Manual Chapter : Authenticate SSH Proxy with the server private key

Applies To:

Show Versions Show Versions

BIG-IP AFM

  • 15.0.0
Manual Chapter

Authenticate SSH Proxy with the server private key

This task is optional and only applies if the SSH virtual server IP address to which you attach the SSH Proxy profile has the same IP address as the backend SSH server. Clients connect directly to the backend SSH server address via the SSH proxy in the middle.
This task describes how to configure SSH proxy authentication when the virtual server on the BIG-IP system and the backend SSH server both have the same IP address. In this case, both the BIG-IP system and the SSH server can use the same keys instead of generating a new set of keys on the BIG-IP system. This prevents clients from having to authenticate when making an SSH connection to the backend SSH server. To do this, you can use the private keys from the backend server and use them as the Proxy Server Auth Private Key in the SSH proxy configuration on the BIG-IP system.
  1. On the Main tab, click
    Security
    Protocol Security
    Security Profiles
    SSH Proxy
    .
    The Protocol Security: Security Profiles: SSH Proxy screen opens.
  2. Click the name of the SSH proxy profile to edit, or create a new one.
    The SSH Profile screen opens.
  3. Click the
    Key Management
    tab.
  4. Click
    Add New Auth Info
    .
  5. In the
    Edit Auth Info Name
    field, type a name for the authentication info settings.
    • To edit an existing rule, click the name of the rule. For example, click
      Default Actions
      to edit the default rule for a profile.
    • To add a new rule, click
      Add New Rule
      . A new line is added to the list of rules. Add a name to the rule to begin editing.
  6. In the
    Real Server Auth Public Key
    field paste the Host public key from your backend server.
    The real server auth key must not be commented out in your sshd configuration. To make sure, on your backend SSH server, locate the file
    etc/ssh/sshd_config
    , and make sure the line
    HostKey /etc/ssh/ssh_host_rsa_key
    is not commented out.
  7. Get the private key from the backend SSH server.
    For example, on the SSH backend server, at the following prompt, the admin uses the specified command to get the SSH server private key:
    admin@Ubuntu-VM3:~$
    sudo cat /etc/ssh/ssh_host_rsa_key
    The output of this command is the private key:
    -----BEGIN RSA PRIVATE KEY----- MIIEowIBAAKCAQEAs4kusmrz6RbkYyz/Yc0YhAXFYCw8p6FqjTLsAqzkRJEog6lq hUa8nRQhsumdVsMCbgzCMOYd7CLqrTqO/M3eqQWm16Y9EC1Mi7RsfNDnt7yJ6cMb xtv2F/Smho6H5GrGSfrTqqDnuULHJ1GK+yMOghLqNnQVSGci/6NSMk7w3y/Pslzu Lz82nZi9IL1dReen3kVbAhdB1K4VsHa0OgqSKV+mnLGNB2sq4Thj5lReKkc+3y8k hyeV0M+SClyUTRyRG18drYldU7kJYc/IDjKjKdiIkqsig3FE5NjstHz2JDQFj5Yn 6uxqZWJIrfORC+VAoLR3+fea6omzkCVhQAMxxQIDAQABAoIBAHTx2cIMGr7s022q hNtu3hY5MBz6E7RZV2+MCOGhPrtPFmXUt/cCYZ+r2luRApTeR7npg6CYdEs5X0Xh S/xuGShd7xSvSz07VI33w2b2KMms/OSQ24oIA2ANU194fhoSVwEfajrNvsMVNWZu HiqB5lRh/7/ik25rCAgemU79zraBdYC5FMzlMnl2TRrxlT0NjGtaniH+wpkZm1x6 S/evuvaJOYWhp8tarMQDcfPi0HNU4+agwRxrCcGNqei7nROTvXjVmsqxrcHGKCdF 4LdJyPJ6KYjtm0IcEYzKAFY3+haeX7ico3vRjSNSfMQwJbcJDMgoQpf44dFf9Jht fEIuHUECgYEA4nwySeehTVftHxg3iv1Azy6FGT5q4KwXktA4G3fMjUmjjDQ2NAx0 VxlSEOU5sH2au8b19s/rOPsPjvYBYRAp8s+JD5BVVnfiJ/pcK8d+ws9gB65V0c3X /ly3Gvz/He8B//CaaGCJOfzlmP4KKwfD3KzHw6+LJHEIdTHjQCMRnvUCgYEAyu60 WDEUpZf3dlOcfpTwaDdKtaHMOCQPH5LMD1vZAQdD1Gts20rEgDp8iKf/jXbo8/uA HfR5jz89AgDygIlWO15an710W8DrhCBYvRP44X9KcQeZlqJswDiOc5tRApunrac1 fEPaJ7OTdLElyA7GuZlIJVkgCLfyDodohewb5ZECgYBfLVwgzLNvglTGrXGh+h2D M4SBgEZ/1jIt40zA1k5izaBqKgLhSp6Vf7GKIhplPdOJt+njZ6rtDiySonUf6iAG xwpNPRVvuf+TV1Xmm/Z8PZOYhr3P5lYvsZzNPaakWK2Zde4dkPv6H3oJGjEBtkir 8vwcEyhBDzNDtMxQRqyABQKBgQCmSsVuH4oTyFv4kruC3vnB7M1D2bpHpwTdkqW1 UEabGSD0SLODX9l2WncCZOh9PBvZExcBdPzH7cJIig4uVlxbeg45KD7ZkVVtiDQv fNZNssmFpfyt+5uySKYzBet0f6kAHC0wD0oNjpIe5atYLQObw4fjUw11F4c7cKqu U7TogQKBgFUu0Q5FLxaNNV1p9hNTCU+KDGN/kIe5K+8aJ08TpYhTSFSzgV2k47av xCzTcSufjcZIpjNiGuwmT+spiwoPYqP+AdXKWWcxNfC4ahBfi7ROP6xSriCkzsYv ZFhMHDfIjDAGDFmHI5v9Gcjxt+iFLdiDV9Pzv1XFDKd5yfJNfmGd -----END RSA PRIVATE KEY-----
  8. Paste the private key into the
    Proxy Server Auth Private Key
    field.
  9. Click
    Add
    .
  10. When you are finished adding and editing rules, click
    Commit Changes to System
    .
The SSH proxy profile is saved to the system.
To use an SSH proxy profile with a virtual server, attach the profile to a virtual server on the Properties page, in the
Configuration (Basic)
settings.