Wednesday, December 19, 2007

Authentication

The first three chapters of this book focus on the various aspects of SSH servers
and SSH clients. I now shift the focus from the actual packages of SSH to the
detailed options and optimal uses of SSH. The first topic is authentication.
Authentication is the process of determining if an entity is actually who or
what it claims to be. The entity can be a person, a server, an application, a service,
or even a process. In most networks, authentication is commonly used
with usernames and passwords. In this type of authentication, the password is
the only object that guarantees that the entity is actually what it claims to be.
While users can choose and change their own passwords for successful
authentication, the fact that passwords are often stolen, shared, sticky-noted (a
manual technique of writing passwords on a Post-It note and sticking it to a
monitor), or simply forgotten makes the use of passwords for authentication a
less-than-ideal solution.
Since passwords may not be the best solution for sensitive information or for
hostile environments, SSH offers the use of a more stringent authentication
process. The use of public keys or digital certifications can be the required
method of authentication across any SSH environment that uses sensitive information
or transcends hostile networks, such as the Internet or internal networks.
Furthermore, since authorization is highly dependant on authentication, the
authentication process needs to be as strong as possible, since most authorization
processes do not perform a second layer of error checking for validity.
This chapter’s focus is common authentication methods used in SSH, primarily
passwords, host-based authentication, and public keys. The chapter
summarizes some of the other authentication options available via SSH, such
as server authentication, where the client authenticates the server, and generaloption
authentication settings. The order of the discussions is as follows:
■■ General options
■■ Passwords
■■ Host-based authentication
■■ Server authentication
■■ Public keys
General Options
SSH offers several general authentication options depending on the type of
SSH server deployed. The options range from valid password attempts to the
use of blank passwords. The following paragraphs describe the SSH servers
and the authentication options they provide.
SSH Communications’ SSH server (Windows)
SSH Communications’ SSH server offers a few options for authentication.
Open the SSH Server configuration screen (Start ➪ Programs ➪ SSH Secure
Shell Server ➪Configuration) and highlight the User Authentication section of
the screen. See Figure 4.1 for the authentication screen.
Tables 4.1 through 4.3 describe the general authentication options for SSH
Communications’ SSH server.
Table 4.1 describes the general user-authentication options. Parameters
such as login grace time, number of retries, and delay between retries can be
configured.
Table 4.2 describes the user-authentication password options under the
password section. Parameters such as password authentication, empty password
permissions, and keyboard interactive can be configured.
Table 4.3 describes the user authentication public key options under the
public key section. Parameters such as public key authentication, key directory,
and authorization file can be configured.
Table 4.1 User-Authentication Options
OPTION DESCRIPTION
Login grace time Sets the amount of time the user has to complete
the authentication process. Specifically, from the
time the user initiates the connection to the time
the user enters a username/password or privatekey
password
Retries – Number of Retries Stipulates the number of times a user can attempt
to log in
Retries – Delay between tries Specifies the duration between retries
Table 4.2 User-Authentication Password Options
OPTION DESCRIPTION
Password authentication Allows, requires, or denies password
authentication
Permit empty passwords Enables blank passwords to be used for accounts
Keyboard interactive Permits keyboard-interactive authentication with
password authentication
Table 4.3 User-Authentication Public-Key Options
OPTION DESCRIPTION
Public-key authentication Allows, requires, or denies public-key
authentication.
Table 4.3 (continued)
OPTION DESCRIPTION
User-key directory Specifies the directory where the user’s public key
will be stored. The default is %D\.ssh2, which is
the users’ home directory in the .ssh2 folder (for
example, /home//.ssh2 on Unix and
Documents and Settings\\.ssh2 on
Windows).
Authorization file Stores a valid list of public keys that will be
authorized for public-key authentication. The
default is the authorization file, which is stored in
the users’ home directory (for example,
/home//.ssh2 on Unix and
Documents and Settings\\.ssh2 on
Windows).
SSH Communications’ SSH Server (Unix)
The SSH server for Unix offers authentication options similar to the Windows
platform. One difference is that the Windows Server configuration screen is
simply a GUI that points to the SSH configuration file, which is sshd2_config;
the Unix version of the SSH Communications’ server does not use a GUI but
directly uses the configuration file itself. To view the authentication options,
enter the following commands.
