SSH Public-Key Authentication

In its default configuration, the Luna appliance Administrator account (userid admin) uses standard password authentication (userid/password). You can also choose to use Public Key-based Authentication for SSH access. The relevant commands to manage Public Key Authentication are described here.

Public Key Authentication to a Luna Network HSM Appliance Using UNIX SSH Clients

The following is an example exercise to illustrate the use of Public-Key Authentication.

1. From any UNIX client, generate a public key identity to be used for authentication to the Luna appliance:

[root@mypc /]# ssh-keygen -b 2048 -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
6e:7a:7e:e1:2a:54:8f:99:3e:6a:56:f8:38:22:fb:a6 root@pinky

Two files are created, a private key file (which stays on the client) and a public key file that we now securely copy to the Luna appliance.

2. SSH to the Luna appliance and verify that the default functionality is a password prompt:

[root@mypc /]# ssh admin@myLuna
admin@myLuna's password:

3. Use pscp/scp to transfer the client's public key to the appliance:

[root@mypc /]# scp /root/.ssh/id_rsa.pub  admin@myluna:
admin@myluna's password:
id_rsa.pub           100% |*****************************|   220       00:00

4. On the Luna Network HSM appliance, verify the default settings of the Public Key Authentication service:

lunash:> sysconf ssh show

[myLuna] lunash:>sysconf ssh show

SSHD configuration:
   SSHD Listen Port: 22 (Default)
   SSH is unrestricted.
   Password authentication is enabled
   Public key authentication is enabled

Command Result : 0 (Success)

5. Verify that there are no public key entries by default:

lunash:> my public-key list

[myLuna] lunash:>my public-key list

SSH Public Keys for user 'admin':
Name             Type     Bits Fingerprint
------------------------------------------------------------------------------
Command Result : 0 (Success)

6. Add the public key that you sent over earlier (from server mypc in our example):

lunash:> my public-key add <filename>

[myLuna] lunash:>my public-key add id_rsa.pub
 
Command Result : 0 (Success)

7. Check the list again:

lunash:> my public-key list

[myLuna] lunash:>my public-key list

SSH Public Keys for user 'admin':
Name             Type     Bits Fingerprint
------------------------------------------------------------------------------
id_rsa.pub       ssh-rsa  1024 6e:7a:7e:e1:2a:54:8f:99:3e:6a:56:f8:38:22:fb:a6

Command Result : 0 (Success)

Notice that the fingerprint reported is the same as was generated back on mypc.

8. From mypc, SSH into myLuna; you should not be password prompted:

[root@mypc /]# ssh admin@myluna
Luna Network HSM 7.0 Command Line Shell - Copyright (c) 2001-2017 Gemalto, Inc. All rights reserved.

9. Verify that you are still password prompted if you ssh from other clients:

bash-2.05b# ./ssh admin@myLuna
admin@myLuna's password:

10. Disable public key authentication on myLuna, and verify the current status of the service:

lunash:> sysconf ssh publickey disable

lunash:> sysconf ssh show

11. SSH in again from mypc, and verify that you are password prompted:

[root@mypc /]# ssh admin@myLuna
admin@myLuna's password:
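
The following is an added example, not part of the Luna documentation: POSIX shell helpers that take the captured output of sysconf ssh show and my public-key list (for instance saved from an SSH session to the appliance) and answer the questions steps 4 to 11 check by hand: which authentication methods are enabled, whether a given client fingerprint is registered, and therefore whether that client should get in without a password. The sample outputs embedded below are constructed from the transcripts above (with the Bits column set to 2048 to match the key generated in step 1). The local_fingerprint helper assumes an OpenSSH 6.8 or later ssh-keygen that accepts -E md5, because the appliance lists the colon-separated MD5 form of the fingerprint.

```shell
#!/bin/sh
# Added example, not the appliance's own tooling. Parses captured lunash output
# to verify the state the exercise above walks through.

# Constructed copy of "sysconf ssh show" with both methods enabled (step 4).
SHOW_BOTH='SSHD configuration:
   SSHD Listen Port: 22 (Default)
   SSH is unrestricted.
   Password authentication is enabled
   Public key authentication is enabled
Command Result : 0 (Success)'

# Constructed copy after "sysconf ssh publickey disable" (step 10).
SHOW_PWONLY='SSHD configuration:
   SSHD Listen Port: 22 (Default)
   SSH is unrestricted.
   Password authentication is enabled
   Public key authentication is disabled
Command Result : 0 (Success)'

# Constructed copy of "my public-key list" with one registered key (step 7).
LIST_ONE="SSH Public Keys for user 'admin':
Name             Type     Bits Fingerprint
------------------------------------------------------------------------------
id_rsa.pub       ssh-rsa  2048 6e:7a:7e:e1:2a:54:8f:99:3e:6a:56:f8:38:22:fb:a6
Command Result : 0 (Success)"

# auth_state "<show output>" "Password"|"Public key" -> enabled / disabled / unknown
# tr -s squeezes the irregular spacing the appliance prints between words.
auth_state() {
    printf '%s\n' "$1" | tr -s ' ' | awk -v m="$2" '
        index($0, m " authentication is enabled")  { s = "enabled" }
        index($0, m " authentication is disabled") { s = "disabled" }
        END { if (s == "") s = "unknown"; print s }'
}

# key_count "<list output>" -> number of key rows (type column starts with ssh-,
# last column is a 47-character colon-separated MD5 fingerprint).
key_count() {
    printf '%s\n' "$1" | awk '
        $2 ~ /^ssh-/ && $NF ~ /^[0-9a-f][0-9a-f]:/ && length($NF) == 47 { n++ }
        END { print n + 0 }'
}

# key_present "<list output>" "<fingerprint>" -> exit 0 if that fingerprint is registered
key_present() {
    printf '%s\n' "$1" | awk -v fp="$2" '
        $2 ~ /^ssh-/ && $NF == fp { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# local_fingerprint <pubkey file> -> MD5 fingerprint in the form the appliance lists,
# for comparison with the listing (needs OpenSSH 6.8+ for -E md5; assumption).
local_fingerprint() {
    ssh-keygen -l -E md5 -f "$1" | awk '{ sub(/^MD5:/, "", $2); print $2 }'
}

# pubkey_login_expected "<show>" "<list>" "<fingerprint>" -> yes / no
# A client logs in without a password only when the service is enabled AND its
# key is registered; this is what steps 8, 9 and 11 confirm by hand.
pubkey_login_expected() {
    if [ "$(auth_state "$1" "Public key")" = "enabled" ] && key_present "$2" "$3"; then
        echo yes
    else
        echo no
    fi
}

# Fingerprint reported for mypc's key in the exercise.
FP=6e:7a:7e:e1:2a:54:8f:99:3e:6a:56:f8:38:22:fb:a6

echo "registered keys:                     $(key_count "$LIST_ONE")"
echo "mypc passwordless while enabled:     $(pubkey_login_expected "$SHOW_BOTH" "$LIST_ONE" "$FP")"
echo "mypc passwordless after disable:     $(pubkey_login_expected "$SHOW_PWONLY" "$LIST_ONE" "$FP")"
echo "unregistered client passwordless:    $(pubkey_login_expected "$SHOW_BOTH" "$LIST_ONE" 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00)"
```

To run it against a live appliance, capture the two outputs with ssh admin@myLuna 'sysconf ssh show' and ssh admin@myLuna 'my public-key list' into variables or files, and compare the fingerprint from local_fingerprint ~/.ssh/id_rsa.pub with key_present; a mismatch means the key the appliance trusts is not the one the client presents.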

Summary

The above example illustrates enabling and disabling Public-Key Authentication for SSH connections to your Luna appliance.

NOTE   Console (serial port) access still requires the userid and password.

Once you enable public key authentication for an administration computer, the private SSH key (/root/.ssh/id_rsa) must be protected, and access to that computer must be restricted and password-protected. Anyone who can log into that computer can log into the Luna Network HSM appliance without knowing the LunaSH admin password!
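
As an added example that is not part of the Luna documentation, the shell helpers below check the client-side conditions the note above calls for: that the private key file is readable only by its owner, that it belongs to the user running the check, and that it is protected by a passphrase. The checked path, the expected mode of 0600 and the use of ssh-keygen -y with an empty passphrase as the passphrase test are assumptions of this example, not requirements stated by the appliance; the demonstration runs on a constructed temporary file rather than a real key.

```shell
#!/bin/sh
# Added example: hygiene checks for the private key that the appliance now trusts.
# A real run would point these at /root/.ssh/id_rsa (or the key used in step 1).

# key_file_mode_ok <file> -> yes if the permission string is exactly -rw-------
# (ls -ld is used instead of stat because its format is the same on GNU and BSD).
key_file_mode_ok() {
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$mode" = "-rw-------" ] && echo yes || echo no
}

# key_file_owner_ok <file> -> yes if the file is owned by the user running the check
key_file_owner_ok() {
    owner=$(ls -ld "$1" | awk '{ print $3 }')
    [ "$owner" = "$(id -un)" ] && echo yes || echo no
}

# key_has_passphrase <file> -> yes / no / unknown
# ssh-keygen -y -P '' derives the public key with an empty passphrase, which only
# succeeds for an unencrypted key; any other failure (unreadable or not a key)
# also reports yes, so read the result together with the two checks above.
key_has_passphrase() {
    command -v ssh-keygen >/dev/null 2>&1 || { echo unknown; return; }
    if ssh-keygen -y -P '' -f "$1" >/dev/null 2>&1; then echo no; else echo yes; fi
}

# Demonstration on a constructed stand-in file (not a real key).
demo=$(mktemp)
chmod 600 "$demo"
echo "mode ok (0600):      $(key_file_mode_ok "$demo")"
echo "owner ok:            $(key_file_owner_ok "$demo")"
chmod 644 "$demo"
echo "mode ok after 0644:  $(key_file_mode_ok "$demo")"
rm -f "$demo"
```

Run the three checks against the real key path on every administration computer whose key is registered on the appliance; a no from any of them means the private key, and with it the LunaSH admin session, is reachable by more than the intended user.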

To further explore/confirm the Public-Key Authentication functions, you could SSH in again from Windows and other UNIX clients, and verify that you are still password prompted as normal for those clients.

Verify that the client list is always accurate.

Delete one or two of your public key clients. Verify that those clients are password prompted again.

Clear all public key clients with the -clear sub-command. Verify that all clients are password prompted again.

Obviously, most of the above has been an extended example, to show various aspects of the function, and you do not need to go through all those steps just to set up Public-Key Authentication for a client/admin computer.

Set up Public-Key SSH access for other Luna Network HSM users

Here are the high-level steps to set up SSH pubkey access for a non-admin user:

>As admin, create the user and assign the desired role to that new user.

>Log on to Luna Network HSM as the new user. You are prompted to change the default password.

>Transfer (pscp/scp) the SSH pubkey to the Luna appliance using the new user account (example: $ pscp id_rsa.pub op-number1@lunasa7:).

>Log in with the new account.

>Add your SSH key (lunash:> my public-key add <filename>).

Here is an example session:

operator@mypc:~/.ssh$ pscp id_rsa.pub op-number1@lunasa7:
op-number1@lunasa7's password:
id_rsa.pub                                     100%  392     0.4KB/s   00:00
operator@mypc:~$ ssh op-number1@lunasa7
op-number1@lunasa7's password:
Last login: Wed Mar  11 08:51:46 2015 from 192.168.10.18
Luna Network HSM 7.0 Command Line Shell - Copyright (c) 2001-2017 Gemalto, Inc. All rights reserved.
[lunasa7] lunash:>my publickey add id_rsa.pub

Command Result : 0 (Success)