Using agtssh with Public/Private Authentication Key Management
When configuring SSH connections, there are two general scenarios. The first involves generating a public/private key pair, then adding the public key to the authorized key file of the target SSH system. The second scenario entails using a pre-existing public/private key pair, typically in PEM/PPK format, such as when authenticating to an AWS UNIX instance.
Bravura Security Fabric provides two utilities, located in the utils directory, to support these processes:
sshkeygen.exe - Generates public/private key pairs for authentication. It produces Bravura Security-style key pairs or PuTTY format keys.
sshkeyconvert.exe - Converts PEM/PPK format files to the KVG public/private format. See Convert a PEM/PPK to KVG Format Authentication Key.
Generate a public/private key pair
This scenario is suitable when creating a key pair from a self-signed certificate not certified by a CA signing authority.
Use sshkeygen to create an encrypted public/private key file:
sshkeygen -p mypass > user_ppk.kvg
The resulting user_ppk.kvg file contains details such as the key type, encryption status, and creation timestamp.
Add the public key to the user's authorized_keys file on the target system. After logging in as the user, append a line of the form "KeyType" [space] "PublicKey" to ~/.ssh/authorized_keys. Afterwards, viewing the file with
cat ~/.ssh/authorized_keys
should show a line like:
rsa AAAAB3NzaC1yc2EAVAABJQAAAIEAqJQh1F6dyZcrUNWmvRtcuItLXsTDZqBjuw9vRMS2/9oalMEiKSu1T/ZlHdoQSxRDL8Utz+n5s08Xx/oYp/BbPte6vnbo0muL94aw0rf//jyWLsztVsXsiH+GbNXARt2H/v/ZYH0Bt1US3bXt5C2mV/I30nplDbdhEm1n6HtDSNU=
Configure agtssh to use the public/private key for authentication. Change the target address line to add the authkey option set to user_ppk.kvg, and copy the file into the script folder. For public key authentication, the adminid is used to decrypt the authentication key file and systempw is used to authenticate for sudo (if sudo is set in privileged escalation mode).
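The step above that appends the "KeyType PublicKey" line to ~/.ssh/authorized_keys is the one most often done by hand and most often done wrong (duplicate entries, or a ~/.ssh directory with permissions that make sshd ignore the file). The script below is an added example, not part of the Bravura Security documentation: a POSIX shell function that appends the line exactly once, keyed on the key material, and sets the 700/600 permissions sshd's StrictModes requires. The key value it uses is a constructed placeholder, and the function name and the home-directory argument are this example's own choices.

```shell
#!/bin/sh
# Added example (not part of the Bravura Security documentation).
# Appends a "KeyType PublicKey" line to <home>/.ssh/authorized_keys on the
# target UNIX account without creating duplicates, and with the permissions
# sshd expects. The key line is assumed to have been copied out of the
# user_ppk.kvg file produced by sshkeygen; SAMPLE_KEY below is constructed.

# add_authorized_key <home-dir> <keyline>
# Prints "added" or "already-present"; returns 1 on a malformed key line.
add_authorized_key() {
    home_dir="$1"
    key_line="$2"
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    # Accept only "<keytype> <base64>": one space, nothing else, so a pasted
    # comment or a wrapped line cannot end up as a broken entry.
    case "$key_line" in
        *' '*) ;;
        *) echo "malformed key line (expected 'KeyType PublicKey')" >&2; return 1 ;;
    esac
    key_blob="${key_line#* }"
    case "$key_blob" in
        *' '*|'') echo "malformed key line (expected 'KeyType PublicKey')" >&2; return 1 ;;
    esac

    umask 077                 # anything created here is private to the user
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"      # sshd (StrictModes) rejects a group/world-writable ~/.ssh
    touch "$auth_file"
    chmod 600 "$auth_file"

    # Compare on the key material (field 2) only, so re-running with a
    # different KeyType label does not add a second copy of the same key.
    if awk -v blob="$key_blob" '$2 == blob { found = 1 } END { exit !found }' "$auth_file"; then
        echo "already-present"
        return 0
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
    echo "added"
}

# Stand-alone demo against a temporary home directory (constructed key, not a real one).
SAMPLE_KEY='rsa AAAAB3NzaC1yc2EConstructedSampleKeyMaterialNotARealKey0123456789ab='
demo_home=$(mktemp -d)
add_authorized_key "$demo_home" "$SAMPLE_KEY"    # prints: added
add_authorized_key "$demo_home" "$SAMPLE_KEY"    # prints: already-present
rm -rf "$demo_home"
```

Run it as the target user (or with the user's home directory as the first argument) after generating the key pair; the second call in the demo shows that re-running the provisioning step is safe.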
Convert a PEM/PPK to KVG Format Authentication Key
This scenario is appropriate when importing a key pair from a signed certificate certified by a CA signing authority.
Conversion of an encrypted PPK requires a password, whereas an unencrypted PEM file does not:
sshkeyconvert.exe -i user_ppk.pem -o user_ppk.kvg -p mypass
Configure agtssh to use the public/private key for authentication. Change the target address line to add the authkey option set to user_ppk.kvg, and copy the file into the script folder. For public key authentication, the adminid is used to decrypt the authentication key file and systempw is used to authenticate for sudo (if sudo is set in privileged escalation mode).
See usage information for sshkeyconvert.
Common error
Unable to find or validate private SSH authentication key [<path>] - [fall through/unknown key type.]. Falling back to username+password login.
This indicates that the format of the authentication key provided is unrecognized. agtssh does not accept PEM/PPK format keys; they must be converted into the kvg format first.
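Because agtssh silently falls back to username+password login when it cannot validate the key, a misconfigured key path or an unconverted PEM/PPK file results in password authentication to the target without any failed connection to draw attention. The following added example (not from the Bravura Security documentation) scans a log for the fixed message quoted above and reports the key path that failed validation. The log lines are constructed samples, and the timestamp/prefix layout and the log location are assumptions; only the error message itself comes from the page.

```shell
#!/bin/sh
# Added example (not from the Bravura Security documentation).
# Surfaces every key-validation fallback recorded in an agtssh log so that a
# downgrade from key-based to password authentication does not go unnoticed.
# The log file below is a constructed sample; the real line layout is assumed.

# list_key_fallbacks <logfile>
# Prints one line per fallback: the [<path>] from the error message.
list_key_fallbacks() {
    # Match the fixed phrase from the documentation, then extract the bracketed
    # path that follows "private SSH authentication key".
    grep -F 'Falling back to username+password login' "$1" \
      | sed -n 's/.*private SSH authentication key \[\([^]]*\)\].*/\1/p'
}

# count_key_fallbacks <logfile>
# Prints the number of fallbacks found (0 when there are none).
count_key_fallbacks() {
    list_key_fallbacks "$1" | wc -l | tr -d ' '
}

# Constructed sample log: one fallback (a PEM file that was never converted
# to kvg format) and one successful public key login.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2024-01-01 10:00:01 agtssh: connecting to host1 as adminid
2024-01-01 10:00:02 agtssh: Unable to find or validate private SSH authentication key [C:\script\user_ppk.pem] - [fall through/unknown key type.]. Falling back to username+password login.
2024-01-01 10:00:03 agtssh: connecting to host2 as adminid
2024-01-01 10:00:04 agtssh: public key authentication succeeded with [C:\script\user_ppk.kvg]
EOF

list_key_fallbacks "$SAMPLE_LOG"     # prints: C:\script\user_ppk.pem
count_key_fallbacks "$SAMPLE_LOG"    # prints: 1
```

A non-zero count after a key rollout is the signal to check that the authkey path is correct and that the file was produced by sshkeygen or sshkeyconvert rather than copied in as PEM/PPK.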
The sshkeyconvert program is used to convert SSH public/private keys. The key pairs can be converted into KVGroup or PuTTY format, and can be either saved to a file or sent to stdout.
Keys generated by sshkeyconvert or PuTTY's puttygen utility are supported by this program.
sshkeyconvert [options]
The arguments are described in the following table:
| Argument | Description |
|---|---|
| -i <filename> | The name of the key file to convert. |
| -o <filename> | The name of the key output file. If omitted, the stream is written to stdout, with the exception of SSHv1 KVGroup format keys. |
A passphrase must be specified when converting keys. Keys will not be converted if the wrong passphrase is given.
A key output file must be provided if the key input file format is SSHv1 and the key format is KVGroup.
Keys not generated from a recent PuTTY version (i.e., older than v0.72) cannot be converted by this program.
To use sshkeyconvert to convert a KVGroup format key file (non-SSHv1) called testkvg.kvg into PuTTY format and write to stdout, type:
sshkeyconvert.exe -i "\Program Files\Bravura Security\Bravura Security Fabric\default\script\testkvg.kvg"
To use sshkeyconvert to convert a PuTTY format key file (non-SSHv1) called testputty.ppk into KVGroup format and write to stdout, type:
sshkeyconvert.exe -i "\Program Files\Bravura Security\Bravura Security Fabric\default\script\testputty.ppk"
To use sshkeyconvert to convert a KVGroup format key file called testkvg.kvg into a PuTTY format key file called kvg2ppk.ppk, type:
sshkeyconvert.exe -i "\Program Files\Bravura Security\Bravura Security Fabric\default\script\testkvg.kvg" -o "\Program Files\Bravura Security\Bravura Security Fabric\default\script\kvg2ppk.ppk"
To use sshkeyconvert to convert a PuTTY format key file called testputty.ppk into a KVGroup format key file called ppk2kvg.kvg, type:
sshkeyconvert.exe -i "\Program Files\Bravura Security\Bravura Security Fabric\default\script\testputty.ppk" -o "\Program Files\Bravura Security\Bravura Security Fabric\default\script\ppk2kvg.kvg"
to convert a PuTTY format key file called testputty.ppk into a KVGroup format key file called ppk2kvg.kvg, type:sshkeyconvert.exe -i "\Program Files\Bravura Security\Bravura Security Fabric\default\script\testputty.ppk" -o "\Program Files\Bravura Security\Bravura Security Fabric\default\script\ppk2kvg.kvg"