#cd /etc/ssh2
#more sshd2_config
Options in the authentication section are listed in Table 4.4, along with a
description of each option.
Table 4.4 Authentication
OPTION DESCRIPTION
BannerMessageFile Denotes the location of the file that contains the
banner message, such as “The only way to win is
not to play.” Default path is
/etc/ssh2/ssh_banner_message.
PasswordGuesses Specifies the number of attempts a user has in
order to enter the correct password.
Table 4.4 (continued)
OPTION DESCRIPTION
AllowedAuthentication Indicates the types of authentication methods that
are allowed by the SSH server. Options include
hostbased, publickey, password, and PAM.
RequiredAuthentication Names the types of authentication methods
required by the SSH server. Options include
hostbased, publickey, password, and PAM.
HostbasedAuthForce Forces a DNS match for authentication. Possible
ClientHostnameDNSMatch choices are yes and no.
SshPAMClientPath States the location of the PAM client, if a PAM
client is used
VShell SSH Server
VanDyke Software’s VShell SSH server offers a few options for authentication.
Open the VShell configuration screen (Start ➪ Programs ➪ VShell ➪ VShell)
and highlight the Authentication section of the screen. (See Figure 4.2.)
Table 4.5 describes the general authentication options for VShell.
Table 4.5 Authentication Options for VShell
OPTION DESCRIPTION
Limit failed attempts to Restricts the number of failed attempts a user can
have before the session is disconnected.
Time authentication after Sets the amount of time the user has to complete
the authentication process. Specifically, from the
time the user initiates the connection to the time
the user enters a username/password or privatekey
password.
Required authentication Requires a password for authentication.
methods—Password
Required authentication Requires a public key for authentication.
methods—Public Key
Required authentication Sets the number of times a user can log in with
methods—Public Key Uploads only a password in order to upload a public key.
The feature is very useful if public-key
authentication is the only method for
authentication, giving the user a method to upload
a public key.
Public-key folder Specifies the location where the users’ public keys
will be stored. The default is Program Files\VShell\
Publickey\.
OpenSSH (Unix and Windows)
OpenSSH server offers similar authentication options to those of VShell and
SSH Communications’ SSH server. To view the authentication options, enter
the following commands:
#cd /etc/ssh
#more sshd_config
or
c:\cd “Program Files”\OpenSSH\ssh
c:\notepad sshd_config
The options for the authentication section for OpenSSH are described in
Table 4.6.
Table 4.6 Authentication Options for OpenSSH
OPTION DESCRIPTION
LoginGraceTime Specifies the amount of time the user has to
complete the authentication process. Specifically,
from the time the user initiates the connection to
the time the user enters a username/password or
private key password.
PermitRootLogin Allows (yes) or disallows (no) the root user to log
in to the SSH session. Best practice is to restrict
root access and have authorized users ‘su’ to root.
StrictModes Enables (yes) or disables (no) the checking of a
user’s permission in his or her home directory and
rhosts files before accepting authentication. This
should be set to yes to protect against worldwriteable
files in home directories.
RSA Authentication Allows RSA authentication.
Publickey Authentication Allows public-key authentication; possible values
are yes and no.
AuthorizedKeysFile Names the path to the authorized key-validation
file on the SSH server. The default is
.ssh/authorized_keys, which is the users’ home
directory in the .ssh folder (for example,
/home//.ssh/authorized_keys on
Program Files\OpenSSH\.ssh on Windows).
Rhost Authentication Permits rhosts authentication for RSH
RhostsRSA Authentication Allows rhosts authentication from RSA host keys
Hostbased Authentication Authorizes host-based authentication
Password Authentication Enables (yes) or disables (no) password
authentication
PermitEmptyPasswords Allows (yes) or disallows (no) the use of blank
passwords
Passwords
Password authentication is the basic method of authentication for SSH. SSH
servers support authentication for both Windows and Unix platforms. SSH
servers on Unix platforms have two methods for password authentication:
■■ /etc/passwd or /etc/shadow
■■ PAM (Pluggable Authentication Module)
Similarly, password authentication on Windows supports the use of the
SAM (Security Accounts Manager) database file, located at %System-
Root%\winnt\system32\config, or the NTDS.DIT database file, located at
%SystemRoot%\NTDS\ntds.dit.
