When running the command "ssh -i your-keyname.key root@112001@[email protected]:[email protected] -p 22222" from a macOS terminal, the connection through the PAM SSH gateway fails with a "Permission denied" error, even though the private key and the user certificate are both present in the directory the command is run from.
The command failed because of the .key extension on the private key name. The OpenSSH client automatically looks for a user certificate named after the file passed to the -i switch plus the suffix "-cert.pub". With -i your-keyname.key it therefore looked for your-keyname.key-cert.pub, which does not exist; without a certificate the gateway has nothing to validate and rejects the key with "Permission denied".
The file names and extensions matter because the ssh client derives the certificate name from the identity file name, not because PAM inspects them. You can use any base name you like for the key pair: the public key entered into PAM needs the .pub extension, the matching stored private key should have no extension, and the user certificate you download from PAM must use the same base name with the -cert.pub suffix. The connect command then only names the private key; ssh adds -cert.pub itself. (If you must keep a certificate under a different name, the OpenSSH client can be pointed at it explicitly with the CertificateFile option in ssh_config; the command line copied from PAM relies on the default naming instead.)
[your-key-name].pub - the public key entered into PAM
[your-key-name] - the private key matching the public key entered into PAM
[your-key-name]-cert.pub - the user certificate downloaded from PAM for the specific session started. This file is only valid after selecting an access session, and only for the time period defined under "Configuration>PAM Gateways>SSH Configuration>Certificate Validity Duration (Hours):", which defaults to 1 hour.
When you click the badge icon you are presented with a download of the "user certificate". The file must be saved under your private key name plus "-cert" and the ".pub" extension (your-keyname-cert.pub).
Note: Overwrite the previous certificate each time you download a new one. Never keep a copy the browser has renamed with a (1) suffix (for example your-keyname-cert (1).pub); ssh will not find the certificate under that name and the connection will fail.
You will reuse the same private key for every connection you create, but the -cert.pub user certificate is only valid for the specific connection you are making and only for the amount of time defined in the Certificate Validity Duration (Hours) setting of the SSH Gateway properties.
When you are ready to start your connection, click the copy icon and paste the command into either a terminal prompt or a PuTTY-like tool.
For terminal ssh, both your private key "your-keyname" (with no file extension) and the downloaded user certificate "your-keyname-cert.pub" must be in the same folder, and you run the command from that folder (or give -i the full path to the key; ssh then looks for the certificate next to it).
ssh -i your-keyname root@112001@[email protected]:[email protected] -p 22222
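As an added example, not part of the PAM documentation above, the following POSIX shell preflight check applies the same naming rule the OpenSSH client uses (identity file name plus -cert.pub) and reports the two mistakes described above: an extension on the identity name, and a certificate the browser renamed with a (1) suffix. The function names and hint wording are my own; the optional ssh-keygen -L call only runs when ssh-keygen is installed and shows the certificate's principals and validity window so an expired session certificate is caught before ssh is run.

```shell
#!/bin/sh
# Added example, not from the PAM documentation: preflight check for the
# OpenSSH client rule "ssh -i IDENTITY also loads IDENTITY-cert.pub".

# Print the certificate path the ssh client derives from an identity path.
expected_cert_path() {
    printf '%s-cert.pub\n' "$1"
}

# Exit status 0 when the identity and its certificate are both present under
# the names ssh expects; 1 otherwise, with a diagnosis on stderr.
check_identity() {
    idfile="$1"
    cert=$(expected_cert_path "$idfile")

    if [ ! -f "$idfile" ]; then
        echo "missing private key: $idfile" >&2
        return 1
    fi

    if [ ! -f "$cert" ]; then
        echo "missing user certificate: $cert" >&2
        # Mistake 1 from the article: an extension on the identity name, e.g.
        # "-i your-keyname.key" makes ssh look for your-keyname.key-cert.pub.
        case "$(basename "$idfile")" in
            *.*) echo "hint: drop the extension; ssh derives the certificate name from the -i value" >&2 ;;
        esac
        # Mistake 2: a browser-renamed duplicate download such as
        # "your-keyname-cert (1).pub" (assumed browser naming pattern).
        dup=$(printf '%s' "$cert" | sed 's/-cert\.pub$/-cert (1).pub/')
        if [ -f "$dup" ]; then
            echo "hint: found '$dup'; rename it to '$cert'" >&2
        fi
        return 1
    fi

    # If ssh-keygen is installed, show the certificate's type, principals and
    # validity window (the PAM certificate expires after the configured hours).
    if command -v ssh-keygen >/dev/null 2>&1; then
        ssh-keygen -L -f "$cert" 2>/dev/null | grep -E 'Type|Principals|Valid' >&2 || true
    fi
    return 0
}

# Usage (hypothetical host string): run the check before the copied PAM command.
# check_identity your-keyname && ssh -i your-keyname <gateway-user>@<gateway-host> -p 22222
```

Run the check from the folder holding the key and certificate, or pass the full path; either way the certificate is expected beside the key with the exact -cert.pub suffix.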
For PuTTY, you must define the private key in PPK format (your-keyname.ppk) and the downloaded user certificate (your-keyname-cert.pub) in the session's authentication settings.
Copy the host connection string "root@112001@[email protected]:[email protected]" from PAM into the Host Name field and the gateway port "22222" into the Port field to connect.
A key pair can be created with PuTTYgen on a Windows machine:
Create the new key pair.
Copy the public key shown in PuTTYgen and paste it into your user identity in PAM.
Save your new PPK file for later use with PuTTY.
Export the private key in OpenSSH format (Conversions > Export OpenSSH key) and save it as your-keyname, with no file name extension, for use with terminal ssh.