A step-by-step guide for enabling EFS keystore access while OpenSSH Public Key Authentication is used
In general, the Encrypted File System (EFS) support on AIX enables individual users on the system to encrypt their data and access it through keyed protection. Users can set up keys and assign a default key for EFS. These keys are stored in a cryptographically protected keystore, and upon successful login the user's keys are loaded into the kernel and associated with the user's processes.
Private keys are associated with users and groups. These keys are stored in keystores that are protected by passwords. A user keystore contains the user's private key and also the passwords needed to open the user's group keystores; the group keystores contain the groups' private keys.
When a process opens a keystore, either at user login time or through a specific EFS user command, the keys contained in this keystore (and related keystores) are loaded into the kernel and associated with the process credentials. Later on, when the process needs to open an EFS-protected file, these credentials are tested. If a key matching the file protection is found, the process is able to decrypt the file key and therefore the file content.
Keystore creation or opening can happen at login time, by way of an EFS LAM (old) or PAM (new) module. These modules, as well as the commands (for example, chmod), make calls to EFS APIs provided by the libefs.a library. Two user commands exist, efsmgr and efskeymgr, to give the user and the administrator some control over EFS.
The server uses its own public and private key pair to establish the connection. Because SSH key pairs are also used to authenticate users on a server, each user has their own public and private key for this purpose. OpenSSH comes with a tool called ssh-keygen to generate key pairs; by default it generates a 2048-bit RSA key. Generate the host keys for the SSH server based on the protocol that you plan to use (host keys allow a client to verify the identity of the server). The key files must be stored in the IBM-1047 (EBCDIC) code set.
Create a user on the client side and generate keys for this user. Public/private key pairs can be generated using the ssh-keygen command.
On the server side, edit /etc/ssh/sshd_config and set PubkeyAuthentication yes.
On the client side, edit /etc/ssh/ssh_config and set AllowPKCS12keystoreAutoOpen yes.
On the server side, edit /etc/ssh/sshd_config and set AllowPKCS12keystoreAutoOpen yes.
Generate keys with the following command using a user created as follows:
The ssh-keygen command prompts for a passphrase, which is used to encrypt the private-key file on the client side. ssh-keygen also accepts an empty passphrase, in which case the private-key file is not encrypted.
Copy the public key to the server into the file ~/.ssh/authorized_keys.
Similarly, any number of client users' public keys can be copied into the ~/.ssh/authorized_keys file of the server user account.
EFS has to be enabled on the server side using the efsenable command, which creates the admin keystore. A keystore gets created for a user in two cases.
The path where user keystore gets created on the system is /var/efs/users/<userlogin>/keystore.
The user keystore is in PKCS#12 format and contains public and private objects. Private objects are protected by the user access key, which is simply a hash of a user-defined password (either the login password or another password specific to EFS).
A public key cookie needs to be created and inserted into the keystore on the server side. The user invokes the efskeymgr command to insert the cookie. A public key cookie is the user's password encrypted with the user's public key.
The following steps show how to create a keystore for a user and insert the public key cookies.
When all the previous configuration settings are complete, run ssh to log on to the remote machine using public key authentication.
Run the following command to log on to the remote machine:
The OpenSSH client user ram is now set up for public key authentication to user laxman on the OpenSSH server with EFS login. Verify this with an ssh login from the client:
This setup can be used along with DB2 UDB DPF for which OpenSSH public key authentication can be used. The DB2 tables are encrypted using EFS.
Check that all the configurations listed above have been performed. Check that the public key cookie was inserted properly by the efskeymgr command by comparing the keystore file size before and after the insertion. Enable debug logging for sshd and check for any failures. Also, verify once with password authentication that both the account login and the EFS login succeed.
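The first troubleshooting step above is to confirm the three OpenSSH settings required earlier (PubkeyAuthentication and AllowPKCS12keystoreAutoOpen on the server, AllowPKCS12keystoreAutoOpen on the client). The following POSIX sh script is an added example, not part of the original article: it reads an OpenSSH config file the way OpenSSH does (keywords are case-insensitive, "#" starts a comment, the first occurrence of a keyword wins) and reports any setting that does not match. It assumes the keywords sit in the global section of each file; Match blocks are not evaluated and ssh_config Host blocks are treated as global.

```shell
#!/bin/sh
# Added example (not from the original article or from AIX/OpenSSH).
# ssh_option_value FILE KEYWORD: print the effective value of KEYWORD in an
# OpenSSH config file, or nothing if it is unset. Mirrors OpenSSH's rules:
# case-insensitive keyword, "Keyword value" or "Keyword=value", comments
# start with "#", and the FIRST occurrence wins. Stops at the first Match
# block because values inside it are conditional (assumption: the checked
# settings are global).
ssh_option_value() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        tolower($1) == "match"   { exit }      # values inside Match are conditional
        {
            sub(/=/, " ")                      # normalise Keyword=value to Keyword value
            if (tolower($1) == key) { print $2; exit }
        }' "$1"
}

# check_efs_ssh_config SSHD_CONFIG SSH_CONFIG: verify the settings the article
# requires for EFS keystore auto-open over public-key authentication.
# Prints each mismatch; returns 0 if everything is set, 1 otherwise.
check_efs_ssh_config() {
    rc=0
    for spec in "$1|PubkeyAuthentication|yes" \
                "$1|AllowPKCS12keystoreAutoOpen|yes" \
                "$2|AllowPKCS12keystoreAutoOpen|yes"; do
        file=${spec%%|*}; rest=${spec#*|}
        key=${rest%%|*};  want=${rest#*|}
        got=$(ssh_option_value "$file" "$key")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $file: $key is '${got:-unset}', expected '$want'"
            rc=1
        fi
    done
    return $rc
}

# On a live host: sh check_efs_ssh.sh /etc/ssh/sshd_config /etc/ssh/ssh_config
if [ "$#" -eq 2 ]; then
    check_efs_ssh_config "$1" "$2"
fi
```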
Users must generate a public/private key pair when their site implements host-based authentication or user public-key authentication. For additional options, see the ssh-keygen(1) man page.
Determine from your system administrator whether host-based authentication is configured.
Start the key generation program.
where -t is the type of algorithm, one of rsa, dsa, or rsa1.
Specify the path to the file that will hold the key.
By default, the file name id_rsa, which represents an RSAv2 key, appears in parentheses. You can select this file by pressing the Return key, or you can type an alternative file name.
The file name of the public key is created automatically by appending the string .pub to the name of the private key file.
Type a passphrase for using your key.
This passphrase is used for encrypting your private key. A null entry is strongly discouraged. Note that the passphrase is not displayed when you type it in.
Retype the passphrase to confirm it.
Check the results.
Check that the path to the key file is correct.
At this point, you have created a public/private key pair.
Choose the appropriate option:
If your administrator has configured host-based authentication, you might need to copy the local host's public key to the remote host.
You can now log in to the remote host. For details, see How to Log In to a Remote Host With Solaris Secure Shell.
Type the command on one line with no backslash.
When you are prompted, supply your login password.
If your site uses user authentication with public keys, populate your authorized_keys file on the remote host.
Copy your public key to the remote host.
Type the command on one line with no backslash.
When you are prompted, supply your login password.
When the file is copied, the message "Key copied" is displayed.
(Optional) Reduce the prompting for passphrases.
For a procedure, see How to Reduce Password Prompts in Solaris Secure Shell. For more information, see the ssh-agent(1) and ssh-add(1) man pages.
In the following example, the user can contact hosts that run v1 of the Solaris Secure Shell protocol. To be authenticated by v1 hosts, the user creates a v1 key, then copies the public key portion to the remote host.