environment variable:
  - Open the Environment Variables dialog of the Windows System Properties.
  - Under System variables, find out the value of TEMP. For example, "C:\WINNT\TEMP".
  - Set the TEMP environment variable to point to the Cygwin format of that path in the ~/.bashrc file. Uncomment and modify this line in the ~/.bashrc file from the default
  # export TEMP=/tmp
  to
  export TEMP=/cygdrive/c/WINNT/temp
The Cygwin sshd service must be added as a service that starts automatically. To verify this step, open the Windows Services console and look for CYGWIN sshd in the name list. Verify that it is started and configured to start automatically.
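The ssh-host-config example above answers no to StrictModes, which turns off sshd's check that nobody but the user can write to the home directory, the .ssh directory and authorized_keys. The script below is an added example, not part of the IBM documentation or of Cygwin: it performs that check for a given home directory and tightens the permissions so that StrictModes can be left at yes. Function names are mine; the three paths and the no-group-or-other-write rule are sshd's StrictModes behaviour (sshd also checks ownership, which this script does not cover). It uses ls -ld rather than stat because the stat options differ between AIX, Linux and Cygwin.

```shell
#!/bin/sh
# Added example, not from the IBM documentation: StrictModes pre-check
# and fix for a home directory. Function names are mine.

# Exit 0 when the ls -ld mode string of the path has a group write bit
# (position 6) or an other write bit (position 9); cut drops any ACL
# marker that some systems append as an 11th character.
group_or_other_writable() {
  mode=$(ls -ld "$1" | cut -c1-10)
  case "$mode" in
    ?????w????|????????w?) return 0 ;;
    *)                     return 1 ;;
  esac
}

# Exit 0 when every path that StrictModes inspects (home, home/.ssh,
# home/.ssh/authorized_keys) is free of group/other write access.
# Missing paths are skipped; each offending path is reported on stderr.
strictmodes_ok() {
  home=$1
  bad=0
  for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
    if [ -e "$p" ] && group_or_other_writable "$p"; then
      echo "StrictModes would reject $p ($(ls -ld "$p" | cut -c1-10))" >&2
      bad=1
    fi
  done
  return $bad
}

# Apply the usual fix: home not group/other writable, .ssh mode 700,
# authorized_keys mode 600. Always returns 0 so it is safe under set -e.
fix_strictmodes() {
  home=$1
  chmod go-w "$home"
  if [ -d "$home/.ssh" ]; then chmod 700 "$home/.ssh"; fi
  if [ -f "$home/.ssh/authorized_keys" ]; then chmod 600 "$home/.ssh/authorized_keys"; fi
  return 0
}

# Usage on the sshd host, as the account that owns the home directory:
#   . ./strictmodes.sh; strictmodes_ok "$HOME" || fix_strictmodes "$HOME"
```

Run it before answering the StrictModes question, or after the fact and then set StrictModes yes in /etc/sshd_config and restart the service. If the home directory is on FAT/FAT32 or mounted with noacl, the prompt's warning still applies and the fix cannot take effect.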
- Creating the certificate
- Run this command:
cd ~/.ssh
Generate the private key with openssl rather than with ssh-keygen: on Cygwin, ssh-keygen protects a passphrase-protected key with AES-128-CBC, which the Storage Resource agent does not accept, whereas openssl genrsa -des3 writes the DES-EDE3-CBC form that it does. The passphrase is required. Use a 2048-bit modulus or larger; 1024-bit RSA is too weak for a new key. Then derive the OpenSSH public key from that same private key with ssh-keygen -y and append it to authorized_keys, so that the key the server presents and the key the agent machine trusts belong to the same pair.
From the Bash shell prompt, here is an example of the input and output (user responses are in boldface type):
  Administrator ~/.ssh
  $ openssl genrsa -des3 -out key 2048
  Generating RSA private key, 2048 bit long modulus
  ..........................................++++++
  .........................................................................++++++
  e is 65537 (0x10001)
  Enter pass phrase for key: passphrase
  Verifying - Enter pass phrase for key: passphrase
  Administrator ~/.ssh
  $ chmod 600 ~/.ssh/key
  Administrator ~/.ssh
  $ ssh-keygen -y -f key > key.pub
  Enter passphrase: passphrase
  Administrator ~/.ssh
  $ cat key.pub >> authorized_keys
  $
- Copy the private key file (key in the example above) to the IBM Spectrum Control server in binary mode, for example to c:\keys\id_rsa.
- To connect to the remote system by using the private key, enter the following information in the GUI, when you install the Storage Resource agent:
  - User
  - Certificate Location (c:\keys\id_rsa)
  - Passphrase
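The key-format constraint stated at the start of this page (DES-EDE3-CBC or no encryption) is easy to get wrong, because the cipher ssh-keygen picks depends on the OpenSSH release. The following script is an added example, not part of the IBM documentation or of the Storage Resource agent: key_encryption reads the PEM header of a private key file, agent_compatible reports whether the agent would accept it, and gen_agent_key wraps the openssl and ssh-keygen -y commands from the Cygwin procedure into one step for either platform. Function names and the sample files (real headers with a placeholder body, not usable keys) are constructed for this example; the note that OpenSSL 3.x needs -traditional to write the old PEM form comes from my own knowledge of that tool, not from the page.

```shell
#!/bin/sh
# Added example; not from the IBM documentation or the Storage Resource agent.
# Classify how a private key file is protected, decide whether the agent can
# use it (DES-EDE3-CBC or unencrypted traditional PEM only), and generate a
# compatible key. Function names are mine; the PEM headers are the ones that
# OpenSSL and OpenSSH write.

# Print the protection scheme of a private key file:
#   none             BEGIN RSA PRIVATE KEY without a DEK-Info line
#   <cipher>         BEGIN RSA PRIVATE KEY with "DEK-Info: <cipher>,<iv>",
#                    e.g. DES-EDE3-CBC (accepted) or AES-128-CBC (rejected)
#   openssh-native   BEGIN OPENSSH PRIVATE KEY (ssh-keygen default since OpenSSH 7.8)
#   pkcs8-encrypted  BEGIN ENCRYPTED PRIVATE KEY (OpenSSL 3.x genrsa without -traditional)
#   unknown          anything else
key_encryption() {
  first=$(head -n 1 "$1")
  case "$first" in
    '-----BEGIN OPENSSH PRIVATE KEY-----')    echo openssh-native; return 0 ;;
    '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo pkcs8-encrypted; return 0 ;;
    '-----BEGIN RSA PRIVATE KEY-----')       ;;
    *)                                       echo unknown; return 0 ;;
  esac
  cipher=$(sed -n 's/^DEK-Info: *\([^,]*\),.*$/\1/p' "$1" | head -n 1)
  if [ -n "$cipher" ]; then echo "$cipher"; else echo none; fi
}

# Exit 0 if the Storage Resource agent accepts the key, 1 otherwise.
agent_compatible() {
  case "$(key_encryption "$1")" in
    none|DES-EDE3-CBC) return 0 ;;
    *)                 return 1 ;;
  esac
}

# One line per file: ok/REJECT, scheme, path.
report() {
  for f in "$@"; do
    if agent_compatible "$f"; then s=ok; else s=REJECT; fi
    printf '%-7s %-16s %s\n' "$s" "$(key_encryption "$f")" "$f"
  done
}

# Create a key the agent accepts: 2048-bit RSA, traditional PEM, DES-EDE3-CBC
# (openssl prompts twice for the passphrase), then derive the OpenSSH public
# key from that same private key with ssh-keygen -y (prompts once more).
# OpenSSL 3.x writes PKCS#8 unless -traditional is given, so add it when the
# installed build lists that option. Files are created mode 600 via the umask.
gen_agent_key() {
  out=$1
  if openssl genrsa -help 2>&1 | grep -q -- '-traditional'; then trad=-traditional; else trad=; fi
  ( umask 077 && openssl genrsa -des3 $trad -out "$out" 2048 ) || return 1
  ( umask 077 && ssh-keygen -y -f "$out" > "$out.pub" ) || return 1
  agent_compatible "$out" || { echo "unexpected key form: $(key_encryption "$out")" >&2; return 1; }
  echo "append $out.pub to ~/.ssh/authorized_keys on the agent machine,"
  echo "and copy $out in binary mode to the server as the Certificate Location file"
}

# Constructed sample files: genuine headers, placeholder body, NOT usable keys.
write_samples() {
  d=$1
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: DES-EDE3-CBC,0123456789ABCDEF' '' 'Zm9vYmFy' \
    '-----END RSA PRIVATE KEY-----' > "$d/des3.pem"
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF' '' 'Zm9vYmFy' \
    '-----END RSA PRIVATE KEY-----' > "$d/aes.pem"
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Zm9vYmFy' \
    '-----END RSA PRIVATE KEY-----' > "$d/plain.pem"
  printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'Zm9vYmFy' \
    '-----END OPENSSH PRIVATE KEY-----' > "$d/native.key"
}

# Usage:  . ./agentkey.sh; report ~/.ssh/id_rsa     or     gen_agent_key ~/.ssh/key
```

Run report against the file you intend to copy to the server before you start the installation; a REJECT line for AES-128-CBC is the Cygwin case described above, and one for openssh-native means the OpenSSH release wrote its own format, so generate the key with gen_agent_key (or the openssl commands in the Cygwin procedure) instead.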