Guardium 10.5 allows authentication on cli accounts using public keys.
The configuration is simple, but it is not well described in the standard documentation at the moment, so I have decided to publish this short post.
I present here the most popular case, where SSH access is based on PuTTY.
Step 1 – PuTTY configuration
I suggest using puttygen.exe to create the SSH keys (it can be downloaded as a supporting tool from the PuTTY home page).
I push the Generate button to create the keys. The default settings select the RSA algorithm and a 2048-bit key length. For production purposes I suggest using longer keys.
Now we need to save the private key in a location available to PuTTY. I strongly suggest setting a key passphrase to protect the private key; it will have to be entered for every session opened with the keys generated here.
Then we also need to save the public key somewhere.
Step 2 – Collector setup
These actions have to be repeated on each appliance that will support authentication using the public key infrastructure.
The appliance configuration requires setting up the appliance keys and importing the public keys of all Guardium administrators who are allowed to log in to the cli account. Of course, the point of the public key infrastructure is that keys are unique per administrator, which allows us to control access even for shared accounts.
Action 1 – Appliance keys generation
From cli (still logged in using the password) execute the command:
show system public key cli
The output will inform us that there are no keys on the appliance and that they will be generated.
The message will also display the newly generated public key. For the PuTTY configuration we do not need to copy it.
Existing keys can also be deleted using the command:
store system public key reset
Removing the appliance keys will stop access to the system using the public key infrastructure for all registered users. To restore the configuration after deleting the appliance keys, we need to execute the command again:
show system public key cli
Action 2 – Client public key import
User public keys are imported using the command:
store system public key authorized
The command expects the client public key in OpenSSH format, entered on one line:
ssh-rsa <key> <comment label>
but the public key exported in Step 1 has been stored by puttygen in the standard format and has to be reformatted to the one supported by Guardium.
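The reformatting described above, as an added example (not code from the original post or from IBM): a Python converter that assumes the "standard format" written by puttygen is the RFC 4716 SSH2 public key file and produces the single OpenSSH line. The function and sample names are hypothetical and the sample key is constructed, not a real one.

```python
import base64
import struct

BEGIN, END = "---- BEGIN SSH2 PUBLIC KEY ----", "---- END SSH2 PUBLIC KEY ----"

def rfc4716_to_openssh(text):
    """Turn an RFC 4716 public key file into one '<type> <key> <comment>' line."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing SSH2 PUBLIC KEY begin/end markers")
    comment, body, i = "", [], 1
    while i < len(lines) - 1:
        line, i = lines[i], i + 1
        if ":" not in line:                  # base64 never contains ':'
            body.append(line)
            continue
        while line.endswith("\\") and i < len(lines) - 1:
            line, i = line[:-1] + lines[i], i + 1   # header continuation line
        tag, _, value = line.partition(":")
        if tag.strip().lower() == "comment":
            comment = value.strip().strip('"')
    blob = base64.b64decode("".join(body), validate=True)
    # The blob opens with a length-prefixed algorithm name such as "ssh-rsa";
    # take the key type from there rather than from anything else in the file.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    if name_len == 0 or 4 + name_len >= len(blob):
        raise ValueError("key blob has no valid algorithm name")
    key_type = blob[4:4 + name_len].decode("ascii")
    key = base64.b64encode(blob).decode("ascii")
    return " ".join(p for p in (key_type, key, comment) if p)

def ssh_string(data):
    """Length-prefixed byte string as used inside SSH key blobs."""
    return struct.pack(">I", len(data)) + data

# Constructed sample, not a real key: an RSA-shaped blob (e = 65537 and a
# 2048-bit filler modulus) wrapped at 64 characters per line.
SAMPLE_BLOB = (ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01")
               + ssh_string(b"\x00\xc3" + bytes(range(255))))
_b64 = base64.b64encode(SAMPLE_BLOB).decode("ascii")
SAMPLE_FILE = "\n".join([BEGIN, 'Comment: "rsa-key-constructed"',
                         *(_b64[i:i + 64] for i in range(0, len(_b64), 64)), END])

if __name__ == "__main__":
    print(rfc4716_to_openssh(SAMPLE_FILE))
```

The printed line is what gets pasted when the import command asks for the key; only the public key file is ever read, the private .ppk file is not involved.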
So in this case the command which registers my PuTTY client on the appliance looks like this:
We can review the list of registered clients using the command:
show system public key authorized
To remove a particular client's access we can use the command:
delete system public key authorized
Step 3 – PuTTY session configuration
Now we can configure PuTTY to use the generated keys. I have created a new session (MySSHPKI) to log in to the appliance as the cli user.
I then set the location of my private key in the Connection/SSH/Auth configuration view and saved the session settings.
Step 4 – Connection test
The ssh connection asked me for my private key passphrase and I was finally able to log in to the appliance without the Guardium password.
I suggest this kind of configuration for all production systems. It allows us to control access to the system and to quickly remove access to the Guardium infrastructure by removing the public key from the list of keys accepted on the appliance.
The configuration still has to be managed on each appliance separately and there is no internal audit trail for the key used during cli connections, but I believe that these improvements will be implemented soon.