SSH public key authentication in GlassFish v3.1

Overview

SSH setup is a prerequisite for setting up GlassFish clusters across multiple machines. SSH provides confidentiality and security for data exchanged between the DAS and remote host(s) through the use of public key cryptography. One of the authentication mechanisms in SSH is public key authentication, which allows password-less login from the DAS to the instance host(s). The main benefits of public key authentication are:
- Public keys cannot be easily brute forced
- The same private key (with passphrase) can be used to access multiple systems: no need to remember many passwords
Setting up public key access requires certain manual steps. However, this shortcoming can be overcome in GlassFish 3.1 by using the setup-ssh command. The primary goal of the setup-ssh command is to provide a simple and quick way to set up SSH connectivity between the DAS and instance hosts. The key features of the setup-ssh command are:
- Automatic key pair generation
- Automatic key distribution to remote node(s)
- Silent mode setup
- Platform independent
Distributing the public key means installing the public key in the $HOME/.ssh/authorized_keys file on the remote host. The key is installed on the remote host once, after which it is used for subsequent remote access by the holder of the private key (i.e., the DAS user).

Command Usage

SSH setup doesn't store any configuration information in domain.xml. It is a local command with the following usage:
Usage: asadmin [asadmin-utility-options] setup-ssh [--sshuser <sshuser>]
[--sshport <sshport(default:22)>] [--sshkeyfile <sshkeyfile>]
[--sshpublickeyfile <sshpublickeyfile>]
[--generatekey[=<generatekey(default:false)>]]
[-?|--help[=<help(default:false)>]] hosts ...
where <sshuser> is the username to use for the remote login (default: user id of the asadmin user)
<sshport> is the port of the sshd server on the remote node (default: 22)
<sshkeyfile> is the location of the private key file (default: $HOME/.ssh/id_rsa)
<sshpublickeyfile> is the location of the public key file (default: $HOME/.ssh/id_rsa.pub)
Apart from accepting the above mentioned SSH credentials, the command accepts multiple operands to set up SSH hosts in one go. The user also needs to provide the SSH password to log in for distributing the key. So, if public key authentication isn't set up, password authentication is used to distribute the public key to the remote host. Passwords are accepted either by prompting or from a password file. In the case where a key pair needs to be generated, the user is first prompted for confirmation. The user also has an option to generate the key with a passphrase for tighter security. In silent mode, the user is not prompted for any information: the SSH password needs to be passed through the password file and an empty key passphrase is used to generate the key. This helps in performing SSH setup through scripts.

SSH key pair generation

Public key authentication uses two keys: a private key, which is kept in a secure place on the local (DAS) machine and protected with a passphrase, and a public key, which is placed on all the remote hosts that the DAS communicates with. Generally, users generate the public/private key pair using the standard ssh-keygen utility and then install the public key on the remote host. However, to make this setup task easier for the user, the setup-ssh utility will automatically generate the key pair and distribute the public key to the remote host(s). The automatic generation includes generation of a passphrase-protected key for a more secure key. The setup-ssh command will attempt to locate ssh-keygen in default locations if it is not found in the PATH environment variable. In the case of Windows, the assumption is that the SSH package for cygwin is installed.

setup-ssh use cases

Case 1: If public key access is already configured, the command fails:
$ asadmin setup-ssh --sshuser yamini1 sunone172.india.sun.com
SSH public key authentication is already configured for yamini1@sunone172.india.sun.com
Command setup-ssh failed.
Case 2: If the public key is present (under $HOME/.ssh or in the specified location), prompt for the SSH password and copy the public key to the remote host. Verify connectivity and exit.
$ asadmin setup-ssh --sshuser yamini1 sunone172.india.sun.com
Enter SSH password>
Copied keyfile /home/yamini/.ssh/id_rsa.pub to yamini1@sunone172.india.sun.com
Checking connection...
Successfully connected to yamini1@sunone172.india.sun.com using keyfile /home/yamini/.ssh/id_rsa
Command setup-ssh executed successfully.
Case 3: If the --sshpublickeyfile option is specified but the file is not found, exit with an error.
$ asadmin setup-ssh --sshuser yamini1 --sshpublickeyfile /tmp/foo sunone172.india.sun.com
Specified key file /tmp/foo does not exist.
Command setup-ssh failed.
Case 4: If --sshpublickeyfile is not specified and no key file is present under $HOME/.ssh, ask the user whether a key pair needs to be generated. If the user says 'n', exit with a message stating that SSH key setup failed.
$ asadmin setup-ssh --sshuser yamini1 sunone172.india.sun.com
SSH key not found for user yamini1
Would you like to generate SSH key pair for yamini1 to access sunone172.india.sun.com? y/n: n
SSH key setup failed: SSH key pair not present. Please generate a key pair manually or specify an existing one and re-run the command.
Command setup-ssh failed.
Case 5: If the key doesn't exist and the user answers 'y' for key pair generation, locate ssh-keygen. Run ssh-keygen to generate the key pair with or without a passphrase, copy the public key to the remote host, verify connectivity and exit.
$ asadmin setup-ssh --sshuser yamini1 sunone172.india.sun.com
SSH key not found for user yamini1
Would you like to generate SSH key pair for yamini1 to access sunone172.india.sun.com? y/n: j
SSH key not found for user yamini1
Would you like to generate SSH key pair for yamini1 to access sunone172.india.sun.com? y/n: y
Enter SSH key passphrase (empty for no passphrase)>
Enter SSH password>
Generating public/private rsa key pair.
Created directory '/home/yamini/.ssh'.
Your identification has been saved in /home/yamini/.ssh/id_rsa.
Your public key has been saved in /home/yamini/.ssh/id_rsa.pub.
The key fingerprint is:
61:ca:40:a4:68:0f:71:7a:39:13:0e:b2:36:0e:cd:ac yamini@onyx
The key's randomart image is:
-[ RSA 2048]---
.o +o
.**oo
+=. o
=.= oo o .
E. . o S
-----------------
ssh-keygen exit status: 0
Copied keyfile /home/yamini/.ssh/id_rsa.pub to yamini1@sunone172.india.sun.com
Checking connection...
Successfully connected to yamini1@sunone172.india.sun.com using keyfile /home/yamini/.ssh/id_rsa
Command setup-ssh executed successfully.
Case 6: If ssh-keygen is not found or fails for some reason, ask the user to generate the key pair manually and re-run the command to distribute the key.
$ asadmin setup-ssh --sshuser yamini1 sunone172.india.sun.com
SSH key not found for user yamini1
Would you like to generate SSH key pair for yamini1 to access sunone172.india.sun.com? y/n: y
Enter SSH key passphrase (empty for no passphrase)>
Enter SSH password>
SSH key pair generation failed. Please generate key manually.
Command setup-ssh failed.
Case 7: Allow non-interactive mode for setup-ssh, i.e., allow reading the SSH password from a password file and assume the default 'n' for key pair generation. --interactive is part of the asadmin common options.
$ echo "AS_ADMIN_SSH_PASSWORD=xxxxx" >/tmp/passwd
$ asadmin --passwordfile /tmp/passwd --interactive=false setup-ssh --sshuser yamini1 --generatekey=true sunone172.india.sun.com
Generating public/private rsa key pair.
Created directory '/home/yamini/.ssh'.
Your identification has been saved in /home/yamini/.ssh/id_rsa.
Your public key has been saved in /home/yamini/.ssh/id_rsa.pub.
The key fingerprint is:
2c:77:7c:9c:77:55:ae:a7:c7:f0:7d:15:2c:10:3b:8b yamini@onyx
The key's randomart image is:
-[ RSA 2048]---
o. .
o ...
o . oo
. ...o...o
. SEo.+ + +
o . . . Bo
. *
..
-----------------
ssh-keygen exit status: 0
Copied keyfile /home/yamini/.ssh/id_rsa.pub to yamini1@sunone172.india.sun.com
Checking connection...
Successfully connected to yamini1@sunone172.india.sun.com using keyfile /home/yamini/.ssh/id_rsa
Command setup-ssh executed successfully.
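The remote-side step that the use cases above report as "Copied keyfile ... to user@host" is installing the public key in $HOME/.ssh/authorized_keys. As an added example (not GlassFish's own code), here is a POSIX shell function that performs that step idempotently and with the file modes sshd requires before it will honour the key; the function names, the sample key and the paths are assumptions.

```shell
#!/bin/sh
# Added example, not GlassFish code: the remote-side half of "distributing the
# public key", i.e. installing it in $HOME/.ssh/authorized_keys idempotently and
# with the file modes sshd requires. Assumes POSIX sh plus awk, grep, mkdir, chmod.

# install_pubkey PUBKEY_FILE SSH_DIR
# Appends the single key in PUBKEY_FILE to SSH_DIR/authorized_keys unless an
# entry with the same key material already exists. Returns 0 on success and
# 1 when the public key file is missing or holds no key (cf. Case 3 above).
install_pubkey() {
    pubkey_file=$1
    ssh_dir=$2
    auth_keys="$ssh_dir/authorized_keys"

    [ -f "$pubkey_file" ] || { echo "Specified key file $pubkey_file does not exist." >&2; return 1; }

    # Match on key type and base64 blob only: the trailing comment (user@host)
    # may differ between copies, and a second entry for one key is audit noise.
    key_material=$(awk 'NR == 1 && NF >= 2 { print $1, $2 }' "$pubkey_file")
    [ -n "$key_material" ] || { echo "No key material found in $pubkey_file" >&2; return 1; }

    # With StrictModes (the sshd default) a group- or world-writable ~/.ssh or
    # authorized_keys is silently ignored and login falls back to password
    # authentication, so set the modes explicitly rather than trusting umask.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth_keys" && chmod 600 "$auth_keys" || return 1

    if grep -qF -- "$key_material" "$auth_keys"; then
        echo "Key from $pubkey_file is already present in $auth_keys"
        return 0
    fi
    cat "$pubkey_file" >> "$auth_keys" || return 1
    echo "Copied keyfile $pubkey_file into $auth_keys"
}

# key_count SSH_DIR: number of entries in authorized_keys (0 if the file is absent).
key_count() {
    if [ -f "$1/authorized_keys" ]; then grep -c . "$1/authorized_keys"; else echo 0; fi
}

# auth_keys_mode SSH_DIR: symbolic mode of authorized_keys, e.g. -rw-------
auth_keys_mode() {
    ls -l "$1/authorized_keys" | cut -c1-10
}

# Usage (hypothetical script name): sh install_pubkey.sh <pubkey-file> <ssh-dir>
if [ "$#" -eq 2 ]; then
    install_pubkey "$1" "$2"
fi
```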