CLI cookbook: setting up SSH key authentication for UNIX environment users
This topic describes how to add public-key authentication for a UNIX environment user, allowing the Delphix server to connect to your UNIX environments without an explicit password. This method uses the Delphix CLI to set up the environment user and gather SSH keys.
UNIX host environments (and Oracle cluster environments) can have users configured to use SSH-key-based authentication instead of the traditional password authentication method.
Prerequisites
You must be able to log into the remote host (or all hosts of an Oracle cluster) and have write access to the ~/.ssh/authorized_keys file within the desired user's home directory.
Option 1: system key
Within Delphix, there is a per-system SSH public key that can be placed into the ~/.ssh/authorized_keys file of the remote user. Once this has been done, the Delphix environment user can be configured to use the private key instead of an explicit password. Note that it is also possible to configure an environment to use this system key in the Delphix Management application by navigating to Manage > Environments and selecting Public Key as the Login Type for the environment. For details, see Managing Environments.
Get the current system public key:
    delphix> system get sshPublicKey
    ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAse1M7uJX44lVPBljhnxB6MZUTx8VF6cupaVATg120lQonIqx29lP+Mwp0AWh7C983IDoYDo+AY7RXpcFP9nKksiJnGSGiK6wo9RIiqSnF1x/VXNkTt2/67RVofoiui4W5fuxD4hOIvoTr47Bg1hh9L6nhP0tnUvS/rusHFJ+ogxGHm46mwNlgUJUGmLTNao+W0YU693HRLukEch01t4k6olVGaC0eLjYlgBf0Z5XiIcBX6ZWqVHAhwMinVjAvmfQhirAgCI7gYrd5/PwNl/DC8xyhWuxd2jgA7sSPeRqWY0JHt/xcmdpIaPxTwtxQLKTnPxrFrQd+l4uf6LKxr5g7w== root@delphix
Add this key (starting with ssh-rsa) to the remote user's ~/.ssh/authorized_keys file. You will need to get access to this file using an alternate authentication mechanism (such as logging in as the user with a password or logging in as an administrator). Depending on the target OS, you may need to do the following:
If the directory does not exist:
    $ mkdir ~/.ssh
If creating the file or directory as an administrator:
    # chown -R <username> <home>/.ssh
If required by the host SSH configuration, restrict the permissions on the authorized_keys file and the home directory:
    $ chmod 600 ~/.ssh/authorized_keys
    $ chmod 755 ~
Create or edit an environment user:
    delphix> environment user create
Set the user environment and name:
    delphix environment user create *> set environment=environment1
    delphix environment user create *> set name=username
Set the user credential type to SystemKeyCredential:
    delphix environment user create *> set credential.type=SystemKeyCredential
Commit the results:
    delphix environment user create *> commit
Option 2: Per-environment key pair
Each environment user can also be configured to use an SSH key pair provided via the CLI or API.
Add the public key to the remote user's ~/.ssh/authorized_keys file. You will need to get access to this file using an alternate authentication mechanism (such as logging in as the user with a password or logging in as an administrator). Depending on the target OS, you may need to do the following:
If the directory does not exist:
    $ mkdir ~/.ssh
If creating the file or directory as an administrator:
    # chown -R <username> <home>/.ssh
If required by the host SSH configuration, restrict the permissions on the authorized_keys file and the home directory:
    $ chmod 600 ~/.ssh/authorized_keys
    $ chmod 755 ~
Create or edit an environment user:
    delphix> environment user create
Set the user environment and name:
    delphix environment user create *> set environment=environment1
    delphix environment user create *> set name=username
Set the user credential type to KeyPairCredential:
    delphix environment user create *> set credential.type=KeyPairCredential
Set the private and public keys:
    delphix environment user create *> set credential.privateKey="----BEGIN ..."
    delphix environment user create *> set credential.publicKey="ssh-rsa AA..."
(these example values were trimmed for brevity)
Commit the results:
    delphix environment user create *> commit
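The host-side steps shared by both options (creating ~/.ssh, adding the public key, restricting permissions) can be scripted so that re-running them is safe and malformed input is rejected. The following is an added example, not Delphix code; the function names install_pubkey and check_perms are hypothetical, and it assumes a POSIX shell with grep and find.

```sh
#!/bin/sh
# Added example, not Delphix code. install_pubkey and check_perms are
# hypothetical helper names.

# install_pubkey HOME_DIR 'TYPE BASE64 [COMMENT]'
# Adds one public key to HOME_DIR/.ssh/authorized_keys, once.
install_pubkey() {
    home=$1
    key=$2
    # Reject embedded newlines so one call can never add a second entry.
    case $key in
        *'
'*) echo "refusing multi-line key" >&2; return 2 ;;
    esac
    # The line must start with the key type: no leading options such as
    # command="..." and no private-key material.
    printf '%s\n' "$key" | grep -Eq \
        '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-[a-z0-9-]+) [A-Za-z0-9+/]+=*( .*)?$' \
        || { echo "not a public key line" >&2; return 2; }
    dir=$home/.ssh
    file=$dir/authorized_keys
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$file" && chmod 600 "$file" || return 1
    # Idempotent: append only when this exact line is absent.
    grep -qxF -- "$key" "$file" || printf '%s\n' "$key" >> "$file"
}

# check_perms HOME_DIR
# Fails if the home directory, .ssh or authorized_keys is group- or
# world-writable; sshd refuses such key files when StrictModes is on.
check_perms() {
    bad=$(find "$1" "$1/.ssh" "$1/.ssh/authorized_keys" -prune \
        \( -perm -020 -o -perm -002 \) -print 2>/dev/null)
    [ -z "$bad" ] && return 0
    printf 'group/world-writable: %s\n' "$bad" >&2
    return 1
}
```

When these steps are run as an administrator on behalf of another user, the chown step described above still applies afterwards.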