Secure SSH Authentication with NetScaler

Secure SSH Authentication with NetScaler. Public-private key pair configuration.


The following article describes the steps to secure SSH authentication with NetScaler 11 VPX.

Lab configuration

  • Two NetScalers configured in HA, located in the DMZ
  • NS01 – NSIP: 192.168.1.199
  • NS02 – NSIP: 192.168.1.200
  • HA IP: 192.168.1.201
  • MobaXterm and Putty installed on the Client

Generate public-private key pair with NetScaler

Connect to your NetScaler, and type the following commands:

The commands above create the new folder /root/.ssh and change the current directory to it.

Now create the keys with the ssh-keygen command below:

Generate Public and Private keys

  • -f specifies the output file name
  • -b specifies the key length in bits (the key strength)
  • -t specifies the key type (the algorithm)
  • -P specifies the passphrase (optional)
  • -C adds a comment (optional) that helps to identify the key

My suggestion is to use RSA 2048.

The passphrase attribute is optional but it is highly recommended to protect your private key with a password. You’ll enter the passphrase to unlock the private key but you would usually only do this once a day. The passphrase protects you because if someone manages to obtain a copy of your private key, they won’t be able to use it unless they also know your passphrase.

In /root/.ssh, two files are now available. The first file is the private key and the second is the public key.

Keys created

Convert private key to Putty format

Now transfer the private key (filename=nico) to your client. You need to convert that key because Putty does not support the OpenSSH key format.

Download Putty Key Generator here: Putty Key Generator 0.66, or from the editor's site.

Open Putty Key Generator.

Putty key generator

Import private key (nico) previously generated on the NetScaler.

Import private key

Enter your passphrase (Ex: Password1).

Enter passphrase

To convert the key to the Putty format, select Save private key and enter the new filename.

Private key conversion

The new format of the key is .ppk (Putty Private key).

Private key converted

The private key is now ready.

Authorize the key

Back on the primary NetScaler, run the following commands to append the public key of the client to the authorized_keys file:

You can check the permissions of the file with the following command:

authorized_keys file content:

The directory /root/.ssh should be as below:

.SSH directory

Copy the configuration into the nsconfig folder:

The ssh folder in nsconfig should be as below:

Keys copied

Sync configuration to all NetScalers

You need to manually copy your keys and the authorized_keys file to all NetScalers.

On the primary NetScaler, go to /flash/nsconfig and update the rc.netscaler file with the following:

The file is synchronized across all appliances in the HA pair and copies the authorized_keys file at boot. Reboot the secondary NetScaler to validate that the authorized_keys file is still present in /root/.ssh/ after the reboot.

Testing

Download Putty here: Putty 0.66, or from the editor's site.

Open Putty or an alternative (Ex: MobaXterm).

Go to Connection > SSH > Auth and select the previously generated private key located on your client.

Private key in Putty

Enter your passphrase.

Connected on the Primary NetScaler via Putty

Do the same with the secondary NetScaler (to validate the rc.netscaler configuration).

Connected on the secondary NetScaler via Putty

You can also test with the following commands:

  • From the primary appliance, run the following command:
  • From the secondary appliance, run the following command:

Change NSROOT password in command line

Disable Password Authentication

Copy the /etc/sshd_config file to the /nsconfig/ directory and set the PasswordAuthentication parameter to no.
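As an added example (not part of the original article), the POSIX sh audit below checks the end state the procedure aims for: an owner-only .ssh directory and authorized_keys file with at least one public key, and an sshd_config whose first uncommented PasswordAuthentication line is "no". The paths are passed as arguments so it can be run against /root/.ssh and /nsconfig/sshd_config on an appliance; here it runs against constructed scratch files, and the key line is a placeholder, not a real key.

```shell
# Added example: audit helpers for the key-only SSH configuration described above.

# Exit 0 if the group/other permission bits of $1 are all clear (0600 / 0700).
owner_only() {
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# Print the number of public-key lines found in the authorized_keys file $1.
count_keys() {
    grep -cE '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp[0-9]+) ' "$1" 2>/dev/null || true
}

# Exit 0 if the sshd_config $1 disables password logins. sshd honours the first
# occurrence of a keyword, so only the first uncommented line counts; when the
# keyword is absent sshd defaults to "yes", which is reported as not disabled.
password_auth_disabled() {
    v=$(grep -iE '^[[:space:]]*PasswordAuthentication[[:space:]]' "$1" \
        | head -n 1 | awk '{print tolower($2)}')
    [ "$v" = "no" ]
}

# Full audit: $1 is the .ssh directory, $2 the sshd_config. Exit 0 only when the
# directory and authorized_keys are owner-only, a key is present, and password
# authentication is off.
audit_ssh_keyauth() {
    owner_only "$1" && owner_only "$1/authorized_keys" \
        && [ "$(count_keys "$1/authorized_keys")" -gt 0 ] \
        && password_auth_disabled "$2"
}

# Constructed lab fixtures (placeholder key, not a real public key).
LAB=$(mktemp -d)
mkdir -m 700 "$LAB/.ssh"
printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER nico@netscaler-lab' > "$LAB/.ssh/authorized_keys"
chmod 600 "$LAB/.ssh/authorized_keys"
printf '%s\n' '# PasswordAuthentication yes' 'PasswordAuthentication no' > "$LAB/sshd_hardened"
printf '%s\n' 'Port 22' 'PasswordAuthentication yes' > "$LAB/sshd_default"

if audit_ssh_keyauth "$LAB/.ssh" "$LAB/sshd_hardened"; then echo "hardened config: PASS"; else echo "hardened config: FAIL"; fi
if audit_ssh_keyauth "$LAB/.ssh" "$LAB/sshd_default"; then echo "default config: PASS"; else echo "default config: FAIL"; fi
```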

Sources:
Citrix Documentation – Accessing an Appliance by Using SSH Keys and No Password
CTX109008 – How to Create a Key Pair for SSH Authentication by Using the ssh-keygen Utility
CTX109009 – How to Create a Key Pair for SSH Authentication by Using the PuTTYgen Utility
CTX114020 – The SSH authorized_keys Are Not Working
CTX121051 – How to Configure an SSH Access from a Primary NetScaler Appliance to a Secondary NetScaler Appliance with Private-Public keys
CTX120804 – How to Access the NetScaler Appliance by using the SSH Keys
