This article describes the procedure that must be performed on a Linux server running the OpenSSH service (sshd) in order to allow SSH access to that server via the Secure Access Cloud (SAC) platform.
This article assumes that you are an administrator who wants to provide SSH access to one or more servers. The procedure described below assumes that you have access to the servers and are able to modify local files and run commands on the machine. If you are providing access to virtual machines hosted by an Infrastructure-as-a-Service provider, you will need one-time console access to each machine in order to perform the procedure below. For environments with many dynamically created virtual machines, we recommend performing this procedure once, creating an "image" that contains this configuration, and instantiating new instances from that image so the configuration is built in.
The procedure can be performed either manually, as described below, or by running an automatic script that can be copied from the SSH Application page in the SAC Administration Web Portal.
The manual setup is performed in 3 easy steps:
Download the Public Key for the Certificate Authority from the SAC Administration Portal and copy it to the server [this step requires administrative credentials to your company's SAC Administration Portal]
Modify the configuration of the OpenSSH Daemon on the server [this step requires root access to the server]
Restart the OpenSSH Daemon to re-load the updated configuration [this step requires root access to the server]
After completing the above steps, we recommend testing the connection to the machine via the SAC platform.
Step I - Download the Public Key for the Certificate Authority and copy it to the server
The public key of the Certificate Authority that SAC uses to issue short-lived, unique access certificates can be downloaded from the SAC Administration Portal.
Click the download button to retrieve the public key. The downloaded file contains a key in the SSH-RSA public key format. It should be copied to the server that will be accessed via SSH through SAC. Because the file is plain ASCII text, it can be transferred using any remote terminal tool.
Step II - Modify the configuration of the OpenSSH Daemon on the server
To perform this step you need to be connected to the server via a remote terminal with root access, because you will modify system configuration files that affect all users on the machine.
We assume that the public key uploaded to the machine in the previous step is stored as /etc/ssh/luminate.pub (the file name is only an example; any name can be used as long as the sshd configuration references it).
You need to modify the file sshd_config in the /etc/ssh directory, adding the following line. It can go anywhere in the main (global) section of the file; if the file contains Match blocks, place it above the first one, because a directive that appears after a Match line applies only to connections matching that block:
Note: If you would like a single SSH server to accept certificates issued by several different Certificate Authorities, the file referenced by TrustedUserCAKeys should contain all of the CA public keys, one key per line.
After saving the file, check it with sshd -t (which reports configuration errors without touching the running service) and then restart the SSHD service.
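One way to script Step II so that it can be re-run safely, as an added example (not the article's own procedure nor the script offered in the SAC portal): it inserts the directive above any Match block, refuses a file that is not an OpenSSH public key, and leaves validation and reload to sshd -t and systemctl. /etc/ssh/luminate.pub is the article's example file name; the systemctl reload command assumes a systemd-based distribution.

```shell
#!/bin/sh
# Added example, not part of the original article: idempotently add the
# TrustedUserCAKeys directive to an sshd_config, keeping it in the global
# section (above any Match block), and verify the file before reloading sshd.
# Both paths are parameters so the functions can be exercised on a copy.

# Print the TrustedUserCAKeys line in effect for the global section, if any.
current_ca_keys_directive() {
    # Stop at the first Match block: lines after it belong to that block only.
    awk 'tolower($1)=="match"{exit} tolower($1)=="trustedusercakeys"{print; exit}' "$1"
}

# Insert "TrustedUserCAKeys <keyfile>" into config $1 pointing at key file $2.
configure_trusted_ca() {
    cfg="$1"; keyfile="$2"
    [ -r "$keyfile" ] || { echo "CA key file $keyfile not readable" >&2; return 1; }
    # Each line of the key file must be a single OpenSSH public key.
    grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) ' "$keyfile" || {
        echo "$keyfile does not look like an OpenSSH public key" >&2; return 1; }
    if current_ca_keys_directive "$cfg" | grep -q .; then
        echo "TrustedUserCAKeys already set: $(current_ca_keys_directive "$cfg")"
        return 0
    fi
    newcfg="$cfg.new.$$"
    # Print the directive before the first Match line so it stays global;
    # if there is no Match block, append it at the end.
    awk -v line="TrustedUserCAKeys $keyfile" '
        !done && tolower($1)=="match" { print line; done=1 }
        { print }
        END { if (!done) print line }' "$cfg" > "$newcfg" && mv "$newcfg" "$cfg"
}

# Ask sshd to check the file (needs root) and reload it only if the check passes.
validate_and_reload() {
    sshd -t -f "$1" && systemctl reload sshd
}
```

Typical use on the server, as root: configure_trusted_ca /etc/ssh/sshd_config /etc/ssh/luminate.pub && validate_and_reload /etc/ssh/sshd_config.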
Step III - Restart the OpenSSH Daemon
Detailed information about restarting services in various Linux distributions can be found in these articles: