22.1.2. Procedure – Configuring public-key authentication using an LDAP server and a fixed key

Purpose: 

To fetch the public keys of the users from an LDAP server and use a locally-stored private-public keypair in the server-side connection, complete the following steps:

Note

Balabit recommends using 2048-bit RSA keys (or stronger).

Steps: 

  1. Navigate to SSH Control > Authentication Policies and create a new Authentication Policy.

  2. Select Client-side gateway authentication backend > LDAP > Public key, deselect all other options.

  3. Select Relayed authentication methods > Public key > Fix, deselect all other options.

  4. Select Private key and click . A pop-up window is displayed.

  5. Click Browse and select the private key of the user, or paste the key into the Copy-paste field. Enter the password for the private key into the Password field and click Upload.

    Note

    PSM accepts passwords that are not longer than 150 characters. The following special characters can be used: !"#$%&'()*+,-./:;<=>?@[\]^-`{|}

    If the private key of the user is not available, click Generate to create a new private key. You can set the size of the key in the Generate key field. In this case, do not forget to export the public key from PSM and import it to the server. To export the key from PSM, just click on the key and save it to your local computer.

  6. Click on the fingerprint of the key in the Server side private and public key > Private key field and save the public key. Do not forget to import this public key to the server: all connections that use this new authentication policy will use this keypair on the server side.

  7. Click .

  8. Navigate to Policies > LDAP Servers and click to create a new LDAP policy.

  9. Enter the parameters of the LDAP server. For details, see Procedure 7.9, Authenticating users to an LDAP server.

  10. If different from sshPublicKey, enter the name of the LDAP attribute that stores the public keys of the users into the Publickey attribute name field.

    Warning

    The public keys stored in the LDAP database must be in OpenSSH format.

  11. Navigate to SSH Control > Connections and create a new Connection.

  12. Enter the IP addresses of the clients and the servers into the From and To fields.

  13. Select the authentication policy created in Step 1 from the Authentication Policy field.

  14. Select the LDAP policy created in Step 7 from the LDAP Server field.

  15. If the server accepts a user only from a specific IP address, select the Use original IP address of the client radiobutton from the SNAT field.

  16. Configure the other options of the connection as necessary.

  17. Click .

  18. To test the above settings, initiate a connection from the client machine to the server.