Setting up Stratus STCP SSH to use public key authentication


To use public/private key authentication instead of a password to log in to the Stratus module, the first thing you need to do is create a public/private key pair on the client workstation that you will be using. Your ssh application should have a tool to do this, or at least a tool to import keys. If you will be using the Stratus module as the client, or want to create keys there for your client to import, see the section below on creating a key pair on the Stratus module.

The second thing you need to do is make sure that the access list on your home directory is set correctly. It should be
      modify YOUR-USER-NAME.*
      status *.*
or
      modify YOUR-USER-NAME.*
      null *.*
The key point is that only you have modify access to your home directory.

Third is to create a .ssh (that is DOT-s-s-h) directory under your home directory. The directory should have the following access list
      modify YOUR-USER-NAME.*
      null *.YOUR-GROUP
      null *.*

The default access list should be
      write YOUR-USER-NAME.*
      read *.*

Fourth, in the .ssh directory create the authorized_keys file.

The personal_ssh_setup command macro will create the .ssh directory and the authorized_keys file and make sure that all the ACLs are set correctly.

It is very important that the ACLs on the authorized_keys file, the .ssh directory and your home directory are set correctly. If they are wrong sshd will not accept the key in the authorized_keys file and will ask for a password.

Fifth is to populate the authorized_keys file with the public key from your client. The public key file may (probably will) contain extra text, but the only thing that should be copied into the authorized_keys file is the key text. The line containing the key must begin with either ssh-dss for a DSA key or ssh-rsa for an RSA key. A comment can be placed at the end of the key. All of the text from the beginning ssh to the end of the comment must be on 1 line.

For example, this is the Identity.pub file created by SecureCRT on my Windows workstation. Note that it is one very long line that has been wrapped by the window that I displayed it in.

---- BEGIN SSH2 PUBLIC KEY ----
Subject: noah
Comment: "noah@PARADISEVALLEY"
AAAAB3NzaC1kc3MAAACBAL2GWV0zYvWrCGKflZCw8kQ1oaORjncJkjOvTOm9pUOjJLPr
hmnBfwcNVrOprHMkvWZlsCR0Q5v5KjWtEiRrz2OmUKSFHFXP5Ue8AzpSnkL/kkJOZOmc
TMvsyNNqaRQw+AidR807Ux2qH2BliFryvFnJV1K0RLAJ6hf5FGOIIiRtAAAAFQCKeQew
iukHMpHlCep0t7CWiLGsZQAAAIAuagG5z3q652pxffzIulvnjuspljhJgS/a+qpsuy0q
mAO10AWvrUV5xdzGYCttJccAOve7DTTSU5+h/gbsnd6yhAiuatvEUXO7jJm9Ff87zzuD
ZTktLKLsYyzVav+h+F6bgxI+yB/5Rbd0JAW1IRuLbQ8/XCEJ9vqKqQ5V+O8DKQAAAIAd
OBukfJTwU0IXKwXEB3RUHxde4bgFTeavCXsnOY+8FCgEX27tnseLwnrFyLGz+c1k1Hss
6/ZVOeA+lN19uN91bD1LHEcWaaBSPW5grVsdSONjwDTFyX2by00IbG9MoLmVDjjrodDN
bHhjE92+xRCsv2ZAyc3I77OBv0K1Q96kkw==
---- END SSH2 PUBLIC KEY ----

This is the entry in the authorized_keys file. Note that this is 1 very long line. VOS has wrapped the line and added the "+" characters.

ssh-dss AAAAB3NzaC1kc3MAAACBAL2GWV0zYvWrCGKflZCw8kQ1oaORjncJkjOvTOm9pUOjJLPrhmnB
+fwcNVrOprHMkvWZlsCR0Q5v5KjWtEiRrz2OmUKSFHFXP5Ue8AzpSnkL/kkJOZOmcTMvsyNNqaRQw+Ai
+dR807Ux2qH2BliFryvFnJV1K0RLAJ6hf5FGOIIiRtAAAAFQCKeQewiukHMpHlCep0t7CWiLGsZQAAAI
+AuagG5z3q652pxffzIulvnjuspljhJgS/a+qpsuy0qmAO10AWvrUV5xdzGYCttJccAOve7DTTSU5+h/
+gbsnd6yhAiuatvEUXO7jJm9Ff87zzuDZTktLKLsYyzVav+h+F6bgxI+yB/5Rbd0JAW1IRuLbQ8/XCEJ
+9vqKqQ5V+O8DKQAAAIAdOBukfJTwU0IXKwXEB3RUHxde4bgFTeavCXsnOY+8FCgEX27tnseLwnrFyLG
+z+c1k1Hss6/ZVOeA+lN19uN91bD1LHEcWaaBSPW5grVsdSONjwDTFyX2by00IbG9MoLmVDjjrodDNbH
+hjE92+xRCsv2ZAyc3I77OBv0K1Q96kkw== SecureCRT noah@PARADISEVALLEY"

That is it, you should now be able to use your client to log into the Stratus module using public key authentication. The >system>openssl>etc>sshd_config file is set up to use public/private key authentication by default, so no changes are needed to any system configuration files.

Note that multiple keys can be added to the file; this allows you to use public key authentication from multiple clients. You can separate each key with a blank line if you want.

ssh-dss AAAAB3NzaC1kc3MAAACBAL2GWV0zYvWrCGKflZCw8kQ1oaORjncJkjOvTOm9pUOjJLPrhmnB
+fwcNVrOprHMkvWZlsCR0Q5v5KjWtEiRrz2OmUKSFHFXP5Ue8AzpSnkL/kkJOZOmcTMvsyNNqaRQw+Ai
+dR807Ux2qH2BliFryvFnJV1K0RLAJ6hf5FGOIIiRtAAAAFQCKeQewiukHMpHlCep0t7CWiLGsZQAAAI
+AuagG5z3q652pxffzIulvnjuspljhJgS/a+qpsuy0qmAO10AWvrUV5xdzGYCttJccAOve7DTTSU5+h/
+gbsnd6yhAiuatvEUXO7jJm9Ff87zzuDZTktLKLsYyzVav+h+F6bgxI+yB/5Rbd0JAW1IRuLbQ8/XCEJ
+9vqKqQ5V+O8DKQAAAIAdOBukfJTwU0IXKwXEB3RUHxde4bgFTeavCXsnOY+8FCgEX27tnseLwnrFyLG
+z+c1k1Hss6/ZVOeA+lN19uN91bD1LHEcWaaBSPW5grVsdSONjwDTFyX2by00IbG9MoLmVDjjrodDNbH
+hjE92+xRCsv2ZAyc3I77OBv0K1Q96kkw== SecureCRT noah@PARADISEVALLEY"

ssh-dss AAAAB3NzaC1kc3MAAACBAM+z5O2+V7iDALb+tQm7rMaBQ+3U6FbcxhmQ4u7WgSKeeOKG35ou
+OBiXFzmEfC/oUn/frCpTQxKtmmXmX/VQYTl3/c4vlpE6owFvncPPEt9+z2Nf0vH4wjhl/qu2jYnUS/n
+4gTXaJD14gEJ39RzXzrgBTqYJ8A4iAbJ4r+Og6ouvAAAAFQDLHircsTgaP9UK6s6WFENRQ6iA0wAAAI
+AuaWAtAfRTBEHpqXDrw1HYk2fDoAYxLoXve1f23cq+415F17s9Rqr6Xu1mPhc9ahX+6LDaXwq2XxiXF
+xTSGUpkUJIhadT8K8ZO1thBrQG0deQJN+xDsueCJoeGQpII6ouANck9YO+YxXlH7Ere8la41NS7iOnN
+nHolMIFjvEwAtAAAAIEAu2zUhX3mOcMMP+0LDFBI8XWhQbLj9AGe3/4k7G9jeOqGThjnLtk40fLAgF5
+v5uOx/PKFudEj4JnVIRIncbI9MRobU0V43RVNvuxS+0hmaHk3TfuFOwC++aoyrW9jnbdy01JyQ+QiKr
+QtbU6bBbtookaR6s6nj60leg15URrrMW4= Noah_Davids@athenastcp
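As an added example (not part of the original article, and not Stratus's or SecureCRT's code), here is a small Python script that does by hand what the two listings above show: it turns an RFC 4716 "---- BEGIN SSH2 PUBLIC KEY ----" file such as the Identity.pub above into the one-line form authorized_keys needs, checks that an authorized_keys line begins with ssh-dss or ssh-rsa and that its key text is intact and agrees with the type recorded inside the key blob, and rejoins a listing that was wrapped with leading "+" continuation characters the way the VOS display of the multi-key file above shows. The key material is constructed in the script with dummy numbers so it runs offline; it is not a usable key, and the Subject and Comment values are made up.

```python
import base64
import struct

# Key types the article says sshd accepts in authorized_keys, with the number of
# length-prefixed fields in each public key blob (type string + the mpints of
# RFC 4253 section 6.6: e, n for RSA; p, q, g, y for DSA).
FIELD_COUNT = {"ssh-dss": 5, "ssh-rsa": 3}


def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def blob_fields(blob: bytes) -> list:
    """Split a public key blob into its fields; raise ValueError if it is truncated."""
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length field")
        (n,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + n > len(blob):
            raise ValueError("truncated field")
        fields.append(blob[pos:pos + n])
        pos += n
    if not fields:
        raise ValueError("empty blob")
    return fields


def parse_rfc4716(text: str):
    """Return (headers, joined base64 body) from an RFC 4716 public key block."""
    headers, body, in_block = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("---- BEGIN SSH2 PUBLIC KEY ----"):
            in_block = True
        elif line.startswith("---- END SSH2 PUBLIC KEY ----"):
            break
        elif in_block and line:
            # Header lines (Subject:, Comment:) contain a colon; base64 never does.
            if ":" in line and not body:
                name, _, value = line.partition(":")
                headers[name.strip().lower()] = value.strip().strip('"')
            else:
                body.append(line)
    if not body:
        raise ValueError("no key body found between the BEGIN and END lines")
    return headers, "".join(body)


def to_authorized_keys_line(rfc4716_text: str) -> str:
    """Convert an RFC 4716 public key file to the one-line authorized_keys form."""
    headers, b64 = parse_rfc4716(rfc4716_text)
    blob = base64.b64decode(b64, validate=True)
    key_type = blob_fields(blob)[0].decode("ascii")
    if key_type not in FIELD_COUNT:
        raise ValueError(f"unsupported key type {key_type}")
    line = f"{key_type} {base64.b64encode(blob).decode('ascii')}"
    comment = headers.get("comment", "")
    return f"{line} {comment}" if comment else line


def unwrap_vos_listing(listing: str) -> list:
    """Rejoin lines a VOS display wrapped with a leading '+' marker, one string per
    key; blank separator lines between keys are dropped."""
    entries = []
    for line in listing.splitlines():
        if line.startswith("+") and entries:
            entries[-1] += line[1:]
        elif line.strip():
            entries.append(line.rstrip())
    return entries


def check_authorized_keys_line(line: str) -> list:
    """Return the problems that would make sshd ignore this line (empty list = OK)."""
    parts = line.split()
    if len(parts) < 2:
        return ["line must hold the key type and the key text together on one line"]
    key_type, b64 = parts[0], parts[1]
    problems = []
    if key_type not in FIELD_COUNT:
        problems.append(f"line must begin with ssh-dss or ssh-rsa, not {key_type!r}")
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:
        return problems + ["key text is not valid base64 (extra text pasted, or split across lines?)"]
    try:
        fields = blob_fields(blob)
    except ValueError as exc:
        return problems + [f"key blob is malformed: {exc}"]
    embedded = fields[0].decode("ascii", errors="replace")
    if embedded != key_type:
        problems.append(f"prefix {key_type} does not match the type {embedded!r} inside the key blob")
    elif embedded in FIELD_COUNT and len(fields) != FIELD_COUNT[embedded]:
        problems.append(f"{embedded} blob should have {FIELD_COUNT[embedded]} fields, found {len(fields)}")
    return problems


# Constructed sample: real wire layout (string "ssh-rsa", mpint e, mpint n) but dummy
# numbers, so this is NOT a usable key; Subject and Comment are made up as well.
SAMPLE_BLOB = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(b"\x00\xc3" + bytes(range(64)))
SAMPLE_B64 = base64.b64encode(SAMPLE_BLOB).decode("ascii")
SAMPLE_RFC4716 = (
    "---- BEGIN SSH2 PUBLIC KEY ----\n"
    "Subject: noah\n"
    'Comment: "noah@EXAMPLE"\n'
    + "\n".join(SAMPLE_B64[i:i + 70] for i in range(0, len(SAMPLE_B64), 70))
    + "\n---- END SSH2 PUBLIC KEY ----\n"
)

if __name__ == "__main__":
    entry = to_authorized_keys_line(SAMPLE_RFC4716)
    print(entry)
    print("problems:", check_authorized_keys_line(entry))
```

The check deliberately parses the whole blob rather than only looking at the ssh-rsa/ssh-dss prefix: a key that was pasted from a wrapped display with a line missing still base64-decodes cleanly, and only the truncated inner field gives it away, which is exactly the kind of silent failure that ends with sshd falling back to a password prompt.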


To create a public/private key pair on the Stratus module for use with the Stratus ssh client

In your .ssh directory run the ssh-keygen command:

>system>openssl>bin>ssh-keygen -t dsa -N '' -f ssh_test_dsa
Generating public/private dsa key pair.
Your identification has been saved in ssh_test_dsa.
Your public key has been saved in ssh_test_dsa.pub.
The key fingerprint is:
cd:9f:6e:5e:57:bd:19:c8:20:d4:12:52:9e:0b:20:47 Noah_Davids@athenavs
ready  14:49:20

This creates 2 files, ssh_test_dsa and ssh_test_dsa.pub. The .pub file is already in the appropriate format, i.e. it has no extraneous comments, so it can just be FTPed to the target system and added however is appropriate to that system. To create an RSA key use the argument "-t rsa" instead of "-t dsa".

Which key type should you use? As of this writing there is a fair amount of debate. As far as I can tell the prevailing opinion is that both algorithms are secure BUT RSA uses a longer key by default. The downside of that is that it requires more processing power to use.

The >system>openssl>etc>ssh_config file is set up to use public/private key authentication by default, but the default file names that it looks for are identity, id_rsa, and id_dsa, all in the .ssh directory under your home dir. To use a different file you can either copy >system>openssl>etc>ssh_config to your .ssh directory, add an IdentityFile option to it and then on the ssh command line indicate that it should use your copy of the ssh_config file,

d ssh_config -match IdentityFile

%phx_vos#m15_mas>SysAdmin>Noah_Davids>.ssh>ssh_config  08-03-07 11:45:33 mst

#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
IdentityFile ~/.ssh/ssh_test_dsa

>system>openssl>bin>ssh -F (home_dir)>.ssh>ssh_config nd@164.152.77.34

or on the ssh command line indicate the file name containing the private key that it should use.

>system>openssl>bin>ssh -i (home_dir)>.ssh>ssh_test_dsa nd@164.152.77.34

The latter option seems simpler to me.

personal_ssh_setup.cm

As stated at the start of this article, this macro will make sure that the access list on your home dir is correct, create the .ssh directory, set the access list and the default access list for it, and then create the authorized_keys file in the .ssh directory. It will also create dsa and rsa keys in case you want to use the ssh client or import the keys into another client.

& personal_ssh_setup begins here
&
& personal_ssh_setup.cm
& version 1.0 08-03-10
& version 1.1 09-03-23 correct a problem setting the *.group access
&                      on the .ssh file
& version 1.2 10-11-26 added disclaimer
& Noah Davids Stratus CAC noah.davids@stratus.com
&
& This macro will set up the directories and files needed to use
& public/private key authentication with SSH. It will also set the access
& list and default_access lists needed.
&
& NOTE that you still need to populate the authorized_keys file with the
& public keys of the clients that you will be using
&
& This macro may make changes to the access list on your home dir. It will
& ask before doing so and will allow you to skip that step. If it finds the
& .ssh directory or authorized_keys file it will ask before deleting and
& recreating them. It will however always recreate the default access list
& on the .ssh directory and set the access list on the .ssh directory and
& on the authorized_keys file.
&
& This software is provided on an "AS IS" basis, WITHOUT ANY WARRANTY OR ANY
& SUPPORT OF ANY KIND. The AUTHOR SPECIFICALLY DISCLAIMS ANY IMPLIED WARRANTIES
& OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE.  This disclaimer
& applies, despite any verbal representations of any kind provided by the
& author or anyone else.
&
&set_string CURRENT_DIR (current_dir)
change_current_dir (home_dir)
&
&
display_line ************** WARNING **************
display_line ************** WARNING **************
display_line This will modify the access to your home dir so that only
display_line (substr (user_name) 1 (calc (index (user_name) .) - 1)).* &+
has modify access and *.* has status.
display_line ************** WARNING **************
display_line ************** WARNING **************
&set_string ANSWER (ask Continue? '(yes,y)=yes (no,n)=no')
&if &ANSWER& = no
&then &do
   display_access (current_dir) -all
   display_line
   display_line Make sure that in the above access ONLY &+
      (substr (user_name) 1 (calc (index (user_name) .) - 1)).* &+
         has modify_access.
   display_line
   display_line
   &end
&else &do
   remove_access (current_dir) -all
   give_access modify (current_dir) -user &+
        (substr (user_name) 1 (calc (index (user_name) .) - 1))
   give_access status (current_dir) -user *.*
   &end
&
&
&if (exists .ssh)
&then &do
   &set_string ANSWER &+
           (ask '.ssh already exists, delete it?' '(yes,y)=yes (no,n)=no')
   &if &ANSWER& = yes
   &then &do
      delete_dir .ssh -no_ask
      create_dir .ssh
      &end
   &end
&else create_dir .ssh
remove_access .ssh -all
give_access modify .ssh -user &+
     (substr (user_name) 1 (calc (index (user_name) .) - 1))
give_access null .ssh -user &+
     *.(substr (user_name) (calc (index (user_name) .) + 1))
give_access null .ssh -user *.*
give_default_access write .ssh -user &+
     (substr (user_name) 1 (calc (index (user_name) .) - 1))
give_default_access read .ssh -user *.*
&
&
change_current_dir .ssh
&if (exists authorized_keys)
&then &do
   &set_string ANSWER &+
           (ask 'authorized_keys already exists, delete it?' &+
              '(yes,y)=yes (no,n)=no')
   &if &ANSWER& = yes
   &then &do
      delete_file authorized_keys -no_ask
      create_file authorized_keys
      &end
   &else &do
      remove_access authorized_keys -all
      give_access write authorized_keys -user &+
         (substr (user_name) 1 (calc (index (user_name) .) - 1))
      give_access read authorized_keys -user *.*
      &end
   &end
&else create_file authorized_keys
&
&
(master_disk)>system>openssl>bin>ssh-keygen -t dsa -N '' -f id_dsa
(master_disk)>system>openssl>bin>ssh-keygen -t rsa -N '' -f id_rsa
&
&
change_current_dir &CURRENT_DIR&
&
& personal_ssh_setup.cm ends here



This page was last modified on 10-11-26
Send comments and suggestions to ndav1@cox.net