HP StorageWorks 8/24 HP StorageWorks Fabric OS 6.1.x administrator guide (5697 - Page 89
SSH public key authentication
View all HP StorageWorks 8/24 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 89 highlights
Commands that require a secure login channel must originate from an SSH session. If you start an SSH session, and then use the login command to start a nested SSH session, commands that require a secure channel will be rejected. Fabric OS 6.1.x and later supports SSH protocol version 2.0 (ssh2). For more information on SSH, refer to the SSH IETF website: http://www.ietf.org/ids.by.wg/secsh.html For more information, refer to SSH, The Secure Shell: The Definitive Guide by Daniel J. Barrett, Richard Silverman and Robert G. Byrnes. SSH public key authentication OpenSSH public key authentication provides password-less logins known as SSH authentication that uses public and private key pairs for incoming and outgoing authentication. This feature allows only one allowed-user to be configured to utilize OpenSSH public key authentication. Using OpenSSH RSA and DSA, the authentication protocols are based on a pair of specially generated cryptographic keys, called the private key and the public key. The advantage of using these key-based authentication systems is that in many cases, it is possible to establish secure connections without having to manually type in a password. RSA and DSA asynchronous algorithms are FIPS-compliant. Allowed-user The default admin user has to set up the allowed-user with the admin role. By default, the admin is the configured allowed-user. However, while creating the key pair, the configured allowed-user can choose a passphrase with which the private key will be encrypted. Then the passphrase will always need to be entered when authenticating using a key pair. The allowed-user needs to have an admin role and can perform OpenSSH public key authentication, import and export keys, generation of a key pair for an outgoing connection, delete public and private keys. Once the allowed-user is changed, all the public keys related to old allowed-user will be lost. Authentication Incoming authentication is used when the remote host needs to authenticate to the switch. Outgoing authentication is used when the switch needs to authenticate to a server or remote host, more commonly used for the configUpload command. Both password and public key authentication can coexist on the switch. Authentication setup overview 1. Configure the allowed-user. Once the allowed-user is configured, the remaining setup steps will need to be completed by the allowed-user. 2. Generate the key pair for incoming or outgoing authentication. 3. Add public key into the switch (for incoming authentication). 4. Export the public key from the remote directory (for outgoing authentication). 5. Append the public key to the authorized_keys file on the host. 6. Test the setup. Configuring the allowed-user 1. Log in to the switch as the default admin. 2. Change the allowed-user's role to admin, if applicable. switch:admin> userconfig --change -r admin Where is the name of the user you want to perform SSH public key authentication, import, export, and delete keys. 3. Setup the allowed-user by typing the following command: switch:admin> sshutil allowuser Where is the name of the user you want to perform SSH public key authentication, import, export, and delete keys. Fabric OS 6.1.x administrator guide 89