Despite the database files that SSH supports, the location and type of operating
system is irrelevant to the actual setup and usage of passwords. It should
be noted that password authentication is enabled by default on most, if not all,
SSH servers. However, it is important to know how to disable/enable password
authentication in order to possibly disable it in favor of stronger authentication,
such as public-key authentication.
To enable password authentication, the process is quite simple. For a SSH
server installation on a Unix environment, there exists a configuration file
called sshd2_config (Commercial SSH) and sshd_config (OpenSSH). Both configuration
files are quite similar. Sshd_config is usually located in /etc/ssh,
and sshd2_config is located /etc/sshd2. Enter the following command to
show the contents of the OpenSSH configuration file:
#cd /etc/ssh
#more sshd_config
An abbreviated portion of the output is listed as follows:
# Authentication:
#LoginGraceTime 600
#PermitRootLogin yes
#StrictModes yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
Under the Authentication section, denoted by #Authentication, many settings
are given that can be used for the SSH server. The option you are most
concerned with is the PasswordAuthentication setting. This setting needs to be
set to Yes in order for password authentication to be valid, which is the default.
Furthermore, if password authentication should be disabled in favor of other
authentication methods, this setting should be set to No and uncommented,
which means deleting the # from the beginning of the line. An example
follows:
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no
Enter the following command to show the contents of the SSH configuration
file for Commercial SSH:
#cd /etc/ssh2
#more sshd2_config
An abbreviated portion of the output follows:
## Authentication
## publickey and password allowed by default
# AllowedAuthentications publickey,password
# AllowedAuthentications hostbased,publickey,password
# AllowedAuthentications hostbased,publickey,keyboard-
# RequiredAuthentications publickey,password
# LoginGraceTime 600
# AuthInteractiveFailureTimeout 2
Under the Authentication section, denoted by ##Authentication, are many
settings that can be set for the SSH server. The option you are most concerned
with is the AllowedAuthentications setting. This setting by default accepts
both password and public keys. In order for password authentication to be
valid, password must be written on this line, even though that is the default
setting. Furthermore, if password authentication is not required or desired,
simply remove password from all the AllowedAuthentications lines, which
disables the use of passwords for authentication. As with OpenSSH, be sure to
uncomment the line, which means deleting the # at the beginning. Refer to the
following example to disable password for authentication:
## Authentication
## publickey and password allowed by default
AllowedAuthentications publickey
# AllowedAuthentications hostbased,publickey,password
# AllowedAuthentications hostbased,publickey,keyboard-
# RequiredAuthentications publickey,password
# LoginGraceTime 600
# AuthInteractiveFailureTimeout 2
The process of enabling password authentication on Windows-based operating
systems is equally simple; however, the process is different for OpenSSH
than Commercial SSH or VanDyke’s VShell SSH server. For OpenSSH installations
on Windows environments, there exists a configuration file called
sshd_config located at Program Files\OpenSSH\ssh\. Enter the following
commands to show the contents of the OpenSSH configuration file:
C:\cd “Program Files”\OpenSSH\ssh\
C:\type sshd_config
The following is an abbreviated portion of the output:
PermitRootLogin yes
PasswordAuthentication yes
Similar to OpenSSH on Unix, yes must be present on the Password Authentication
line in order for passwords to be used; however, password authentication
is enabled by default. In order to disable the use of password, no must be
present. The following example disables password authentication:
PermitRootLogin yes
PasswordAuthentication no
Enabling password authentication with VanDyke Software’s VShell is also
quite easy. Using the configuration tool (Start ➪ Programs ➪ VShell ➪ VShell),
there is an Authentication section for the Authentication options. Under the
Authentication section, you will see many options that can be set. One of the
options is Required authentication methods. Under this option are two checkboxes:
one for Password and one for Public Key. Simply click the checkbox for
Password and hit the Apply button in the lower right-hand corner. Password
authentication has now been enabled for all SSH users on the server. If password
authentication is not required or desired, simply uncheck the Password
checkbox and select the Public Key checkbox, which means public-key configuration
must take place (discussed in the following section). Figure 4.3 shows
VShell’s Authentication menu.
