Configuring SSH Authentication with RSA Key Files

Prerequisites

  • Console access / LOM Card access to the Gaia server.

  • Administrator access to the Gaia server, or an equivalent user with the required permission.

Notes:

  • For the initial setup, it is necessary to do each step only one time.

  • To configure more SSH users, it is necessary to do only steps 1 through 6.

Procedure

  1. Create a pair of SSH keys.

    You can use these tools:

    • On a Windows OS computer - the PuTTYgen tool.

    • On the Gaia server (or on a Linux OS computer) - the "ssh-keygen" command.

      Important:

      • To use the "ssh-keygen" command on the Gaia server:

        1. Connect to the command line and log in to the Expert mode.

        2. Save the pair of the key files in some directory.

      • Save the private SSH key file on your SSH client computer.

      • You configure the public SSH key on the Gaia server later.

  2. Configure a new user on the Gaia server for the SSH connection and assign the administrator role.

    You can create and configure a new user in Gaia Portal or Gaia Clish.

    Note - On Scalable Platforms (Maestro and Chassis), you must connect to the applicable Security Group.

    • In Gaia Portal:

      Create a new user with these settings:

      • Default shell: /bin/bash

      • Assigned Role: adminRole (you can create another more limited role)

      In our example, the username is: filecopy

    • In Gaia Clish:

      1. Create a new user.

        See Managing User Accounts in Gaia Clish.

        Example:

        MyGW> add user filecopy uid 103 homedir /home/filecopy
        WARNING Must set password and a role before user can login.
        - Use 'set user USER password' to set password.
        - Use 'add rba user USER roles ROLE' to set a role.
        MyGW> set user filecopy password
        New password:
        Verify new password:
             
        MyGW>
      2. Assign the administrator role to the new user.

        See Configuring Roles in Gaia Clish.

        Note - You can create another more limited role.

        Example:

        MyGW> add rba user filecopy roles adminRole
        
      3. Configure the default shell /bin/bash for the new user.

        See Configuring Roles in Gaia Clish.

        Example:

        MyGW> set user filecopy shell /bin/bash
        
      4. Save the configuration:

        MyGW> save config
  3. Connect with an SSH client to the Gaia server.

  4. Log in with the new user.

    In our example, the username is: filecopy

    The default shell for this user is the Expert mode.

  5. Configure the required directory ".ssh" in the home directory:

    1. Create the directory ".ssh":

      • On a Security Gateway / Cluster Member / Management Server / Log Server:

        mkdir -v ~/.ssh

      • On a Scalable Platform Security Group:

        g_all mkdir -v ~/.ssh

    2. Assign the required permissions to the new directory ".ssh":

      • On a Security Gateway / Cluster Member / Management Server / Log Server:

        chmod -v u=rwx,g=,o= ~/.ssh

      • On a Scalable Platform Security Group:

        g_all chmod -v u=rwx,g=,o= ~/.ssh

  6. Configure the required file "authorized_keys":

    1. Create the required file "authorized_keys":

      • On a Security Gateway / Cluster Member / Management Server / Log Server:

        touch ~/.ssh/authorized_keys

      • On a Scalable Platform Security Group:

        g_all touch ~/.ssh/authorized_keys

    2. Assign the required permissions to the new file "authorized_keys":

      • On a Security Gateway / Cluster Member / Management Server / Log Server:

        chmod -v u=rw,g=,o= ~/.ssh/authorized_keys

      • On a Scalable Platform Security Group:

        g_all chmod -v u=rw,g=,o= ~/.ssh/authorized_keys

    3. Edit the "authorized_keys" file:

      vi ~/.ssh/authorized_keys

    4. Paste the public SSH key you created earlier into this file.

    5. Save the changes in the file and exit the editor.
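    Steps 5 and 6 as one idempotent script, added here as an example and not part of the Gaia guide. It assumes a POSIX shell with GNU coreutils (for "stat -c") on a single Gaia member in Expert mode, takes the user's home directory and the public key line as arguments, and verifies the modes sshd expects before you continue with step 7.

```shell
#!/bin/sh
# Added example (not from the Gaia guide): performs steps 5 and 6 for one
# user on one Gaia member and checks the result. On a Scalable Platform
# Security Group the same commands would be run through g_all.
# Assumption: POSIX sh with GNU coreutils (stat -c %a).

# install_authorized_key HOME_DIR PUBKEY_LINE
# Creates HOME_DIR/.ssh (mode 700) and authorized_keys (mode 600), then
# appends the public key line once; re-running does not duplicate it.
install_authorized_key() {
    home="$1"
    pubkey="$2"
    ssh_dir="$home/.ssh"
    auth="$ssh_dir/authorized_keys"

    mkdir -p "$ssh_dir"
    chmod u=rwx,g=,o= "$ssh_dir"     # same mode the guide sets (700)
    touch "$auth"
    chmod u=rw,g=,o= "$auth"         # same mode the guide sets (600)

    # The base64 key material (2nd field) identifies the key; the trailing
    # comment (e.g. "rsa-key-20230207") may differ between copies.
    key_material=$(printf '%s\n' "$pubkey" | awk '{print $2}')
    if ! grep -qF -- "$key_material" "$auth"; then
        printf '%s\n' "$pubkey" >> "$auth"
    fi
}

# check_authorized_key HOME_DIR
# Returns 0 when .ssh is 700, authorized_keys is 600 and the file holds at
# least one non-comment line; sshd (StrictModes) refuses group/other-writable
# paths, so a wrong mode here means the key login in step 13 will fail.
check_authorized_key() {
    home="$1"
    ssh_dir="$home/.ssh"
    auth="$ssh_dir/authorized_keys"

    [ "$(stat -c %a "$ssh_dir")" = "700" ] || { echo "bad mode on $ssh_dir"; return 1; }
    [ "$(stat -c %a "$auth")" = "600" ]    || { echo "bad mode on $auth"; return 1; }
    grep -q '^[^#]' "$auth"               || { echo "no key line in $auth"; return 1; }
    return 0
}
```

    If the key pair was generated with PuTTYgen, paste the single OpenSSH-format line from its "Public key for pasting into OpenSSH authorized_keys file" box; the .pub file PuTTYgen saves is in a different format that sshd does not accept in authorized_keys.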

  7. Enable the SSH Password Authentication:

    1. Go from the Expert mode to Gaia Clish / Gaia gClish:

      • On a Security Gateway / Cluster Member / Management Server / Log Server:

        clish

      • On a Scalable Platform Security Group:

        gclish

    2. Enable the SSH Password Authentication:

      For more information, see Configuring Supported SSH Ciphers, MACs, and KexAlgorithms.

      set ssh server password-authentication yes

    3. Save the configuration (on a Security Gateway / Cluster Member / Management Server / Log Server):

      save config

  8. Connect to the Gaia server through a console port / LOM Card.

  9. Log in with the new user.

    In our example, the username is: filecopy

    The default shell for this user is the Expert mode.

  10. Restart the SSHD service:

    • On a Security Gateway / Cluster Member / Management Server / Log Server:

      service sshd restart

    • On a Scalable Platform Security Group:

      g_all service sshd restart

  11. Close the current SSH connection for the new user.

  12. Connect with an SSH client to the Gaia server.

  13. Log in with the new user with the private SSH key.

    In our example, the username is: filecopy

    Example:

    login as: filecopy
    This system is for authorized use only.
    Authenticating with public key "rsa-key-20230207"
    Last login: Sun Jul  2 15:08:58 2023 from 172.20.213.71
    [Expert@MyGW:0]#