Using ssh private keys to authenticate to SGD application servers

Jan-OracleMay 3 2019 — edited Feb 26 2020

One of the new features of SGD since version 5.4 is the ability to use SSH keys for authenticating to third-tier application servers.

The SGD clients (tcc and HTML5) only accept RSA keys, and the format of the key file matters: only PEM format keys are accepted.

Recent versions of OpenSSH on Linux and Mac OS X create keys in the OpenSSH format, which the tcc does not understand. Therefore, specify the correct format when generating SSH keys with the ssh-keygen command:

$ ssh-keygen -m PEM -f my_new_key

If you generated SSH keys in the OpenSSH format (the private key file starts with -----BEGIN OPENSSH PRIVATE KEY-----), the key can be converted to PEM with the following command. In the example I generate an SSH key with the pass phrase "test", then change the pass phrase and specify the format with -m PEM:

$ ssh-keygen -f test -P "test"
Generating public/private rsa key pair.
Your identification has been saved in test.
Your public key has been saved in test.pub.
The key fingerprint is:
SHA256:e11NmiHr0mAX8SZWKhzV3hAkUAp4s+b+XP+TtWePZrU jhm@macpro.local
The key's randomart image is:
+---[RSA 2048]----+
|       .. o+=o+. |
|      . oo o *o  |
|       . o+ *.+o.|
|        o  o *.*.|
|       oS o o + .|
|        .o * .  o|
|       .. o =  .=|
|        .o o .oEo|
|         .o  ooo*|
+----[SHA256]-----+
$ head test
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABAsZUINtg
DP6DmlQB0nf5WaAAAAEAAAAAEAAAEXAAAAB3NzaC1yc2EAAAADAQABAAABAQDCGVMKf0C0
ZodppYHR8C0Ps6XcNwQHblJFCfAQ1pk2lAs7YZ0XK7vbPL7CBYggrd2z2mt2TfgdCVt0Dk
6wkw1LH3tlve4NZW0GPMEvgaO9dBD3FZQFjUZFkzcIrqVrIwoyX88xVwOJx8ZF2TVrtX9p
vJatlE9DyPhJz2LuGV1SVCXUjVcR2Fb8X4YzI7e/OcJy0jaFnqnjUCTQojJIEWvVx8bPTI
N6dTA5De8R8mhUER0dbiDv4eHyzlc0d8JvKhtzSTbPUI2skAjZS36w++iFPYnaXmAyiUdl\
$ ssh-keygen -p -f test -m PEM -P "test" -N "test2"
Key has comment 'jhm@macpro.local'
Your identification has been saved with the new passphrase.
$ head test
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0056B24BBA34CA5B549EA03365FF1847
W8c0aa2cttecD3kB9Fn7sbnHQydYPQe2ZrSiIx4QlGU5LfsKnSrpl01IXeAoADOr
v3IBozxOrFaY2pbMzW4GBKG3gOO0Vwe6ie4hfEJTEog++PBv3P0oGudDOVL8ERDN
+LzVzLq3yrYXaa9U6BJy3nWyjkknnQTi2ZLIKUfSpmy70EHTH4/qToeK5G8yfJHz
gUYQTdcGPf6JmW1e3vpJZ8JsVsc+ar+PIv9+FJR2RwTpY9PtY6CEFM/yTnx7JSpd
xrqj24V3GZe8lTRsQowgpOil6Kiwl96CiYvA3b14dPpuYfuSehH7AKR2vIhKKkQD
U4zTs8d9HeIaXKoSy3d/pEIsCLY86myGTrT71mNKMFGFSDPx8vYlmAszTUXEZEZd
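As an added example (not part of the original post), a small POSIX shell script that classifies a private key by its PEM header, reports whether it is in the PEM RSA form the SGD clients accept, and wraps the ssh-keygen -p -m PEM conversion shown above. The function names (key_format, sgd_ready, convert_to_pem, make_samples) are hypothetical names of my own, and the sample files contain constructed headers only, not real keys.

```shell
#!/bin/sh
# Added example (not from the post): check an SSH private key's format before
# handing it to the SGD client, and wrap the ssh-keygen conversion the post shows.

# Print the key's format: openssh, pem-rsa, pem-rsa-encrypted, other, or unknown.
key_format() {
    case "$(head -n 1 "$1")" in
        "-----BEGIN OPENSSH PRIVATE KEY-----") echo openssh ;;
        "-----BEGIN RSA PRIVATE KEY-----")
            # A passphrase-protected legacy PEM key carries Proc-Type/DEK-Info headers.
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
                echo pem-rsa-encrypted
            else
                echo pem-rsa
            fi ;;
        "-----BEGIN EC PRIVATE KEY-----"|"-----BEGIN DSA PRIVATE KEY-----") echo other ;;  # not RSA
        *) echo unknown ;;
    esac
}

# Succeed only when the key is PEM RSA, the only form the tcc and HTML5 clients accept.
sgd_ready() {
    case "$(key_format "$1")" in
        pem-rsa|pem-rsa-encrypted) return 0 ;;
        *) return 1 ;;
    esac
}

# Rewrite an OpenSSH-format key in place as PEM (ssh-keygen -p -m PEM, as in the post).
# ssh-keygen prompts for the old and new passphrase; the legacy PEM passphrase
# protection is weaker than OpenSSH's bcrypt KDF, so choose a strong new passphrase.
convert_to_pem() {
    if [ "$(key_format "$1")" != openssh ]; then
        echo "$1: not an OpenSSH-format key, nothing to convert" >&2
        return 1
    fi
    ssh-keygen -p -f "$1" -m PEM
}

# Constructed sample files carrying only the headers (hypothetical, not real keys).
make_samples() {
    printf '%s\n%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'CONSTRUCTED-SAMPLE-NOT-A-KEY' > "$1/openssh_key"
    printf '%s\n%s\n%s\n%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-128-CBC,00000000000000000000000000000000' 'CONSTRUCTED-SAMPLE-NOT-A-KEY' > "$1/pem_key"
    printf '%s\n%s\n' '-----BEGIN EC PRIVATE KEY-----' 'CONSTRUCTED-SAMPLE-NOT-A-KEY' > "$1/ec_key"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for k in "$demo_dir"/*; do printf '%s: %s\n' "$(basename "$k")" "$(key_format "$k")"; done
rm -rf "$demo_dir"
```

Run key_format on the key file before uploading it to SGD; only a pem-rsa or pem-rsa-encrypted result means no conversion is needed.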

Overall, the use of SSH keys can be controlled by a global configuration setting. The following command turns off SSH key authentication system-wide:

# /opt/tarantella/bin/tarantella config edit --tarantella-config-execpeconfig-usesshkeys 0

Additionally, there is a new application server attribute, sgdpermittedauthtypes. It can only be set from the command line and is an ordered list:

  • Default value: empty/missing
  • Other values: password sshkeys

It is used as a hint for the preferred authentication type on a server. Ultimate control lies in the configuration of the SSH daemon on the application server:

# /opt/tarantella/bin/tarantella object edit --name o=appservers/cn=some_application_server --sgdpermittedauthtypes password,sshkeys
