Version: Axidian Privilege 3.2

Authentication in SSH Proxy via SSH key

Users can connect to SSH Proxy using SSH keys. This method ensures secure and fast login to SSH Proxy without the need to use passwords. To check if this authentication method is available to you, contact your PAM administrator.

SSH key in text format

To connect to SSH Proxy, you need to generate an SSH key and pass a public key to the PAM administrator. The method of generation depends on the client used to connect to SSH Proxy. When using cmd, generate a key with the ssh-keygen utility. When using PuTTY, generate a key with the PuTTYgen utility. When using MobaXterm, any method is suitable.

Key generation with the ssh-keygen utility

  1. Generate an SSH key.

    Supported key encryption algorithms:

    • rsa-sha2-256
    • rsa-sha2-512
    • ecdsa-sha2-nistp256
    • ecdsa-sha2-nistp384
    • ecdsa-sha2-nistp521
    • ssh-ed25519

    Template and example command for generating an SSH key:

    Template:
        ssh-keygen -t <algorithm>

    Example:
        ssh-keygen -t ssh-ed25519
  2. Pass the public key to the PAM administrator. The key string must contain the encryption algorithm and the key. Optionally, the string may contain a comment, such as a username and a host. Example: ssh-ed25519 AAAAC3... user@host.

  3. Wait for the administrator to configure the connection via an SSH key.

  4. Connect to SSH Proxy.

info

It is recommended to place the SSH key in the .ssh folder. For example, C:\Users\user\.ssh for Windows and /home/user/.ssh for Linux.

It is recommended to keep the default name of the key. For example, id_rsa, id_ecdsa, id_ed25519.

If the key files are located in a different place or their names differ from the standard ones, then when connecting to SSH Proxy, you need to specify the path to the private key.

Key generation with the PuTTYgen utility

  1. Open PuTTYgen.
  2. In the Type of key to generate field, select one of the values: RSA, ECDSA nistp-256, ECDSA nistp-384, ECDSA nistp-521, EdDSA Ed25519.
  3. Click Generate.
  4. Move the mouse in the empty area of the PuTTYgen window until the key generation is complete.
  5. Clear the Key comment field and enter the username and host in the user@host format. To find out the username and host, run the command in the terminal:
    whoami
  6. Save the text from the Public key for pasting into OpenSSH authorized keys file field.
  7. Click Save private key.
  8. In the pop-up window, click Yes.
  9. Specify a file name, for example key-private.
  10. Then click Save.
  11. Pass the public key to the PAM administrator. The key string must include the encryption algorithm, key, username, and host. Example: ssh-ed25519 AAAAC3... user@host.
  12. Wait for the administrator to configure the connection via an SSH key.
  13. Connect to SSH Proxy.
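
Both procedures above end with handing the PAM administrator a string of the form algorithm, key, optional comment. The following Python check of that string is an added example, not Axidian code: the function names and the sample key are constructed for illustration, and the mapping of the `ssh-rsa` line prefix to the listed rsa-sha2-256 and rsa-sha2-512 algorithms is an assumption based on how OpenSSH names RSA keys.

```python
import base64
import hashlib
import struct

# Line prefix -> algorithms from this page's supported list (assumed mapping).
# An RSA public key line starts with "ssh-rsa"; rsa-sha2-256/512 name the
# signature algorithms used with that key when connecting.
SUPPORTED = {
    "ssh-rsa": ["rsa-sha2-256", "rsa-sha2-512"],
    "ecdsa-sha2-nistp256": ["ecdsa-sha2-nistp256"],
    "ecdsa-sha2-nistp384": ["ecdsa-sha2-nistp384"],
    "ecdsa-sha2-nistp521": ["ecdsa-sha2-nistp521"],
    "ssh-ed25519": ["ssh-ed25519"],
}


def check_public_key_line(line):
    """Validate one OpenSSH public key line; return type, comment, fingerprint."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<algorithm> <base64 key> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    # A private key file starts with "-----BEGIN", so it is rejected here too.
    if key_type not in SUPPORTED:
        raise ValueError("key type not in the supported list: " + key_type)
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:
        raise ValueError("key field is not valid base64") from exc
    # The blob begins with a length-prefixed copy of the key type name.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type inside the blob does not match the prefix")
    # SHA256 fingerprint in the form printed by `ssh-keygen -l -f <file>`.
    digest = hashlib.sha256(blob).digest()
    fp = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return {"type": key_type, "algorithms": SUPPORTED[key_type],
            "comment": comment, "fingerprint": fp}


def constructed_sample_line():
    """Build a well-formed ed25519 line from fixed bytes (constructed, not a real key)."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + bytes(range(32))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " user@host"
```

The returned fingerprint can be read to the administrator over a separate channel so that both sides confirm the key that was registered is the one that was generated.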

X.509 certificate

To connect to SSH Proxy, you need to generate a certificate with an SSH key and pass a public key to the PAM administrator.

  1. Generate an X.509 certificate that does not have a certificate chain.

    Generation Instructions
    1. Open the Manage user certificates snap-in, and then open Personal → Certificates.
    2. Right-click the Certificates folder. Select All Tasks → Request a new certificate.
    3. Click Next.
    4. Select a certificate enrollment policy and click Next.
    5. Select a certificate.
    6. Click Request.
  2. Export the certificate.

    Export Instructions
    1. Open the Manage user certificates snap-in, and then open Personal → Certificates.
    2. Right-click on the certificate that was generated in the previous step. Select All Tasks → Export.
    3. In the window that opens, click Next.
    4. Select the DER encoded binary X.509 (.CER) option.
    5. Select the file location and fill in File Name. Click Next.
    6. Check your entered data and click Done.
  3. Pass the certificate file to the PAM administrator. Supported file extensions: PEM, DER, CRT.

  4. Wait for the administrator to configure the connection via an SSH key.

  5. Connect to SSH Proxy.