Passwords are not going to vanish any time soon but there are better ways of authenticating to a system both in terms of convenience and security.
HPE (Hewlett Packard Enterprise) 3PAR arrays support the use of SSH keys for authentication and this post will discuss their setup and use.
What are SSH keys?
SSH keys are based on public key authentication, whereby you have a public and a private key which are mathematically linked as a pair. Your public key can be made available to anyone and anything (i.e. people and systems), while your private key should be secured and accessible only to you. The private key should be protected with a complex passphrase so that, if it is stolen, you have time to revoke your public key from your systems before the attacker brute forces the passphrase.
Now I don’t want to go hugely in depth on this topic so I’ll provide a link below with further information. What I do want to say is that this type of authentication (when used and deployed correctly) is typically far more secure than the traditional password. Brute force attacks are still possible but they are much harder for the attacker.
How to create a key pair
HPE 3PAR documentation requires us to use the ssh-keygen utility to create our key pair. This is found on Unix/Linux distributions and is also available for Windows via programs such as PuTTY.
Linux Steps – ssh-keygen
The ssh-keygen command has various switches and I’m not going to cover them all. You can use the command below to quickly create a key pair which is sufficient for a 3PAR array.
ssh-keygen -t rsa -b 2048
ab@<hostname>:~$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/ab/.ssh/id_rsa): ab
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in ab.
Your public key has been saved in ab.pub.
The key fingerprint is:
11:dd:0d:21:30:d4:7a:db:56:c6:b3:3e:b4:5e:ef:83 ab@<hostname>
The key's randomart image is:
+---[RSA 2048]----+
|   .=+..o+       |
|   oo.. .        |
|   .. .          |
|   ... =         |
|        S. o o o |
|       . o o     |
|          . o...|
|            E+o.|
|            ..o+|
+-----------------+
ab@<hostname>:~$
For reference, I am merely telling ssh-keygen to use an RSA key with a 2048 bit key size. The system then asks me to give the file a name and, optionally, a file path. I allowed it to save the key pair in the default folder path (in my case /home/ab/.ssh/id_rsa) with a file name of ‘ab’. If you are not accessing the 3PAR from the Unix/Linux system on which you created the keys, copy them to the target system now.
Windows steps – PuTTY
If you want to create a key pair on Windows there are various tools to do this, but PuTTY tends to be something most IT engineers have and are familiar with.
- Open the PUTTYGEN.exe program
- Make sure you select SSH-2 RSA for the key type and I recommend a minimum key size of 2048 bits
- Click the ‘Generate’ button
- You will be asked to move the mouse within the grey box area below the progress bar
- The key will then be generated
- At this point you can add a comment and passphrase to the key
- I STRONGLY recommend you add a passphrase which is complex with a mix of upper and lower alpha, numeric and special symbols to protect the private key
- Click to save the private key. I recommend you save it to a secure location which only you can access. While it is protected with a passphrase, loss of the private key and subsequent brute force of the passphrase would allow a malicious threat actor to connect to any system on which you have configured your public key
- Next we need to copy out the public key. PuTTY saves it in a format which is not compatible with the 3PAR system
- Right click in the public key field and ‘Select All’
- Now right click to copy the data
I would suggest saving the public key into a text file. Once you have done this, connect via SSH to the 3PAR array you wish to configure. Make sure you log on as the user for whom you are configuring an SSH key: the 3PAR command sets the key for the currently logged on user, so be mindful.
- Use the setsshkey command to configure the SSH key. Copy and paste the PUBLIC key into the SSH session then press ‘Enter’ twice. If you have followed the steps correctly you will see a success confirmation
BSA-3PAR01 cli% setsshkey
Please enter the SSH public key below. When finished, press enter twice.
The key is usually long. It's better to copy it from inside an editor
and paste it here. (Please make sure there are no extra blanks.)
The maximum number of characters used to represent the SSH key
(including the "from" option, key type, and additional comments) is 4095.
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEA4ZTBVIB1ZBZGmvvhiW5dtBVzM5iJmvJA5iwFsioDT3h6pzgf0TBM53QSoBCahD+0iGEUFw7k7zVQShBFK8CoSgVBmLoazSrZnf4G9Mvu3zs6uzayeoQmTiS15UkBy5iKE4kBobjXZY8cS5Kirodt4xny9gkwsDCgyAdzmg3cPFviEhVqr+wNLaDl1nlzJ8aJmQzoIbeCBbSbMd162kmOx+Za50SQ7606zHjE7hXe61ZiVG58oOxP4Ooui3IV2jXcWugLBdMakop0enQmBlW9/LPCdQoxtzELY7qtF1F4oYfeotA+1DMF9YD9cm3sYdlwI2TvFtCXCnBTTLa0A56fEQ== ab

SSH public key successfully set.
BSA-3PAR01 cli%
At this point you can now configure your chosen SSH client to use key based authentication. Now when you connect the system should automatically log you in without prompting for a password. If you are using PuTTY to connect then the configuration is simple.
- Open a new PuTTY session, expand the Connection -> SSH menus and select Auth
- You will see the ‘Browse’ button which allows us to select a private key for authentication
- When you connect you will be prompted as follows
login as: ab
Authenticating with public key "ab"
Passphrase for key "ab":
BSA-SP3PAR01 cli%
You have probably noticed PuTTY asked for the private key passphrase. It will do this each time, which can be a real pain from your primary system. There are of course other programs which allow you to save the passphrase in the program (encrypted with a passphrase of its own); when that program opens you authenticate to the application, which then gives you access to all your sessions. I would suggest you look to work in this fashion. I use SecureCRT and it allows me to store my keys and passphrases behind additional layers of security on my computer. As it’s a laptop which is encrypted and requires multiple levels of authentication I am happy to work this way.
Of course you could create your public/private key pair and choose not to assign a passphrase. You need to make a judgement call and ensure you comply with any legislation/governance which applies to you.
View 3PAR users with an SSH key
To see which users on the 3PAR have set an SSH key use the showuser command with the -k switch.
BSA-3PAR01 cli% showuser -k
Username
ab
BSA-3PAR01 cli%
Removing an SSH Key
If you want to remove the SSH key from your 3PAR account then the command removesshkey is for you. Note that you must run this command while logged on as the user in question.
BSA-3PAR01 cli% removesshkey
SSH public key successfully removed.
BSA-3PAR01 cli%
If we now check for users with a key set:
BSA-3PAR01 cli% showuser -k
No user with a public SSH key set found
- LDAP users are only allowed to set an SSH key if the setauthparam command has been used to set the allow-ssh-key parameter to 1. When an LDAP user runs the setsshkey command, the user’s role is recorded and is assigned when the user logs in using the key. Changes in the group-to-role mappings set with the setauthparam command or changes in the user’s data in the LDAP server have no effect as long as the user has an SSH key.
- Removing the user’s SSH key forces a new role to be determined at the user’s next login.
- The maximum number of characters used to represent the SSH key (including the -from option, key type, and additional comments) is 4095.
- Only one key may be entered at a time; to enter multiple keys, run the setsshkey command again with the -add option.
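Because the PuTTYgen "Save public key" file is not accepted by the 3PAR and the setsshkey prompt enforces a single line of at most 4095 characters with no extra blanks, it helps to check the key before pasting it. The following script is an added example, not code from the original post or from HPE: it converts a PuTTYgen (RFC 4716) public key file into the one-line OpenSSH form, decodes the key to report its type, modulus size and SHA256 fingerprint, and lists anything that would be rejected by setsshkey or falls below the 2048-bit SSH-2 RSA minimum recommended above. The one-line key is the one shown in the setsshkey session above; the multi-line PuTTYgen file is a constructed sample wrapping the same key, and the 3PAR limits are taken from the setsshkey prompt. Keys carrying leading options such as from="..." are not handled.

```python
"""Check and convert SSH public keys before pasting them into 3PAR's setsshkey.

Added example (not the post's or HPE's code). Assumes the limits printed by the
setsshkey prompt: one key per paste, at most 4095 characters, no extra blanks.
"""
import base64
import hashlib
import struct

# The one-line (OpenSSH format) public key pasted in the post's setsshkey session.
PAGE_KEY = ("ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEA4ZTBVIB1ZBZGmvvhiW5dtBVzM5iJmvJA5iwFsioDT3h6pzgf0TBM53QSoBCahD+0iGEUFw7k7zVQShBFK8CoSgVBmLoazSrZnf4G9Mvu3zs6uzayeoQmTiS15UkBy5iKE4kBobjXZY8cS5Kirodt4xny9gkwsDCgyAdzmg3cPFviEhVqr+wNLaDl1nlzJ8aJmQzoIbeCBbSbMd162kmOx+Za50SQ7606zHjE7hXe61ZiVG58oOxP4Ooui3IV2jXcWugLBdMakop0enQmBlW9/LPCdQoxtzELY7qtF1F4oYfeotA+1DMF9YD9cm3sYdlwI2TvFtCXCnBTTLa0A56fEQ== ab")

# Constructed sample of the multi-line file PuTTYgen writes with "Save public key"
# (RFC 4716 layout) wrapping the same key. This is the layout the 3PAR will not accept.
_BLOB = PAGE_KEY.split()[1]
PUTTY_FILE = ("---- BEGIN SSH2 PUBLIC KEY ----\n"
              'Comment: "ab"\n'
              + "\n".join(_BLOB[i:i + 64] for i in range(0, len(_BLOB), 64))
              + "\n---- END SSH2 PUBLIC KEY ----\n")


def _read_string(blob, offset):
    """Read one length-prefixed SSH string (RFC 4251 wire format) from blob."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def _mpint(value):
    """Encode a non-negative integer as an SSH mpint (leading 0x00 if the high bit is set)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return b"\x00" + raw if raw and raw[0] & 0x80 else raw


def build_rsa_public_key(exponent, modulus, comment=""):
    """Build an OpenSSH one-line ssh-rsa key from its numbers (used to make sample inputs)."""
    parts = [b"ssh-rsa", _mpint(exponent), _mpint(modulus)]
    blob = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    line = "ssh-rsa " + base64.b64encode(blob).decode()
    return line + " " + comment if comment else line


def parse_openssh_public_key(line):
    """Return type, comment, SHA256 fingerprint and, for RSA, the exponent and modulus size."""
    fields = line.strip().split(None, 2)          # "<type> <base64> [comment]"
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    blob = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError subclass
    inner_type, off = _read_string(blob, 0)
    if inner_type.decode("ascii", "replace") != key_type:
        raise ValueError("key type prefix does not match the encoded blob")
    # Same fingerprint form that ssh-keygen -l prints: base64 SHA256 of the blob, no padding.
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    info = {"type": key_type, "comment": comment, "fingerprint": "SHA256:" + digest}
    if key_type == "ssh-rsa":
        e_bytes, off = _read_string(blob, off)
        n_bytes, off = _read_string(blob, off)
        info["exponent"] = int.from_bytes(e_bytes, "big")
        info["bits"] = int.from_bytes(n_bytes, "big").bit_length()
    return info


def rfc4716_to_openssh(text):
    """Convert a PuTTYgen / RFC 4716 public key file into the one-line OpenSSH form."""
    lines = [l.strip() for l in text.splitlines()]
    if not lines or lines[0] != "---- BEGIN SSH2 PUBLIC KEY ----":
        raise ValueError("not an RFC 4716 public key file")
    headers, body, pending = [], [], None
    for line in lines[1:]:
        if line == "---- END SSH2 PUBLIC KEY ----":
            break
        if pending is not None:                 # header value continued with a trailing backslash
            pending += line.rstrip("\\")
            if not line.endswith("\\"):
                headers.append(pending)
                pending = None
        elif not body and ":" in line:          # header lines only appear before the base64 body
            if line.endswith("\\"):
                pending = line.rstrip("\\")
            else:
                headers.append(line)
        else:
            body.append(line)
    comment = ""
    for header in headers:
        name, _, value = header.partition(":")
        if name.strip().lower() == "comment":
            comment = value.strip().strip('"')
    b64 = "".join(body)
    key_type, _ = _read_string(base64.b64decode(b64, validate=True), 0)
    line = key_type.decode("ascii") + " " + b64
    return line + " " + comment if comment else line


def check_for_3par(line, min_bits=2048, max_chars=4095):
    """List reasons a pasted key would be rejected by setsshkey or is weaker than recommended."""
    problems, stripped = [], line.strip()
    if line != stripped or "\n" in stripped or "  " in stripped:
        problems.append("extra blanks or line breaks: paste exactly one line with single spaces")
    if len(stripped) > max_chars:
        problems.append(f"{len(stripped)} characters exceeds the {max_chars} limit")
    try:
        info = parse_openssh_public_key(line)
    except ValueError as exc:
        problems.append(f"not an OpenSSH one-line key: {exc}")
        return problems
    if info["type"] != "ssh-rsa":
        problems.append(f"key type {info['type']} is not SSH-2 RSA")
    elif info["bits"] < min_bits:
        problems.append(f"{info['bits']}-bit RSA key is below the {min_bits}-bit minimum")
    return problems


if __name__ == "__main__":
    converted = rfc4716_to_openssh(PUTTY_FILE)
    print(parse_openssh_public_key(converted))
    print("problems:", check_for_3par(converted) or "none")
```

On a Linux box the fingerprint reported by parse_openssh_public_key() can be cross-checked against `ssh-keygen -lf ab.pub`, which prints the same SHA256 value, so the key you paste into setsshkey can be tied back to the pair you generated.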
I hope this has been useful and as always if you have any comments or questions please leave them below.