Similarly, enabling password authentication for SSH Communications’ SSH
server on Windows platforms is quite easy. Using the configuration menu
(Start ➪ Programs ➪ SSH Secure Shell Server ➪ Configuration), there is a
User Authentication section for the Authentication options. Under the User
Authentication section, you will see many options that can be set. One of the
options is Password authentication. Under this option are three choices in
the drop-down menu. In order to permit password authentication, simply
set the drop-down menu to Allow and select Apply on the lower-half of the
menu. Password authentication has now been enabled for all SSH users on
the server. If password authentication is not required or desired, simply
select Deny from the drop-down menu and hit Apply. Be sure to configure
public-key configuration in order for authentication to occur (discussed in the
following section). Figure 4.4 shows the SSH User Authentication menu.
Host-Based Authentication
Host-based authentication is another method of authentication in a SSH environment.
Each entity in a SSH architecture, either an SSH server or SSH client,
can contain a host key for identification. The host key is used to uniquely distinguish
the client or server from any other entity. Furthermore, the host key is
unique only to the operating system and cannot be easily duplicated from one
machine to the next. Host-key-based authentication is used to replace IP
address authentication used in RSH (remote shell) authentication. Since an
IP address can be easily spoofed, using an IP address as a method of authentication
is extremely insecure. Furthermore, host keys cannot be easily spoofed
and can be used to uniquely authenticate a SSH server or a SSH client. Hostbased
authentication is best suited for scripted environments, where username/
password combinations cannot be used or are too cumbersome for the
required business use (for example, nightly encrypted backups). Table 4.7
shows the locations of the host keys in SSH servers.
Once the host keys have been located and identified, the public host keys,
denoted by the .pub extension, should be copied to the remote server. For
example, if a machine called AUM wants to connect to another machine called
OM with host-based authentication, the public key host key should be copied
to the OM SSH server. This will allow the OM SSH server to accept authentication
from the AUM machine based on the host key itself, without any need
for a password. The following steps should be conducted in order to set up
host-based authentication with the AUM server and OM server.
1. Host AUM should generate a host key. (Depending on the type of operating
system and environment, the syntax may be different.) The following
is a list of the syntax depending on the environment:
ssh-keygen –P Aum (OpenSSH)
ssh-keygen2 –P Aum (SSH Communications)
2. This will create the private host key and the public host key. The public
host-key file is Aum.pub and the private host-key file is Aum.
3. Copy Aum.pub to the knownhost folder in /etc/ssh2 for SSH Communications’
SSH server and /etc/ssh/ssh_known_hosts for OpenSSH
SSH’s server. For SSH Communications, copy Aum.pub to
/etc/ssh2/knownhosts; however, rename Aum.pub to the fully qualified
DNS name in the following form: hostname.domain.ssh-dss.pub.
(A fully qualified domain name is a full DNS name of a machine on a
given network.) For example, if machine AUM belongs to the eNapkin
domain, its name should be changed to Aum.eNapkin.ssh-dss.pub. For
OpenSSH, just add the key to the authorized key file, as the following
shows:
#cd .ssh
#cat Aum.pub >> authorized_keys
4. On the OM server, create a file called named .shosts. Place Aum
.eNapkin.com and the username, such as root. The following
is an example:
Aum.eNapkin.com root
Table 4.7 Types of SSH Software and the Locations of the Host Keys
SSH SOFTWARE HOST KEY LOCATION
SSH Communications’ server (Unix) /etc/ssh2
SSH Communications’ server (Windows) Program Files\SSH Secure Shell Server
VShell SSH server Program Files\VShell\hostkey
OpenSSH server /etc/ssh
5. Configure the OM SSH server to accept host-based authentication by
editing the configuration file. Edit sshd2_config to enable host keys for
authentication for SSH Communications’ SSH server:
## Authentication
## publickey and password allowed by default
AllowedAuthentications publickey, hostbased
6. To enable host-based authentication for OpenSSH, edit the sshd_config
file and change the line to yes:
HostbasedAuthentication yes
7. Test the configuration by resetting the SSH server and typing the following
syntax:
ssh root@OM
Server Authentication
In addition to traditional host-based authentication for user access, a SSH
client can confirm the identification of a SSH server with host-key information.
