Manual Chapter :
Define SSH proxy
public key authentication
Applies To:
Show VersionsBIG-IP AFM
- 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0
Define SSH proxy
public key authentication
Before you can define public key authentication in the SSH proxy configuration, you
need to have password or keyboard authentication and the Real Server Auth Public Key
configured.
Generate a public/private key pair, then configure
tunnel keys for public key authentication to allow the SSH proxy to view tunnel traffic.
Start on the BIG-IP system, then continue the task on the SSH client system.
- On the BIG-IP system command line, typessh-keygen.The system outputs:Generating public/private rsa key pair. Enter file in which to save the key (/root/.ssh/id_rsa):
- Hit theEnterkey to save the file.The system outputs:/root/.ssh/id_rsa already exists. Overwrite (y/n)?
- Typeyto save the file.The system prompts for a passphrase.Enter passphrase (empty for no passphrase):
- Leave the passphrase and confirm passphrase fields blank, and hitEnter.The system outputs something like the following example. (The output will be different on your system.)Your identification has been saved in /root/.ssh/id_rsa. Your public key has been saved in /root/.ssh/id_rsa.pub. The key fingerprint is: 08:02:33:1a:8e:45:73:c0:eb:dc:fb:da:87:c5:2c:bf root@localhost.localdomain The key's randomart image is: +--[ RSA 2048]----+ |=o=.. | |+*.o | |o.... | | .. . . | | o . .oS | | o . . + | | . = | | ... o | | .oo.E. | +-----------------+
- Copy the key fromid_rsa.This is your private key, which you will add to the SSH proxy configuration.
- On the Main tab, click.The Protocol Security: Security Profiles: SSH Proxy screen opens.
- Click the name of the SSH proxy profile to edit.The SSH Profile screen opens.
- Click theKey Managementtab.
- ClickAdd New Auth Info.
- In theEnter Auth Info Namefield, type a name for the authentication info settings.
- In theProxy Client Auth Private Keyfield, paste the private key you have generated. For private keys, the-----BEGIN RSA PRIVATE KEY-----and-----END RSA PRIVATE KEY-----headers/footers are required.Proxy Client Auth Public Keyis an optional field that can be left blank because it is derived from the configured private keys.
- ClickAdd.
- ClickCommit Changes to System.
- Next, log in to the SSH client system.
- On the SSH client system, generate a private/public key pair with the commandssh-keygen.The system outputs:Generating public/private rsa key pair. Enter file in which to save the key (/home/user1/.ssh/id_rsa):
- ClickEnteror specify a different file location.
- Type and confirm a passphrase when prompted, or leave the fields blank to specify no passphrase.The system outputs something like the following example. This output will be different on your system:Your identification has been saved in /home/user1/.ssh/id_rsa. Your public key has been saved in /home/user1/.ssh/id_rsa.pub. The key fingerprint is: 25:26:7e:49:56:61:71:ca:23:ec:d1:49:6b:49:61:6b user1@Ubuntu-VM1 The key's randomart image is: +--[ RSA 2048]----+ | X+. | | . O B | | . O E | | . * O . | | . S | | . | | | | | | | +-----------------+
- On the backend SSH server, open the sshd configuration file (/etc/ssh/sshd_config) and set the public key authentication to yes as follows:PubkeyAuthentication yes
- Specify a central authorized keys file by editing the AuthorizedKeysFile line as follows:AuthorizedKeysFile %h/.ssh/authorized_keys /etc/ssh/authorized_keysYou can specify your own path and filename for the authorized keys file on the SSH server.Restart the SSH daemon on the SSH server.
- Copy the public key from the BIG-IP AFM system and paste it into the authorized keys file on the SSH server (for example,/etc/ssh/authorized_keys). On the SSH server, paste the public key using the following commands (the file location and name may differ, and the public key is an example only).user1@Ubuntu-VM3:~$ vi /etc/ssh/authorized_keys ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAkCmU13s2/LVfm/eJ+HGesb8WeZ3A00iNX4S6ZDa7bOwb+f jpr8rCwt4fWw8U7VwPaeqE35odBW7LhwQUXg5zL1KdxgguILVI2i/cDSkPKcaQKcUIvG+BrpYj wky4T9tTKo2br+XQ92eWMh+xrVUwY4h2crpZxdng+YV+hUbqgJ+PHO4t0ozAYpgIul5C+2MTcN zMuEYxbZqWdtNFtceAywu4CYZBwAZ3mCJbfW1wtFo6DG85tIo3LuaGXpA10jav1cC2szEo0OKT 0HUPJzYfSQiU/jHQv7Becwc9L8bOC6CxryTvx3Uq/Zf0ONQHhsyasIxg2wrVwzhbI1ctSyZgww== root@localhost.localdomain
- Copy the public key from the client to the SSH server in one of two ways:
- Copy the public key you created on the client system and paste it into the user authorized keys file (for example/.ssh/authorized_keys) using the following commands (the file location and name may differ, and the public key is an example only):user1@Ubuntu-VM3:~$ vi ~/.ssh/authorized_keys ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDSMcf/wX3YZQAg+/RxbqXvXpIPVvnugCOYJm uapYIze7Etc+192CB/zakmT3pKDyHHiVP1PwpP3jr99tY95llYg3p+A8nfv7+1UcwJYlS2EfYy 8qenb3Q4Mdtzrxr0AEjU/a4WXmGYd5h/ju5yRxQUt//q09PbxsEAf0qY05Tpax7R3rGl+15tf6 AI1a+poNGidfAAS1Pqc453qIXM1cp/PnOaKKzveQWBM2IIPenVxwdyX06Tn2OYBh4Rq4qUrt38 PyiYmKOYqQ/M4hD0R6/VLvF24i936uKfvBdkZcvePLGMpswQAteFzJA0JJjbWUIfvCYFCOLiFO IATUGe9Nxl user1@Ubuntu-VM1
- Alternatively, on the client system, you can issue thessh-copy-idcommand to copy the public key generated on the client system to transparently copy it to the backend server by way of the BIG-IP system.For this to work, you need to have established a successful SSH connection from the client to the backend SSH server through the BIG-IP.ssh-copy-id -i ~/.ssh/id_rsa.pub user@<Virtual-Server-IP>For example,ssh-copy-id -i ~/.ssh/id_rsa.pub adminserver@10.2.2.140
When the SSH server is added to a pool on a virtual server, and the SSH profile is
attached to the virtual server, the client should now be able to make an SSH connection
to the SSH server using the virtual server address.