Configuring SSH Authentication with RSA Key Files

Prerequisites

  1. Console access / LOM Card access to the Gaia server.

  2. Administrator access to the Gaia server, or an equivalent user with the required permission.

Procedure

Notes:

  • For the initial setup, it is necessary to do each step only one time.

  • To configure more SSH users, it is necessary to do only steps 1 through 6.

  1. Create a pair of SSH keys.

    You can use these tools:

    • On a Windows OS computer - the PuTTYgen tool.

    • On the Gaia server (or on a Linux OS computer) - the "ssh-keygen" command.

      Important:

      • To use the "ssh-keygen" command on the Gaia server:

        1. Connect to the command line and log in to the Expert mode.

        2. Save the pair of key files in a directory of your choice.

      • Save the private SSH key file on your SSH client computer.

      • You configure the public SSH key on the Gaia server later.

  2. Configure a new user on the Gaia server for the SSH connection and assign the administrator role.

    You can create and configure a new user in Gaia Portal or Gaia Clish / Gaia gClish.

    • In Gaia Portal:

      Note - On Scalable Platforms (ElasticXL, Maestro, and Chassis), you must connect to the Gaia Portal of the applicable Security Group.

      Create a new user with these settings:

      • Default shell: /bin/bash

      • Assigned Role: adminRole (you can create another more limited role)

      In our example, the username is: filecopy

      See:

    • In Gaia Clish / Gaia gClish:

      Note - On Scalable Platforms (ElasticXL, Maestro, and Chassis), you must run the applicable commands in Gaia gClish of the applicable Security Group.

      1. Create a new user.

        See Managing User Accounts in Gaia Clish.

        Example:

        MyGW> add user filecopy uid 103 homedir /home/filecopy
        WARNING Must set password and a role before user can login.
        - Use 'set user USER password' to set password.
        - Use 'add rba user USER roles ROLE' to set a role.
        MyGW>
        MyGW> set user filecopy password
        New password:
        Verify new password:
             
        MyGW>

      2. Assign the administrator role to the new user.

        See Configuring Roles in Gaia Clish.

        Note - You can create another more limited role.

        Example:

        MyGW> add rba user filecopy roles adminRole

      3. Configure the default shell /bin/bash for the new user.

        See Configuring Roles in Gaia Clish.

        Example:

        MyGW> set user filecopy shell /bin/bash

      4. Save the configuration:

        MyGW> save config

  3. Connect with an SSH client to the Gaia server.

  4. Log in with the new user.

    In our example, the username is: filecopy

    The default shell for this user is the Expert mode.

  5. Configure the required directory ".ssh" in the home directory:

    1. Create the directory ".ssh":

      • On a Security Gateway / Cluster Member / Management Server / Log Server:

        mkdir -v ~/.ssh

      • On a Scalable Platform Security Group:

        g_all mkdir -v ~/.ssh

    2. Assign the required permissions to the new directory ".ssh":

      • On a Security Gateway / Cluster Member / Management Server / Log Server:

        chmod -v u=rwx,g=,o= ~/.ssh

      • On a Scalable Platform Security Group:

        g_all chmod -v u=rwx,g=,o= ~/.ssh

  6. Configure the required file "authorized_keys":

    1. Create the required file "authorized_keys":

      • On a Security Gateway / Cluster Member / Management Server / Log Server:

        touch ~/.ssh/authorized_keys

      • On a Scalable Platform Security Group:

        g_all touch ~/.ssh/authorized_keys

    2. Assign the required permissions to the new file "authorized_keys":

      • On a Security Gateway / Cluster Member / Management Server / Log Server:

        chmod -v u=rw,g=,o= ~/.ssh/authorized_keys

      • On a Scalable Platform Security Group:

        g_all chmod -v u=rw,g=,o= ~/.ssh/authorized_keys

    3. Edit the "authorized_keys" file:

      vi ~/.ssh/authorized_keys

    4. Paste the public SSH key you created earlier into this file.

      • Always copy the public key exactly as generated, without extra spaces or line breaks.

      • For RSA, the string must start with: ssh-rsa

    5. Save the changes in the file and exit the editor.

    6. On a Scalable Platform Security Group, copy the modified file to all Security Group Members:

      asg_cp2blades ~/.ssh/authorized_keys

  7. Enable the SSH Password Authentication:

    1. Go from the Expert mode to Gaia Clish / Gaia gClish:

      • On a Security Gateway / Cluster Member / Management Server / Log Server:

        clish

      • On a Scalable Platform Security Group:

        gclish

    2. Enable the SSH Password Authentication:

      For more information, see Configuring Supported SSH Ciphers, MACs, and KexAlgorithms.

      set ssh server password-authentication yes

    3. Save the configuration (on a Security Gateway / Cluster Member / Management Server / Log Server):

      save config

  8. Connect to the Gaia server through a console port / LOM Card.

  9. Log in with the new user.

    In our example, the username is: filecopy

    The default shell for this user is the Expert mode.

  10. Restart the SSHD service:

    • On a Security Gateway / Cluster Member / Management Server / Log Server:

      service sshd restart

    • On a Scalable Platform Security Group:

      g_all service sshd restart

  11. Close the current SSH connection for the new user.

  12. Connect with an SSH client to the Gaia server.

  13. Log in with the new user using the private SSH key.

    In our example, the username is: filecopy

    Example:

    login as: filecopy
    This system is for authorized use only.
    Authenticating with public key "rsa-key-20230207"
    Last login: Sun Jul  2 15:08:58 2023 from 172.20.213.71
    [Expert@MyGW:0]#
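
The checks that steps 5 and 6 call for, as an added shell example that is not part of the Check Point procedure: it verifies the modes of ".ssh" and "authorized_keys" and that every entry is one unbroken ssh-rsa key. The function names, the constructed sample entry, and the availability of base64, od and cut are assumptions of this example.

```shell
# Added example (not Check Point code): audit the ~/.ssh layout from steps 5-6.
# Assumes a POSIX-style shell with base64, od and cut available.

# rsa_blob_ok BASE64 -> 0 if the blob is exactly three length-prefixed fields
# (type "ssh-rsa", exponent, modulus): nothing missing, nothing left over.
rsa_blob_ok() {
    local hex pos len lenhex i
    printf '%s' "$1" | base64 -d >/dev/null 2>&1 || return 1
    hex=$(printf '%s' "$1" | base64 -d | od -An -v -tx1 | tr -d ' \n')
    # uint32 length 7 followed by the ASCII bytes of "ssh-rsa"
    case "$hex" in 000000077373682d727361*) ;; *) return 1 ;; esac
    pos=0
    for i in 1 2 3; do
        [ $((pos + 8)) -le ${#hex} ] || return 1
        lenhex=$(printf '%s' "$hex" | cut -c$((pos + 1))-$((pos + 8)))
        len=$((0x$lenhex))
        pos=$((pos + 8 + 2 * len))
    done
    [ "$pos" -eq "${#hex}" ]
}

# audit_ssh_dir HOME_DIR -> prints one FAIL line per problem; returns 1 if any.
audit_ssh_dir() {
    local dir file bad n line blob
    dir="$1/.ssh"; file="$dir/authorized_keys"; bad=0; n=0
    [ -f "$file" ] || { echo "FAIL $file: missing"; return 1; }
    # The first 10 characters of "ls -ld" are the file type and permission bits.
    [ "$(ls -ld "$dir" | cut -c1-10)" = "drwx------" ] ||
        { echo "FAIL $dir: want u=rwx,g=,o="; bad=1; }
    [ "$(ls -ld "$file" | cut -c1-10)" = "-rw-------" ] ||
        { echo "FAIL $file: want u=rw,g=,o="; bad=1; }
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            '' | '#'*) continue ;;
            'ssh-rsa '*) blob=${line#ssh-rsa }; blob=${blob%% *} ;;
            *) echo "FAIL line $n: does not start with ssh-rsa"; bad=1; continue ;;
        esac
        rsa_blob_ok "$blob" ||
            { echo "FAIL line $n: key blob truncated or altered"; bad=1; }
    done < "$file"
    return "$bad"
}

# Constructed sample entry: structurally valid blob with a toy 4-byte modulus
# (not a usable key), so the example runs without ssh-keygen.
sample_key_line() {
    local blob
    blob=$(printf '\000\000\000\007ssh-rsa\000\000\000\003\001\000\001\000\000\000\004\177\377\377\377' | base64)
    printf 'ssh-rsa %s rsa-key-sample\n' "$blob"
}
```

Run "audit_ssh_dir /home/filecopy" in the Expert mode after step 6; no output and exit status 0 mean the directory, the file and every key entry match the procedure.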