Client SSH Key Setup
SSH - Client Keys - Overview
The SSH specification allows for three different kinds of authentication. The first is standard username and password, which MOVEit DMZ supports. The second is hostname only, which MOVEit DMZ does not support. The third authentication method is username and client key, which MOVEit DMZ also supports as described below.
As is the case with almost any client key/certificate scheme, the higher security offered by cryptographic-quality keys is offset by additional administrative work. Resetting a password is no longer enough to "let someone back in" when keys are used.
In SSH applications, client keys are almost always generated client-side. Because there is no central authority to vouch for SSH keys (if there were, SSH would be SSL), all SSH keys must be individually trusted by both client and server.
MOVEit DMZ supports the use of both DSS and RSA keys. The server key automatically generated by MOVEit DMZ's SSH server is an RSA key; no incompatibilities with any SSH clients regarding this key format have ever been encountered. Client keys may be of either type.
Generating SSH Client Keys
MOVEit DMZ is NOT an SSH client key generator. Almost all modern SSH clients already have a facility to generate client keys, and these facilities should be used whenever possible. Some common SSH clients' key generation facilities are briefly described below:
*nix, OpenSSH: Use the ssh-keygen -t rsa command.
Windows WS_FTP 9.0: From the main menu, select Options | Tools and use the Create... button under the SSH | Client Keys tree.
If you must generate and distribute SSH client keys, consider using the OpenSSH for Windows toolkit to generate these. See Specific Clients - OpenSSH for Windows for more information about this process.
How to Transmit SSH Key to PH TECH?
Preferred Method (most secure)
Step 1) Generate an SSH key using your preferred method
Not sure how to generate a key? Guide for Generating a Key With PuttyGen
Step 2) Transmit your key's fingerprint to PH Tech
The following procedure describes how an SSH client can connect with a new key and leave the key's fingerprint behind for an administrator to promote/accept into the user's profile at a later date. Any SSH user whose client has already generated and installed an SSH client key should be able to use this procedure.
First, have the remote SSH client attempt to connect to secure.phtech.com. This connection is expected to fail; the attempt leaves your key's fingerprint on the server for PH Tech to accept.
Once the connection fails, you will need to wait for PH Tech to accept your SSH Key.
When your key is accepted, the PH Tech Information Systems department will reach out to you to notify you that the key has been accepted.
After your key is accepted, you may upload/download files to the PH Tech SFTP site, authenticating via the newly accepted SSH Key!
Default Settings for FTP Clients:
Host: secure.phtech.com
Port: 22
Below is an example of a failed connection attempt:
D:\temp>sftp -oUserKnownHostsFile=c:\progra~1\OpenSSH\bin\ssh\known_hosts -oIdentityFile=c:\progra~1\OpenSSH\bin\ssh\id_rsa sshkeyboi@moveit.myorg.com
Connecting to moveit.myorg.com...
sshkeyboi@moveit.myorg.com's password:
Authenticated with partial success.
Permission denied (publickey).
Connection closed
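The fingerprint you read out to PH Tech in Step 2 is a hash of the public key blob, and the administrator compares it with the fingerprint the failed connection left behind. The following is an added example, not code from the original page or from MOVEit DMZ: it parses an authorized_keys-style public key line, checks that the declared key type matches the type embedded in the blob (a mismatch means the line was mangled in transit), flags whether the type is one MOVEit DMZ accepts (RSA or DSS), and derives both the SHA256 fingerprint modern OpenSSH displays and the legacy colon-separated MD5 form. The sample key is constructed with a toy modulus and is not a usable key; all function names are this example's own.

```python
import base64
import hashlib
import struct

# Client key types the page says MOVEit DMZ accepts.
ACCEPTED_KEY_TYPES = {"ssh-rsa", "ssh-dss"}


def _ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: 4-byte big-endian length, then bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """Encode an SSH mpint (RFC 4251): minimal big-endian, sign bit kept clear."""
    if value == 0:
        return _ssh_string(b"")
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def build_rsa_public_key_line(e: int, n: int, comment: str = "") -> str:
    """Assemble a 'ssh-rsa <base64> [comment]' line from constructed RSA values.
    The modulus passed in by the demo is a toy number, not a real key."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return line + (" " + comment if comment else "")


def parse_public_key_line(line: str) -> dict:
    """Parse '<type> <base64> [comment]' and verify the type embedded in the
    blob matches the declared type; a mismatch indicates a corrupted line."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    (type_len,) = struct.unpack(">I", blob[:4])
    embedded_type = blob[4:4 + type_len].decode("ascii")
    if embedded_type != declared_type:
        raise ValueError(f"declared {declared_type} but blob says {embedded_type}")
    return {"type": declared_type, "blob": blob, "comment": comment}


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH default display: 'SHA256:' + unpadded base64 of the blob's SHA-256."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def md5_fingerprint(blob: bytes) -> str:
    """Legacy form (ssh-keygen -l -E md5): 'MD5:' + colon-separated hex pairs."""
    digest = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def is_accepted_type(key_type: str) -> bool:
    """True if the server documented on this page will accept this key type."""
    return key_type in ACCEPTED_KEY_TYPES


def fingerprint_report(line: str) -> dict:
    """Everything a user would read out to the administrator for one key line."""
    key = parse_public_key_line(line)
    return {
        "type": key["type"],
        "accepted": is_accepted_type(key["type"]),
        "sha256": sha256_fingerprint(key["blob"]),
        "md5": md5_fingerprint(key["blob"]),
        "comment": key["comment"],
    }


if __name__ == "__main__":
    # Constructed sample: e=65537 and a small, obviously non-secret modulus.
    sample = build_rsa_public_key_line(65537, 0xC0FFEE1234567890ABCDEF, "user@laptop")
    for name, value in fingerprint_report(sample).items():
        print(f"{name}: {value}")
```

Run it against a real key by passing the contents of your `.pub` file to `fingerprint_report`; the SHA256 value should match what `ssh-keygen -lf` prints for the same file, which is the value to confirm with PH Tech over a separate channel.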
Alternate Method
Manually generate a key
Not sure how to generate a key? Guide for Generating a Key With PuttyGen
SECURELY transmit a copy of the PUBLIC key to PH Tech to be imported.
Definitions
SSH (also known as Secure Socket Shell) is a network protocol that provides administrators with a secure way to access a remote computer.
SSL: (Secure Sockets Layer) is a standard security technology for establishing an encrypted link between a server and a client—typically a web server (website) and a browser; or a mail server and a mail client (e.g., Outlook).
DSS/DSA: Click here for more info
RSA: RSA is a cryptosystem for public-key encryption, and is widely used for securing sensitive data, particularly when being sent over an insecure network such as the Internet.