Manual Chapter : Define SSH proxy password or keyboard interactive authentication

Applies To:

BIG-IP AFM

  • 15.0.1, 15.0.0

Generate public/private RSA key pairs, then configure tunnel keys for password or keyboard interactive authentication to allow the SSH proxy to view tunnel traffic.
  1. On the BIG-IP system, type ssh-keygen.
    The system outputs:
    Generating public/private rsa key pair.
    Enter file in which to save the key (/root/.ssh/id_rsa):
  2. Hit the Enter key to save the file.
    The system outputs:
    /root/.ssh/id_rsa already exists. Overwrite (y/n)?
  3. Type y to save the file.
    The system prompts for a passphrase.
    Enter passphrase (empty for no passphrase):
  4. Leave the passphrase and confirm passphrase fields blank, and hit Enter.
    The system outputs something like the following example. The output will be different on your system:
    Your identification has been saved in /root/.ssh/id_rsa.
    Your public key has been saved in /root/.ssh/id_rsa.pub.
    The key fingerprint is:
    08:02:33:1a:8e:45:73:c0:eb:dc:fb:da:87:c5:2c:bf root@localhost.localdomain
    The key's randomart image is:
    +--[ RSA 2048]----+
    |=o=.. |
    |+*.o |
    |o.... |
    | .. . . |
    | o . .oS |
    | o . . + |
    | . = |
    | ... o |
    | .oo.E. |
    +-----------------+
  5. Copy the key from id_rsa including the -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- headers and footers.
    This is your private key, which you will add to the SSH proxy configuration.
  6. On the Main tab, click Security > Protocol Security > Security Profiles > SSH Proxy.
    The Protocol Security: Security Profiles: SSH Proxy screen opens.
  7. Click the name of the SSH proxy profile to edit.
    The SSH Profile screen opens.
  8. Click the Key Management tab.
  9. Click Add New Auth Info.
  10. In the Enter Auth Info Name field, type a name for the authentication info settings.
  11. In the Real Server Auth Public Key field, paste the Host public key from your backend server.
    Make sure not to include the trailing comment.
    The Real Server Auth key must not be commented out in your SSHD configuration. To make sure, on your backend SSH server, locate the file /etc/ssh/sshd_config, and make sure the line HostKey /etc/ssh/ssh_host_rsa_key is not commented out.
  12. In the Proxy Server Auth Private Key field, add the private key that was generated on the BIG-IP system.
    Include the -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- headers and footers.
    Leave the Proxy Server Auth Public Key field blank because the SSH proxy generates the public key from the private key.
  13. Click Add.
  14. When you are finished adding and editing rules, click Commit Changes to System.
The SSH proxy profile is saved to the system.
To use an SSH proxy profile with a virtual server, attach the profile to a virtual server.
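
The two backend-side checks from step 11 can be scripted. The following is an added example, not part of the F5 manual: it strips the trailing comment from a host public key and confirms that the HostKey line is active in an sshd_config. The function names are hypothetical and the sample files are constructed; on a real backend the inputs are assumed to be /etc/ssh/ssh_host_rsa_key.pub and /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not from the F5 manual. Function names are hypothetical and
# every file written below is a constructed sample, not real key material.

# Print key type and base64 blob only, dropping the trailing comment.
# Exits non-zero if line 1 does not look like an RSA public key.
strip_key_comment() {
    awk 'NR == 1 {
            if ($1 != "ssh-rsa" || $2 !~ /^[A-Za-z0-9+\/]+=*$/) exit 1
            print $1, $2
            ok = 1
         }
         END { exit !ok }' "$1"
}

# Succeed only if the sshd_config in $1 has an uncommented HostKey line for $2.
hostkey_enabled() {
    awk -v want="$2" '
        /^[ \t]*#/ { next }    # commented-out directives do not count
        tolower($1) == "hostkey" && $2 == want { found = 1 }
        END { exit !found }' "$1"
}

# Constructed sample inputs so the example runs offline.
sample=$(mktemp -d) || exit 1
printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABCONSTRUCTEDSAMPLE= root@backend.example' \
    > "$sample/ssh_host_rsa_key.pub"
printf '%s\n' '#HostKey /etc/ssh/ssh_host_rsa_key' \
    'HostKey /etc/ssh/ssh_host_ed25519_key' > "$sample/sshd_config.commented"
printf '%s\n' 'Port 22' 'HostKey /etc/ssh/ssh_host_rsa_key' \
    > "$sample/sshd_config.active"

echo "Value for Real Server Auth Public Key:"
strip_key_comment "$sample/ssh_host_rsa_key.pub"

for cfg in "$sample/sshd_config.commented" "$sample/sshd_config.active"; do
    if hostkey_enabled "$cfg" /etc/ssh/ssh_host_rsa_key; then
        echo "${cfg##*/}: HostKey /etc/ssh/ssh_host_rsa_key is active"
    else
        echo "${cfg##*/}: HostKey /etc/ssh/ssh_host_rsa_key is missing or commented out"
    fi
done
```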