HPE 3PAR SSH Key Authentication

Passwords are not going to vanish any time soon but there are better ways of authenticating to a system both in terms of convenience and security.

HPE (Hewlett Packard Enterprise) 3PAR arrays support the use of SSH keys for authentication and this post will discuss their setup and use.

 

What are SSH keys?

SSH keys are based on public key authentication whereby you have a public and a private key pair which are intrinsically linked. Your public key is made available to anyone and anything (i.e. people and systems) while your private key should be secured and accessible only by yourself. The private key should be protected with a complex passphrase so that if it is stolen you have time to revoke your public key from systems before the attacker brute forces your passphrase.

Now I don’t want to go hugely in depth on this topic so I’ll provide a link below with further information. What I do want to say is that this type of authentication (when used and deployed correctly) is typically far more secure than the traditional password. Brute force attacks are still possible but they are much harder for the attacker.

Wikipedia – Public Key Cryptography

 

How to create a key pair

HPE 3PAR documentation requires us to use the ssh-keygen utility to create our key pair. This can be found on Unix/Linux distributions and is also available for Windows via programs such as PuTTY.

 

Linux Steps – ssh-keygen

The ssh-keygen command has various switches and I’m not going to cover them all. You can use the command below to quickly create a key pair which is sufficient for a 3PAR array.

ssh-keygen -t rsa -b 2048

 

For reference I am merely telling ssh-keygen to use an RSA key with a 2048-bit key size. The system then asks me to give the file a name and potentially a file path. I allowed it to save the key pair in the default folder path (in my case /home/ab/.ssh/id_rsa) with a file name of ‘ab’. If you are not accessing the 3PAR from the Unix/Linux system which you created the keys on then copy them to the target system now.

 

Windows steps – PuTTY

If you want to create a key pair on Windows there are various tools to do this but PuTTY tends to be something most IT engineers have and are familiar with.

  • Open the PUTTYGEN.exe program
    • Make sure you select SSH-2 RSA for the key type and I recommend a minimum key size of 2048 bits

Open PUTTYGEN.exe

  • Click the ‘Generate’ button
    • You will be asked to move the mouse within the grey box area below the progress bar

Click Generate and create randomness by moving mouse

  • The key will then be generated

Key is generated

  • At this point you can add a comment and passphrase to the key
    • I STRONGLY recommend you add a passphrase which is complex with a mix of upper and lower alpha, numeric and special symbols to protect the private key

Add comment and passphrase

  • Click to save the private key – I recommend you save it to a secure location which only you can access. While it is protected with a passphrase, loss of the private key and subsequent brute force of the passphrase would allow a malicious threat actor to connect to any system which you have configured your public key on

Save private key

  • Next we need to copy out the public key. PuTTY saves it in a format which is not compatible with the 3PAR system
    • Right click in the public key field and ‘Select All’

Right click and select all

  • Now right click to copy the data

Right click and copy

I would suggest saving the public key into a text file. Once you have done this connect to the 3PAR array you wish to configure via SSH. Make sure you logon as the user which you are configuring an SSH key for. When you run the 3PAR command it will set the key for the currently logged on user so be mindful.

  • Use the setsshkey command to configure the SSH key. Copy and paste the PUBLIC key into the SSH session then press ‘Enter’ twice. If you have followed the steps correctly you will see a success confirmation

 

 

At this point you can now configure your chosen SSH client to use key based authentication. Now when you connect the system should automatically log you in without prompting for a password. If you are using PuTTY to connect then the configuration is simple.

  • Open a new PuTTY session and expand the Connection -> SSH menus and select Auth

Select Auth menu

  • You will see the ‘Browse’ button which allows us to select a private key for authentication

Select the private key

Private key selected

  • When you connect you will be prompted as follows

 

You have probably noticed PuTTY asked for the private key passphrase. It will do this each time which can be a real pain from your primary system. There are of course other programs which will allow you to save the passphrase in the program (encrypted with a passphrase) and then when that opens you authenticate to the application which then gives you access to all your sessions. I would suggest you look to work in this fashion – I use SecureCRT and it allows me to store my keys and passphrases behind additional layers of security on my computer. As it’s a laptop which is encrypted and requires multiple levels of authentication I am happy to work this way.

Of course you could create your public/private key pair and choose not to assign a passphrase. You need to make a judgement call and ensure you comply with any legislation/governance which applies to you.

 

View 3PAR users with an SSH key

To see which users on the 3PAR have set an SSH key use the showuser command with the -k switch.

 

Removing an SSH Key

If you want to remove the SSH key from your 3PAR account then the command removesshkey is for you. Note that you must run this command while logged on as the user in question.

If we now check for users with a key set –

 

Important Notes

  1. LDAP users are only allowed to set an SSH key if the setauthparam command has been used to set the allow-ssh-key parameter to 1. When an LDAP user runs the setsshkey command, the user’s role is recorded and is assigned when the user logs in using the key. Changes in the group-to-role mappings set with the setauthparam command or changes in the user’s data in the LDAP server have no effect as long as the user has an SSH key.
  2. Removing the user’s SSH key forces a new role to be determined at the user’s next login.
  3. The maximum number of characters used to represent the SSH key (including the -from option, key type, and additional comments) is 4095.
  4. Only one key may be entered at a time; to enter multiple keys, run the setsshkey command again with the -add option.

 


I hope this has been useful and as always if you have any comments or questions please leave them below.
