Applies To:
- 15.0.1, 15.0.0
Define SSH proxy public key authentication
- On the BIG-IP system command line, type ssh-keygen. The system outputs:
    Generating public/private rsa key pair.
    Enter file in which to save the key (/root/.ssh/id_rsa):
- Hit the Enter key to save the file. The system outputs:
    /root/.ssh/id_rsa already exists.
    Overwrite (y/n)?
- Type y to save the file. The system prompts for a passphrase:
    Enter passphrase (empty for no passphrase):
- Leave the passphrase and confirm passphrase fields blank, and hit Enter. The system outputs something like the following example. (The output will be different on your system.)
    Your identification has been saved in /root/.ssh/id_rsa.
    Your public key has been saved in /root/.ssh/id_rsa.pub.
    The key fingerprint is:
    08:02:33:1a:8e:45:73:c0:eb:dc:fb:da:87:c5:2c:bf firstname.lastname@example.org
    The key's randomart image is:
    +--[ RSA 2048]----+
    |=o=.. |
    |+*.o |
    |o.... |
    | .. . . |
    | o . .oS |
    | o . . + |
    | . = |
    | ... o |
    | .oo.E. |
    +-----------------+
- Copy the key from id_rsa. This is your private key, which you will add to the SSH proxy configuration.
- On the Main tab, click. The Protocol Security: Security Profiles: SSH Proxy screen opens.
- Click the name of the SSH proxy profile to edit. The SSH Profile screen opens.
- Click the Key Management tab.
- Click Add New Auth Info.
- In the Enter Auth Info Name field, type a name for the authentication info settings.
- In the Proxy Client Auth Private Key field, paste the private key you have generated. For private keys, the -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- headers/footers are required. Proxy Client Auth Public Key is an optional field that can be left blank because it is derived from the configured private keys.
- Click Commit Changes to System.
- Next, log in to the SSH client system.
- On the SSH client system, generate a private/public key pair with the command ssh-keygen. The system outputs:
    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/user1/.ssh/id_rsa):
- Press Enter or specify a different file location.
- Type and confirm a passphrase when prompted, or leave the fields blank to specify no passphrase. The system outputs something like the following example. This output will be different on your system:
    Your identification has been saved in /home/user1/.ssh/id_rsa.
    Your public key has been saved in /home/user1/.ssh/id_rsa.pub.
    The key fingerprint is:
    25:26:7e:49:56:61:71:ca:23:ec:d1:49:6b:49:61:6b user1@Ubuntu-VM1
    The key's randomart image is:
    +--[ RSA 2048]----+
    | X+. |
    | . O B |
    | . O E |
    | . * O . |
    | . S |
    | . |
    | |
    | |
    | |
    +-----------------+
- On the backend SSH server, open the sshd configuration file (/etc/ssh/sshd_config) and set the public key authentication to yes as follows:
    PubkeyAuthentication yes
- Specify a central authorized keys file by editing the AuthorizedKeysFile line as follows:
    AuthorizedKeysFile %h/.ssh/authorized_keys /etc/ssh/authorized_keys
  You can specify your own path and filename for the authorized keys file on the SSH server. Restart the SSH daemon on the SSH server.
- Copy the public key from the BIG-IP AFM system and paste it into the authorized keys file on the SSH server (for example, /etc/ssh/authorized_keys). On the SSH server, paste the public key using the following commands (the file location and name may differ, and the public key is an example only). The key must be entered as a single line.
    user1@Ubuntu-VM3:~$ vi /etc/ssh/authorized_keys
    ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAkCmU13s2/LVfm/eJ+HGesb8WeZ3A00iNX4S6ZDa7bOwb+fjpr8rCwt4fWw8U7VwPaeqE35odBW7LhwQUXg5zL1KdxgguILVI2i/cDSkPKcaQKcUIvG+BrpYjwky4T9tTKo2br+XQ92eWMh+xrVUwY4h2crpZxdng+YV+hUbqgJ+PHO4t0ozAYpgIul5C+2MTcNzMuEYxbZqWdtNFtceAywu4CYZBwAZ3mCJbfW1wtFo6DG85tIo3LuaGXpA10jav1cC2szEo0OKT0HUPJzYfSQiU/jHQv7Becwc9L8bOC6CxryTvx3Uq/Zf0ONQHhsyasIxg2wrVwzhbI1ctSyZgww== email@example.com
- Copy the public key from the client to the SSH server in one of two ways:
  - Copy the public key you created on the client system and paste it into the user authorized keys file (for example, ~/.ssh/authorized_keys) using the following commands (the file location and name may differ, and the public key is an example only):
      user1@Ubuntu-VM3:~$ vi ~/.ssh/authorized_keys
      ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDSMcf/wX3YZQAg+/RxbqXvXpIPVvnugCOYJmuapYIze7Etc+192CB/zakmT3pKDyHHiVP1PwpP3jr99tY95llYg3p+A8nfv7+1UcwJYlS2EfYy8qenb3Q4Mdtzrxr0AEjU/a4WXmGYd5h/ju5yRxQUt//q09PbxsEAf0qY05Tpax7R3rGl+15tf6AI1a+poNGidfAAS1Pqc453qIXM1cp/PnOaKKzveQWBM2IIPenVxwdyX06Tn2OYBh4Rq4qUrt38PyiYmKOYqQ/M4hD0R6/VLvF24i936uKfvBdkZcvePLGMpswQAteFzJA0JJjbWUIfvCYFCOLiFOIATUGe9Nxl user1@Ubuntu-VM1
  - Alternatively, on the client system, you can issue the ssh-copy-id command to transparently copy the public key generated on the client system to the backend server by way of the BIG-IP system. For this to work, you need to have established a successful SSH connection from the client to the backend SSH server through the BIG-IP.
      ssh-copy-id -i ~/.ssh/id_rsa.pub user@<Virtual-Server-IP>
    For example,
      ssh-copy-id -i ~/.ssh/id_rsa.pub firstname.lastname@example.org
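
A check to run on the backend SSH server once the steps above are done, given here as an added example (not part of the original F5 procedure). It confirms the sshd_config settings and verifies that every absolute AuthorizedKeysFile path holds one well-formed key per line and is not writable by group or others, since anyone who can write the central file can authorize a key for every account. The function names are hypothetical, and the script assumes no Include or Match handling and no options prefix on key lines.

```shell
#!/bin/sh
# Added example: audit a backend sshd_config and the central key files it names.
# Assumptions: Include/Match are not followed; key lines carry no options prefix.

sshd_effective() {   # $1 = config, $2 = keyword; sshd keeps the first value it reads
  awk -v want="$2" '
    tolower($1) == "match" { exit }            # later settings are conditional
    tolower($1) == tolower(want) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
  ' "$1"
}

check_keys() {       # $1 = authorized_keys file; returns 1 on any malformed entry
  file=$1 bad=0 n=0
  while read -r type blob comment || [ -n "$type" ]; do
    n=$((n + 1))
    case $type in
      ''|'#'*) continue ;;
      ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
      *) echo "$file:$n: no key type (entry wrapped across lines?)"
         bad=$((bad + 1)); continue ;;
    esac
    printf %s "$blob" | base64 -d >/dev/null 2>&1 ||
      { echo "$file:$n: blob is not valid base64"; bad=$((bad + 1)); continue; }
    # The decoded blob starts with a 4-byte length followed by the key type.
    inner=$(printf %s "$blob" | base64 -d | tail -c +5 | head -c "${#type}")
    [ "$inner" = "$type" ] || { echo "$file:$n: blob is not a $type key"; bad=$((bad + 1)); }
  done < "$file"
  [ "$bad" -eq 0 ]
}

audit_backend() {    # $1 = sshd_config path; returns 0 only if every check passes
  rc=0
  pk=$(sshd_effective "$1" PubkeyAuthentication)
  [ -z "$pk" ] || [ "$pk" = yes ] || { echo "PubkeyAuthentication is '$pk'"; rc=1; }
  for f in $(sshd_effective "$1" AuthorizedKeysFile); do
    case $f in /*) ;; *) continue ;; esac      # %h and relative paths are per-user
    [ -f "$f" ] || { echo "$f: missing"; rc=1; continue; }
    [ -z "$(find "$f" -prune \( -perm -020 -o -perm -002 \))" ] ||
      { echo "$f: writable by group or others"; rc=1; }
    check_keys "$f" || rc=1
  done
  return "$rc"
}

if [ "$#" -gt 0 ]; then audit_backend "$1"; fi
```

Run it as `sh audit.sh /etc/ssh/sshd_config` (the script filename is an assumption); a non-zero exit status means at least one finding was printed.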