Objective
This article describes how to create and use a key pair for NetScaler secure shell (SSH) public key authentication by using the PuTTY and PuTTY Key Generator (PuTTYgen) utilities.
Background
SSH supports a number of authentication mechanisms, such as password, keyboard-interactive, and public key. By default, passwords are used for authentication, but you can significantly enhance security by generating a key pair and using it to authenticate users. A user intending to attack the system would then need access not only to the private key but also to the passphrase used to encrypt the key. It is also possible to create keys that are not protected with a passphrase, which some applications require, for example to enable automated scripted logins. You must consider the security risks in such cases if the system has to receive a public key from an unauthorized user.
Instructions
Creating a Key Pair for SSH Authentication
To create a key pair for SSH authentication by using the PuTTYgen utility, complete the following procedure:
1. Download and run the PuTTY Key Generator utility.
2. Click Generate.
3. Generate random data by moving the mouse cursor over the blank area.
4. Enter the e-mail address in the Key comment field so that other administrators can identify the public key.
5. Enter a strong passphrase to protect the private key. If you do not enter a passphrase, then you can log on without a passphrase. However, this is not recommended for security reasons.
6. Save the public and private keys as separate files, such as id_rsa_pub.ppk and id_rsa.ppk. Do not share the private key. This key is used to authenticate to remote servers. Store it in a safe location so that no one can use it to gain unauthorized access. The public key should be copied to remote servers and appended to the ~/.ssh/authorized_keys file for UNIX hosts. If you are using this key pair to authenticate to a NetScaler appliance, then store the public key in the /nsconfig/ssh/authorized_keys file on the remote NetScaler appliance.
The following screen shot displays the PuTTY Key Generator utility.
Points to Note
- When you save the SSH key, the public key is not in the format that the OpenSSH daemon running on the NetScaler appliance recognizes. If you intend to use this public key with the NetScaler appliance or a server running the OpenSSH daemon, then you must complete one of the following tasks:
  - Copy the text from the Public key for pasting into OpenSSH authorized_keys file field, as shown in the preceding screen shot, and append it to the /nsconfig/ssh/authorized_keys file on the NetScaler appliance or the ~/.ssh/authorized_keys file on the server. In this case, you do not need to save the public key separately. However, you need to save the private key to load it to PuTTY.
  - Copy the public key created in Step 6 of the preceding procedure to the target server and run the following command:
    ssh-keygen -f [public key] -i >> [authorized_keys file]
- The preceding command converts the key to the format that OpenSSH recognizes and appends it to the authorized_keys file. For example, on a NetScaler appliance, assuming that the public key file is named id_rsa_pub.ppk and the file is in the current working directory, run the following command:
  ssh-keygen -f id_rsa_pub.ppk -i >> /nsconfig/ssh/authorized_keys
Loading the Private Key to PuTTY
To load the private key to PuTTY, complete the following procedure:
1. Open PuTTY, and create the session containing the information for the server that you want to connect to, as shown in the following screen shot:
2. Under Connection, expand the SSH node.
3. Select Auth.
4. In the Private key file for authentication field, type the location of the private key, as shown in the following screen shot:
5. Click Open to connect to the server.