When a SSH client first attempts to authenticate to a SSH server, the SSH
server sends its public host key to the client in order to identify itself. The
client can then accept and save the host key locally in order to authenticate or
verify the connection the next time the SSH client attempts to log in. The host
key accepted by the client is added to the host-key database that the SSH client
stores locally on the client machine. Each time the SSH client attempts to log in
to the SSH server, the client will compare the SSH server’s host key with the
host key in the SSH client’s host-key database to make sure it matches. If the
keys do not match, the SSH client can choose not to log in to the SSH server,
due to possible tampering with the SSH server or possibly a man-in-themiddle
attack.
Table 4.8 The Type of SSH Software and the Location of the Host Keys
SSH SOFTWARE HOST KEY LOCATION
SSH Communications’ client (Unix) /root/.ssh2/hostkeys
SSH Communications’ client (Windows) Documents and Settings\Administrator\
Application Data\SSH\HostKeys
SecureCRT C:\DocumentsandSettings\Administrator\
Application Data\Van Dyke Technologies\
SecureCRT\HostKeyDatabase
OpenSSH client /etc/ssh/hostkeys
The server-authentication process protects against pure IP-address based
verifications, where a SSH client would trust a SSH server based solely on its
IP address. Since IPv4 networks are susceptible to IP address spoofing,
reliance on IP addresses for identification is not secure. Public host keys for
SSH servers offer an excellent method for a SSH client to verify and authenticate
the SSH server that they will be communicating with. Table 4.8 shows the
location of the host-key database for SSH clients.
SecureCRT and SSH Communications’ SSH clients both show the host-key
database on their respective client GUI, as shown in Figures 4.5 and 4.6.
Figure 4.5 shows the host-key database for SecureCRT. This is the repository
for the SSH client for all host keys obtained after a connection is made to a SSH
server. This host-key database will be referenced each time the SSH client connects
to the same SSH server to make sure the host keys match.
client. Similar to SecureCRT, this is the repository for the SSH client for all host
keys obtained after a connection is made to a SSH server. This host-key database
will be referenced each time the SSH client connects to the same SSH
server to make sure the host keys match.
Public Keys
Public-key authentication is one of the best authentication methods provided
by SSH. Unlike password authentication, public-key authentication requires
each user to contain a public-key file in order to authenticate. The fact that
many corporate networks rely on user passwords, no matter how strong or
weak, to protect sensitive and propriety information leaves many networks
vulnerable to simple attacks. The following sidebar provides several reasons
why using passwords on sensitive systems may not be the best decision in
order to attain an acceptable level of security:
Now that you have seen some of the security issues with passwords, you
will learn about using public keys for authentication and why the use of keybased
authentication can virtually eliminate many of the issues described previously.
The following sidebar lists the strengths that public-key authentication
offers in a typical network environment, both internally to the network and
externally.
Key-based authentication in a SSH environment uses public and private
keys. The following is a summary of the steps required to generate a key pair
for SSH:
1. An authorized user must generate a public and private key pair.
2. The user has the option of password protecting the private key, which is
recommended in almost all environments.
3. The user’s public key needs to be securely uploaded to the SSH server,
usually stored in the user’s home directory. For example, the user
Kusum would have a public key stored in /home/Kusum/.ssh/ or
Documents and Settings\Kusum\.ssh of the SSH server.
4. Authorization, Identification, and authorized_keys files need to be
populated.
5. Public-key authentication needs to be configured on the SSH server,
which is enabled by default on many SSH installations.
That is it!
