This article describes how to place a private key (typically id_rsa) in a JKS keystore for public-private key authentication. Think of public-private key authentication as a lock (the public key on the Telnet host) and the key that opens it (the private key used by the Telnet client). When StayLinked connects to a Telnet server with a private key from a JKS keystore, using a user ID whose "authorized_keys" file (in that user's .ssh directory, /root/.ssh for root) contains the matching public key, the server lets the user in without a password.
Once you have created the .jks file, place it in the ..\Stay-Linked folder. It is also essential to set the Emulation Properties described below; without them, key authentication will not work.
Below we describe how to create the JKS Keystore on Linux. Please note the following parameters:
- The following steps were done with Java 8 on CentOS 8 and RHEL 7.6 with the root user profile, using PuTTY to enter the commands.
- For Steps 2, 3, and 4 to work, change directory to the location of the id_rsa file first. This is usually the .ssh directory that ssh-keygen reports when it writes the key; for Linux logged on as root this is /root/.ssh.
- This procedure has also been confirmed to work from Windows 11 connecting to CentOS 8 and RHEL 7.6. The files were generated with OpenSSH_for_Windows_8.6p1 for Step 1 (path "%SYSTEMROOT%\System32\OpenSSH\"), Win64 OpenSSL v3.1.2 for Steps 2 and 3 (path "C:\Program Files\OpenSSL-Win64\bin"), and Java 8 for Step 4 (path "C:\Program Files\Semeru\jre-8.0.362.9-openj9\bin"). Please let StayLinked Support know if you need any additional assistance.
Manual Creation of JKS KeyStore File
Step 1: Use OpenSSH to generate a PEM-formatted public-private key pair. The following command generates a 2048-bit RSA key pair. Do not go below 2048 bits: 1024-bit RSA is no longer considered adequate, and current OpenSSH releases reject RSA keys smaller than 1024 bits outright. When the command runs, it asks for an optional passphrase (slpass is used in our example).
NOTE: If you have already been given a private key, skip this step.
ssh-keygen -m PEM -t rsa -b 2048
NOTE: If you have been given a PuTTY ppk file, you can extract the id_rsa from it by following "Exporting the Private key from a ppk file" at the end of this article.
NOTE: To authorize the key on the Telnet host, append the contents of the generated id_rsa.pub to the authorized_keys file in the .ssh directory of the user that will log in (create the file if it does not exist). Renaming id_rsa.pub to authorized_keys also works, but it overwrites any keys that user already had. sshd ignores the file unless the .ssh directory is mode 700 and authorized_keys is mode 600 and both are owned by that user.
Step 2: Use OpenSSL to create a self-signed PEM certificate from the private id_rsa key generated above. The certificate exists only so that the key can be packaged in PKCS #12 and JKS, which store keys with certificates. If you were given a private key with a different name, replace 'id_rsa' in the following command with the name of that key. This step asks for the private key's passphrase, if it has one (slpass in our example).
NOTE: The commands for Steps 2 and 3 must be run in the folder containing the id_rsa file.
openssl req -new -x509 -key id_rsa -out cert.pem -days 365
NOTE: The command asks for miscellaneous certificate details (country, organization, and so on). They have no effect on SSH authentication, so Enter can be pressed at each prompt.
Step 3: Use OpenSSL to create an encrypted PKCS #12 keystore from the private key and the PEM certificate. If you were given a private key with a different name, replace 'id_rsa' with the name of that key.
openssl pkcs12 -inkey id_rsa -in cert.pem -export -out ks.p12
NOTE: If the id_rsa key has a passphrase (set in Step 1), you will be asked for it here (slpass in our example).
NOTE: You MUST provide a password for the exported PKCS #12 keystore; it is needed again in Step 6 (exppass is used in this example).
NOTE: When the PKCS #12 file is created, the private key and PEM certificate are stored together as a single key entry with the alias '1'.
Step 4: Use keytool (shipped with the Java JRE/JDK) to convert the PKCS #12 keystore to a JKS keystore.
keytool -importkeystore -srckeystore ks.p12 -destkeystore keystore.jks
NOTE: You MUST provide a password for the JKS keystore; it is needed again in Step 6 (jkspass is used in this example).
NOTE: On Java 8 the default keystore type is JKS, so the command above produces a JKS file. On Java 9 and later the default type is PKCS12, so add -deststoretype JKS to the command to get a JKS file, and be aware that the password of the alias may then be the keystore password rather than the PKCS #12 password (see the note under Step 6).
Step 5: Move keystore.jks off the machine that generated it (copy it over a secure channel, then delete the local copy) and place it in the root of the StayLinked server folder (../stay-linked). Also delete ks.p12, which contains the same private key. Anyone holding either file plus its password can log in as the user whose authorized_keys contains this key.
Step 6: In the Administrator, add the following Emulation Properties along with standard SSH properties. These can be found under Emulation Settings -> Telnet Host Groups -> Telnet Host -> Host Entry -> Emulation Properties
- SSH Public Key Alias (the value is "1", as described under Step 3)
- SSH Public Key Alias Password (the alias password is the PKCS #12 password set in Step 3, "exppass" in our example. NOTE: JKS files created with Java versions other than 8 may instead require the keystore password from Step 4)
- SSH Public Keystore File Path ("keystore.jks" in our example)
- SSH Public Keystore Password (the keystore password set in Step 4, "jkspass" in our example)
- Use SSH Public Key Authentication (Set to "True"), not needed for VT-SMARTTE
NOTE: The file names and passwords do not have to match the example above; use whatever was entered in Steps 3 and 4.
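The following script, added here as an example and not part of StayLinked's tooling, runs Steps 1 through 4 non-interactively and then checks the result before the keystore is handed to the server: it confirms that alias "1" is a private-key entry and that the key inside keystore.jks is the same key whose public half goes into authorized_keys, which is the mismatch that most often leaves a user stuck at the password prompt. It also shows the authorized_keys install from the Step 1 note, appending rather than renaming and setting the permissions sshd insists on. The passphrases slpass, exppass and jkspass, the comment "staylinked", the certificate subject and the directory arguments are assumptions taken from or added to this article's example; change them before real use.

```shell
#!/bin/sh
# Added example (not StayLinked's own code): Steps 1-4 of the article, non-interactive,
# plus verification and authorized_keys installation. POSIX sh; needs ssh-keygen,
# openssl and keytool on PATH.
set -eu

KEYPASS=${KEYPASS:-slpass}    # Step 1 passphrase on id_rsa (assumed value from the article)
P12PASS=${P12PASS:-exppass}   # Step 3 PKCS #12 password = "SSH Public Key Alias Password"
JKSPASS=${JKSPASS:-jkspass}   # Step 4 JKS password      = "SSH Public Keystore Password"

# Create id_rsa, id_rsa.pub and keystore.jks inside directory $1 (created if missing).
build_keystore() (
  dir=$1
  mkdir -p "$dir" && chmod 700 "$dir" && cd "$dir"

  # Step 1: PEM-format RSA key pair. 2048 bits is the floor, not a target.
  ssh-keygen -q -m PEM -t rsa -b 2048 -N "$KEYPASS" -f id_rsa -C "staylinked"

  # Step 2: throw-away self-signed certificate; subject and lifetime only satisfy
  # the PKCS #12/JKS container format and play no part in SSH authentication.
  openssl req -new -x509 -key id_rsa -passin "pass:$KEYPASS" \
      -subj "/CN=staylinked-ssh" -days 365 -out cert.pem

  # Step 3: PKCS #12 with the alias pinned to "1", matching the article's Step 6 value.
  openssl pkcs12 -export -inkey id_rsa -passin "pass:$KEYPASS" -in cert.pem \
      -name 1 -passout "pass:$P12PASS" -out ks.p12

  # Step 4: convert to JKS. -deststoretype is required on Java 9+ (default is PKCS12)
  # and harmless on Java 8; -destkeypass pins the alias password to the Step 3 value.
  keytool -importkeystore -noprompt \
      -srckeystore ks.p12 -srcstoretype PKCS12 -srcstorepass "$P12PASS" \
      -srcalias 1 -srckeypass "$P12PASS" \
      -destkeystore keystore.jks -deststoretype JKS -deststorepass "$JKSPASS" \
      -destalias 1 -destkeypass "$P12PASS"

  # The intermediates are no longer needed; ks.p12 holds the private key, so remove it.
  rm -f ks.p12 cert.pem
  chmod 600 id_rsa keystore.jks
)

# Check keystore.jks in directory $1: alias "1" must be a PrivateKeyEntry and must hold
# the same RSA key as id_rsa.pub (the key that will be authorized on the host).
verify_keystore() (
  dir=$1
  cd "$dir"
  keytool -list -keystore keystore.jks -storepass "$JKSPASS" -alias 1 2>/dev/null \
      | grep -q PrivateKeyEntry
  # Export the certificate for alias 1, pull its public key, convert it to OpenSSH
  # form and compare key type and base64 blob with id_rsa.pub (the comment is ignored).
  keytool -exportcert -rfc -keystore keystore.jks -storepass "$JKSPASS" -alias 1 2>/dev/null \
      | openssl x509 -pubkey -noout > jks_pub.pem
  from_jks=$(ssh-keygen -i -m PKCS8 -f jks_pub.pem | cut -d' ' -f1,2)
  from_ssh=$(cut -d' ' -f1,2 id_rsa.pub)
  rm -f jks_pub.pem
  [ "$from_jks" = "$from_ssh" ]
)

# Append public key file $2 to authorized_keys in .ssh directory $1, with the
# permissions sshd's StrictModes requires. Appending (not renaming id_rsa.pub) keeps
# keys the user already had; the grep makes a re-run idempotent.
install_authorized_key() (
  dir=$1; pub=$2
  mkdir -p "$dir" && chmod 700 "$dir"
  touch "$dir/authorized_keys" && chmod 600 "$dir/authorized_keys"
  grep -qxF "$(cat "$pub")" "$dir/authorized_keys" || cat "$pub" >> "$dir/authorized_keys"
)

# Usage (run as the generating user, then move keystore.jks to ../stay-linked):
#   build_keystore /root/.ssh && verify_keystore /root/.ssh
#   install_authorized_key /home/scanner/.ssh /root/.ssh/id_rsa.pub   # on the Telnet host
```

If verify_keystore fails on the grep, alias "1" is missing (check the -name value used in Step 3 and which keystore type keytool actually wrote); if it fails on the final comparison, the keystore was built from a different key than the one in authorized_keys. The usage lines at the end are examples of directories, not fixed paths.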
Exporting the Private key from a ppk file
This can be done fairly simply with PuTTYgen (PuTTY Key Generator).
In the interface, click "Load" and load the ppk (PuTTY Private Key) file.
Once it is loaded, open the "Conversions" menu at the top and choose "Export OpenSSH key". This writes a private key file that can be used in Step 2 of "Manual Creation of JKS KeyStore File" above. NOTE: Do not use "Export OpenSSH key (force new file format)": that writes the newer OpenSSH private key format, which the OpenSSL command in Step 2 cannot read.