Setting up security involves the following steps:
- The system administrator sets up SSH on Linux, as described in "To set up SSH on Linux".
- Generate public and private keys on the client (your PC), as described in "To generate public and private keys using the Putty tool" and "To generate public and private keys using the SSH command line interface", or use the keys supplied in the package.
There are three tools available to set up security on Linux:
- Putty (a free UI tool available on the Internet)
- CGWIN (a free SSH toolkit SDK available on the Internet)
- SSH command line
Trillium recommends either the Putty or CGWIN method, which follows the standard steps and copies only the public key from the client to the server; the private key never leaves your PC. The SSH command line method generates the key pair on the server and then requires copying the private key from the server to the client, which is not recommended.
The remaining steps are:
- Create a passphrase.
- Copy the public key from the client to the Linux server.
- Append the public key to the authorized_keys file.
- Insert the Trillium command script directive before the public key entry inside the authorized_keys file.
To set up SSH on Linux
Follow this step if a system administrator or authorized user needs to set up SSH to work with a user account on Linux.
Create a .ssh directory for the Trillium user or authorized user and set the necessary permissions. Keep the permissions exactly as shown: sshd checks them (StrictModes, on by default) and silently ignores the key if the home directory, the .ssh directory, or the authorized_keys file is writable by group or others.
Example
cd ~        (home directory or Trillium user directory)
mkdir .ssh
chmod 700 .ssh
To generate public and private keys using the Putty tool
You can use Putty or CGWIN to generate public and private keys. The Putty tool method is described as an example.
- Start puttygen.exe. The PuTTY Key Generator window opens.
- In Parameters, select SSH-2 RSA.
- In Actions, click Generate. The key will be generated.
Figure 1. Putty Key Generator
- In Key passphrase, enter your key passphrase and confirm it.
- Select Conversions > Export OpenSSH key. Save the file. This is the private key; it stays on your PC.
- In the box labeled "Public key for pasting into OpenSSH authorized_keys file", highlight the entire text of the public key and copy it to the clipboard. Use this single-line text rather than the Save public key button, which writes a multi-line format that OpenSSH does not accept in authorized_keys.
- Open a text editor such as Notepad and paste the key.
- Save the public key file using the same name as the private key file with a file extension of .pub. This helps you tell which files are paired.
If you are running the Director System Manager using a special Trillium user created by the administrator on Linux, give this public key to the administrators and have them perform the following steps.
If you are running the Director System Manager using your own user ID on Linux, you can do the following steps yourself on your own user account.
- Append the public key to the authorized_keys file and set the necessary permissions.
The ~user directory on Linux is configured by the administrator to have a .ssh subdirectory. This directory holds the authorized_keys file used by OpenSSH.
Example
cd ~/.ssh        (the .ssh directory in the home directory)
cat directorkey.pub >> authorized_keys
chmod 644 authorized_keys
- Open the authorized_keys file and add the following Trillium command before the word "ssh-rsa" at the start of the key. The Trillium command points to the trilsecure.sh script in the bin directory of Trillium Software on your server. This is an OpenSSH forced command: for any login with this key, sshd runs only trilsecure.sh, regardless of the command the client asks for. The directive and the key must stay on one line, separated by a single space.
command="/<linux_trillium_software_bin_location>/trilsecure.sh"
Example
Before:
ssh-rsa AAB3NzaC1yc2EAAAmx5ZFqxa....=mlamand@tril01
After:
command="/Vendors/TrilliumSoftware/tsq/Software/bin/trilsecure.sh" ssh-rsa AAB3NzaC1yc2EAAAmx5ZFqxa....=mlamand@tril01
Rather than using Putty or CGWIN, you can use the SSH command line interface on the server side, invoking the ssh-keygen tool. You can do this step in your own user account, or a system administrator can do it in a designated Trillium user account.
To generate public and private keys using the SSH command line interface
- Change directory to .ssh.
- Using the following interactive command, generate public and private keys with a passphrase.
ssh-keygen -t rsa
Note: If you are on Red Hat 8, run ssh-keygen -t rsa -m PEM instead. The -m PEM option writes the private key in the traditional PEM format; the OpenSSH version on Red Hat 8 otherwise defaults to its newer private key format.
Example
Enter file to save key: directorkey
Enter Passphrase: *******
Re-Enter Passphrase: *******
The following key files are generated in this example:
- directorkey.pub. The public key, which is required on the server.
- directorkey. The private key, which you copy to the client.
Record the passphrase you created for this key. In the Director System Manager, you will need to specify both the private key file and its passphrase. Whenever you attempt to perform secured functionality for Linux-based Director services, the private key file and its passphrase are required.
- Copy the private key to the remote client machine. You can copy the private key file to anywhere on the client PC on which the Director System Manager runs. The private key cannot be used without its passphrase, which only you know. Even so, transfer the file over a protected channel (for example scp) and delete the copy left on the server once it is on your PC, because anyone who obtains the file can try to guess the passphrase offline.
- Append the public key file to the authorized_keys file and set the necessary permissions.
Example
cd ~/.ssh        (the .ssh directory in your home directory)
cat directorkey.pub >> authorized_keys
chmod 644 authorized_keys        (necessary permissions)
- Open the authorized_keys file and add the following Trillium command before the word "ssh-rsa" at the start of the key. The Trillium command points to the trilsecure.sh script in the bin directory of Trillium Software on your server. This is an OpenSSH forced command: for any login with this key, sshd runs only trilsecure.sh, regardless of the command the client asks for. The directive and the key must stay on one line, separated by a single space.
command="/<linux_trillium_software_bin_location>/trilsecure.sh"
Example
Before:
ssh-rsa AAB3NzaC1yc2EAAAmx5ZFqxa....=mlamand@tril01
After:
command="/Vendors/TrilliumSoftware/tsq/Software/bin/trilsecure.sh" ssh-rsa AAB3NzaC1yc2EAAAmx5ZFqxa....=mlamand@tril01
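The append, forced-command and permission steps of both procedures above (the Putty method and the SSH command line method), as an added example script. This is not Trillium's own script or part of the product; it assumes the public key file is a single OpenSSH "ssh-rsa ..." line as produced by PuTTYgen's paste box or by ssh-keygen, and the function names install_director_key and check_director_key are chosen here. The Trillium bin path is whatever you pass as the third argument.

```shell
#!/bin/sh
# Added example, not part of Trillium Software: install a Director public key
# into HOME_DIR/.ssh/authorized_keys with the trilsecure.sh forced command, then
# check the result the way sshd (StrictModes) and the manual steps expect it.
# Assumption: PUBKEY_FILE holds one OpenSSH "ssh-rsa <base64> <comment>" line.

# install_director_key HOME_DIR PUBKEY_FILE TRIL_BIN
install_director_key() {
    home_dir="$1"; pubkey="$2"; tril_bin="$3"
    ssh_dir="$home_dir/.ssh"
    ak="$ssh_dir/authorized_keys"
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"                      # step: chmod 700 .ssh
    keyline=$(head -n 1 "$pubkey")
    case "$keyline" in                        # refuse anything but an ssh-rsa line
        "ssh-rsa "*) ;;
        *) echo "not an OpenSSH ssh-rsa public key: $pubkey" >&2; return 1 ;;
    esac
    # Idempotent: re-running must not append the same key a second time.
    if [ -f "$ak" ] && grep -qF -- "$keyline" "$ak"; then
        return 0
    fi
    # Directive and key on one line, separated by a single space.
    printf 'command="%s/trilsecure.sh" %s\n' "$tril_bin" "$keyline" >> "$ak"
    chmod 644 "$ak"                           # step: chmod 644 authorized_keys
}

# check_director_key HOME_DIR TRIL_BIN
# Returns 0 when .ssh is 700, authorized_keys is 644, and every ssh-rsa entry
# carries the trilsecure.sh forced command; returns 1 with a reason otherwise.
check_director_key() {
    home_dir="$1"; tril_bin="$2"
    ssh_dir="$home_dir/.ssh"
    ak="$ssh_dir/authorized_keys"
    # find -prune -perm MODE prints the path only on an exact mode match,
    # which works on both GNU and BSD find.
    if [ -z "$(find "$ssh_dir" -prune -perm 700 2>/dev/null)" ]; then
        echo ".ssh is not mode 700" >&2; return 1
    fi
    if [ -z "$(find "$ak" -prune -perm 644 2>/dev/null)" ]; then
        echo "authorized_keys is not mode 644" >&2; return 1
    fi
    # A line starting with ssh-rsa is a key with no command= directive:
    # that key would give the holder an unrestricted shell.
    if grep -q '^ssh-rsa ' "$ak"; then
        echo "found a key without the command= directive" >&2; return 1
    fi
    if ! grep -q "^command=\"$tril_bin/trilsecure.sh\" ssh-rsa " "$ak"; then
        echo "no key bound to $tril_bin/trilsecure.sh" >&2; return 1
    fi
    return 0
}
```

Run it on the server as the Trillium user, for example install_director_key "$HOME" directorkey.pub /Vendors/TrilliumSoftware/tsq/Software/bin followed by check_director_key with the same two paths; the check is also worth running after hand-editing authorized_keys, since a key accidentally left without its command= prefix is the one failure that grants more access rather than less.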