For key-based authentication to be implemented, each valid user must contain
a public and private key pair. The process of creating a public and private
key pair is the responsibility of the SSH client, not the SSH server. The public
and private keys are stored on the local machine—the user’s machine—and a
copy of the user’s public key is stored on the SSH server. To authenticate, the
user must contain both the public and private keys. The user must authenticate,
using a password, to his or her local private key, which decrypts the
private-key file and enables it. Once authentication is granted, the public key
is used to authenticate to the SSH server. The SSH server receives the public
key and determines if the public key matches the same public key that the
server holds for that particular user. If the match is correct, the user is then
authenticated. The data flow for public-key authentication is illustrated in
Figure 4.7.
As noted in Step 1, creating a public and private key pair is the responsibility
of the SSH client, not the SSH server. Since several different SSH clients
exist, I will address the process of creating a public and private key with each
of the following SSH clients:
■■ OpenSSH (Unix and Windows)
■■ SSH Communications (Unix and Windows Command Line)
■■ SSH Communications (Windows GUI)
■■ VanDyke SecureCRT
Furthermore, I will demonstrate how to convert specific SSH client keys to
fit a particular SSH server. For example, OpenSSH keys are not interpretable to
SSH Communications’ SSH servers by default. While it would be very nice if
all public and private keys could be used from one SSH server to the other, the
reality is that you need to modify your public and private keys in order to use
them across multiple environments. The SSH servers you will make your
client keys interoperable with are the following:
■■ SSH Communications
■■ OpenSSH
■■ VShell
NOTE In the following sections, the use of ssh, ssh-keygen, ssh.exe, and
ssh-keygen.exe refers to OpenSSH SSH clients. Furthermore, the use of ssh2,
ssh-keygen2, ssh2.exe, and ssh-keygen2.exe refers to SSH Communications’ SSH
clients. Lastly, the use of vsh.exe and vcp.exe refers to VanDyke Software SSH
clients.
Creating Keys with OpenSSH
To create keys with the OpenSSH client, complete the following steps on the
client machine.
1. Change directories to the location of the ssh-keygen binary:
cd /usr/bin
C:\cd “Program Files”\OpenSSH\bin
2. Create a DSA key pair:
#ssh-keygen -d
c:\Program Files\OpenSSH\ssh-keygen.exe -d
Generating public/private dsa key pair.
3. Enter the name of the key pair (I will call ours Shreya); then enter a
passphrase, and confirm the passphrase:
Enter file in which to save the key (/root//.ssh/id_dsa): Shreya
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
4. After you have confirmed the passphrase, both the public and private
keys should be generated. In this case, the names will be Shreya.pub for
the public-key file and Shreya for the private-key file. The key fingerprint
will be displayed on the shell or command prompt:
Your identification has been saved in Shreya.
Your public key has been saved in Shreya.pub.
The key fingerprint is:
ed:1e:67:22:79:d8:81:c9:b4:ee:0d:f5:55:0d:cf:5c
5. OpenSSH client keys have been generated!
After the creation process has been completed, copy the OpenSSH client key
to the SSH server, specifically to the .ssh folder in the users’ home directory
(for example, /home//.ssh/PublicKey.pub. The following section
demonstrates how to use an OpenSSH key on an OpenSSH server, a SSH
Communications’ SSH server, and a VanDyke VShell SSH server.
How to Use an OpenSSH Key on an OpenSSH Server
After the OpenSSH public key has been securely uploaded to the SSH server,
typically in the users’ home directory (/home/Shreya/.ssh/Shreya.pub or
Program Files\OpenSSH\.ssh\Shreay.pub), you also need to append the key
to the authorized key-list file, which is labeled authorized_keys in the users’
home directory (/home//.ssh/authorized_keys). Example syntax
is as follows on the server machine:
[Shreya@OpenSSH]$cat Shreya.pub >> /home//.ssh/authorized_keys
Furthermore, the permissions on the public-key and private-key pairs need
to be protected in order to be used. Set the following permission on the key
files generated on the client machine:
[Shreya@localhost]$chmod 600 Shreya
[Shreya@localhost]$chmod 600 Shreya.pub
Once you have made the key pairs, uploaded the public-key file to the
appropriate home directory, added the key to the authorized_keys file, and set
the correct permissions, you should be able to log in with the public key. Sample
syntax follows on the client machine:
[Shreya@localhost]$ssh -i Shreya
If you attach a passphrase to the private key, the following text should
appear:
Enter passphrase for key ‘Shreya’:
After entering your passphrase, you should be logged in to the SSH
connection:
[Shreya@OpenSSH Shreya]$
How to Use an OpenSSH Key on SSH Communications’
SSH Server
To use an OpenSSH key on SSH Communications’ SSH server, the key must be
converted to the SSH2 format, using the following commands.
