Configure the SSH server and client

Perform the following tasks to configure the SSH server and client:

Extract the SSH client public key from the zip file.
Convert the SSH client public key file from DER to PEM format.
Configure the SSH client public key on the SSH server and disable non-key-based authentication modes.

Extract the public key

Perform the following steps to extract the SSH client public key from the zip file:

Open a terminal session and go to the location of the SSH client public key zip file exported from the CryptoHub.

Run the following command to extract the SSH client public key from the zip file, modifying the file name to match the actual name of your file.

Shell

unzip archive171924.zip

You should see the following output:

None

Archive:  archive171924.zip
 extracting: SSH.pub

The SSH.pub file is in DER format, meaning the public key is binary encoded.

Convert the public key file

This section uses OpenSSL to convert the SSH.pub file from DER to PEM format. PEM is a method of encoding binary data as a string (also known as ASCII armor). Perform the following steps to convert the SSH client public key file from DER to PEM format:

Run the following OpenSSL command to convert the public key exported from the CryptoHub in DER format to PEM format (as required for the ssh-keygen command in the next section):

Shell

openssl rsa -inform DER -outform PEM -in SSH.pub -out SSH_pubkey.pem -pubin

Configure the public key

Perform the following steps to configure the SSH client public key on the SSH server and disable non-key-based modes of authentication:

SSH requires a specific format for the public keys used within an SSH session. Run the following ssh-keygen command to convert the SSH_pubkey.pem file from the previous command to the required SSH public key format and add it to the ~/.ssh/authorized_keys file:

Shell

ssh-keygen -f SSH_pubkey.pem -i -m PKCS8 >> ~/.ssh/authorized_keys

Run the following command to open the SSH daemon configuration file:

Editing this file requires sudo privileges.

Shell

sudo vim /etc/ssh/sshd_config

Inside the file, confirm the following directive is present:

Text

PubkeyAuthentication yes

Optionally, you can also set the following directives to make the SSH daemon only respond to SSH keys:

Text

PasswordAuthentication no
ChallengeResponseAuthentication no

Save and close the file when finished. To implement these changes, restart the SSH service.On Ubuntu or Debian machines, run the following command:

Shell

sudo systemctl restart sshd

On CentOS or Fedora machines, run the following command:

Shell

sudo service sshd restart

Service guides

Certificate Authority

Certificate management

Certificate validation

Cloud key management

Code signing

Credential management

Data protection

Data storage

Database

Digital signing

DNS

Endpoint management

Firewall

Generic

IT automation and orchestration

Key management

Privileged access management

Secrets management

SSH

TLS offloading

Virtualization

VPN

Extract the public key

Convert the public key file

Configure the public key

Service guides

Certificate Authority

Certificate management

Certificate validation

Cloud key management

Code signing

Credential management

Data protection

Data storage

Database

Digital signing

DNS

Endpoint management

Firewall

Generic

IT automation and orchestration

Key management

Privileged access management

Secrets management

SSH

TLS offloading

Virtualization

VPN

Documentation Index

​Extract the public key

​Convert the public key file

​Configure the public key

Extract the public key

Convert the public key file

Configure the public key