SSH login with public/private key authentication

To connect to Airlock Gateway using SSH with public key authentication, the password for user log must be set in the configuration center of Airlock Gateway. The following paragraphs explain how to use SSH public key authentication with the two publicly available SSH tools PuTTY and OpenSSH.

PuTTY (recommended for Windows platforms)

Please follow these steps to create a public and a private key for SSH access with PuTTY:

  1. Start the program PuTTYgen (PuTTY key generator)
  2. Choose type of key to generate "SSH2 RSA"
  3. Press "Generate"
  4. Move mouse pointer in window to create random bits
  5. Define a passphrase for the private key
  6. Save private key as "id_airlock.ppk"
  7. Save public key as "id_airlock"

It is possible to use OpenSSL on Windows to create the key. There are precompiled OpenSSL binaries available. OpenSSL is a command line tool and does not provide a Windows GUI.

Please follow these steps after the key generation to transform the key into OpenSSH format:

  1. Start an editor of your choice
  2. Load the generated public key "id_airlock" into the editor
  3. Add "ssh-rsa" at the beginning and join all key lines into a single line
  4. Remove extra lines

The resulting key should look like this example key:

ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIBg0BmHN3QGltSBqxguuz<...>IQBWXGuhfLRWBeH2SQ==

Note: The complete resulting encoded key must be on the same line.

Now follow these steps to import the key to Airlock Gateway:

  1. Start client program PuTTY
  2. Connect to Airlock Gateway server with username log and enter password
  3. Edit the key file on Gateway using the command
     vi .ssh/authorized_keys
  4. Copy and paste the complete transformed public key into this file
     (type "i" to insert, paste the content, press the ESC key and enter ":wq" for save and exit)

You can add as many different public keys to the same file as you like (access for different persons). Each key has to be on exactly one line.

Connecting using the SSH private key is done as follows:

  1. Start PuTTY
  2. Load private key: Connection→SSH→Auth→Browse
  3. Choose "id_airlock.ppk"
  4. Log in using the passphrase of the private key. If the format of the public key file is not correct, PuTTY will ask for the password (fallback authentication).

It is also possible to connect using the PuTTY authentication agent (Pageant):

  1. Start Pageant (PuTTY authentication agent)
  2. Right click on the Pageant tray icon and choose "Add key"
  3. Import the private key
  4. Keep Pageant running

Now if you start PuTTY to connect to Airlock Gateway it will automatically log in (as long as Pageant runs).

For usage with other tools you can export the private key in OpenSSH format:

  1. Start PuTTYgen
  2. Import "id_airlock.ppk"
  3. In menu choose: Conversions→Export OpenSSH Key

OpenSSH (recommended for Unix/Linux platforms)

The following steps are necessary to use public/private key-based SSH access with OpenSSH:

  1. Create the ssh user directory on your client machine (if this does not exist)
     % cd ~
     % mkdir -p .ssh
     % cd .ssh
  2. Generate public/private key pair (type RSA)
     % ssh-keygen -t rsa -C "Airlock access for $USER" -f id_airlock
  3. Set the passphrase for the private key as requested
  4. Import the key to Airlock Gateway:
     % ssh log@myairlock.example.com
     % vi .ssh/authorized_keys
  5. Copy/paste the complete public key file into this file

The public key has to have the following format:

ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIBg0BmHN3QGltSBqxguuz<...>IQBWXGuhfLRWBeH2SQ==

The SSH public key must be on exactly one line.

Now connect using the private key:

% ssh -i id_airlock log@myairlock.example.com

It is also possible to use the SSH key store agent:

  • Use the program "ssh-agent" and the command "ssh-add" as described in the OpenSSH documentation