Managing keys
When managing SSH authentication keys and host keys for SSH targets, use the appropriate program: sshkeygen for user (authentication) keys and sshhostkey for host keys. Ensure that SSH keys are properly stored and managed to maintain security and prevent authentication issues.
For authentication keys, if you do not have an SSH key pair for the Bravura Security Fabric server, you need to create one manually using the sshkeygen program. The public key must be manually copied to the correct location on the target SSH system.
For host keys, the first time that agtssh connects to an SSH target, agtssh stores that target's public key. On subsequent connections to the same target, agtssh validates the target's public key against the previously stored value. If a target's public key has changed, agtssh does not update the stored value, but instead reports that the value has changed. This behavior is intentional: a changed host key may indicate a security issue, so the new key is never accepted automatically. You must manually remove the old public key using the sshhostkey program and then reconnect to the target; the new value will then be stored. Host keys are stored either in the registry or in the <Program Files path>\Bravura Security\Bravura Security Fabric\<instance>\script\ directory. Storing host keys in the registry is preferred, but if you do opt to store the host keys in a KVG file using the "Host keys file" option, you should not need to modify this file manually. Instead, use the sshhostkey -f option.
To manage public host keys for SSH targets, use the sshhostkey program. See usage information for sshhostkey.
To manage the public/private authentication keys for SSH targets, use the sshkeygen program. See usage information for sshkeygen.
Keys for users are also stored either in the registry or in the <Program Files path>\Bravura Security\Bravura Security Fabric\<instance>\script\ directory.
The agtssh program does not allow empty administrator passwords for password-based authentication, and it does not allow empty passphrases for public key authentication. Also, agtssh does not fall back to password authentication when using a private key file.
When public key authentication is used, the passphrase must be provided; enter it in the target system's administrator ID password field. If public key authentication is unavailable, agtssh will automatically use that field as the password for a target that does not recognize your public key or passphrase.
The sshhostkey program is used to manage host keys in the Windows registry or in a KVGroup-based database.
This program is installed with Connector Pack. It may be located in the util directory under either the Connector Pack\global\ directory or the IDM Suite\<instance>\ directory.
sshhostkey print|delete|verify|update -s <Server>:<Port> [-v] [-f <filename>] [--instance <instance>]
The arguments are described in the following table:
Argument | Description |
---|---|
print | Prints the public key for the specified <server>:<port> or for the servers specified by the server pattern. |
delete | Deletes the public key for the specified <server>:<port> or for the servers specified by the server pattern. |
verify | Verifies the public key for the specified <server>:<port>. |
update | Updates the public key for the specified <server>:<port>, if it doesn't match the stored key. |
-s <server>:<port> | The DNS name or IP address of the target system. You can use a regular expression to match more than one server. |
-l | Displays verbose messaging for the verify and update arguments. |
-f <filename> | Uses the host key KVG file, or the registry if a file isn't specified. |
--instance <instance> | The name of the Bravura Security Fabric instance on which to run this utility to get log information. If not specified, the program looks for the default instance. |
It is recommended that you perform a print before using delete with extended regular expression patterns.
To print the public keys stored in the registry, type:
sshhostkey print
To connect to an SSH target and verify whether the locally stored public key is correct, type:
sshhostkey verify <server>:<port>
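The host-key pinning behaviour described above, and the advice to run print before delete with regular-expression patterns, as an added Python model (example code, not part of Bravura Security Fabric). It assumes targets are keyed as server:port and that the -s pattern behaves like an unanchored regular-expression search, which is why "db1" also matches "db10" in the constructed data.

```python
import re
from dataclasses import dataclass, field

# Constructed model of the agtssh / sshhostkey host-key handling described
# above (not the product's code): a key is pinned on first contact, later
# mismatches are reported but never overwrite the pinned value, and only an
# explicit delete or update by an operator lets a new key in.
@dataclass
class HostKeyStore:
    keys: dict = field(default_factory=dict)  # "server:port" -> public key text

    def connect(self, target: str, presented_key: str) -> str:
        """Emulate agtssh on connect: 'stored' on first contact, 'ok' on a
        match, 'CHANGED' on a mismatch (the stored key is left untouched)."""
        stored = self.keys.get(target)
        if stored is None:
            self.keys[target] = presented_key
            return "stored"
        return "ok" if stored == presented_key else "CHANGED"

    def _matching(self, pattern: str) -> list:
        # Assumption: the tool's -s pattern is an unanchored regular-expression
        # search, so "db1" also matches "db10"; anchor patterns to avoid that.
        rx = re.compile(pattern)
        return [t for t in self.keys if rx.search(t)]

    def print_keys(self, pattern: str = ".*") -> dict:
        """'sshhostkey print -s <pattern>': show exactly what a pattern matches."""
        return {t: self.keys[t] for t in self._matching(pattern)}

    def delete(self, pattern: str) -> list:
        """'sshhostkey delete -s <pattern>': remove every matching entry.
        Run print_keys() with the same pattern first to see the blast radius."""
        removed = self._matching(pattern)
        for t in removed:
            del self.keys[t]
        return removed

    def verify(self, target: str, presented_key: str) -> bool:
        """'sshhostkey verify': does the pinned key match what the target sends?"""
        return self.keys.get(target) == presented_key

    def update(self, target: str, presented_key: str) -> bool:
        """'sshhostkey update': explicit operator action; overwrite only if changed."""
        if self.keys.get(target) == presented_key:
            return False
        self.keys[target] = presented_key
        return True
```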
The sshkeygen program is used to generate SSH public/private keys. The key pairs can be created in KVGroup or PuTTY format, and can be either saved to a file or sent to stdout.
To enable logging for this program, you must add a system environment variable, IDM_SUITE_INSTANCE, that defines the instance to log; for example: IDM_SUITE_INSTANCE = default. See your operating system documentation to learn how to do this. The program's log is written to:
Bravura Security\Bravura Security Fabric\Logs\<instance name>\idmsuite.log
sshkeygen [options]
The arguments are described in the following table:
Argument | Description |
---|---|
-b <bits> | The length of the key in bits. If omitted, the default values will be used. |
-c <comment> | The comment used in the private and public key files. |
-f <file name> | The name of the key file. If omitted, the stream is written to stdout. |
-t <type> | The key type. The acceptable values are rsa, dsa, ed25519, and sshv1. The default type is rsa. |
-r <format> | The key format: putty or kvg. The default format is kvg. |
Keys generated by sshkeygen in Connector Pack 4.1.x are compatible with Connector Pack 4.2 and above, but not the reverse.
Warning
Refrain from using SSHv1 keys for systems that support newer protocols. SSHv1 does not meet current security standards; use only for legacy systems that support nothing else.
A passphrase must be specified when creating keys.
A minimum of 256 bits is required for the rsa and dsa key types; sshkeygen will not generate a key otherwise. The only acceptable key length for ed25519 is 256 bits; any other key length will be ignored.
A file name must be provided if the key type is sshv1 and key format is putty.
Key files will not be created if there is already a file with the same name.
The KVGroup format for the user's key pair is as follows:
# KVGROUP-V1.0
"" "" = {
    "Comment" = " "
    "Encrypted" = " "
    "KeyFingerprint" = " "
    "KeyType" = " "
    "PrivateKey" = " "
    "PrivateMAC" = " "
    "PublicKey" = " "
}
The KVGroup format for the user's key pair for SSHv1 is as follows:
# KVGROUP-V1.0
"" "" = {
    "A1-RSA-Signature" = "SSH PRIVATE KEY FILE FORMAT 1.1\n"
    "Comment" = " "
    "KeyFingerprint" = " "
    "RSA-SSH1-Key" = " "
    "authorized_keys" = " "
}
To use sshkeygen to create a KVGroup format key and write it to stdout, type:
sshkeygen.exe -r kvg
The output looks like:
# KVGROUP-V1.0
"" "" = {
    "Comment" = "Public/Private Key Generated by sshkeygen at 2021-01-12 15:44:42 (UTC-07:00)"
    "Encrypted" = "yes"
    "KeyFingerprint" = "ssh-rsa 2048 45:2e:38:a4:99:50:ad:10:61:8a:33:da:df:c4:32:e0"
    "KeyType" = "ssh-rsa"
    "PrivateKey" = "<private key data omitted>"
    "PrivateMAC" = "bd5693d9b9c59064a35a3f70ecf397f5b346e50c"
    "PublicKey" = "AAAAB3NzaC1yc2EAAAABJQAAAQEAy+2xdnaBaHjxqwSUOo+gtIaX3ztLLoB4lYzs+YrcMP5uP3thjGBTOry3JXL4sV2PCL3Gl5pXH6m5t2YyKywGnTHy0SsPs+XqA+JTREYgWihHBILrb16DmdOUo0G3+pQRcnKgxf0xLzKyM/Yv+Rtq3lt/qo0OxBCIJP2Kpl76lggGe+J8JNhbW530DgFw/soqBUNHJ52sdVscvYQNky+tptTrE5xN/bw/OB9gN2uzKMOjWkcZQ6i3yfbpTwjsT4h1b3WhHvHDeYI0y/rc+CyCPqx076u8d0mPKWudJuXyTBkXktQYrO2A0foo/q30idrCNjxniF7iHpimd/EwO0qHgQ=="
}
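An added Python example (not sshkeygen's own code) that parses the KVGroup key-file layout shown above and cross-checks the KeyType field against the decoded PublicKey blob, reporting the key size and a PuTTY-style MD5 fingerprint; it also handles ed25519 blobs, whose size is always 256 bits per the table. The sample key file is constructed with a synthetic modulus and is not a real key, and treating KeyFingerprint as an MD5-over-blob fingerprint is an assumption.

```python
import base64, hashlib, re, struct

def _ssh_string(b: bytes) -> bytes:  # length-prefixed SSH string (RFC 4251)
    return struct.pack(">I", len(b)) + b

def _mpint(b: bytes) -> bytes:  # SSH mpint: leading 0x00 when the high bit is set
    return _ssh_string(b"\x00" + b if b[0] & 0x80 else b)

# Constructed sample in the KVGroup layout shown above: exponent 37 and a fake
# 2048-bit modulus. NOT a real key; the private key is omitted as in the page.
SAMPLE_RSA_BLOB = base64.b64encode(
    _ssh_string(b"ssh-rsa") + _mpint(b"\x25") + _mpint(b"\xcb" + b"\x11" * 255)).decode()
SAMPLE_ED25519_BLOB = base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(b"\x07" * 32)).decode()
SAMPLE_KVG = f'''# KVGROUP-V1.0
"" "" = {{
    "Encrypted" = "yes"
    "KeyType" = "ssh-rsa"
    "PrivateKey" = "<omitted>"
    "PublicKey" = "{SAMPLE_RSA_BLOB}"
}}'''

def parse_kvgroup(text: str) -> dict:
    """Collect the quoted "Name" = "Value" pairs of a KVGroup key file."""
    return dict(re.findall(r'"([A-Za-z0-9_-]+)"\s*=\s*"([^"]*)"', text))

def decode_public_key(blob_b64: str) -> tuple:
    """Split an SSH public-key blob into its fields: (type, bits, fingerprint)."""
    raw = base64.b64decode(blob_b64)
    fields, pos = [], 0
    while pos < len(raw):
        (n,) = struct.unpack(">I", raw[pos:pos + 4])
        fields.append(raw[pos + 4:pos + 4 + n])
        pos += 4 + n
    key_type = fields[0].decode()
    if key_type == "ssh-rsa":                 # fields: type, exponent, modulus
        modulus = fields[2].lstrip(b"\x00")   # drop the mpint sign byte
        bits = (len(modulus) - 1) * 8 + modulus[0].bit_length()
    else:                                     # ssh-ed25519: 32-byte point -> 256
        bits = len(fields[1]) * 8
    digest = hashlib.md5(raw).hexdigest()     # PuTTY-style MD5 fingerprint (assumed)
    fingerprint = ":".join(digest[i:i + 2] for i in range(0, 32, 2))
    return key_type, bits, f"{key_type} {bits} {fingerprint}"

def check_key_file(text: str) -> dict:
    # Does KeyType agree with the blob, how strong is the key, is it passphrase-protected?
    kv = parse_kvgroup(text)
    key_type, bits, fingerprint = decode_public_key(kv["PublicKey"])
    return {"type_matches": kv["KeyType"] == key_type, "bits": bits,
            "fingerprint": fingerprint, "encrypted": kv.get("Encrypted") == "yes"}
```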
To use sshkeygen to create a PuTTY format key and write it to stdout, type:
sshkeygen.exe -r putty
The output looks like:
PuTTY-User-Key-File-2: ssh-rsa
Encryption: aes256-cbc
Comment: Public/Private Key Generated by sshkeygen at 2021-01-12 15:56:04 (UTC-07:00)
Public-Lines: 6
AAAAB3NzaC1yc2EAAAABJQAAAQEA/XhhGFeZOxU99kV7s43wk4VY9PIeJAHQ+uon
Gc2KwFU1Ad288I1kdrZDPWDxZTQfv1KZEIaVWvLO7qSjqOO64TrPXa4ZabLc39JO
OaUZxB2BjDnQG3xsRzjPLphp8G63s1xavSLpVdDBtyT+tJzm+VYgYBW1+CWLMFLS
RxzpmNrN8P69dJo5cVVcusMLqw7PzlyQt7SdqDzdMJIj8QPv1J3YfZJznnGedTao
EC4lWp7ve18utjpy1EOXIPPJShcV5f9hLnVyXKVvnhzT5slaXGJtzP/LvSGCmj3s
D3AL7aHfCDvepVeTvsyseC41xoLrzJbHJk/Il5ksn8vSWLWr8Q==
Private-Lines: 14
<14 base64 lines of the encrypted private key, omitted here>
Private-MAC: f81dd3f7a7e0ce4b22dd5ae279ec7bc02c9a9b3d
To use sshkeygen to create a key file using KVGroup format (test.kvg), type:
sshkeygen.exe -r kvg -f "\Program Files\Bravura Security\Bravura Security Fabric\default\script\test.kvg"