Manual Chapter : Authenticate SSH Proxy with the server private key

Applies To:

BIG-IP AFM

  • 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0

Authenticate SSH Proxy with the server private key

This task is optional and only applies if the SSH virtual server IP address to which you attach the SSH Proxy profile has the same IP address as the backend SSH server. Clients connect directly to the backend SSH server address via the SSH proxy in the middle.
This task describes how to configure SSH proxy authentication when the virtual server on the BIG-IP system and the backend SSH server both have the same IP address. In this case, both the BIG-IP system and the SSH server can use the same keys instead of generating a new set of keys on the BIG-IP system. This prevents clients from having to authenticate when making an SSH connection to the backend SSH server. To do this, you can use the private keys from the backend server and use them as the Proxy Server Auth Private Key in the SSH proxy configuration on the BIG-IP system.
  1. On the Main tab, click Security > Protocol Security > Security Profiles > SSH Proxy.
    The Protocol Security: Security Profiles: SSH Proxy screen opens.
  2. Click the name of the SSH proxy profile to edit, or create a new one.
    The SSH Profile screen opens.
  3. Click the Key Management tab.
  4. Click Add New Auth Info.
  5. In the Edit Auth Info Name field, type a name for the authentication info settings.
    • To edit an existing rule, click the name of the rule. For example, click Default Actions to edit the default rule for a profile.
    • To add a new rule, click Add New Rule. A new line is added to the list of rules. Add a name to the rule to begin editing.
  6. In the Real Server Auth Public Key field, paste the host public key from your backend server.
    The real server auth key must not be commented out in your sshd configuration. To make sure, on your backend SSH server, locate the file /etc/ssh/sshd_config, and make sure the line HostKey /etc/ssh/ssh_host_rsa_key is not commented out.
  7. Get the private key from the backend SSH server.
    For example, on the SSH backend server, at the following prompt, the admin uses the specified command to get the SSH server private key:
    admin@Ubuntu-VM3:~$ sudo cat /etc/ssh/ssh_host_rsa_key
    The output of this command is the private key.
  8. Paste the private key into the Proxy Server Auth Private Key field.
  9. Click Add.
  10. When you are finished adding and editing rules, click Commit Changes to System.
The SSH proxy profile is saved to the system.
To use an SSH proxy profile with a virtual server, attach the profile to a virtual server on the Properties page, in the Configuration (Basic) settings.
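
A check to run on the backend SSH server before steps 6 to 8, added here as an example (it is not from the F5 manual): hostkey_state reports whether the HostKey line is active, commented out or absent in an sshd_config, and keypair_matches confirms that a public key file belongs to the private key file being used. The function names and the sample configuration are constructed for illustration; keypair_matches assumes OpenSSH's ssh-keygen is installed.

```shell
#!/bin/sh
# Added example, not F5 code. Function names are hypothetical.

# hostkey_state CONFIG KEYPATH  (CONFIG may be "-" for stdin)
# Prints "active", "commented" or "absent" for the HostKey line naming KEYPATH.
hostkey_state() {
    awk -v key="$2" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)            # ignore leading whitespace
            commented = (line ~ /^#/)
            sub(/^#+[ \t]*/, "", line)          # look behind the comment marker
            n = split(line, f, /[ \t]+/)
            # sshd_config keywords are case-insensitive; paths are not
            if (n >= 2 && tolower(f[1]) == "hostkey" && f[2] == key) {
                if (commented) seen_commented = 1; else seen_active = 1
            }
        }
        END {
            if (seen_active) print "active"
            else if (seen_commented) print "commented"
            else print "absent"
        }' "$1"
}

# keypair_matches PRIVATE_KEY_FILE PUBLIC_KEY_FILE
# Returns 0 when the public key derived from the private key equals the
# key type and base64 body in PUBLIC_KEY_FILE (comment field ignored).
keypair_matches() {
    derived=$(ssh-keygen -y -f "$1" 2>/dev/null) || return 2
    derived=$(printf '%s\n' "$derived" | awk '{print $1, $2; exit}')
    given=$(awk '{print $1, $2; exit}' "$2")
    [ -n "$given" ] && [ "$derived" = "$given" ]
}

# Constructed sample sshd_config fragment (not from a real host).
sample_config() {
    cat <<'EOF'
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
  hostkey   /etc/ssh/ssh_host_ed25519_key
EOF
}

# Demo on the constructed sample: prints "commented"
sample_config | hostkey_state - /etc/ssh/ssh_host_rsa_key
```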