Terminal Emulation & Transformation Community

VT Public-key Authentication using Secure Shell in Host On-Demand

4/8/2021

The Secure Shell (SSH) is a protocol for conducting a secure session over a non-secure network. Host On-Demand supports SSH for VT Display sessions and File Transfer (sftp) sessions.

Public-Key Authentication

Public-key authentication is a way of logging into an SSH/SFTP account using a cryptographic key rather than a password. If you use very strong SSH/SFTP passwords, your accounts are already safe from brute force attacks. However, using public-key authentication provides many benefits when working with multiple developers. For example, with SSH keys you can:
  • Allow multiple developers to log in as the same system user without having to share a single password between them.
  • Revoke a single developer's access without revoking access to other developers.
  • Make it easier for a single developer to log in to many accounts without needing to manage many different passwords.
[Figure: typical authentication flow when public-key authentication is enabled]
In Host On-Demand there are 3 types of authentication for VT Display:
  • Password Authentication
  • Keyboard-interactive Authentication
  • Public-key Authentication

By default, keyboard-interactive and password authentications are always enabled. The reason is that keyboard-interactive and password authentications are used when public-key authentication fails or when public-key authentication is not enabled.
 
How to enable Public-key Authentication for VT Display using SSH
Host On-Demand supports connecting to a host that has public-key authentication enabled. To enable this feature, the Host On-Demand administrator sets "Enable" to YES by clicking the radio button next to it in the SSH panel while configuring the session, and provides a KeyStore File Path, KeyStore File Password, Public-key Alias, and Public-key Alias Password.
Steps to follow in configuring a VT Display session for SSH client authentication using a public-key
 
Here is a preview of the steps to follow in configuring a VT Display session for SSH client authentication using a public-key:
 
  1. Use the keytool (a program distributed with Host On-Demand) to generate a public-private key pair. (This tool stores both keys of the pair as an entry in a file called a keystore.)
  2. Use the Export Public-key utility (integrated into the SSH configuration window of the VT Display session configuration) to extract the public-key from the keystore into a separate file.
  3. Configure the SSH server with the public-key.
  4. Copy the keystore containing the public-private key pair to the workstation for the SSH client.
  5. Configure the SSH configuration window for client authentication using a public-key.
 
1. Steps to create a Java keystore certificate using the Java keytool
Use the keytool to generate a public-private key pair. (This tool stores both keys of the pair as an entry in a file called keystore.)
  1. Open the Java bin directory in a command prompt.
  2. To generate a certificate, use the command below.
       C:\Program Files\Java\jre1.8.0_221\bin>keytool -genkey -alias mykey -keyalg RSA -keystore "C:\Users\Admin\.ssh\vtclient.jks"
  3. When prompted, enter the keystore password and the key password for <mykey>; both are user-defined when the certificate is created.
  4. Note the certificate location, for example "C:\Users\Admin\.ssh\vtclient.jks".

2. How to extract the public-key from the KeyStore
Use the Export Public-key utility (integrated into the SSH configuration window of the VT Display session configuration) to extract the public-key from the keystore into a separate file.

  • Provide a KeyStore File path by using the Select File option and enter KeyStore Password and Public-key Alias Password.
  • Extract the public-key by using the Export Public-key option.
The Destination input field contains the path and file name of the output file that is to contain the exported public-key. In the example screenshot the path is C:\Users\**** and the file name is id_dsa.pub.
The Use OpenSSH Format checkbox determines the format of the extracted public-key.
  • If the checkbox is checked then the format is OpenSSH format.
  • If the checkbox is not checked then the format is the SSH Public-key File Format.
 
Check with your system administrator to determine which format your SSH server requires. If necessary, generate a public-key in each of the 2 formats, then try each on the host to see which format works with the SSH client.
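To make the difference between the two export formats concrete, the following added example (not part of the original post and not Host On-Demand code) reads a public-key file in either format and returns a single OpenSSH-style line, checking that the key type stored inside the blob matches what the file declares. It assumes the SSH Public-key File Format is the RFC 4716 layout; the function names are hypothetical and the sample key is a constructed dummy, not a usable key.

```python
import base64
import textwrap

BEGIN, END = "---- BEGIN SSH2 PUBLIC KEY ----", "---- END SSH2 PUBLIC KEY ----"

def ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': uint32 big-endian length, then the bytes."""
    return len(data).to_bytes(4, "big") + data

def embedded_key_type(b64: str) -> str:
    """Decode the blob and read the algorithm name stored at its start."""
    blob = base64.b64decode(b64, validate=True)
    n = int.from_bytes(blob[:4], "big")
    if len(blob) < 4 or n == 0 or 4 + n > len(blob):
        raise ValueError("malformed key blob")
    return blob[4:4 + n].decode("ascii")

def to_authorized_keys_line(text: str) -> str:
    """Accept either export format; return '<type> <base64> [comment]'."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty key file")
    if lines[0] != BEGIN:                      # OpenSSH one-line format
        declared, b64, *rest = lines[0].split(None, 2)
        if embedded_key_type(b64) != declared:
            raise ValueError("declared key type does not match blob")
        return " ".join([declared, b64, *rest])
    if lines[-1] != END:
        raise ValueError("missing END marker")
    comment, body, it = "", [], iter(lines[1:-1])
    for ln in it:
        if ":" not in ln:                      # base64 never contains ':'
            body.append(ln)
            continue
        while ln.endswith("\\"):               # header continued on next line
            ln = ln[:-1] + next(it, "")
        tag, value = ln.split(":", 1)
        if tag.lower() == "comment":
            comment = value.strip().strip('"')
    b64 = "".join(body)
    return " ".join(p for p in (embedded_key_type(b64), b64, comment) if p)

# Constructed sample: a structurally valid ssh-rsa blob with a dummy modulus.
SAMPLE_BLOB = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(b"\x00" + b"\xc3" * 64)
SAMPLE_B64 = base64.b64encode(SAMPLE_BLOB).decode()
SAMPLE_RFC4716 = "\n".join([BEGIN, 'Comment: "mykey from vtclient.jks"',
                            *textwrap.wrap(SAMPLE_B64, 70), END])
SAMPLE_OPENSSH = f"ssh-rsa {SAMPLE_B64} mykey from vtclient.jks"
```

Both sample inputs normalise to the same line, so a file exported with or without the checkbox can be compared before it is handed to the server administrator.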
 
  • Open id_dsa.pub and check the Public-key format as shown below:
  • Restart the SSH service on the server with the command: sudo systemctl restart sshd.service
5. Configure the SSH configuration window for client authentication using a public-key.
The final step is to configure the SSH configuration window for client authentication using a public-key. To perform this step, type the appropriate values into the input fields of the Public-key Authentication group in the SSH configuration window.

Using the Communication option, click the Select Security option to check the authentication type in use.
For more information, see the link below.
 
https://www.ibm.com/support/knowledgecenter/en/SSS9FA_12.0.0/com.ibm.hod.doc/tutorials/ssh/ssh-pk00.html

Author

CMP Sowmya
Software Engineer – HCL Software

 