Forum Stats

  • 3,814,894 Users
  • 2,258,926 Discussions


Using ssh private keys to authenticate to SGD application servers

Jan-Oracle Member Posts: 122 Employee
edited Feb 26, 2020 6:49PM in Secure Global Desktop

One of the new features of SGD since version 5.4 is the ability to use SSH keys for authenticating to 3rd-tier application servers.

The SGD clients (tcc and HTML5) only accept RSA keys and the format of the keys matters. Only PEM format keys are accepted.

Recent versions of OpenSSH on Linux and Mac OS X create OpenSSH format keys which the TCC doesn’t understand. Therefore provide the correct format when generating ssh keys with the ssh-keygen command

$ ssh-keygen -m PEM -f my_new_key

If you generated ssh keys in the OpenSSH format (the private key file starts with -----BEGIN OPENSSH PRIVATE KEY-----), there is a way to convert the key to PEM with the following command. In the example I generate an ssh key with the pass phrase "test" and then change the pass phrase and specify the format with -m PEM

$ ssh-keygen -f test -P "test"Generating public/private rsa key pair.Your identification has been saved in test.Your public key has been saved in key fingerprint is:SHA256:e11NmiHr0mAX8SZWKhzV3hAkUAp4s+b+XP+TtWePZrU [email protected] key's randomart image is:+---[RSA 2048]----+|       .. o+=o+. ||      . oo o *o  ||       . o+ *.+o.||        o  o *.*.||       oS o o + .||        .o * .  o||       .. o =  .=||        .o o .oEo||         .o  ooo*|+----[SHA256]-----+$ head test-----BEGIN OPENSSH PRIVATE KEY-----b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABAsZUINtgDP6DmlQB0nf5WaAAAAEAAAAAEAAAEXAAAAB3NzaC1yc2EAAAADAQABAAABAQDCGVMKf0C0ZodppYHR8C0Ps6XcNwQHblJFCfAQ1pk2lAs7YZ0XK7vbPL7CBYggrd2z2mt2TfgdCVt0Dk6wkw1LH3tlve4NZW0GPMEvgaO9dBD3FZQFjUZFkzcIrqVrIwoyX88xVwOJx8ZF2TVrtX9pvJatlE9DyPhJz2LuGV1SVCXUjVcR2Fb8X4YzI7e/OcJy0jaFnqnjUCTQojJIEWvVx8bPTIN6dTA5De8R8mhUER0dbiDv4eHyzlc0d8JvKhtzSTbPUI2skAjZS36w++iFPYnaXmAyiUdl\$ ssh-keygen -p -f test -m PEM -P "test" -N "test2"Key has comment '[email protected]'Your identification has been saved with the new passphrase.$ head test-----BEGIN RSA PRIVATE KEY-----Proc-Type: 4,ENCRYPTEDDEK-Info: AES-128-CBC,0056B24BBA34CA5B549EA03365FF1847W8c0aa2cttecD3kB9Fn7sbnHQydYPQe2ZrSiIx4QlGU5LfsKnSrpl01IXeAoADOrv3IBozxOrFaY2pbMzW4GBKG3gOO0Vwe6ie4hfEJTEog++PBv3P0oGudDOVL8ERDN+LzVzLq3yrYXaa9U6BJy3nWyjkknnQTi2ZLIKUfSpmy70EHTH4/qToeK5G8yfJHzgUYQTdcGPf6JmW1e3vpJZ8JsVsc+ar+PIv9+FJR2RwTpY9PtY6CEFM/yTnx7JSpdxrqj24V3GZe8lTRsQowgpOil6Kiwl96CiYvA3b14dPpuYfuSehH7AKR2vIhKKkQDU4zTs8d9HeIaXKoSy3d/pEIsCLY86myGTrT71mNKMFGFSDPx8vYlmAszTUXEZEZd

Overall the use of ssh keys can be controlled by a global variable. The following command turns off SSH key authentication system wide

# /opt/tarantella/bin/tarantella config edit --tarantella-config-execpeconfig-usesshkeys 0

Additionally there is a new application server attribute: sgdpermittedauthtypes. It can only be set from the command line and is an ordered list:

  • Default value: empty/missing
  • Other values: password sshkeys

It is used as a hint to the preferred authentication type on a server. Ultimate control set in the configuration of the SSH daemon on the application server

# /top/tarantella/bin/tarantella object edit --name o=appservers/cn=some_application_server --sgdpermittedauthtypes password,sshkeys