5.3 Secure Shell

Use the Secure Shell panel to manage the public and private keys needed for secure shell (SSH) connections.

5.3.1 Known Hosts List

The known hosts list contains the public keys of hosts that the terminal emulator can connect to using secure shell. When an SSH connection is negotiated, the client authenticates the host against a list of known hosts.

The known hosts list on the Management and Security Server can be used by all clients, similar to the default user key pair. The table displays the hosts that are known.

To add a host to the list of known hosts, import a file that contains the host's public key.

  1. In the /etc/ssh directory, locate the file that contains the public key, such as ssh_host_<algorithm>_key.pub.

    The file format can be OpenSSH, Base64-encoded .DER, or .PFX.

  2. Add hostname,ip if the file does not already contain that information.

    That is, make sure the line has the form hostname,ip algorithm key. For example:

    mySSHhost,10.10.1.1 ssh-rsa AAAAB3NzaB1yc2EAAAABIwAAAIEA0WR3aIRtilXquUmXtxw5oi3rMkhY9jw/lV03WvUNvSb/xQnIfoMeserY5DfU8+eqUPzLX0efJMik22VFAzFo+ZCOnlHbj39yNi2a1/7dAJYECaHo7pxhILHAZxXbwOpWSms3aaccWOOEA+Fyzv8DpppQ9WrpD/fWVvXWNGR22sU=

  3. Copy the key file into this directory on Management and Security Server:

    Unix: /var/opt/microfocus/mss/mssdata/certificates

    Windows: C:\ProgramData\Micro Focus\MSS\MSSData\Certificates

  4. On the Secure Shell panel, under Known Hosts List, click + IMPORT.

  5. Enter the required information:

    • File name: the name of the file with the host’s public key that you copied (step 2).

    • Public key file password: if required.

    • Host name: as specified in the public key file. The name you enter must exactly match the hostname in the public key. For example, if the hostname in the key is hostname.example.com, and you enter hostname, the import will not work.

    • Host IP address: as specified in the public key file, if present. If there is no IP address in the public key file, leave this field blank.

  6. Click IMPORT.

    This host now displays in the Known Hosts List.

5.3.2 Shared User Key Pair

A user key pair is a public and private key used to authenticate a web-based client to a secure shell host. Although each user typically has unique keys, a key pair can be shared among users.

To share a user key pair, choose one of these methods:

+ GENERATE

The generated user key pair will be stored on the Management and Security Server and automatically deployed to Reflection for the Web clients.

To generate a key pair, enter the required information:

  • Key algorithm: RSA (the default) or DSA

  • Encryption key length: the size of the public and private keys. Longer keys are more secure but may take more time to generate.

When you click APPLY, the key pair is created in the MSSData/trustedcerts folder as sshclient.bcfks, and the details are displayed in this panel.

+ IMPORT

A public key and its associated private key can be imported as a pair from a local workstation.

To import a key pair to the Management and Security Server:

  1. Copy the key pair file or files to the certificates directory on the Management and Security Server:

    UNIX: /var/opt/microfocus/mss/mssdata/certificates

    Windows: C:\ProgramData\Micro Focus\MSS\MSSData\Certificates

  2. Enter the File name.

    • If the keys are in OpenSSH format files, enter the name of the private key file. The public key must be in a file with the same name and a .pub extension.

    • If the keys are in a .PFX format file, enter the file name.

  3. Enter the Password that protects the private key. If the file is not protected, leave this field blank.

  4. If the file contains multiple certificates, enter the Friendly name of the one associated with the desired key pair. Otherwise, leave this field blank.

  5. Click IMPORT. The key pair file is created in the MSSData/trustedcerts folder, and the details are displayed on this panel.

EXPORT

You can export the shared user public key or key pair to an OpenSSH or secssh format file.

Specify a file name for export; for example, id_rsa. The public key is written to a file with this name and a .pub extension. If you select it for export, the private key is written to the file with this name (no extension).

The file or files are written to this folder on the Management and Security Server:

UNIX: /var/opt/microfocus/mss/mssdata/certificates

Windows: C:\ProgramData\Micro Focus\MSS\MSSData\Certificates

Check or enter the required information.

  • Export the private key with the public key - otherwise, only the public key is exported.

  • Overwrite existing file(s) - if other key files exist with the name.

  • Key file name - a name for the file that will be created by the export operation.

    Enter the name for the private key (the file name with no extension) even if you are exporting only the public key.

  • Private key passphrase (optional) - if you are exporting the private key, you can protect it with a password you enter here.

    Note: The password does not apply to the public key.

Shared User Key Pair Details

  • Public Key Algorithm - the algorithm used to generate the shared user key pair.

  • Public Key Fingerprint (SHA-1) - A message digest of the public key made using the SHA-1 algorithm. The fingerprint can be used by a client to validate the public key.

  • Public Key Fingerprint (MD5) - A message digest of the public key made using the MD5 algorithm.
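The `hostname,ip algorithm key` layout required in steps 1 and 2 of the Known Hosts procedure, and the fingerprints listed in these details, as an added example in Python (not Micro Focus product code): it builds a constructed toy ssh-rsa key, checks a line before it is imported, and computes SHA-1, MD5 and SHA-256 digests of the key blob. The function names, the toy modulus and the hex/colon fingerprint layouts are assumptions, not the panel's own.

```python
# Added example, not product code: pre-import check of a "hostname,ip algorithm key" line.
import base64, hashlib, ipaddress, struct

def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data  # SSH string: 4-byte BE length + bytes

def encode_rsa_public_key(e: int, n: int) -> str:
    """Base64 body of an OpenSSH ssh-rsa key: string 'ssh-rsa', mpint e, mpint n."""
    def mpint(v):  # leading zero byte whenever the high bit is set, so the value stays positive
        return _ssh_string(v.to_bytes((v.bit_length() + 8) // 8, "big"))
    return base64.b64encode(_ssh_string(b"ssh-rsa") + mpint(e) + mpint(n)).decode()

def fingerprints(b64_key: str) -> dict:
    """Digests of the decoded blob (hex/colon layout is an assumption, not the panel's)."""
    blob = base64.b64decode(b64_key, validate=True)
    return {
        "SHA-1": hashlib.sha1(blob).hexdigest(),
        "MD5": ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest()),
        "SHA-256": base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("="),
    }

def check_known_host_line(line: str) -> list:
    """Return the problems found; an empty list means the line has the expected layout."""
    fields = line.split()
    if len(fields) < 3:
        return ["expected 'hostname,ip algorithm key'"]
    hosts, algorithm, b64_key = fields[:3]
    problems, names = [], hosts.split(",")
    if len(names) < 2:  # step 2 of the procedure: hostname AND ip must both be present
        problems.append("host field lacks ',ip'")
    else:
        try:
            ipaddress.ip_address(names[1])
        except ValueError:
            problems.append(f"{names[1]!r} is not an IP address")
    try:
        blob = base64.b64decode(b64_key, validate=True)
    except ValueError:
        return problems + ["key is not valid base64"]
    # The blob's first SSH string names the key type; it must match the declared algorithm.
    type_len = struct.unpack(">I", blob[:4])[0] if len(blob) >= 4 else None
    if type_len is None or len(blob) < 4 + type_len:
        return problems + ["key blob is truncated"]
    embedded = blob[4:4 + type_len].decode("ascii", "replace")
    if embedded != algorithm:
        problems.append(f"declared {algorithm!r} but blob contains {embedded!r}")
    return problems

SAMPLE_KEY = encode_rsa_public_key(65537, (1 << 100) + 12345)  # constructed toy modulus, not a real key
SAMPLE_LINE = f"mySSHhost,10.10.1.1 ssh-rsa {SAMPLE_KEY}"       # constructed line in the step 2 layout
```

Comparing the SHA-256 value with the one the host administrator reports out of band is the check that matters; the MD5 and SHA-1 values are shown only because that is what the panel lists.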

Related Topics