Logging In to the CLI of the Storage System Using a Public Key
Public key authentication uses a pair of associated public and private keys to authenticate users, instead of using usernames and passwords. This section uses PuTTY as an example to describe how to generate public and private keys as well as configure public key authentication to log in to the CLI.
Prerequisites
- Only a super administrator has the permission to modify users' authentication mode for logging in to the CLI.
- Public key authentication for logging in to the CLI is configured for local users only, not for domain users.
Precautions
- After a private key is generated, keep it secure.
- Change the public key periodically. Use the new private-public key pair for login authentication to improve system security.
Procedure
- The super administrator generates a private-public key pair for a local user.
- Run the puttygen.exe file.
Go to the PuTTY Key Generator main window, as shown in Figure 2-6.
- In the Parameters area in the lower part of the page, set Type of key to generate to SSH-2 RSA or SSH-2 DSA, and set Number of bits in a generated key to an integer from 2048 to 8192.
- Click Generate and move the cursor over the blank area in the lower part of the Key area to generate a public key.
The public key will be displayed in the area, as shown in Figure 2-7.
- Copy and save the public key to the local path.
- (Optional) In Key passphrase, enter a password to encrypt the private key. In Confirm passphrase, enter the password again.
For the security of the private key file, you are advised to configure a secure password to encrypt the private key file.
- The method to generate the private key file varies with the tool used to log in to the CLI.
- If you use PuTTY to log in to the CLI, click Save private key and save the private key file to the local path, as shown in Figure 2-8.
- If you use other tools to log in to the CLI, choose Conversions > Export OpenSSH key and save the private key file to the local path, as shown in Figure 2-9.
- The super administrator modifies the login authentication mode of local users.
- Log in to the CLI of the storage system as the super administrator.
- Run the change user_ssh_auth_info general user_name=test123 auth_mode=publickey command to change the user's authentication mode to public key. user_name specifies the user whose login authentication mode is to be modified.
- Copy the locally saved public key to Public key on the CLI as instructed, and press Enter.
After the command is executed successfully, the user logs in to the CLI using the private key that matches this public key.
admin:/>change user_ssh_auth_info general user_name=test123 auth_mode=publickey
CAUTION:Only public keys generated using the SSH-2 RSA/DSA encryption algorithm and using keys whose lengths range from 2048 to 8192 bits are supported.
Public key:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLuhb/KuHbyZi1n7yX6N3v5KG0JX8XdDnX0dfhN4yP7V+WXeqRt93YGepnsxIuvve1QCms3jxT8uy2kDMwRY6opLRV2qh5QCk1M54owpdnjwphs1g2oKyddt5iZ7xl0svZU7gfR2qP4WgGI8lBa9rA8bQlZWOd+mW6OJ80Wey37FcyZwNJpRNciTWfg2ju2sQuuvmtmum8hALQu930LbRWmTTtP33IAW/a1LMXjeEj49yhAAfL5OXVvyGMvDi3UfZJmWUZMF6eAG8joSiM50K8QuW7YUzW43t1LAXfGa7wBsp2u6HvckMXxzyr/3tanHkc1nuGZ55+Byw9mbnNn2Z root@Storage
Command executed successfully.
- Local users configure PuTTY and log in to the storage system.
- Start PuTTY.
Go to the PuTTY Configuration dialog box.
- Click Session. In the right pane, type the IP address of a storage system's management network port in the Host Name (or IP address) text box. Set Port and Connection type to 22 and SSH respectively.
- Choose Connection > Data. In the Login details text box in the right pane, type the name of the user whose login authentication mode was modified.
- Choose Connection > SSH > Auth. In the right pane, click Browse. Select and open the locally saved private key file.
- Click Open to log in to the CLI.
If a password was set to encrypt the private key in 1.e, type the password when logging in to the CLI, and then press Enter.
Using username "test123".
Authorized users only. All activities may be monitored and reported.
Authenticating with public key "imported-openssh-key"
Passphrase for key "imported-openssh-key":
Last login: XX XX XX XX:XX:XX XXXX from 192.168.18.158

WARNING: You have accessed the system.
You are required to have a personal authorisation from the system administrator before you use this computer.
Unauthorised access to or misuse of this system is prohibited.

System Name     : Huawei.Storage
Health Status   : Normal
Running Status  : Normal
Total Capacity  : 4.247TB
SN              : XXXXXXXXXX
Location        :
Product Model   : XXXX
Product Version : XXXX
Time            : XXXX-XX-XX/XX:XX:XX UTC+08:00
Patch Version   :
test123:/>
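The CAUTION printed by change user_ssh_auth_info limits accepted keys to SSH-2 RSA/DSA with lengths from 2048 to 8192 bits. The following added example (not part of the original documentation or of the vendor's tooling) parses the one-line public key copied from PuTTYgen and checks it against those limits before it is pasted into the CLI. The function names and the sample key builder are hypothetical, and measuring a DSA key by its prime p is an assumption.

```python
import base64
import struct

# Field index (0 = type string) of the number that defines the key size:
# RSA modulus n for ssh-rsa, DSA prime p for ssh-dss (assumption: this is
# how the storage system measures the key length quoted in its CAUTION).
SIZE_FIELD = {"ssh-rsa": 2, "ssh-dss": 1}


def _fields(blob):
    """Split an SSH wire-format blob into its 4-byte-length-prefixed fields."""
    out, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (size,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + size > len(blob):
            raise ValueError("truncated field")
        out.append(blob[pos:pos + size])
        pos += size
    return out


def check_public_key(line, min_bits=2048, max_bits=8192):
    """Return (key_type, bits), or raise ValueError for a key outside the limits."""
    parts = line.split()
    if len(parts) < 2 or parts[0] not in SIZE_FIELD:
        raise ValueError("expected 'ssh-rsa|ssh-dss <base64> [comment]'")
    key_type = parts[0]
    blob = base64.b64decode(parts[1], validate=True)  # binascii.Error is a ValueError
    fields = _fields(blob)
    if len(fields) <= SIZE_FIELD[key_type] or fields[0] != key_type.encode():
        raise ValueError("key blob does not match the declared key type")
    bits = int.from_bytes(fields[SIZE_FIELD[key_type]], "big").bit_length()
    if not min_bits <= bits <= max_bits:
        raise ValueError(f"{key_type} key is {bits} bits, outside {min_bits}-{max_bits}")
    return key_type, bits


def _mpint(value):
    """Encode a positive integer as an SSH mpint (leading 0x00 keeps it positive)."""
    raw = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return struct.pack(">I", len(raw)) + raw


def make_sample_rsa_line(bits):
    """Constructed input: correct wire format, but NOT a usable RSA key."""
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(65537) + _mpint((1 << (bits - 1)) | 1)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed@example"
```

Pass the full line saved from the PuTTYgen Key area to check_public_key; a ValueError means the key type or length falls outside what the CAUTION says is supported.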
Follow-up Procedure
To modify a user's login authentication mode to the Username+Password mode, run the change user_ssh_auth_info general user_name=test123 auth_mode=password command and use the original password to log in to the CLI of a storage system.