________________________________________________________________________
Applicable Environment
________________________________________________________________________
- Topic: Network protocol - SSH Public-Key Authentication
- SDP: 7.1.0
- Target: All supported hosts and targets
________________________________________________________________________
Problem
________________________________________________________________________
When using SSH to access a remote system, there are two methods of authentication: password and public-key authentication.
________________________________________________________________________
Solution
________________________________________________________________________
This guide will demonstrate how to enable public-key authentication between a host and a remote system.
First, sshd and ssh have to be set up on QNX before accessing a QNX remote system through ssh or using QNX to access a remote system. The links for configuring them on QNX 7.1.0 are listed below:
http://www.qnx.com/developers/docs/7.1/index.html#com.qnx.doc.neutrino.utilities/topic/s/sshd.html
http://www.qnx.com/developers/docs/7.1/index.html#com.qnx.doc.neutrino.utilities/topic/s/ssh.html
In general, the host (client) stores the private and public keys in /etc/ssh. The remote system (server) has to have the public key of each host in a file called authorized_keys, located at ~/.ssh/authorized_keys.
The instructions below apply to both Linux and QNX:
1. On the host system, navigate to the /etc/ssh directory that contains the keys. There are different types of keys based on their algorithm (DSA, RSA, ECDSA, Ed25519). In this example, RSA keys are used.
2. If there are no keys available in this directory, keys can be created using ssh-keygen. Below is an example:
ssh-keygen -t rsa -b 1024 -f /etc/ssh/ssh_host_rsa_key -N ''
3. Run the following command to copy the public key over to the remote system (ensure that the .ssh directory exists under the USER/root's directory):
cat /etc/ssh/ssh_host_rsa_key.pub | ssh root@<ipAddress> "cat >> .ssh/authorized_keys"
Alter the path of .ssh depending on where it is located inside the user directory. If this works without any issues, the public key will be appended to the USER/.ssh/authorized_keys file. If the user's home is a different directory (for example: /home/qnxuser), then the authorized_keys file would be created in /home/qnxuser/.ssh/authorized_keys. On a remote Linux system, the authorized_keys file can be located or created in ~/.ssh.
You may also choose to perform this step in the build script by inserting the following lines (when QNX is the remote system):
[uid=1000 gid=1000 perms=0755 type=dir] /root
[uid=1000 gid=1000 perms=0755 type=dir] /root/.ssh
[uid=1000 gid=1000 perms=0600] /root/.ssh/authorized_keys = {
ssh-rsa AAAAAB3NzaC1yc2EAAAADAQABAAABAQCyVGaw1PuEl98...aVFft085yvVq7KZbF2OPPbl+erDW91+EZ2FgEi+v1/CSJ5 your_username@hostname
}
4. Run the following commands to give .ssh and authorized_keys appropriate file permissions:
chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys
If root is going to be used to log in to ssh (root@ipAddress), it is important to ensure that the authorized_keys file is also owned by "root" and located under /root/.ssh.
5. On your remote system, ensure that the following lines are present in /etc/ssh/sshd_config:
PermitRootLogin yes
RSAAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
This will disable password authentication and force authentication with public keys.
6. You can now log in to the remote system from the host using "ssh root@<remoteIPAddress>"
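Added example (not part of the original QNX article): a shell check for steps 4 and 5 that reports whether .ssh and authorized_keys have the modes set above and whether sshd_config carries the two authentication lines. The function names and the sample files it builds are constructed for illustration; it reads only the first occurrence of each keyword, which is the one sshd uses, and does not handle Match blocks or Include.

```shell
#!/bin/sh
# Added example, not from the original article: audit steps 4 and 5.

# First 10 characters of `ls -ld`, e.g. "drwx------" for a mode-700 directory.
mode_string() {
    ls -ld "$1" 2>/dev/null | cut -c1-10
}

# Value sshd would use for keyword $2 in file $1: keywords are
# case-insensitive, the first occurrence wins, commented lines are skipped.
# Match blocks and Include files are not handled here.
sshd_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print tolower($2); exit }' "$1"
}

# check DESCRIPTION ACTUAL EXPECTED: print a result line, record failures in rc.
check() {
    if [ "$2" = "$3" ]; then
        echo "ok   $1"
    else
        echo "FAIL $1 (found '$2', expected '$3')"
        rc=1
    fi
}

# audit_pubkey_setup HOME_DIR SSHD_CONFIG: returns 0 only if all checks pass.
# A missing keyword is reported too, since the article asks for the lines
# to be present.
audit_pubkey_setup() {
    rc=0
    check "$1/.ssh mode" "$(mode_string "$1/.ssh")" "drwx------"
    check "$1/.ssh/authorized_keys mode" "$(mode_string "$1/.ssh/authorized_keys")" "-rw-------"
    check "PubkeyAuthentication" "$(sshd_value "$2" PubkeyAuthentication)" "yes"
    check "PasswordAuthentication" "$(sshd_value "$2" PasswordAuthentication)" "no"
    return "$rc"
}

# Constructed sample layout so the example runs offline.
demo=$(mktemp -d)
mkdir "$demo/.ssh" && : > "$demo/.ssh/authorized_keys"
chmod 700 "$demo/.ssh"
chmod 644 "$demo/.ssh/authorized_keys"   # deliberately too open
printf '%s\n' '#PasswordAuthentication yes' 'PubkeyAuthentication yes' \
    'PasswordAuthentication yes' > "$demo/sshd_config"
audit_pubkey_setup "$demo" "$demo/sshd_config" || echo "audit found problems"
rm -rf "$demo"
```

On a real target, pass the login user's home directory and /etc/ssh/sshd_config as the two arguments.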
The process is slightly different when there is a need to access a QNX server/remote system from Windows:
1. Follow the instructions in
https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_keymanagement until the end of the section "User key generation"
2. In the end, public and private keys should be stored in
C:\Users\username/.ssh/id_rsa (using rsa in this case)
3. To deploy this public key, we need to navigate to
C:\Users\username/.ssh/id_rsa.pub, open and manually copy its contents.
4. Perform steps from 3. in the above instructions for Linux/QNX to copy the public key over to the remote system. Note that the path to the public key is now
C:\Users\username/.ssh/id_rsa.pub.
________________________________________________________________________
NOTE:
This entry has been validated against the SDP version listed above. Use
caution when considering this advice for any other SDP version. For
supported releases, please reach out to QNX Technical Support if you have any questions/concerns.
________________________________________________________________________