Channel: Johannes Weber – Weberblog.net

Lastline SSH Key-Based Authentication for “monitoring” User

If you are using a Lastline device (Manager, Engine, Sensor or Pinbox) you can reach the machine via SSH after you have activated it via monitoring_user_password. However, by default this uses only a password for authentication. If you want to use key-based authentication for this “monitoring” user account, you can add the public key to the authorized_keys file for that user.

This is a small record on how to add a public key to the Lastline device. However, it is quite general since the Lastline appliance is built upon a standard Ubuntu server.

Just as a quick reminder, this is how you enable the SSH login on a Lastline box in general. Note that this requires console access:

lastline_setup
monitoring_user_password <password>
save

(The following guide is not an official guide from Lastline! Talk to the Lastline support or to your SE in order to confirm this for your installation.)

Adding Public Keys

The main goal is to copy the public SSH key into the ~/.ssh/authorized_keys file for the user called “monitoring”. If you are not familiar with public/private SSH keys at all, refer to this or that.

There are many ways to copy the public key into the authorized_keys file. If you are on the local machine you can append it with “>>”, for example:

cat id_rsa.pub >> authorized_keys

Another way is to use ssh-copy-id when you are logged into the jump host which has the public key. This way the authorized_keys file is created with the correct file permissions. This is my preferred way. Here is an example:

weberjoh@jw-nb15-lx:~$ ssh-copy-id -f monitoring@192.168.120.20
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/weberjoh/.ssh/id_rsa.pub"
The authenticity of host '192.168.120.20 (192.168.120.20)' can't be established.
RSA key fingerprint is SHA256:JqNJhtSBgn0AU9Ka8hZHBxHhjFfD3+RpvpcA81jwwN8.
No matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no)? yes
monitoring@192.168.120.20's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'monitoring@192.168.120.20'"
and check to make sure that only the key(s) you wanted were added.

In any case you should check that the file permissions are rw only for the user! If not, change them with:

sudo chmod 0600 ~/.ssh/*

The following listing shows the ~/.ssh/ folder on my Lastline Pinbox. Note the authorized_keys file with the correct permissions and its content:

monitoring@jw-lastline01:~/.ssh$ ls -ahl
total 12K
drwxr-x--- 2 monitoring monitoring 4.0K Jan 23 15:32 .
drwxr-xr-x 5 monitoring monitoring 4.0K Jan 19 13:48 ..
-rw------- 1 monitoring monitoring  404 Jan 23 15:32 authorized_keys
monitoring@jw-lastline01:~/.ssh$ cat authorized_keys
ssh-rsa AAAAAAAfoobarAAAAABBBBBandevenmuchmorelongerCCCCCCC johannes@webernetz.net
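As an added example (not from the original post, and not a Lastline tool), the following POSIX shell script automates the check that the listing above does by eye: it verifies that the .ssh directory and every file in it have owner-only permissions, lists what is actually in authorized_keys (key type and comment per entry), and flags any line that does not parse as an OpenSSH public key. The demo directory and the key string it builds are constructed placeholders; on a real appliance you would call audit_ssh_dir ~/.ssh as the monitoring user.

```shell
#!/bin/sh
# Added example, not from the original post: audit a user's ~/.ssh directory.
# Uses GNU stat (-c '%a'), as found on the Ubuntu base of the appliance.

# Octal permission bits of a path, e.g. 600.
mode_of() {
    stat -c '%a' "$1"
}

# List the entries of an authorized_keys file (type and comment per key) and
# return 1 if any non-blank, non-comment line is not an OpenSSH public key.
# Option fields containing spaces (command="a b") are not handled here.
list_authorized_keys() {
    file="$1"
    n=0
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        set -f                       # no globbing while we split the line
        set -- $line
        set +f
        # an options field (e.g. from="...") may precede the key type
        case "$1" in
            ssh-rsa|ssh-ed25519|ecdsa-sha2-*|ssh-dss) ktype="$1"; comment="$3" ;;
            *) case "$2" in
                   ssh-rsa|ssh-ed25519|ecdsa-sha2-*|ssh-dss) ktype="$2"; comment="$4" ;;
                   *) echo "UNRECOGNISED: $line"; bad=$((bad + 1)); continue ;;
               esac ;;
        esac
        n=$((n + 1))
        echo "key $n: $ktype ${comment:-<no comment>}"
    done < "$file"
    echo "total keys: $n"
    [ "$bad" -eq 0 ]
}

# Check directory and file modes, then the key file; return 1 on any finding.
audit_ssh_dir() {
    dir="$1"
    rc=0
    [ -d "$dir" ] || { echo "no such directory: $dir"; return 1; }
    dm=$(mode_of "$dir")
    case "$dm" in
        700|750) echo "OK   $dir (mode $dm)" ;;
        *)       echo "WARN $dir mode $dm: group/other must not write (expected 700)"; rc=1 ;;
    esac
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        fm=$(mode_of "$f")
        case "$fm" in
            600|400) echo "OK   $f (mode $fm)" ;;
            *)       echo "WARN $f mode $fm: fix with chmod 0600 \"$f\""; rc=1 ;;
        esac
    done
    if [ -f "$dir/authorized_keys" ]; then
        list_authorized_keys "$dir/authorized_keys" || rc=1
    else
        echo "WARN no authorized_keys in $dir"; rc=1
    fi
    return "$rc"
}

# Constructed demo: a throwaway .ssh directory with a placeholder key line.
make_demo_dir() {
    base=$(mktemp -d)
    mkdir -m 700 "$base/.ssh"
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAAPLACEHOLDER-NOT-A-REAL-KEY johannes@example.net\n' \
        > "$base/.ssh/authorized_keys"
    chmod 600 "$base/.ssh/authorized_keys"
    echo "$base/.ssh"
}

main() {
    demo=$(make_demo_dir)
    echo "--- correct permissions"
    audit_ssh_dir "$demo"
    echo "--- after a sloppy copy (chmod 644)"
    chmod 644 "$demo/authorized_keys"
    audit_ssh_dir "$demo" || echo "audit reported findings (exit status 1)"
    rm -rf "$(dirname "$demo")"
}
main
```

The exit status is what makes this usable from a cron job or a monitoring check: anything but 0 means a permission or a key line that should be looked at, which is also the condition under which sshd with StrictModes silently refuses the key and you fall back to the password prompt without an obvious error.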

That’s it! You are now able to log in with SSH key-based authentication. With PuTTY, for example, it looks like this. Note the third line, which asks for the passphrase of the private key. Also note that there was no prompt for the account password itself:

login as: monitoring
Authenticating with public key "imported-openssh-key"
Passphrase for key "imported-openssh-key":
Welcome to Ubuntu 12.04.5 LTS (GNU/Linux 3.13.0-100-generic x86_64)

 * Documentation: https://update.lastline.com/updates/distros/Lastline_Enterprise_Pinbox_Installation_Manual.pdf .

 * To test the status of this Lastline appliance, please execute "lastline_test_appliance".

Last login: Mon Jan 23 15:33:21 2017 from 192.168.7.53

Disabling Password Authentication

Though it is possible to disable password authentication altogether, this is not officially acknowledged by Lastline. However, if you are willing to test it, configure the following within the sshd_config file. (Note: NOT ssh_config but sshd_config. The “d” stands for the daemon that listens for incoming SSH connections.):

sudo nano /etc/ssh/sshd_config

PasswordAuthentication no

sudo service ssh restart
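Because sshd takes the first value it finds for a keyword (a second PasswordAuthentication line further down in the file is ignored) and a later Match block can override the global setting for particular users, it is worth checking what the daemon will actually use before restarting it. The following POSIX shell script is an added example, not from the original post and not a Lastline tool: it reads the global value of a keyword from an sshd_config file with that first-match rule and reports whether both PasswordAuthentication and ChallengeResponseAuthentication are off, since the latter can still offer a keyboard-interactive password prompt through PAM. The config excerpts it parses are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: read sshd_config the way sshd
# does (first match for a keyword wins; a "Match" line starts conditional
# sections that this global check deliberately stops at).

# Usage: sshd_setting <config-file> <keyword> <default-if-absent>
sshd_setting() {
    cfg="$1"; key="$2"; default="$3"
    val=$(awk -v key="$key" '
        tolower($1) == "match"        { exit }            # leave the global section
        /^[ \t]*#/ || NF == 0         { next }            # comments and blank lines
        tolower($1) == tolower(key)   { print $2; exit }  # first value wins
    ' "$cfg")
    printf '%s\n' "${val:-$default}"
}

# Succeeds (exit 0) only when password logins are off in the global section.
passwords_disabled() {
    cfg="$1"
    pa=$(sshd_setting "$cfg" PasswordAuthentication yes)
    cr=$(sshd_setting "$cfg" ChallengeResponseAuthentication yes)
    echo "PasswordAuthentication=$pa ChallengeResponseAuthentication=$cr"
    [ "$pa" = no ] && [ "$cr" = no ]
}

# Count "Match" blocks so the reader knows per-user overrides may apply.
match_blocks() {
    awk 'tolower($1) == "match" { n++ } END { print n + 0 }' "$1"
}

main() {
    tmp=$(mktemp)
    # constructed excerpt: "no" was appended below an existing "yes"
    cat > "$tmp" <<'EOF'
Port 22
PasswordAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication no
EOF
    passwords_disabled "$tmp" || echo "-> first value wins: passwords are still ON"
    # corrected excerpt: the existing line is changed, not duplicated
    cat > "$tmp" <<'EOF'
Port 22
#PasswordAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF
    passwords_disabled "$tmp" && echo "-> passwords OFF ($(match_blocks "$tmp") Match blocks to review)"
    rm -f "$tmp"
}
main
```

On the appliance itself the authoritative check is "sudo sshd -T | grep -i passwordauthentication", which prints the value sshd resolves after all parsing, and "sudo sshd -t" validates the file before the "service ssh restart"; keep your current session open until a second login with the key has succeeded, otherwise a typo in sshd_config locks you out of everything but the console.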

Ciao.

Featured image: “Data Center” by Bob Mical is licensed under CC BY-NC 2.0.
