SSH Public-Key Authentication
In its default configuration, the Luna Network HSM 7 appliance Administrator account (userid admin) uses standard password authentication (userid/password). You can also choose to use Public Key-based Authentication for SSH access. The relevant commands to manage Public Key Authentication are described here.
Public Key Authentication to a Luna Network HSM 7 Appliance Using UNIX SSH Clients
The following is an example exercise to illustrate the use of Public-Key Authentication.
1.From any UNIX client, generate a public key identity to be used for authentication to the Luna appliance:
[root@mypc /]# ssh-keygen -b 2048 -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
6e:7a:7e:e1:2a:54:8f:99:3e:6a:56:f8:38:22:fb:a6 root@pinky
Two files are created, a private key file (which stays on the client) and a public key file that we now securely copy to the Luna appliance.
2.SSH to the Luna appliance and verify that the default functionality is a password prompt:
[root@mypc /]# ssh admin@myLuna
admin@myLuna's password:
3.Use pscp/scp to transfer the client’s public key to the appliance:
[root@mypc /]# scp /root/.ssh/id_rsa.pub admin@myluna:
admin@myluna's password:
id_rsa.pub 100% |*****************************| 220 00:00
4.On the Luna Network HSM 7 appliance, verify the default settings of the Public Key Authentication service:
lunash:> sysconf ssh show
[myLuna] lunash:>sysconf ssh show
SSHD configuration: SSHD Listen Port: 22 (Default) SSH is unrestricted.
Password authentication is enabled
Public key authentication is enabled
Command Result : 0 (Success)
5.Verify that there are no public key entries by default:
lunash:> my public-key list
[myLuna] lunash:>my public-key list
SSH Public Keys for user 'admin':
Name Type Bits Fingerprint
------------------------------------------------------------------------------
Command Result : 0 (Success)
6.Add the public key that you sent over earlier (from server mypc in our example):
lunash:> my public-key add <filename>
[myLuna] lunash:>my public-key add id_rsa.pub
Command Result : 0 (Success)
7.Check the list again:
lunash:> my public-key list
[myLuna] lunash:>my public-key list
SSH Public Keys for user 'admin':
Name Type Bits Fingerprint
------------------------------------------------------------------------------
id_rsa.pub ssh-rsa 1024 6e:7a:7e:e1:2a:54:8f:99:3e:6a:56:f8:38:22:fb:a6
Command Result : 0 (Success)
Notice that the fingerprint reported is the same as was generated back on mypc.
8.From mypc, SSH into myLuna; you should not be password prompted:
[root@mypc /]# ssh admin@myluna
Luna Network HSM 7.0 Command Line Shell - Copyright (c) 2001-2017 Gemalto, Inc. All rights reserved.
9.Verify that you are still password prompted if you ssh from other clients:
bash-2.05b# ./ssh admin@myLuna
admin@myLuna's password:
10.Disable public key authentication on myLuna, and verify the current status of the service:
lunash:> sysconf ssh publickey disable
lunash:> sysconf ssh show
11.SSH in again from mypc, and verify that you are password prompted:
[root@mypc /]# ssh admin@myLuna
admin@myLuna's password:
Summary
The above example illustrates enabling and disabling Public-Key Authentication for SSH connections to your Luna appliance.
NOTE Console (serial port) access still requires the userid and password.
Once you enable public key authentication for an administration computer, the private SSH key (/root/.ssh/id_rsa) must be protected, and access to that computer must be restricted and password-protected. Anyone who can log into that computer can log into the Luna Network HSM 7 appliance without knowing the LunaSH admin password!
To further explore/confirm the Public-Key Authentication functions, you could SSH in again from Windows and other UNIX clients, and verify that you are still password prompted as normal for those clients.
Verify that the client list is always accurate.
Delete one or two of your public key clients. Verify that those clients are password prompted again.
Clear all public key clients with the -clear sub-command. Verify that all clients are password prompted again.
Obviously, most of the above has been an extended example, to show various aspects of the function, and you do not need to go through all those steps just to set up Public-Key Authentication for a client/admin computer.
Set up Public-Key SSH access for other Luna Network HSM 7 users
Here are the high level steps to set up SSH pubkey access for a non admin user:
>As admin, create the user and assign the desired role to that new user.
>Log on to Luna Network HSM 7 as the new user. You are prompted to change the default password.
>Transfer (pscp/scp) the SSH pubkey to the Luna appliance using the new user account (example $ pscp id_rsa_pub op-number1@lunasa7:).
>Log in with the new account.
>Add your SSH key (lunash:> my public-key add (<filename>)
Here is an example session:
operator@mypc:~/.ssh$ pscp id_rsa.pub op-number1@lunasa7: op-number1@lunasa7's password: id_rsa.pub 100% 392 0.4KB/s 00:00 operator@mypc:~$ ssh op-number1@lunasa7 op-number1@lunasa7's password: Last login: Wed Mar 11 08:51:46 2015 from 192.168.10.18 Luna Network HSM 7.0 Command Line Shell - Copyright (c) 2001-2017 Gemalto, Inc. All rights reserved. [lunasa7] lunash:>my publickey add id_rsa.pub Command Result : 0 (Success)