1. Convert your OpenSSH client key to the SSH Communications’ SSH
compatible format. To convert the keys, you must set a blank
passphrase for the private key (ssh-keygen -p -f Shreya). After the key
conversation is complete, make sure you go back and set a passphrase
for both the old OpenSSH key and the newly converted SSH2 key. Use
the following commands to convert the key on the client machine:
[Shreya@localhost]$ssh-keygen -e -f Shreya.pub > SSH2-Shreya.pub
[Shreya@localhost]$ssh-keygen –e –f Shreya > SSH2-Shreya
2. Once you have copied the public key to the SSH Communications’ SSH
server in the users’ home directory, specifically in the .ssh2 folder in the
users’ home directory (/home//.ssh2/publickey.pub on
Unix and Documents and Settings\\.ssh2\publickey.pub
on Windows), you need to add a public-key entry to the authorization
file, which is labeled Authorization, also in the users’ home directory on
the SSH server. The contents of the authorization file on the SSH server
should be Key, followed by the actual public-key name.
Key SSH2-Shreya.pub
3. After the authorization file has been created on the SSH server, an identification
file needs to be created on the SSH client, typically in the ssh2
folder in the users’ home directory (/home//.ssh2 for
Unix and Documents and Settings\\.ssh2\ for Windows).
This file is used by the SSH client to indicate which private keys to use
for authentication. Furthermore, unlike OpenSSH, this file is used with
the –i option to point to the correct private keys for authentication. For
example, while OpenSSH uses “–i ” syntax, SSH Communications’
uses “–i identification” for the syntax. The syntax to create
the identification file is as follows on the client:
echo “IdKey SSH2-Shreya” >> identification
4. After the identification file has been created on the SSH server, the permissions
on the public-key and private-key pairs need to be protected
in order to be used. Set the following permission on the SSH client for
the appropriate key files that were generated.
[Shreya@localhost]$chmod 600 SSH2-Shreya
[Shreya@localhost]$chmod 600 SSH2-Shreya.pub
5. Once you have made the key pairs, uploaded the public-key files to the
appropriate home directory, added the entry to the authorization file,
and added the entry to the identification file, you should now be able to
log in with the public key. Be sure to use the identification file with the
–i option, not the private-key file; otherwise you will receive a “No further
authentication methods available” error. The following is sample
syntax:
[Shreya@localhost]$ssh2 SSH-Server –i identification
How to Use an OpenSSH Key on a VShell SSH Server
Using an OpenSSH client key for a VShell SSH server is more straightforward
than the previous section. Since VShell SSH servers accept the OpenSSH key
format, it is not necessary to convert OpenSSH keys to any other format, which
saves valuable time and a lot of potential headache! Since you have an
OpenSSH client key, I will demonstrate how to use the OpenSSH key for
VShell SSH servers.
1. Copy the OpenSSH public-key file to the remote VShell SSH server,
specifically in public-key folder located at C:\ Program
Files\VShell\PublicKey\%USER%.
2. Make sure public-key authentication is enabled on the remote VShell
SSH server.
3. From the client machine, connect to the VShell SSH server with the following
syntax:
ssh -p 22 –i OpenSSHPrivatekey –l server>example authentication process is as follows:
ssh VshellServer –p 22 –i Shreya –l shreya
Enter passphrase for key ‘Shreya’:
Authenticated with partial success
Shreya@VshellServer’s password:
C:\
Notice that after the key is authenticated, VShell asks for a password on the
VShell server. This happens only if both the password and public-key checkboxes
are required on the VShell server. If public key was the only required
authentication method, a password prompt would not occur; however, this is
a great method of enforcing two-factor authentication, which should be
required for management purposes.

No comments: