1.3 Key-Based Authentication

You can use public key-based SSH authentication to connect to the CLI. When you set up key-based authentication, you can log in to the CLI without being prompted for a password. Using key-based authentication does not effect the existing authentication mechanism using a username and password.

Keys are set up between a local system and the Oracle VM Manager host. After the keys are set up, you log in for the first time with the CLI admin password, as you normally would, then a connection is established using public key authentication and the channel is identified to the CLI Server by the client IP address and user name. Subsequent log ins do not require the password, for as long as the channel remains open. If the channel is closed, or the admin user's password is changed, key-based authentication is terminated and you are required to enter the admin user's password again. To reestablish the connection using key-based authentication, log in again using the standard SSH connection, enter the admin user's password, and the channel is opened again.

To set up key-based authentication:

  1. Make sure the ssh-agent is running on your local host:

    $ eval `ssh-agent`
    Agent pid number

    If the ssh-agent is not running, you may encounter the following error when you perform the next step:

    Could not open a connection to your authentication agent.
  2. On your local host, generate a public/private key pair to log in to the CLI. Make sure you remember the passphrase that you enter.

    $ ssh-keygen -t rsa -f ~/.ssh/admin
    Generating public/private rsa key pair.
    Enter passphrase (empty for no passphrase): passphrase
    Enter same passphrase again: passphrase
    Your identification has been saved in /user/.ssh/admin.
    Your public key has been saved in /user/.ssh/admin.pub.
    The key fingerprint is:
    fingerprint user@hostname

    The two keys are generated in ~/.ssh/: admin (the private key) and admin.pub (the public key).

  3. Add the private key to the authentication agent, using the same passphrase you used to create the key pair, for example:

    $ ssh-add ~/.ssh/admin 
    Enter passphrase for /home/user/.ssh/admin: passphrase
    Identity added: /home/user/.ssh/admin (/home/user/.ssh/admin)
  4. Copy the public key to the Oracle VM Manager host, for example:

    $ scp ~/.ssh/admin.pub oracle@hostname:/home/oracle/.ssh/

    Where hostname is the hostname of the Oracle VM Manager host. Make sure you do the copy as the oracle user.

  5. Log into the Oracle VM Manager host as the oracle user and append the admin.pub public key to the CLI authorized file (ovmcli_authorized_keys).

    $ ssh oracle@hostname
    $ cd /home/oracle/.ssh/
    $ cat admin.pub >> ovmcli_authorized_keys
    $ exit

    Where hostname is the hostname of the Oracle VM Manager host.

  6. From the local machine, log in to the CLI using the command:

    $ ssh -l admin hostname -p 10000

    You are requested to enter the admin user's password. Enter it.

    admin@hostname's password: password

    Subsequent log ins use the newly established channel and do not require a password.

For security reasons, the channel for public key authentication expires after a designated period of time. See Section 1.9, “Configuring the Oracle VM CLI” for information on how to change the public key authentication expiry time.