Setting Up Public Key Authentication for SSH
SSH supports both password-based authentication and public key authentication. By default, the QAD .NET UI uses password-based authentication, but you can set up public key authentication instead.
Public key authentication is an authentication method that relies on a generated public/private keypair. The keypair is generated using public key cryptography that has the mathematical property that prohibits the same key from encrypting and decrypting the same message. The keys are used at the protocol level for authentication inside SSH during session creation.
It is important to protect the privacy of the private key file. The private key file can be encrypted with a password to ensure that even if someone were to obtain the private key file it would be useless. The SSH public key authentication implementation supports both password protected and unencrypted private key files.
To set up public key authentication:
1 Log in to the server as the user specified in the Connection Manager settings for Startup Script or Server Startup User. After logging in, go to your .ssh directory:
$ cd $HOME/.ssh
2 Generate your public/private RSA keys with a blank passphrase:
$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (~/.ssh/id_rsa): (press return)
Enter passphrase (empty for no passphrase): (press return)
Enter same passphrase again: (press return)
Your identification has been saved in ~/.ssh/id_rsa
Your public key has been saved in ~/.ssh/id_rsa.pub
The key fingerprint is:
3 Ensure that your .ssh directory has the correct permissions:
$ chmod 700 .ssh
4 Copy the contents of your public key "id_rsa.pub" into your .ssh/authorized_keys file:
$ cat id_rsa.pub >> authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAlW5CbYdQXy4hmLVZq2A8uMKk6eZyNF+r6ak23RUHyxscAm7EEysD4lnDW1sbdc1aEEKPowcXKYoG4h1RkJbjz8KBj6kYeplo60NEg6Vm+q+MUzdm99CdneN0fQHEjvTxtyBCvyUx+dotKOl0DuCteMHsASuyTWq37X0bHyEcBxE= rsa-key-20130418
5 Ensure that your public/private keys have the correct file permissions:
$ chmod 600 id_rsa.pub
$ chmod 600 authorized_keys
The private key file needs to be accessible by the user that started Tomcat. Put it in a location accessible by that user and change its owner and permissions:
$ chown <tomcat user>:<tomcat group> id_rsa
$ mv id_rsa tomcat/webapps/<app name>/WEB-INF
$ chmod 600 tomcat/webapps/<app name>/WEB-INF/id_rsa
Add a Passphrase to Private Key File
Use the following command to add or change a passphrase to an existing private key file.
1 If not already in your .ssh directory, go to your .ssh directory:
$ cd .ssh
2 Add a passphrase to your private key stored in the id_rsa file:
$ ssh-keygen -f id_rsa -p
Key has comment 'id_rsa'
Enter new passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved with the new passphrase.
Connection Manager Configuration Screen Settings
Finally, in the Connection Manager configuration screen, set the following:
In Startup Script, remove the login and password entries but leave all the other text including the pipe symbols ( | ).
For example, if the setting for Startup Script is:
Change it to:
In Server Startup User, enter the user ID.
In Server Startup Password, remove any value (this field should be blank).
In SSH Private Key File, enter the directory path to the file (for instance, /directory/path/id_rsa).
In SSH Private Key Password, enter the passphrase.
If the Connection Manager sessions are not connecting properly via SSH (that is, they are stuck in the initializing state), then check the following:
• Check the desktop.log file (tomcat/webapps/<app_name>/WEB-INF/logs) for connection errors.
• On Linux, check the /var/log/secure file for SSH connection errors.
• Some systems using SSH require that the home directory of the SSH user is owned by the SSH user. For example, if the user is telnet and the home directory is /home/telnet, then make sure that the owner of that directory is telnet and that it belongs to the same group as telnet.
• Some systems using SSH require that the home directory of the SSH user has certain permissions. Set the permissions to 700 (for example: chmod 700 /home/telnet).