SiteScope User's Guide

Using the Integrated Java SSH Client

SiteScope provides a SSH client written in Java that is integrated into the SiteScope application. This client significantly reduces the required system resources used by SiteScope when connecting to servers via SSH. The Java client supports both SSH version 1 and version 2 protocols as well as both password based and key based authentication. The SiteScope configuration for the client is identical for UNIX, Linux and NT SiteScope. Documentation on using an external SSH client can be found at External SSH Client.

This section describes:

• Working with the Integrated SSH Client
• Setting up Key Based Authentication
• Using SSH Version 2 Protocol

Working with the Integrated SSH Client

As noted previously, there are two different versions of the SSH protocol: version 1 and version 2. While they are both considered to be Secure Shell protocols, version 1 and version 2 are considered to be two different protocols and are not compatible with each other. Some security vulnerabilities have been found in SSH1. This resulted in several changes in SSH2 which is being considered the current standard. Most SSH software will support both protocols. However, to ensure that a request for a SSH connection uses SSH2 instead of SSH1, it is necessary to configure SSH clients and SSH hosts to use the same protocol version between them in order to communicate. In many cases, SSH version 1 (SSH1) is the default version used for connections as it is considered the lowest common denominator between a SSH client and a SSH host.

There are two ways to force SSH2 connections. These are:

1. Configure all SSH daemons or servers to accept only SSH2 connection requests
2. Configure the SSH client on the SiteScope server to only make SSH2 requests

The first option is perhaps the most secure but may be the most time consuming unless each server was configured for this option when it was installed and activated. The second option only requires changes to the client on the SiteScope server. For the integrated Java SSH client, this can be controlled by a setting in the SSH Advanced Options section on the remote server set up page.

Another part of SSH security is authentication. The integrated SSH client for SiteScope can be configured to use one of two authentication options. These are:

• Password Authentication
• Key Based Authentication

Password Authentication is the default method for SSH connections in SiteScope. Key Based Authentication adds an additional level of security through the use of a passphrase and a public-private key authentication. See the following section titled Setting up Key Based Authentication for more details on how to set up key based authentication for SSH connections.

Setting up Key Based Authentication

In order to use Key Based Authentication for SSH remotes, you must first generate a pair of public/private keys. The public key will reside on the remote and the private key will be kept on the SiteScope machine. Both cygwin and openssh come with key a key generation tool called ssh-keygen. The ssh-keygen tool will allow you to create both protocol version 1 and version2 keys. Read the documentation on ssh-keygen to create the type of key that you need. For example, to create an RSA key pair SSHv2:

1. Log on to your UNIX remote server as the user that SiteScope will login as..
2. Run the command ssh-keygen -t rsa
   Generating public/private rsa key pair.
   Enter file in which to save the key (/home/dclements/.ssh/id_rsa):
   Enter passphrase (empty for no passphrase):
   Enter same passphrase again:
   Your identification has been saved in /home/dclements/.ssh/id_rsa.
   Your public key has been saved in /home/dclements/.ssh/id_rsa.pub.
   The key fingerprint is:
   09:f4:02:3f:7d:00:4a:b4:6d:b9:2f:c1:cb:cf:0e:e1 dclements@sde4.freshwater.com
   
3. Copy the "identification" file, private key, to the SiteScope machine. The default location for this file is SiteScope/groups/identity.
4. Create or configure Remote settings in SiteScope to use SSH as the connection method. And Key Based as the authentication method under SSH Advanced Settings.

Index

Using SSH Version 2 protocol

By default, the SiteScope Java client will use the SSH1 Protocol if the server it is trying to connect to allows SSH1 connections. If this negotiation fails then SiteScope will try to connect using version 2 protocol. The SiteScope Java client can be configured to use only SSH2 connections. Making the change on the SiteScope machine may be easier than having to reconfigure a large number of remote SSH servers.

When configuring your Remote, Under SSH Advanced Settings select the SSH Version 2 Only check box. Note: When using Key Based authentication the Key File supplied must be a version 2 private key.

Index

Copyright © 2004 Mercury Interactive Corporation.
All rights reserved.

Documentation comments or suggestions?
Please send feedback to documentation@merc-int.com