Information about Public Key Authentication Communication in Agentless mode in Control Compliance Suite (CCS)

Article ID: 156034

Products

Control Compliance Suite Exchange

Issue/Introduction

Information about Public Key Authentication Communication in Agentless mode in Control Compliance Suite (CCS)

Resolution

About Public Key Authentication

The Public Key Authentication method provides a secure authentication mode for establishing a connection between the Information Server and the UNIX target computers. It requires an SSH key pair (a public key and a private key) to be generated before public key authentication can succeed. The SSH keys can be generated using a Public Key Infrastructure (PKI) arrangement. You generate the public/private key pair on the Information Server and deploy the public key on the UNIX target computers.

Note: You must have your own PKI available to generate the key pair; it is not provided by the BV-Control for UNIX snap-in. You can use utilities such as PuTTYgen to generate the SSH public/private key pairs.

The Public Key Authentication support mode can be used to configure the UNIX target computer. For every new SSH connection to the UNIX target computer, the private key is fetched from the credential database and used to generate a signature, which is sent to the UNIX target computer. The SSH server on the UNIX target computer verifies the signature against the public key deployed on it. If the verification succeeds, the Information Server is authenticated and the connection is established.

The Public Key Authentication credentials consist of the username, the private key file and the passphrase (if any). These credentials are used to authenticate the generated private key in the Information Server, which is used for establishing a connection with the target computer. You can encrypt the private key with a passphrase and store it in the credential database.

Private key formats that are supported by BV-Control for UNIX

The following formats of the private key are supported by BV-Control for UNIX:

  • SSH1 private key
  • SSH2 private key
  • PuTTY’s format of SSH2 private key
  • ssh.com’s format of SSH2 private key
  • OpenSSH’s format of SSH2 private key

Deploying the public key on the UNIX target computer

The public key of the Information Server that you have generated must be deployed on the UNIX target computers.

On the UNIX target computers, OpenSSH uses the authorized_keys file, which lists the public keys whose corresponding private keys are allowed to access a user account. The authorized_keys file is located in the .ssh directory of the user’s home directory (~/.ssh).
Note: Older versions of OpenSSH refer to the authorized_keys file as authorized_keys2 for SSH2. All recent versions of OpenSSH refer to the file as authorized_keys for both SSH1 and SSH2.
 
To deploy the public key on the UNIX target computer
 
1.   Copy the public key that is generated on the Information Server.
2.   Navigate to the <home_directory>/.ssh directory on the target computer.
3.   Open the authorized_keys file and paste the public key of the Information Server.
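The deployment steps above, as an added example that is not part of the CCS documentation: a POSIX shell function that appends the Information Server's public key to the target account's authorized_keys, but idempotently and with the file modes that sshd requires before it will honour the file. The key line and home directory in the usage are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the CCS documentation: deploy the Information
# Server's public key into a target account's authorized_keys as steps 1-3
# describe, but idempotently and with the permissions sshd expects.
# Usage: deploy_pubkey "<public key line>" [home_dir]

deploy_pubkey() {
    key="$1"
    home="${2:-$HOME}"
    sshdir="$home/.ssh"
    authfile="$sshdir/authorized_keys"

    # An OpenSSH public key line is "<type> <base64> [comment]"; reject anything
    # else so a pasted private key or a stray line never lands in the file.
    case "$key" in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-nistp"*" "*) ;;
        *) echo "deploy_pubkey: not an OpenSSH public key line" >&2; return 1 ;;
    esac

    # With StrictModes (the default) sshd ignores authorized_keys if the
    # directory or file is group/world accessible, so fix the modes first.
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    touch "$authfile" && chmod 600 "$authfile"

    # Compare only key type and key material, so re-running with a different
    # trailing comment does not append a duplicate entry.
    keymat=$(printf '%s\n' "$key" | awk '{print $1 " " $2}')
    if awk -v k="$keymat" '($1 " " $2) == k {f=1} END {exit !f}' "$authfile"; then
        echo "deploy_pubkey: key already present in $authfile" >&2
        return 0
    fi
    printf '%s\n' "$key" >> "$authfile"
}

# Number of active (non-blank, non-comment) entries in the account's authorized_keys.
count_authorized_keys() {
    grep -cv -e '^[[:space:]]*#' -e '^[[:space:]]*$' \
        "${1:-$HOME}/.ssh/authorized_keys" 2>/dev/null || true
}
```

Run it as the target user (or with the target account's home directory as the second argument) once per Information Server key; re-running it is harmless.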
 
Note: The recommended key size is 1024-8192 bits.
