Requirement: ClearPass 6.6 introduces a new feature that allows logging in to the CLI over SSH using public-key authentication.
The public key is imported on the server; the private key stays on the local machine from which you intend to open the SSH session, stored in a secure location on that machine.
Solution: SSH public-key authentication provides a robust, more secure alternative for logging in to the server. It relies on asymmetric cryptographic algorithms that generate a pair of separate keys (a key pair), one "private" and the other "public". You keep the private key secret and store it on the computer you use to connect to the remote system. The public key can be shared with anyone without compromising the private key.
Using a public/private key pair instead of the traditional username and password adds an extra level of security and helps prevent unauthorized access to the server CLI.
Configuration: Setting up public-key authentication using SSH:
1. Log in to a shell on your macOS or Linux system and run the following command to generate an RSA private key and public key:
ssh-keygen -t rsa
2. You will be prompted to supply a filename (for saving the key pair) and a password (for protecting your private key):
A. Filename: To accept the default filename (and location) for your key pair, press Enter or Return without entering a filename.
Alternatively, enter a filename (e.g., my_ssh_key) at the prompt and then press Enter or Return.
3. Password: Enter a password that contains at least five characters, and then press Enter or Return. If you press Enter or Return without entering a password, your private key will be generated without password protection.
4. Your private key will be generated using the default filename (e.g., id_rsa) or the filename you specified (e.g., my_ssh_key), and stored on your computer in the .ssh directory under your home directory (e.g., ~/.ssh/id_rsa or ~/.ssh/my_ssh_key).
The corresponding public key will be generated using the same filename (with a .pub extension added) and stored in the same location. Once the key pair has been created, ssh-keygen prints the location where the files were saved.
5. Display the public key file with:
cat /root/.ssh/id_rsa.pub
6. Navigate to Administration > Server Manager > Server Configuration > Network and click "Add Public Key".
7. Copy and Paste the Public Key in the space provided.
8. Now you can log in to the server from your local system.
Verification: Log in using the private key:
1. On the SSH command line, add the "-i" flag followed by the path to your private key.
For example, to use the private key id_rsa, stored in the /root/.ssh/ directory, when connecting to your account on a remote host (e.g., appadmin@<CPPM-IP/Hostname>), enter:
ssh -i /root/.ssh/id_rsa appadmin@<hostname/IP>
2. You will be prompted for the private key passphrase to decrypt the encrypted private key file; provide the same passphrase you entered when the RSA key was created.
3. The first time you connect, SSH will warn that the server is not yet in your list of known hosts.
4. Once you answer "yes", the server's host key is added to your known_hosts list and you are given access to the CPPM command line.
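The configuration steps (generate the key pair, display the public key to paste into ClearPass) and the verification steps (connect with "-i", accept the host key) can be scripted as below. This is an added example written for this article, not code from the ClearPass product or documentation. It runs ssh-keygen non-interactively with a passphrase, locks down file permissions (ssh refuses a private key that is group- or world-readable), prints the public key and its SHA256 fingerprint, and adds one check the article's step 3 does not show: comparing the host key recorded in known_hosts against a fingerprint obtained out of band (for example from the appliance console), so the first-connection warning is verified rather than simply accepted. The key path, passphrase, host address 203.0.113.10 and comment "cppm-admin-key" are constructed sample values.

```shell
#!/bin/sh
# Added example for ClearPass SSH public-key login; not part of the original article.
# Sample values (paths, passphrase, host 203.0.113.10) are constructed for illustration.

# Generate an RSA key pair at $1, protected by passphrase $2 (empty = no passphrase).
# Non-interactive equivalent of the article's "ssh-keygen -t rsa".
generate_cppm_key() {
    key_file=$1
    passphrase=$2
    key_dir=$(dirname "$key_file")
    mkdir -p "$key_dir"
    chmod 700 "$key_dir"
    # -q quiet, -f output file, -N passphrase, -C comment shown next to the key in ClearPass
    ssh-keygen -q -t rsa -b 3072 -f "$key_file" -N "$passphrase" -C "cppm-admin-key" || return 1
    # ssh rejects a private key readable by anyone other than its owner
    chmod 600 "$key_file"
    chmod 644 "$key_file.pub"
}

# Print the single-line public key to paste under
# Administration > Server Manager > Server Configuration > Network > Add Public Key.
show_public_key() {
    cat "$1.pub"
}

# SHA256 fingerprint of the first key in a public-key file or a known_hosts file
# (ssh-keygen -l prints: "<bits> <fingerprint> <comment> (<type>)").
key_fingerprint() {
    ssh-keygen -lf "$1" | awk 'NR==1 {print $2}'
}

# True when the private key has owner-only (0600) permissions.
private_key_permissions_ok() {
    # GNU stat first, BSD/macOS stat as fallback
    perms=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$perms" = "600" ]
}

# Compare the host key recorded for $2 in known_hosts file $1 with an expected
# fingerprint $3 obtained out of band. Returns 0 only when they match, so the
# "yes" given at the first-connection warning can be verified afterwards.
host_key_matches() {
    known_hosts=$1
    host=$2
    expected=$3
    entry=$(mktemp)
    grep "^$host " "$known_hosts" | head -n 1 > "$entry"
    recorded=$(key_fingerprint "$entry" 2>/dev/null)
    rm -f "$entry"
    [ -n "$recorded" ] && [ "$recorded" = "$expected" ]
}

# Build the login command from the article's verification step.
cppm_ssh_command() {
    printf 'ssh -i %s appadmin@%s\n' "$1" "$2"
}

# Walk through the procedure end to end; connecting itself needs a reachable server.
demo() {
    key="$HOME/.ssh/cppm_demo_key"          # constructed path
    generate_cppm_key "$key" "sample-passphrase" || exit 1
    echo "Public key to paste into ClearPass:"
    show_public_key "$key"
    echo "Fingerprint: $(key_fingerprint "$key.pub")"
    echo "Login with: $(cppm_ssh_command "$key" 203.0.113.10)"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as "sh cppm_key.sh demo" to generate the key and print what to paste into the ClearPass UI; after the first login, record the fingerprint shown in the warning and confirm it with host_key_matches against the value read from the appliance console.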