
CLI cookbook: configuring SSH host verification for UNIX environments

This topic describes how to configure SSH host verification when authenticating to UNIX environments, which lets the Delphix server ensure it connects to the intended environment hosts. This method uses the Delphix CLI to set the SSH key or fingerprint of each host. Currently, it is only possible to configure SSH host verification via the CLI or the Web Service API.

When an SSH key or fingerprint is specified for an environment host, the Delphix server will use it when connecting to that host to verify that host. If the key or fingerprint does not match the information presented by that host, the Delphix server will close that connection and report the problem to the user.

The key types supported by the Delphix server are RSA (ssh-rsa), DSA (ssh-dsa), ECDSA (ecdsa-sha2-nistp256) and ED25519 (ssh-ed25519). The fingerprint types supported are SHA256 and SHA512; the MD5 type is considered insecure and, therefore, is not supported.

Prerequisites

  • To obtain the SSH public key or fingerprint of a host remotely from another machine, you must have the ssh-keyscan and ssh-keygen utilities.

  • To obtain the SSH public key or fingerprint directly from a host, you must be able to log into that host.

Obtaining an SSH key or fingerprint

  1. Remotely: List the SSH public keys of the host using the standard utility ssh-keyscan and choose one of them. For example:

    CODE
    $ ssh-keyscan example.environment.host
    # example.environment.host:22 SSH-2.0-OpenSSH_7.4
    example.environment.host ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBsOAAokSRO67jI28syRmX0wY/fKIboLLu/ofk6BzYLKtkMaK1QC78/6QlelIJUP5HdK8E7Um/iM1JMxry4h9Rl13onYOuJVZkDB9wnJiztSu/Wl9Eqbt59TU1vGmp/4ulWS3PISl7bxs+l43HzsrjM4dTs2efQ7sLWoW86CDlL7Je4va65/aopvifxKZeZkT0srB3L8VzHKw9+NJOumy1CI3DIBiICURJd4WZ10IH5TFUDRaUFAc/trzW1gvJY/Whp892tPHekyP32hOZNIc7oDPx2boZauJVR6/BHmKpmLlhkPpEqfZP8JW+JNsNnLr9BEmwJXaEpwnua1BUii8F
    ...

    where the key is the Base64-encoded string to the right of the key type. In this example, the RSA SSH public key is the string starting with "AAAAB3Nza" and ending with "a1BUii8F".

  2. Alternatively, from the host: Log into the host and print the file contents of your public key of choice. For example:

    CODE
    $ cat /etc/ssh/ssh_host_rsa_key.pub
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBsOAAokSRO67jI28syRmX0wY/fKIboLLu/ofk6BzYLKtkMaK1QC78/6QlelIJUP5HdK8E7Um/iM1JMxry4h9Rl13onYOuJVZkDB9wnJiztSu/Wl9Eqbt59TU1vGmp/4ulWS3PISl7bxs+l43HzsrjM4dTs2efQ7sLWoW86CDlL7Je4va65/aopvifxKZeZkT0srB3L8VzHKw9+NJOumy1CI3DIBiICURJd4WZ10IH5TFUDRaUFAc/trzW1gvJY/Whp892tPHekyP32hOZNIc7oDPx2boZauJVR6/BHmKpmLlhkPpEqfZP8JW+JNsNnLr9BEmwJXaEpwnua1BUii8F

  3. If a fingerprint is preferred, use ssh-keygen in conjunction with the above commands. For example, remotely:

    CODE
    $ ssh-keyscan example.environment.host | ssh-keygen -E sha256 -lf -
    ...
    2048 SHA256:8Cx8cBg/pSbkId3uu2vATeugkAXcm+Ruu9hu66OXEGI example.environment.host (RSA)
    ...

    where the fingerprint is "SHA256:8Cx8cBg/pSbkId3uu2vATeugkAXcm+Ruu9hu66OXEGI" (the string between the key size and the hostname).
    Alternatively, from the host:

    CODE
    $ cat /etc/ssh/ssh_host_rsa_key.pub | ssh-keygen -E sha256 -lf -
    2048 SHA256:8Cx8cBg/pSbkId3uu2vATeugkAXcm+Ruu9hu66OXEGI user@environment.host (RSA)
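The script below is an added example and is not part of the original Delphix documentation or the Delphix CLI. It re-implements, offline, what the `ssh-keygen -E sha256 -lf -` step above computes from an ssh-keyscan line or a *.pub line: decode the Base64 key blob, hash it, and render the digest as `HASH:<Base64 without '=' padding>`. That lets you cross-check that the key and the fingerprint you are about to pin belong together before entering them, and it rejects MD5 in the same way the page says the server does. The host name, the ssh-ed25519 key blob and all function names are constructed for this demonstration.

```python
"""Offline cross-check of an SSH host key against a pinned fingerprint.

Added example, not Delphix code. Re-implements the fingerprint text that
`ssh-keygen -E sha256 -lf -` prints for a key line. The sample key below is
constructed for the demonstration and does not belong to any real host.
"""
import base64
import hashlib
import hmac
import struct

# Fingerprint hash types the page lists as accepted; MD5 is deliberately absent.
SUPPORTED_HASHES = {"SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def parse_key_line(line):
    """Return (host, key_type, blob) from an ssh-keyscan or *.pub line.

    ssh-keyscan prints "host keytype base64"; a *.pub file has no host column.
    Comment lines such as the "# host:22 SSH-2.0-..." banner raise ValueError.
    """
    fields = line.strip().split()
    if not fields or fields[0].startswith("#"):
        raise ValueError("not a key line")
    if fields[0].startswith(("ssh-", "ecdsa-")):  # *.pub layout: keytype base64 [comment]
        host, key_type, b64 = None, fields[0], fields[1]
    elif len(fields) >= 3:                          # ssh-keyscan layout: host keytype base64
        host, key_type, b64 = fields[0], fields[1], fields[2]
    else:
        raise ValueError("unrecognised key line")
    blob = base64.b64decode(b64, validate=True)
    # The wire blob starts with an SSH string naming its own type; it must agree
    # with the declared type, otherwise the line was mangled or tampered with.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (type_len,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + type_len].decode("ascii", "replace")
    if embedded != key_type:
        raise ValueError("declared key type %s but blob says %s" % (key_type, embedded))
    return host, key_type, blob


def fingerprint(blob, hash_type="SHA256"):
    """OpenSSH fingerprint text: HASH:<Base64(digest)> with '=' padding stripped."""
    if hash_type not in SUPPORTED_HASHES:
        raise ValueError("unsupported fingerprint type: " + hash_type)
    digest = SUPPORTED_HASHES[hash_type](blob).digest()
    return hash_type + ":" + base64.b64encode(digest).decode("ascii").rstrip("=")


def matches_pin(line, pinned_fingerprint, key_type, hash_type="SHA256"):
    """True only if the line carries `key_type` and its fingerprint equals the pin.

    Mirrors the keyType + fingerprintType + fingerprint triple the Delphix CLI
    stores; compare_digest keeps the string comparison free of timing leaks.
    """
    try:
        _, actual_type, blob = parse_key_line(line)
    except ValueError:
        return False
    if actual_type != key_type:
        return False
    actual = fingerprint(blob, hash_type)
    return hmac.compare_digest(actual.encode("ascii"), pinned_fingerprint.encode("ascii"))


def _ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


# Constructed sample: a well-formed ssh-ed25519 blob whose 32-byte "point" is
# just 0x00..0x1f, so nothing here corresponds to a real host key.
SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_LINE = "example.environment.host ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode("ascii")

if __name__ == "__main__":
    # Constructed stand-in for what `ssh-keyscan example.environment.host` would print.
    scan_output = [
        "# example.environment.host:22 SSH-2.0-OpenSSH_7.4",  # banner line, skipped
        SAMPLE_LINE,
    ]
    for line in scan_output:
        try:
            host, key_type, blob = parse_key_line(line)
        except ValueError:
            continue
        print(host, key_type, fingerprint(blob), fingerprint(blob, "SHA512"))
        print("matches pin:", matches_pin(line, fingerprint(blob), key_type))
```

To check a real host, replace `SAMPLE_LINE` with the line ssh-keyscan printed for the key type you intend to pin; the SHA256 value printed must equal the one you pass to `set fingerprint=`, and `matches_pin` returning False for that pair means the key, the key type or the fingerprint you copied do not belong together.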

Configuring SSH host verification during environment creation

The default SSH verification strategy is SshAcceptAlways, which always trusts the key or fingerprint presented by a remote host. The procedure to change this strategy to perform fingerprint-based host verification for single-host Unix environments is:

  1. Set the new strategy to SshVerifyFingerprint:

    CODE
    delphix environment create *> edit hostParameters.host.sshVerificationStrategy
    delphix environment create hostParameters.host.sshVerificationStrategy *> set type=SshVerifyFingerprint

  2. Set the key type and fingerprint type. For example:

    CODE
    delphix environment create hostParameters.host.sshVerificationStrategy *> set keyType=RSA
    delphix environment create hostParameters.host.sshVerificationStrategy *> set fingerprintType=SHA256

  3. Set the fingerprint. For example:

    CODE
    delphix environment create hostParameters.host.sshVerificationStrategy *> set fingerprint=SHA256:8Cx8cBg/pSbkId3uu2vATeugkAXcm+Ruu9hu66OXEGI
  4. Alternatively, you can specify the key itself using the SshVerifyRawKey strategy. For example:

    CODE
    delphix environment create hostParameters.host.sshVerificationStrategy *> set type=SshVerifyRawKey
    delphix environment create hostParameters.host.sshVerificationStrategy *> set keyType=RSA
    delphix environment create hostParameters.host.sshVerificationStrategy *> set rawKey=AAAAB3NzaC1yc2EAAAADAQABAAABAQDBsOAAokSRO67jI28syRmX0wY/fKIboLLu/ofk6BzYLKtkMaK1QC78/6QlelIJUP5HdK8E7Um/iM1JMxry4h9Rl13onYOuJVZkDB9wnJiztSu/Wl9Eqbt59TU1vGmp/4ulWS3PISl7bxs+l43HzsrjM4dTs2efQ7sLWoW86CDlL7Je4va65/aopvifxKZeZkT0srB3L8VzHKw9+NJOumy1CI3DIBiICURJd4WZ10IH5TFUDRaUFAc/trzW1gvJY/Whp892tPHekyP32hOZNIc7oDPx2boZauJVR6/BHmKpmLlhkPpEqfZP8JW+JNsNnLr9BEmwJXaEpwnua1BUii8F

  5. When you are done specifying all other environment creation parameters, create the environment:

    CODE
    delphix environment create *> commit
  6. If you are creating a Unix cluster, the procedure to start editing the SSH verification settings for the first node in that cluster is similar to the single-host case. For example:

    CODE
    delphix> environment create
    delphix environment create *> set type=OracleClusterCreateParameters
    delphix environment create *> edit nodes
    delphix environment create nodes *> add
    delphix environment create nodes 0 *> edit
    delphix environment create nodes 0 *> edit hostParameters.host.sshVerificationStrategy
    # configure SSH verification settings

Note that only one node (host) can be specified and configured when creating a Unix cluster environment. The SSH verification settings for the remaining hosts can only be specified afterward by editing them via "host select <hostname> update", once the corresponding nodes have been discovered or added. See the next section.

Configuring SSH host verification for existing hosts

For any Unix environment host, whether it is single or part of a cluster, you can set up or change its configuration for SSH verification after the environment has been added by editing the host. For example:

CODE
delphix> host select example.environment.host update sshVerificationStrategy
delphix host 'example.environment.host' update sshVerificationStrategy *> edit sshVerificationStrategy
# configure SSH verification settings

Testing SSH host verification

It is possible to configure an SSH key or fingerprint when performing a connectivity test to a Unix host. This can be done without even creating an environment for that host. For example:

CODE
delphix> connectivity ssh
# configure address and credentials
...
delphix connectivity ssh *> edit sshVerificationStrategy
# configure SSH verification settings

SSH host verification errors

When the Delphix server initiates an SSH connection to a host, and SSH host verification is configured (i.e. the verification strategy is not the default SshAcceptAlways), the server first checks the key presented by the host. Only if this check passes will the server attempt to authenticate. Therefore, a host key verification failure is reported to the user as "Unrecognized key or fingerprint" before any authentication failure. For example:

CODE
delphix connectivity ssh *> set credentials.password=<BAD PASSWORD>
delphix connectivity ssh *> set sshVerificationStrategy.rawKey=<BAD KEY>
delphix connectivity ssh *> commit
Error: Unrecognized key or fingerprint returned by host "example.environment.host".
Action: Contact your administrator as this could be a man-in-the-middle attack. Otherwise, correct the host's ssh key/fingerprint configuration.
delphix connectivity ssh *> set sshVerificationStrategy.rawKey=<GOOD KEY>
delphix connectivity ssh *> commit
Error: Unable to authenticate to host "example.environment.host" using username "myusername".
Action: Check the username and password and try again.