One of the challenges in administering a system is enforcing proper authentication for the users who access it. NetScaler supports local authentication as well as authentication through external authentication servers. In addition, NetScaler supports public key based authentication through Secure Shell. We can log in to NetScaler through the CLI, the GUI and the API. When accessing the CLI through Secure Shell, we are prompted for a password. Entering a password is not always suitable, for example in cases that involve automation. This blog talks about configuring key based authentication so that Secure Shell login to NetScaler proceeds without interruption. It also presents a script that automates the configuration steps involved.
Configuring public key authentication broadly involves the following steps:
- Generate a public/private key pair using the “ssh-keygen” command from the shell. The public/private key pair is generated as /root/.ssh/id_rsa, unless the -f option is used to provide a different path and/or key name.
- Copy the public key and append it to “/nsconfig/ssh/authorized_keys” on the remote NetScaler system.
- Set the appropriate directory permissions on the path to the authorized_keys file on the remote NetScaler system.
- Use “-i <path to private key>” when using Secure Shell to log in to the remote NetScaler device.
Wouldn’t it be nice if the setup could be done swiftly, cleanly and with minimum intervention? As it turns out, there is such a way to configure public key authentication for Secure Shell login between a pair of NetScaler systems or between a Secure Shell client and a NetScaler Secure Shell server. Using the script “ssh_keycopy”, public key authentication is configured with minimum effort and no hassle. The script performs all the aforementioned steps for you.
Along with being easy to use, the script lets the user configure some extra parameters: the key size, the encryption algorithm, a custom key file name and the mode. The mode selects the kind of setup that will use the authentication method. The script supports internode Secure Shell login between NetScaler Cluster/HA nodes as well as plain public key authentication between a Secure Shell client and a NetScaler Secure Shell server.
The script is very handy. It does the routine and repetitive work for you. You just have to run it, and with a keystroke (or a few more) you have public key authentication set up.
Configuring public key authentication using default parameters
Configuring Internode login in an HA setup
Configuring public key authentication with user specified parameters
The client can be a NetScaler or any other Secure Shell client. The remote machine must be a NetScaler server. Over prolonged, repeated use of the script, the file “authorized_keys” may become cluttered. The user is advised to clean this file routinely.
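
The server-side half of the manual steps listed earlier (append the key, set permissions), written so that repeated runs do not clutter authorized_keys as described above. This is an added example, not the ssh_keycopy script; the function name install_pubkey and the permission modes are assumptions.

```shell
# install_pubkey <public-key-file> [ssh-dir]   (hypothetical helper name)
# Appends one public key to <ssh-dir>/authorized_keys unless the same key
# material is already listed, then tightens permissions.
install_pubkey() {
    pub=$1
    dir=${2:-/nsconfig/ssh}          # path named in the post
    auth=$dir/authorized_keys

    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 2; }

    # A public key line is "type base64 [comment]".
    read -r ktype kdata kcomment < "$pub" || true

    # Accept only public key types; this also rejects a private key file,
    # whose first line starts with "-----BEGIN".
    case $ktype in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-*) ;;
        *) echo "$pub is not a public key" >&2; return 3 ;;
    esac
    [ -n "$kdata" ] || { echo "$pub has no key data" >&2; return 3; }

    mkdir -p "$dir" || return 1
    touch "$auth"   || return 1
    # Assumed modes: sshd's StrictModes check rejects group/world-writable paths.
    chmod go-w "$dir"
    chmod 600 "$auth"

    # Match on key material in any field, so a changed comment or a leading
    # options field does not produce a duplicate entry.
    if awk -v k="$kdata" '{ for (i = 1; i <= NF; i++) if ($i == k) found = 1 }
                          END { exit !found }' "$auth"; then
        return 0
    fi
    printf '%s %s%s\n' "$ktype" "$kdata" "${kcomment:+ $kcomment}" >> "$auth"
}
```

On the client side the key pair still comes from ssh-keygen and the login uses “-i <path to private key>”, as in the steps listed earlier.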