Manual Chapter : Define SSH proxy public key authentication

Applies To:

Show Versions Show Versions

BIG-IP AFM

  • 15.0.0
Manual Chapter

Define SSH proxy public key authentication

Before you can define public key authentication in the SSH proxy configuration, you need to have password or keyboard authentication and the Real Server Auth Public Key configured.
Generate a public/private key pair, then configure tunnel keys for public key authentication to allow the SSH proxy to view tunnel traffic. Start on the BIG-IP system, then continue the task on the SSH client system.
  1. On the BIG-IP system command line, type
    ssh-keygen
    .
    The system outputs:
    Generating public/private rsa key pair. Enter file in which to save the key (/root/.ssh/id_rsa):
  2. Hit the
    Enter
    key to save the file.
    The system outputs:
    /root/.ssh/id_rsa already exists. Overwrite (y/n)?
  3. Type
    y
    to save the file.
    The system prompts for a passphrase.
    Enter passphrase (empty for no passphrase):
  4. Leave the passphrase and confirm passphrase fields blank, and hit
    Enter
    .
    The system outputs something like the following example. (The output will be different on your system.)
    Your identification has been saved in /root/.ssh/id_rsa. Your public key has been saved in /root/.ssh/id_rsa.pub. The key fingerprint is: 08:02:33:1a:8e:45:73:c0:eb:dc:fb:da:87:c5:2c:bf root@localhost.localdomain The key's randomart image is: +--[ RSA 2048]----+ |=o=.. | |+*.o | |o.... | | .. . . | | o . .oS | | o . . + | | . = | | ... o | | .oo.E. | +-----------------+
  5. Copy the key from
    id_rsa
    .
    This is your private key, which you will add to the SSH proxy configuration.
  6. On the Main tab, click
    Security
    Protocol Security
    Security Profiles
    SSH Proxy
    .
    The Protocol Security: Security Profiles: SSH Proxy screen opens.
  7. Click the name of the SSH proxy profile to edit.
    The SSH Profile screen opens.
  8. Click the
    Key Management
    tab.
  9. Click
    Add New Auth Info
    .
  10. In the
    Enter Auth Info Name
    field, type a name for the authentication info settings.
  11. In the
    Proxy Client Auth Private Key
    field, paste the private key you have generated. For private keys, the
    -----BEGIN RSA PRIVATE KEY-----
    and
    -----END RSA PRIVATE KEY-----
    headers/footers are required.
    Proxy Client Auth Public Key
    is an optional field that can be left blank because it is derived from the configured private keys.
  12. Click
    Add
    .
  13. Click
    Commit Changes to System
    .
  14. Next, log in to the SSH client system.
  15. On the SSH client system, generate a private/public key pair with the command
    ssh-keygen
    .
    The system outputs:
    Generating public/private rsa key pair. Enter file in which to save the key (/home/user1/.ssh/id_rsa):
  16. Click
    Enter
    or specify a different file location.
  17. Type and confirm a passphrase when prompted, or leave the fields blank to specify no passphrase.
    The system outputs something like the following example. This output will be different on your system:
    Your identification has been saved in /home/user1/.ssh/id_rsa. Your public key has been saved in /home/user1/.ssh/id_rsa.pub. The key fingerprint is: 25:26:7e:49:56:61:71:ca:23:ec:d1:49:6b:49:61:6b user1@Ubuntu-VM1 The key's randomart image is: +--[ RSA 2048]----+ | X+. | | . O B | | . O E | | . * O . | | . S | | . | | | | | | | +-----------------+
  18. On the backend SSH server, open the sshd configuration file (
    /etc/ssh/sshd_config
    ) and set the public key authentication to yes as follows:
    PubkeyAuthentication yes
  19. Specify a central authorized keys file by editing the AuthorizedKeysFile line as follows:
    AuthorizedKeysFile %h/.ssh/authorized_keys /etc/ssh/authorized_keys
    You can specify your own path and filename for the authorized keys file on the SSH server.
    Restart the SSH daemon on the SSH server.
  20. Copy the public key from the BIG-IP AFM system and paste it into the authorized keys file on the SSH server (for example,
    /etc/ssh/authorized_keys
    ). On the SSH server, paste the public key using the following commands (the file location and name may differ, and the public key is an example only).
    user1@Ubuntu-VM3:~$ vi /etc/ssh/authorized_keys ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAkCmU13s2/LVfm/eJ+HGesb8WeZ3A00iNX4S6ZDa7bOwb+f jpr8rCwt4fWw8U7VwPaeqE35odBW7LhwQUXg5zL1KdxgguILVI2i/cDSkPKcaQKcUIvG+BrpYj wky4T9tTKo2br+XQ92eWMh+xrVUwY4h2crpZxdng+YV+hUbqgJ+PHO4t0ozAYpgIul5C+2MTcN zMuEYxbZqWdtNFtceAywu4CYZBwAZ3mCJbfW1wtFo6DG85tIo3LuaGXpA10jav1cC2szEo0OKT 0HUPJzYfSQiU/jHQv7Becwc9L8bOC6CxryTvx3Uq/Zf0ONQHhsyasIxg2wrVwzhbI1ctSyZgww== root@localhost.localdomain
  21. Copy the public key from the client to the SSH server in one of two ways:
    1. Copy the public key you created on the client system and paste it into the user authorized keys file (for example
      /.ssh/authorized_keys
      ) using the following commands (the file location and name may differ, and the public key is an example only):
      user1@Ubuntu-VM3:~$ vi ~/.ssh/authorized_keys ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDSMcf/wX3YZQAg+/RxbqXvXpIPVvnugCOYJm uapYIze7Etc+192CB/zakmT3pKDyHHiVP1PwpP3jr99tY95llYg3p+A8nfv7+1UcwJYlS2EfYy 8qenb3Q4Mdtzrxr0AEjU/a4WXmGYd5h/ju5yRxQUt//q09PbxsEAf0qY05Tpax7R3rGl+15tf6 AI1a+poNGidfAAS1Pqc453qIXM1cp/PnOaKKzveQWBM2IIPenVxwdyX06Tn2OYBh4Rq4qUrt38 PyiYmKOYqQ/M4hD0R6/VLvF24i936uKfvBdkZcvePLGMpswQAteFzJA0JJjbWUIfvCYFCOLiFO IATUGe9Nxl user1@Ubuntu-VM1
    2. Alternatively, on the client system, you can issue the
      ssh-copy-id
      command to copy the public key generated on the client system to transparently copy it to the backend server by way of the BIG-IP system.
      For this to work, you need to have established a successful SSH connection from the client to the backend SSH server through the BIG-IP.
      ssh-copy-id -i ~/.ssh/id_rsa.pub user@<Virtual-Server-IP>
      For example,
      ssh-copy-id -i ~/.ssh/id_rsa.pub adminserver@10.2.2.140
When the SSH server is added to a pool on a virtual server, and the SSH profile is attached to the virtual server, the client should now be able to make an SSH connection to the SSH server using the virtual server address.