View Source

Introduction

Using SSH keys for authentication offers significant security advantages over traditional password-based logins. SSH keys are more secure, less prone to brute-force attacks, and eliminate the need for users to remember complex passwords. By leveraging LDAP for user management, you can centralize user authentication and simplify access control across multiple systems.

Steps to Generate and Use SSH Keys for LDAP Users

This guide considers creating SSH keys for LDAP (accepting OpenSSH format). If you prefer to set local keys into the VMs using Morpheus (accepting PEM format), please follow the guide at: Add your SSH key pair.

Generate SSH Key Pair

On a Unix-based System (Linux/macOS):

Open a terminal
Generate a new SSH key pair:
```
ssh-keygen -t rsa -b 2048
```
Follow the prompts to save the key (default location is ~/.ssh/id_rsa). You can optionally set a passphrase.

On Windows using PuTTYgen:

Download and open PuTTYgen
Click on "Generate" and move your mouse around to create randomness.
Save the private key (e.g., id_rsa.ppk) and the public key (e.g., id_rsa.pub).

Add the public keys to LDAP

Using CLI

First connect to ldap VM with your shell using credentials stored in Morpheus Cypher entries secret/ipaadmin_username and password/ipaadmin.

ipa user-mod <USERNAME> --sshpubkey="ssh-rsa <key_content>"

# Example for single key
ipa user-mod alice --sshpubkey="$(cat /home/alice/.ssh/id_rsa.pub)"

# To upload multiple keys, pass a comma-separated list of keys with a single --sshpubkey option:
ipa user-mod alice --sshpubkey="key1==,key2==,key3=="

Using Web UI

Start by connecting to your Remote Desktop with the username assigned to your ldap tenancy.
Once you're in, launch Firefox and visit the IP of your LDAP server.
Once you're in the LDAP, You can then click on the user and insert SSH keys

European Weather Cloud Knowledge Base > SSH Key Authentication with LDAP: Setup and Usage (EUMETSAT) > image-2024-7-1_11-42-27.png

Force SSH key authentication for already provisioned instances:

All new VMs accept only SSH key authentication by default. For security reason, users are advised to modify enforce the ssh key authentication also in already existing VMs. The ssd settings can be changed with following steps:

Go to the Instance → Actions → Run workflow → force_ssh_authentication

European Weather Cloud Knowledge Base > SSH Key Authentication with LDAP: Setup and Usage (EUMETSAT) > image-2024-7-1_11-53-59.png

Please make sure that you have first set up the SSH keys to your LDAP or VMs. Otherwise you won't be able to ssh into your VM after running the workflow.

Logging in with SSH Keys

Login Using SSH Keys (Default Path):

ssh username@hostname
or
ssh -J user@ssh-proxy user@internal-vm

Login Using SSH Keys (Specified Path): If your private key is not in the default location, specify the path using the -i option:

ssh -i /path/to/private_key username@hostname
or
ssh -o "ProxyJump user@ssh-proxy" -i /path/to/private_key user@internal-vm