This module describes how to set up public key authentication for connections to an SSH server.
Setting up an SSH server
To use public key authentication, you must enable public key authentication on the SSH server.
- Log on to a remote target host as root.
- Open the /etc/ssh/sshd_config file.
- Set the value of PubkeyAuthentication to "yes". If the PubkeyAuthentication line is commented out, remove the leading hash sign (#) to uncomment it.
- Run the following command to restart the sshd service.
systemctl restart sshd
Note: These commands can change with different versions of the OS. See the OS documentation for additional information.
Creating a key (for the first time)
Create a public key and a private key. Best practice is to create the keys on an OS where Ops Center Automator is installed.
The following key types and key lengths are supported for public key authentication. The private key can be in PEM format or OpenSSH format.
| Key type | Key length (bits) |
|---|---|
| RSA | 1024 to 16384 |
| DSA | 1024 |
| ECDSA | 256, 384, 521 |
| ED25519 | 256 |
As a reference, the following procedure creates a key.
- Run the ssh-keygen command. For example:
  - If creating an RSA key: ssh-keygen -t rsa
  - If creating a DSA key: ssh-keygen -t dsa
  - If creating an ECDSA key: ssh-keygen -t ecdsa
  - If creating an ED25519 key: ssh-keygen -t ed25519
Note: These commands can change with different versions of the OS. See the OS documentation for additional information.
- Decide the location and name of the private key.
Specify a path and filename that do not contain multibyte characters. The default is ~/.ssh/id_rsa (when creating an RSA key). The private key is written to the path and filename you specify. The public key is written to the same directory as the private key, with the file extension ".pub" appended to the name of the private key.
- Enter a pass phrase.
You will be asked to enter the pass phrase and press the Enter key. You will then be asked to enter the pass phrase again. If you choose not to set a pass phrase for the private key, press only the Enter key to bypass the pass phrase.
Placing a private key on the Ops Center Automator host
- Place the private key in any location on the OS where Ops Center Automator is installed.
- Specify the absolute path of the private key for ssh.privateKeyFile in the properties file (config_user.properties). When specifying the path, do not specify symbolic links or junction points.
- Restart the services by running the hcmds64srv command.
Placing a public key on a remote target host
- Use the cat command with output redirection to append the contents of the generated public key file to the public key file (authorized_keys) used for authentication. (Example: cat id_rsa.pub >> authorized_keys)
- Run the chmod command and change the mode of authorized_keys to 600 (read and write permission for the owner only). If the mode is not 600, authentication might fail when a plug-in runs.
By default, authorized_keys is located directly under ~/.ssh. Change the mode of ~/.ssh to 700 (read, write, and execute permission for the owner only).
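The steps above as a script for the remote target host, written so that running it twice does not duplicate the key. This is an added example, not part of the product documentation; the function names are hypothetical and it assumes GNU coreutils stat (-c '%a').

```shell
#!/bin/sh
# Added example (not from the product documentation).
# Assumption: GNU coreutils stat (-c '%a') on the remote target host.

# install_pubkey PUBFILE [HOME_DIR]
# Appends PUBFILE to HOME_DIR/.ssh/authorized_keys once and sets the modes.
install_pubkey() {
    pub=$1
    ssh_dir=${2:-$HOME}/.ssh
    auth=$ssh_dir/authorized_keys

    [ -s "$pub" ] || { echo "empty or missing public key: $pub" >&2; return 1; }
    # Refuse a private key passed by mistake (id_rsa instead of id_rsa.pub).
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "refusing: $pub looks like a private key" >&2
        return 1
    fi

    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1

    # -x whole line, -F fixed string: append only if the key is not present yet.
    if ! grep -qxF -- "$(cat "$pub")" "$auth"; then
        # If the existing file lacks a final newline, add one so the new
        # key does not get glued onto the previous entry.
        [ -n "$(tail -c 1 "$auth")" ] && echo >> "$auth"
        cat "$pub" >> "$auth"
    fi
}

# audit_modes [HOME_DIR]
# Succeeds only if .ssh is 700 and authorized_keys is 600.
audit_modes() {
    ssh_dir=${1:-$HOME}/.ssh
    [ "$(stat -c '%a' "$ssh_dir")" = 700 ] &&
    [ "$(stat -c '%a' "$ssh_dir/authorized_keys")" = 600 ]
}
```

The modes matter because sshd, with StrictModes enabled (the default), refuses an authorized_keys file or directory that other users can write to.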
Configuring a shared property
- Log on to the Ops Center Automator application.
- Select [Administration] > [Shared Properties Settings].
- Open the "Pass phrase of the private key (for SSH public key authentication)" property.
- Enter the pass phrase as a value.
The value is the pass phrase of the private key (for SSH public key authentication).