Oracle GlassFish Server 3.1-3.1.1 High Availability Administration Guide

Setting Up SSH User Authentication

When a GlassFish Server subcommand uses SSH to log in to a remote host, GlassFish Server must be able to authenticate the SSH user. Setting up SSH user authentication ensures that this requirement is met.

Before setting up SSH user authentication, determine the authentication scheme to use. If SSH is already deployed at your site, the authentication scheme to use might already be chosen for you.

The following table lists the authentication schemes that GlassFish Server supports. The table also lists the advantages and disadvantages of each authentication scheme.

| Authentication Scheme | Advantages | Disadvantages |
| --- | --- | --- |
| Public key without encryption | GlassFish Server provides tools to simplify set up. | SSH must be configured to locate users' key files in the correct location. File access permissions for key files and the directory that contains the key files must be set correctly. |
| Public key with passphrase-protected encryption | This scheme is more secure than public key authentication without encryption. | SSH must be configured to locate users' key files in the correct location. File access permissions for key files and the directory that contains the key files must be set correctly. For each SSH user, GlassFish Server password aliases are required for the encryption passphrase. |
| Password | No SSH configuration is required to locate key files or to ensure that file access permissions are correct. | For each SSH user, GlassFish Server password aliases are required for the SSH password. |

The following topics are addressed here:

To Set Up Public Key Authentication Without Encryption

Use the setup-ssh subcommand in local mode to set up public key authentication without encryption. This subcommand enables you to set up public key authentication on multiple hosts in a single operation.

The setup-ssh subcommand generates a key pair and distributes the public key file to specified hosts. The private key file and the public key file are protected only by the file system's file access permissions. If you require additional security, set up public key authentication with passphrase-protected encryption as explained in To Set Up Encrypted Public Key Authentication.

Before You Begin

Ensure that the following prerequisites are met:

  1. Generate an SSH key pair and distribute the public key file to the hosts where you are setting up public key authentication.

    Note - Only the options that are required to complete this task are provided in this step. For information about all the options for setting up an SSH key, see the setup-ssh(1) help page.


    asadmin> setup-ssh [--sshuser sshuser] host-list
    sshuser

    The SSH user for which you are generating the SSH key pair. If you are running the subcommand as the SSH user, you may omit this option.

    host-list

    A space-separated list of the names of the hosts where the SSH public key is to be distributed.

    After generating the SSH key pair, the subcommand uses SSH to log in to each host in host-list as the SSH user to distribute the public key. Each time a password is required to log in to a host, you are prompted for the SSH user's password.

  2. In response to each prompt for a password, type the SSH user's password.

Example 2-4 Setting Up Public Key Authentication Without Encryption

This example generates and sets up an SSH key for the user gfuser on the hosts sua01 and sua02. The command is run by the user gfuser.

asadmin> setup-ssh --generatekey=true sua01 sua02
Enter SSH password for gfuser@sua01> 
Created directory /home/gfuser/.ssh
/usr/bin/ssh-keygen successfully generated the identification /home/gfuser/.ssh/id_rsa
Copied keyfile /home/gfuser/.ssh/id_rsa.pub to gfuser@sua01
Successfully connected to gfuser@sua01 using keyfile /home/gfuser/.ssh/id_rsa
Copied keyfile /home/gfuser/.ssh/id_rsa.pub to gfuser@sua02
Successfully connected to gfuser@sua02 using keyfile /home/gfuser/.ssh/id_rsa
Command setup-ssh executed successfully.

Next Steps

After setting up public key authentication, test the setup by using ssh to log in as the SSH user to each host where the public key was distributed. For each host, log in first with the unqualified host name and then with the fully qualified name. If SSH does not prompt for a password, public key authentication is set up correctly on the host.

If you are prompted for a password, verify that the public key file was copied correctly to the SSH user's authorized_keys file.

Troubleshooting

Setup might fail because file access permissions in the SSH user's home directory are too permissive. In this situation, ensure that the file access permissions in the SSH user's home directory meet the requirements for performing this procedure.

If you have set the file access permissions in the SSH user's home directory correctly, setup might still fail if you are using the MKS Toolkit. In this situation, correct the problem in one of the following ways:

See Also

You can also view the full syntax and options of the subcommand by typing asadmin help setup-ssh at the command line.

To Set Up Encrypted Public Key Authentication

Encrypted key file authentication uses an encrypted private key file that is protected with a passphrase. This passphrase must be provided to use the private key to unlock the public key. If you require encrypted public key authentication, you must use the SSH utility ssh-keygen to generate an SSH key pair with an encrypted private key. You can then use the setup-ssh subcommand to distribute the public key file to specified hosts.

To use the encrypted key file, GlassFish Server requires the passphrase with which the key file was encrypted. To provide this passphrase securely to GlassFish Server, create a GlassFish Server password alias to represent the passphrase and store this alias in a password file that is passed to the asadmin(1M) utility.


Note - Only the options that are required to complete this task are provided in each step. For information about all the options for the commands and subcommands in this task, see their help pages or man pages.


Before You Begin

Ensure that the following prerequisites are met:

  1. Generate an SSH key pair with an encrypted private key file.

    Use the SSH utility ssh-keygen(1) for this purpose.

    $ ssh-keygen -t type
    type

    The algorithm to be used for the key, which must be rsa, dsa, or rsa1.

    The ssh-keygen utility prompts you for a file in which to save the key.

  2. To simplify the distribution of the key file, accept the default file.

    The ssh-keygen utility prompts you for a passphrase.

  3. In response to the prompt, type your choice of passphrase for encrypting the private key file.

    The ssh-keygen utility prompts you to type the passphrase again.

  4. In response to the prompt, type the passphrase that you set in Step 3.
  5. Distribute the public key file to the hosts where you are setting up public key authentication.

    Use the setup-ssh(1) asadmin subcommand for this purpose.

    $ asadmin setup-ssh --generatekey=false host-list
    host-list

    A space-separated list of the names of the hosts where the SSH public key is to be distributed.

    The subcommand uses SSH to log in to each host in host-list as the SSH user to distribute the public key. Each time a passphrase or a password is required to log in to a host, you are prompted for the passphrase or the SSH user's password.

  6. In response to each prompt, type the requested information.
    • In response to each prompt for a passphrase, type the passphrase that you set in Step 3.
    • In response to each prompt for a password, type the SSH user's password.
  7. Create a GlassFish Server password alias for the passphrase that you set in Step 3.

    Use the create-password-alias(1) asadmin subcommand for this purpose.

    $ asadmin create-password-alias alias-name
    alias-name

    Your choice of name for the alias that you are creating.

    The create-password-alias subcommand prompts you to type the passphrase for which you are creating an alias.

  8. In response to the prompt, type the passphrase that you set in Step 3.

    The create-password-alias subcommand prompts you to type the passphrase again.

  9. In response to the prompt, type the passphrase that you set in Step 3 again.
  10. Create a plain text file that contains the following entry for the passphrase alias:
    AS_ADMIN_SSHKEYPASSPHRASE=${ALIAS=alias-name}
    alias-name

    The alias name that you specified in Step 7.


    Note - When you create an SSH node, pass this file as the --passwordfile option of the asadmin utility. For more information, see To Create an SSH Node.


Example 2-5 Setting Up Encrypted Public Key Authentication

This example generates an SSH key pair with an encrypted private key for the user gfadmin and distributes the public key to the hosts sj01 and sj02. The example also creates an alias that is named ssh-key-passphrase for the private key's passphrase.

$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/gfadmin/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/gfadmin/.ssh/id_rsa.
Your public key has been saved in /home/gfadmin/.ssh/id_rsa.pub.
The key fingerprint is:
db:b5:f6:0d:fe:16:33:91:20:64:90:1a:84:66:f5:d0 gfadmin@dashost
$ asadmin setup-ssh --generatekey=false sj01 sj02
Key /home/gfadmin/.ssh/id_rsa is encrypted
Enter key passphrase> 
Enter SSH password for gfadmin@sj01> 
Copied keyfile /home/gfadmin/.ssh/id_rsa.pub to gfadmin@sj01
Successfully connected to gfadmin@sj01 using keyfile /home/gfadmin/.ssh/id_rsa
Successfully connected to gfadmin@sj02 using keyfile /home/gfadmin/.ssh/id_rsa
SSH public key authentication is already configured for gfadmin@sj02
Command setup-ssh executed successfully.
$ asadmin create-password-alias ssh-key-passphrase
Enter the alias password> 
Enter the alias password again> 
Command create-password-alias executed successfully.

The entry in the password file for the ssh-key-passphrase alias is as follows:

AS_ADMIN_SSHKEYPASSPHRASE=${ALIAS=ssh-key-passphrase}

Troubleshooting

Setup might fail because file access permissions in the SSH user's home directory are too permissive. In this situation, ensure that the file access permissions in the SSH user's home directory meet the requirements for performing this procedure.
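
The permission problem described in both Troubleshooting notes can be checked before running setup-ssh. The following script is an added example, not part of the Oracle guide: its thresholds are the ones OpenSSH enforces (sshd StrictModes and the client's private key check), which is an assumption about the SSH implementation in use, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: pre-flight check of SSH file permissions for the SSH user.
# Thresholds follow OpenSSH behaviour (assumption, not stated on this page).

# mode_of PATH: print the octal mode (GNU stat, then BSD/macOS stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_bits PATH MASK: fail if PATH exists and has any permission bit in MASK.
check_bits() {
    [ -e "$1" ] || return 0
    cb_mode=$(mode_of "$1")
    if [ $(( 0$cb_mode & 0$2 )) -ne 0 ]; then
        echo "too permissive: $1 (mode $cb_mode, forbidden bits $2)"
        return 1
    fi
}

# audit_ssh_perms HOME_DIR: return 0 if every check passes, 1 otherwise.
audit_ssh_perms() {
    as_rc=0
    # sshd StrictModes: none of these may be writable by group or other.
    for as_p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        check_bits "$as_p" 22 || as_rc=1
    done
    # The ssh client ignores a private key that group or other can access.
    for as_p in "$1/.ssh/id_rsa" "$1/.ssh/id_dsa"; do
        check_bits "$as_p" 77 || as_rc=1
    done
    return $as_rc
}

# Usage: audit_ssh_perms "$HOME"
```

Run the check as the SSH user on the DAS host and on each remote host; any path it reports must be tightened before setup-ssh is retried.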

If you have set the file access permissions in the SSH user's home directory correctly, setup might still fail if you are using the MKS Toolkit. In this situation, correct the problem in one of the following ways:

See Also

You can also view the full syntax and options of the subcommands by typing the following commands at the command line:

To Set Up Password Authentication

To use SSH to log in to a remote host, GlassFish Server requires the SSH user's password. To provide this password securely to GlassFish Server, create a GlassFish Server password alias to represent the password and store this alias in a password file that is passed to the asadmin(1M) utility.

Before You Begin

Ensure that SSH is set up on each host where you are setting up password authentication. For more information, see the following sections:

  1. Create an alias for the SSH user's password.

    Note - Only the options that are required to complete this task are provided in this step. For information about all the options for creating a password alias, see the create-password-alias(1) help page.


    asadmin> create-password-alias alias-name
    alias-name

    Your choice of name for the alias that you are creating.

    The create-password-alias subcommand prompts you to type the password for which you are creating an alias.

  2. In response to the prompt, type the SSH user's password.

    The create-password-alias subcommand prompts you to type the password again.

  3. In response to the prompt, type the SSH user's password again.
  4. Create a plain text file that contains the following entry for the password alias:
    AS_ADMIN_SSHPASSWORD=${ALIAS=alias-name}
    alias-name

    The alias name that you specified in Step 1.


    Note - When you create an SSH node, pass this file as the --passwordfile option of the asadmin utility. For more information, see To Create an SSH Node.


Example 2-6 Creating an Alias for the SSH User's Password

This example creates an alias that is named ssh-password for the SSH user's password.

$ asadmin create-password-alias ssh-password
Enter the alias password> 
Enter the alias password again> 
Command create-password-alias executed successfully.

The entry in the password file for the ssh-password alias is as follows:

AS_ADMIN_SSHPASSWORD=${ALIAS=ssh-password}
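
The password file created in the last step of this procedure, and in Step 10 of the encrypted public key procedure, should hold alias references only, never the secret itself. The following script is an added example, not part of the Oracle guide: it writes the entries and then checks the file. The function names are hypothetical, and the owner-only file mode is an added hardening assumption that the page does not state.

```sh
#!/bin/sh
# Added example: write and verify an asadmin password file that contains
# only ${ALIAS=...} references. Function names are hypothetical.

# write_alias_entry FILE VARIABLE ALIAS: append VARIABLE=${ALIAS=ALIAS}.
write_alias_entry() {
    ( umask 077   # a newly created file is readable by the owner only
      # Single quotes keep ${ALIAS=...} literal; the shell must not expand it.
      printf '%s=${ALIAS=%s}\n' "$2" "$3" >> "$1" )
}

# cleartext_entries FILE: print AS_ADMIN_* lines that are not alias references.
cleartext_entries() {
    grep '^AS_ADMIN_' "$1" |
        grep -v -E '^AS_ADMIN_[A-Z_]+=\$\{ALIAS=[^}]+\}$'
}

# check_password_file FILE: return 0 if FILE has alias references only and
# is not accessible by group or other (assumed policy), 1 otherwise.
check_password_file() {
    pf_rc=0
    if [ -n "$(cleartext_entries "$1")" ]; then
        echo "cleartext value in $1"
        pf_rc=1
    fi
    pf_mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    if [ $(( 0$pf_mode & 077 )) -ne 0 ]; then
        echo "$1 is accessible by group or other (mode $pf_mode)"
        pf_rc=1
    fi
    return $pf_rc
}

# Usage:
#   write_alias_entry ./ssh-passwords AS_ADMIN_SSHPASSWORD ssh-password
#   check_password_file ./ssh-passwords
```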

See Also

You can also view the full syntax and options of the subcommand by typing asadmin help create-password-alias at the command line.