CLI cookbook: configuring SSH host verification for UNIX environments
This topic describes how to configure SSH host verification when authenticating to UNIX environments, which lets the Delphix server ensure it connects to the intended environment hosts. This method uses the Delphix CLI to set the SSH key or fingerprint of each host. Currently, it is only possible to configure SSH host verification via the CLI or the Web Service API.
When an SSH key or fingerprint is specified for an environment host, the Delphix server will use it when connecting to that host to verify that host. If the key or fingerprint does not match the information presented by that host, the Delphix server will close that connection and report the problem to the user.
The key types supported by the Delphix server are RSA (ssh-rsa), DSA (ssh-dsa), ECDSA (ecdsa-sha2-nistp256) and ED25519 (ssh-ed25519). The fingerprint types supported are SHA256 and SHA512; the MD5 type is considered insecure and, therefore, is not supported.
Prerequisites
To obtain the SSH public key or fingerprint of a host remotely from another machine, you must have the ssh-keyscan and ssh-keygen utilities. To obtain the SSH public key or fingerprint directly from a host, you must be able to log into that host.
Obtaining an SSH key or fingerprint
Remotely: List the SSH public keys of the host using the standard utility ssh-keyscan and choose one of them. For example:

$ ssh-keyscan example.environment.host
# example.environment.host:22 SSH-2.0-OpenSSH_7.4
example.environment.host ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBsOAAokSRO67jI28syRmX0wY/fKIboLLu/ofk6BzYLKtkMaK1QC78/6QlelIJUP5HdK8E7Um/iM1JMxry4h9Rl13onYOuJVZkDB9wnJiztSu/Wl9Eqbt59TU1vGmp/4ulWS3PISl7bxs+l43HzsrjM4dTs2efQ7sLWoW86CDlL7Je4va65/aopvifxKZeZkT0srB3L8VzHKw9+NJOumy1CI3DIBiICURJd4WZ10IH5TFUDRaUFAc/trzW1gvJY/Whp892tPHekyP32hOZNIc7oDPx2boZauJVR6/BHmKpmLlhkPpEqfZP8JW+JNsNnLr9BEmwJXaEpwnua1BUii8F
...

where the key is the Base64-encoded string to the right of the key type. In this example, the RSA SSH public key is the string starting with "AAAAB3Nza" and ending with "a1BUii8F".

Alternatively, from the host: Log into the host and print the contents of the public key file of your choice. For example:

$ cat /etc/ssh/ssh_host_rsa_key.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBsOAAokSRO67jI28syRmX0wY/fKIboLLu/ofk6BzYLKtkMaK1QC78/6QlelIJUP5HdK8E7Um/iM1JMxry4h9Rl13onYOuJVZkDB9wnJiztSu/Wl9Eqbt59TU1vGmp/4ulWS3PISl7bxs+l43HzsrjM4dTs2efQ7sLWoW86CDlL7Je4va65/aopvifxKZeZkT0srB3L8VzHKw9+NJOumy1CI3DIBiICURJd4WZ10IH5TFUDRaUFAc/trzW1gvJY/Whp892tPHekyP32hOZNIc7oDPx2boZauJVR6/BHmKpmLlhkPpEqfZP8JW+JNsNnLr9BEmwJXaEpwnua1BUii8F

If a fingerprint is preferred, use ssh-keygen in conjunction with the above commands. For example, remotely:

$ ssh-keyscan example.environment.host | ssh-keygen -E sha256 -lf -
...
2048 SHA256:8Cx8cBg/pSbkId3uu2vATeugkAXcm+Ruu9hu66OXEGI example.environment.host (RSA)
...

where the fingerprint is "SHA256:8Cx8cBg/pSbkId3uu2vATeugkAXcm+Ruu9hu66OXEGI" (the string between the key size and the hostname).

Alternatively, from the host:

$ cat /etc/ssh/ssh_host_rsa_key.pub | ssh-keygen -E sha256 -lf -
2048 SHA256:8Cx8cBg/pSbkId3uu2vATeugkAXcm+Ruu9hu66OXEGI user@environment.host (RSA)
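As an added example (not Delphix's or OpenSSH's code), the following Python script parses ssh-keyscan and ssh-keygen -l output offline, recomputes the OpenSSH-style fingerprint from the raw key blob, and checks that the keyType, rawKey, fingerprintType and fingerprint values you are about to pin agree with each other before any of them go into the CLI. The function names, the helper that builds a sample blob, and the constructed ed25519-shaped sample key (placeholder bytes, not a real host key) are all assumptions of the example. It goes beyond the RSA case shown above by accepting every key type and fingerprint hash the page lists, and by rejecting MD5 fingerprints.

```python
import base64
import hashlib
import struct

# Key types the page lists as supported, mapped to the CLI keyType value.
# OpenSSH labels DSA host keys "ssh-dss"; both spellings are accepted here.
SUPPORTED_KEY_TYPES = {"ssh-rsa": "RSA", "ssh-dsa": "DSA", "ssh-dss": "DSA",
                       "ecdsa-sha2-nistp256": "ECDSA", "ssh-ed25519": "ED25519"}
# Fingerprint hashes the page lists as supported; MD5 is deliberately absent.
SUPPORTED_HASHES = {"SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def parse_keyscan_output(text):
    """Return {key_type: base64_key} from `ssh-keyscan host` output ('#' lines are the banner)."""
    keys = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if len(parts) < 3:
            raise ValueError("malformed ssh-keyscan line: %r" % line)
        keys[parts[1]] = parts[2]  # fields: host key_type base64 [comment]
    return keys


def parse_keygen_output(text):
    """Return (bits, fingerprint, key_type) from an `ssh-keygen -l` line such as
    '2048 SHA256:8Cx8... example.environment.host (RSA)'."""
    parts = text.split()
    if len(parts) < 4 or ":" not in parts[1]:
        raise ValueError("malformed ssh-keygen -l line: %r" % text)
    return int(parts[0]), parts[1], parts[-1].strip("()")


def decode_key(key_type, b64):
    """Base64-decode a public key and check the algorithm name embedded in it.

    The SSH wire format starts every public key blob with a length-prefixed
    algorithm name; a mismatch with the declared type means the line was
    mangled (e.g. by line wrapping on copy/paste) or altered.
    """
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + name_len].decode("ascii", "replace")
    if embedded != key_type:
        raise ValueError("declared %s but blob is %s" % (key_type, embedded))
    return blob


def fingerprint(blob, algo="SHA256"):
    """OpenSSH fingerprint form: 'ALGO:' + unpadded base64 of hash(blob)."""
    if algo not in SUPPORTED_HASHES:
        raise ValueError("unsupported fingerprint type %s" % algo)
    digest = SUPPORTED_HASHES[algo](blob).digest()
    return "%s:%s" % (algo, base64.b64encode(digest).decode().rstrip("="))


def verify_pinned(key_type, b64, expected_fp):
    """True if the scanned key hashes to the fingerprint you intend to pin."""
    algo = expected_fp.split(":", 1)[0]
    if algo == "MD5":
        raise ValueError("MD5 fingerprints are not supported")
    return fingerprint(decode_key(key_type, b64), algo) == expected_fp


def check_pin_material(keyscan_text, keygen_text):
    """Tie together the CLI values (keyType, rawKey, fingerprintType, fingerprint);
    raise ValueError if the scanned key and the ssh-keygen fingerprint disagree."""
    keys = parse_keyscan_output(keyscan_text)
    _bits, expected_fp, cli_type = parse_keygen_output(keygen_text)
    matching = [t for t, c in SUPPORTED_KEY_TYPES.items() if c == cli_type and t in keys]
    if not matching:
        raise ValueError("no scanned key of type %s" % cli_type)
    key_type = matching[0]
    if not verify_pinned(key_type, keys[key_type], expected_fp):
        raise ValueError("%s does not match the scanned %s key" % (expected_fp, key_type))
    return {"keyType": cli_type, "rawKey": keys[key_type],
            "fingerprintType": expected_fp.split(":", 1)[0], "fingerprint": expected_fp}


def build_blob(key_type, material):
    """Minimal SSH public key blob: string(algorithm name) + string(material)."""
    return (struct.pack(">I", len(key_type)) + key_type.encode()
            + struct.pack(">I", len(material)) + material)


# Constructed sample input: an ed25519-shaped blob made from placeholder bytes
# (NOT a real host key), plus the lines ssh-keyscan / ssh-keygen would print for it.
SAMPLE_BLOB = build_blob("ssh-ed25519", bytes(range(32)))
SAMPLE_B64 = base64.b64encode(SAMPLE_BLOB).decode()
TAMPERED_B64 = base64.b64encode(SAMPLE_BLOB[:-1] + bytes([SAMPLE_BLOB[-1] ^ 1])).decode()
SAMPLE_KEYSCAN = ("# example.environment.host:22 SSH-2.0-OpenSSH_7.4\n"
                  "example.environment.host ssh-ed25519 %s\n") % SAMPLE_B64
SAMPLE_KEYGEN = "256 %s example.environment.host (ED25519)" % fingerprint(SAMPLE_BLOB)

if __name__ == "__main__":
    for name, value in check_pin_material(SAMPLE_KEYSCAN, SAMPLE_KEYGEN).items():
        print("set %s=%s" % (name, value))
```

Running the script prints the four set values for the sample key. A key that picked up a stray space or line break during copy/paste fails the Base64 decode or the embedded-type check, and a fingerprint that was taken from a different key than the one scanned raises before anything is pinned; both are exactly the mistakes that would otherwise surface only as an "Unrecognized key or fingerprint" error at connection time.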
Configuring SSH host verification during environment creation
The default SSH verification strategy is SshAcceptAlways, which always trusts the key or fingerprint presented by a remote host. The procedure to change this strategy to perform fingerprint-based host verification for single-host Unix environments is:

Set the new strategy to SshVerifyFingerprint:

delphix environment create *> edit hostParameters.host.sshVerificationStrategy
delphix environment create hostParameters.host.sshVerificationStrategy *> set type=SshVerifyFingerprint

Set the key type and fingerprint type. For example:

delphix environment create hostParameters.host.sshVerificationStrategy *> set keyType=RSA
delphix environment create hostParameters.host.sshVerificationStrategy *> set fingerprintType=SHA256

Set the fingerprint. For example:

delphix environment create hostParameters.host.sshVerificationStrategy *> set fingerprint=SHA256:8Cx8cBg/pSbkId3uu2vATeugkAXcm+Ruu9hu66OXEGI

Alternatively, you can specify the key itself using the SshVerifyRawKey strategy. For example:

delphix environment create hostParameters.host.sshVerificationStrategy *> set type=SshVerifyRawKey
delphix environment create hostParameters.host.sshVerificationStrategy *> set keyType=RSA
delphix environment create hostParameters.host.sshVerificationStrategy *> set rawKey=AAAAB3NzaC1yc2EAAAADAQABAAABAQDBsOAAokSRO67jI28syRmX0wY/fKIboLLu/ofk6BzYLKtkMaK1QC78/6QlelIJUP5HdK8E7Um/iM1JMxry4h9Rl13onYOuJVZkDB9wnJiztSu/Wl9Eqbt59TU1vGmp/4ulWS3PISl7bxs+l43HzsrjM4dTs2efQ7sLWoW86CDlL7Je4va65/aopvifxKZeZkT0srB3L8VzHKw9+NJOumy1CI3DIBiICURJd4WZ10IH5TFUDRaUFAc/trzW1gvJY/Whp892tPHekyP32hOZNIc7oDPx2boZauJVR6/BHmKpmLlhkPpEqfZP8JW+JNsNnLr9BEmwJXaEpwnua1BUii8F

When you are done specifying all other environment creation parameters, create the environment:

delphix environment create *> commit

If you are creating a Unix cluster, the procedure to start editing the SSH verification settings for the first node in that cluster is similar to the single-host case. For example:

delphix> environment create
delphix environment create *> set type=OracleClusterCreateParameters
delphix environment create *> edit nodes
delphix environment create nodes *> add
delphix environment create nodes 0 *> edit
delphix environment create nodes 0 *> edit hostParameters.host.sshVerificationStrategy
# configure SSH verification settings

Note that only one node (host) can be specified and configured when creating a Unix cluster environment. The SSH verification settings for the remaining hosts can only be specified afterward by editing them via "host select <hostname> update", once the corresponding nodes have been discovered or added. See the next section.
Configuring SSH host verification for existing hosts
For any Unix environment host, whether it is single or part of a cluster, you can set up or change its configuration for SSH verification after the environment has been added by editing the host. For example:
delphix> host select example.environment.host update sshVerificationStrategy
delphix host 'example.environment.host' update sshVerificationStrategy *> edit sshVerificationStrategy
# configure SSH verification settings
Testing SSH host verification
It is possible to configure an SSH key or fingerprint when performing a connectivity test to a Unix host. This can be done without even creating an environment for that host. For example:
delphix> connectivity ssh
# configure address and credentials
...
delphix connectivity ssh *> edit sshVerificationStrategy
# configure SSH verification settings
SSH host verification errors
When the Delphix server initiates an SSH connection to a host and SSH host verification is configured (i.e. the verification strategy is not the default SshAcceptAlways), the server first checks the key presented by the host. Only if this check passes does the server attempt to authenticate. Therefore, a host key verification failure is reported to the user as "Unrecognized key or fingerprint" before any authentication failure. For example:
delphix connectivity ssh *> set credentials.password=<BAD PASSWORD>
delphix connectivity ssh *> set sshVerificationStrategy.rawKey=<BAD KEY>
delphix connectivity ssh *> commit
Error: Unrecognized key or fingerprint returned by host "example.environment.host".
Action: Contact your administrator as this could be a man-in-the-middle attack. Otherwise, correct the host's ssh key/fingerprint configuration.
delphix connectivity ssh *> set sshVerificationStrategy.rawKey=<GOOD KEY>
delphix connectivity ssh *> commit
Error: Unable to authenticate to host "example.environment.host" using username "myusername".
Action: Check the username and password and try again.