SSH Public-Key Authentication
In its default configuration, the Luna Network HSM 7 appliance Administrator account (userid admin) uses standard password authentication (userid/password). You can also choose to use Public Key-based Authentication for SSH access. The relevant commands to manage Public Key Authentication are described herein.
CAUTION! Always [re-]generate new/fresh public keys for your Luna Network HSM 7 HSM appliance SSH access, and trade with clients as appropriate, before you place the appliance in service or after any security incident that might compromise SSH access. Consider doing this whether you normally use public-key authentication or prefer password authentication - the point is to minimize potential attack surfaces at the appliance administration level. See SSH Key Rotation and Security.
Public Key Authentication to a Luna Network HSM 7 Appliance Using UNIX SSH Clients
The following is an example exercise to illustrate the use of Public-Key Authentication.
1.From any UNIX client, generate a public key identity to be used for authentication to the Luna appliance:
[root@mypc /]# ssh-keygen -b 2048 -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
6e:7a:7e:e1:2a:54:8f:99:3e:6a:56:f8:38:22:fb:a6 root@pinky
Two files are created, a private key file (which stays on the client) and a public key file that we now securely copy to the Luna appliance.
2.SSH to the Luna appliance and verify that the default functionality is a password prompt:
[root@mypc /]# ssh admin@myLuna
admin@myLuna's password:
3.Use pscp/sftp to transfer the client’s public key to the appliance:
[root@mypc /]# sftp /root/.ssh/id_rsa.pub admin@myluna:
admin@myluna's password:
id_rsa.pub 100% |*****************************| 220 00:00
4.On the Luna Network HSM 7 appliance, verify the default settings of the Public Key Authentication service:
lunash:> sysconf ssh show
[myLuna] lunash:>sysconf ssh show
SSHD configuration: SSHD Listen Port: 22 (Default) SSH is unrestricted.
Password authentication is enabled
Public key authentication is enabled
Command Result : 0 (Success)
5.Verify that there are no public key entries by default:
lunash:> my public-key list
[myLuna] lunash:>my public-key list
SSH Public Keys for user 'admin':
Name Type Bits Fingerprint
------------------------------------------------------------------------------
Command Result : 0 (Success)
6.Add the public key that you sent over earlier (from server mypc in our example):
lunash:> my public-key add <filename>
[myLuna] lunash:>my public-key add id_rsa.pub
Command Result : 0 (Success)
7.Check the list again:
lunash:> my public-key list
[myLuna] lunash:>my public-key list
SSH Public Keys for user 'admin':
Name Type Bits Fingerprint
------------------------------------------------------------------------------
id_rsa.pub ssh-rsa 1024 6e:7a:7e:e1:2a:54:8f:99:3e:6a:56:f8:38:22:fb:a6
Command Result : 0 (Success)
Notice that the fingerprint reported is the same as was generated back on mypc.
8.From mypc, SSH into myLuna; you should not be password prompted:
[root@mypc /]# ssh admin@myluna
Luna Network HSM 7.0 Command Line Shell - Copyright (c) 2001-2017 Gemalto, Inc. All rights reserved.
9.Verify that you are still password prompted if you ssh from other clients:
bash-2.05b# ./ssh admin@myLuna
admin@myLuna's password:
10.Disable public key authentication on myLuna, and verify the current status of the service:
lunash:> sysconf ssh publickey disable
lunash:> sysconf ssh show
11.SSH in again from mypc, and verify that you are password prompted:
[root@mypc /]# ssh admin@myLuna
admin@myLuna's password:
Summary
The above example illustrates enabling and disabling Public-Key Authentication for SSH connections to your Luna appliance.
NOTE Console (serial port) access still requires the userid and password.
Once you enable public key authentication for an administration computer, the private SSH key (/root/.ssh/id_rsa) must be protected, and access to that computer must be restricted and password-protected. Anyone who can log into that computer can log into the Luna Network HSM 7 appliance without knowing the LunaSH admin password!
Use sysconf ssh regenKeyPair (and send the resulting new key(s) to your client(s)) when commissioning a new network HSM appliance or redeploying one that was used elsewhere.
To further explore/confirm the Public-Key Authentication functions, you could SSH in again from Windows and other UNIX clients, and verify that you are still password prompted as normal for those clients.
Verify that the client list is always accurate.
Delete one or two of your public key clients. Verify that those clients are password prompted again.
Clear all public key clients with the -clear sub-command. Verify that all clients are password prompted again.
Obviously, most of the above has been an extended example, to show various aspects of the function, and you do not need to go through all those steps just to set up Public-Key Authentication for a client/admin computer.
Set up Public-Key SSH access for other Luna Network HSM 7 users
Here are the high level steps to set up SSH pubkey access for a non admin user:
>As admin, create the user and assign the desired role to that new user.
>Log on to Luna Network HSM 7 as the new user. You are prompted to change the default password.
>Transfer (pscp/sftp) the SSH pubkey to the Luna appliance using the new user account (example $ pscp id_rsa_pub op-number1@lunasa7:).
>Log in with the new account.
>Add your SSH key (lunash:> my public-key add (<filename>)
Here is an example session:
operator@mypc:~/.ssh$ pscp id_rsa.pub op-number1@lunasa7: op-number1@lunasa7's password: id_rsa.pub 100% 392 0.4KB/s 00:00 operator@mypc:~$ ssh op-number1@lunasa7 op-number1@lunasa7's password: Last login: Wed Mar 11 08:51:46 2015 from 192.168.10.18 Luna Network HSM 7.0 Command Line Shell - Copyright (c) 2001-2017 Gemalto, Inc. All rights reserved. [lunasa7] lunash:>my publickey add id_rsa.pub Command Result : 0 (Success)
SSH Key Rotation and Security
When first commissioning any Luna Network HSM appliance for deployment, or to confine administrative access within a group of HSM appliances, always [re-]generate new SSH keypairs before placing the appliance in-service. Do this even if you intend to rely primarily on password-authenticated access to the appliance.
1.Run this lunash command:
sysconf ssh regenKeyPair
on each Luna Network HSM appliance to obtain a newer keypair for ECDSA, ED25519, and RSA.
NOTE Specify the Elliptic Curve size as desired (256,384,521) with -curvesize <curvesize> (sysconf ssh regenKeyPair -curvesize 384). The default size is 256.
2.After all new or repurposed/redeployed appliances have had the regenKeyPair command run, then
to verify that you now have different fingerprints on all Luna Network HSM appliances in your stable,
or
to verify that only those that should have shared admin access are in possession of the necessary new SSH keys, run
sysconf fingerprint ssh
and inspect the fingerprints for the now-available SSH keys.
CAUTION! Failure to manage SSH keys on all your Luna Network HSM 7 appliances could potentially leave them vulnerable to unauthorized access or man-in-the-middle attack.