In its default configuration, the Luna appliance Administrator account (userid admin) uses standard password authentication (userid/password). You can also choose to use Public Key-based Authentication for SSH access. The relevant commands to manage Public Key Authentication are described here.
The following is an example exercise to illustrate the use of Public-Key Authentication.
Public Key Authentication to a Luna Appliance Using UNIX SSH Clients
[root@mypc /]# ssh-keygen -b 2048 -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
6e:7a:7e:e1:2a:54:8f:99:3e:6a:56:f8:38:22:fb:a6 root@pinky
Two files are created, a private key file (which stays on the server) and a public key file that we now scp to the Luna appliance.
[root@mypc /]# ssh admin@myLuna
admin@myLuna's password:
[root@mypc /]# scp /root/.ssh/id_rsa.pub admin@viper23:
admin@myluna's password:
id_rsa.pub 100% |*****************************| 220 00:00
[myLuna] lunash:>sysconf -ssh show
SSH is unrestricted.
Password authentication is enabled
Public key authentication is enabled
Command Result : 0 (Success)
[myLuna] lunash:>sysconf -ssh publickey list
SSH Public Keys for user 'admin':
Name Type Bits Fingerprint
------------------------------------------------------------------------------
Command Result : 0 (Success)
[myLuna] lunash:>sysconf -ssh publickey add root@mypc -f id_rsa.pub
Public key added
Command Result : 0 (Success)
[myLuna] lunash:>sysconf -ssh publickey list
SSH Public Keys for user 'admin':
Name Type Bits Fingerprint
------------------------------------------------------------------------------
root@pinky ssh-rsa 1024 6e:7a:7e:e1:2a:54:8f:99:3e:6a:56:f8:38:22:fb:a6
Command Result : 0 (Success)
Notice that the fingerprint reported is the same as was generated back on mypc.
[root@mypc /]# ssh admin@myluna
Luna SA 5.1.0-22 Command Line Shell - Copyright (c) 2001-2011 SafeNet, Inc. All rights reserved.
bash-2.05b# ./ssh admin@myLuna
admin@myLuna's password:
[myLuna] lunash:>sysconf ssh publickey disable
Public key authentication disabled
Command Result : 0 (Success)
[myLuna] lunash:>sysconf ssh show
SSH is unrestricted.
Password authentication is enabled
Public key authentication is disabled
Command Result : 0 (Success)
[root@mypc /]# ssh admin@myLuna
admin@myLuna's password:
The above example illustrates enabling and disabling Public-Key Authentication for SSH connections to your Luna appliance.
Console (serial port) access still requires the userid and password.
Once you enable public key authentication for an administration computer, the private SSH key (/root/.ssh/id_rsa) must be protected, and access to that computer must be restricted and password-protected. Anyone who can log into that computer can log into the Luna SA appliance without knowing the Luna shell (lunash:>) admin password!
To further explore and confirm the Public-Key Authentication functions, you could SSH in again from Windows and other UNIX clients, and verify that those clients are still prompted for a password as normal.
Verify that the client list is always accurate.
Delete one or two of your public key clients. Verify that those clients are prompted for a password again.
Clear all public key clients with the -clear subcommand. Verify that all clients are prompted for a password again.
Obviously, most of the above has been an extended example, to show various aspects of the function, and you do not need to go through all those steps just to set up Public-Key Authentication for a client/admin computer.
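The walkthrough above relies on comparing the fingerprint printed by ssh-keygen with the Fingerprint column of the appliance's public key list. The following is an added example, not part of the original page or of the Luna software, that derives the key type, bit length and colon-separated MD5 fingerprint from a public key line and compares them with one row of that list. The function names and the sample key are constructed for illustration, and it assumes the list row has the four columns Name, Type, Bits and Fingerprint shown above.

```python
import base64
import hashlib
import struct


def _read_string(blob, offset):
    """Read one length-prefixed field (RFC 4251 'string') from the key blob."""
    (length,) = struct.unpack_from(">I", blob, offset)
    start = offset + 4
    if start + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:start + length], start + length


def describe_public_key(pub_line):
    """Return (type, bits, md5_fingerprint) for one 'ssh-rsa AAAA... comment' line."""
    fields = pub_line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(fields[1], validate=True)
    key_type, offset = _read_string(blob, 0)
    if fields[0] != "ssh-rsa" or key_type != b"ssh-rsa":
        raise ValueError("only ssh-rsa keys are handled in this example")
    _exponent, offset = _read_string(blob, offset)
    modulus, offset = _read_string(blob, offset)
    bits = int.from_bytes(modulus, "big").bit_length()
    # The fingerprint is the MD5 digest of the decoded blob, as colon-separated hex.
    digest = hashlib.md5(blob).hexdigest()
    fingerprint = ":".join(digest[i:i + 2] for i in range(0, 32, 2))
    return fields[0], bits, fingerprint


def matches_listing(pub_line, listing_row):
    """Compare a local key with one 'Name Type Bits Fingerprint' row (assumed layout)."""
    _name, row_type, row_bits, row_fp = listing_row.split()
    key_type, bits, fingerprint = describe_public_key(pub_line)
    return {"type": key_type == row_type, "bits": bits == int(row_bits),
            "fingerprint": fingerprint == row_fp.lower()}


def _pack(data):
    return struct.pack(">I", len(data)) + data


# Constructed sample: a well-formed ssh-rsa blob with a made-up 2048-bit modulus
# (not a usable RSA key), so the example runs without ssh-keygen or a real key.
_N = (1 << 2047) | 0x10001
SAMPLE_BLOB = _pack(b"ssh-rsa") + _pack(b"\x01\x00\x01") + _pack(b"\x00" + _N.to_bytes(256, "big"))
SAMPLE_PUB = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + " admin@example"

if __name__ == "__main__":
    print(describe_public_key(SAMPLE_PUB))
```

A False entry for any field in the result of matches_listing means the key registered on the appliance is not the key in the local file, and the registration should be checked before it is relied on.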