Secure SSH Authentication with NetScaler. Public-private key pair configuration.
More from the Lab!
- Building a Dual-Xeon Citrix Lab: Part 1 – Considerations
- Building a Dual-Xeon Citrix Lab: Part 2 – Hardware
- Building a Dual-Xeon Citrix Lab: Part 3 – Windows and Hyper-V installation
- Lab: Part 4 – Hyper-V Networking
- Lab: Part 5 – NetScaler 11 Architecture and Installation
- Lab: Part 6 – Configure NetScaler 11 High Availability (HA Pair)
- Lab: Part 7 – Upgrade NetScalers in HA
- Lab: Part 8 – Save, Backup and Restore NetScaler 11 configuration
- Lab: Part 9 – Install Microsoft SQL Server 2014 (Dedicated)
- Lab: Part 10 – Citrix Licensing demystified
- Lab: Part 11 – Install XenDesktop 7.6
- Lab: Part 12 – Setup NetScaler 11 Clustering (TriScale)
- Lab: Part 13 – Configure Published Applications with XenDesktop 7.6
- Lab: Part 14 – Citrix StoreFront 3.x
- Lab: Part 15 – Configure SSL in StoreFront
- Lab: Part 16 – StoreFront load balancing with NetScaler (Internal)
- Lab: Part 17 – Optimize and secure StoreFront load balancing with NetScaler (Internal)
- Lab: Part 18 – Secure LDAP (LDAPS) load balancing with Citrix NetScaler 11
- Lab: Part 19 – Configure Active Directory authentication(LDAP) with Citrix NetScaler 11
- Lab: Part 20 – RDP Proxy with NetScaler Unified Gateway 11
- Lab: Part 21 – Secure SSH Authentication with NetScaler (public-private key pair)
- Lab: Part 22 – Ultimate StoreFront 3 customization guide
- Lab: Part 23 – Securing Citrix StoreFront DMZ deployment
- Lab: Part 25 – Upgrade to Citrix StoreFront 3.7
- Lab: Part 26 – Install/Upgrade Citrix XenDesktop 7.11
- Lab: Part 27 – Getting started with Microsoft Azure
- Lab: Part 28 – Getting started with Citrix Cloud
- Lab: Part 29 – Configure XenDesktop And XenApp Service with Microsoft Azure and Citrix Cloud
- Lab: Part 30 – Configure Identity and Access Management in Citrix Cloud with Microsoft Azure AD
- Lab: Part 31 – Configure NetScaler Gateway Service for XenApp and XenDesktop Service in Citrix Cloud
- Lab: Part 32 – Configure MCS with XenDesktop and XenApp Service in Citrix Cloud
- Lab: Part 33 – Configure Azure Quick Deploy with XenDesktop and XenApp Service in Citrix Cloud
- Lab: Part 34 – Configure Site Aggregation for Citrix Workspace in Citrix Cloud with XenDesktop 7.x located on-premises
- Lab: Part 35 – Configure a Hybrid NetScaler MA Service environment in Citrix Cloud
- Lab: Part 36 – Configure ShareFile in Citrix Cloud with StorageZones on-premises
- Lab: Part 37 – Upgrade NetScaler HA pair with NetScaler MA Service in Citrix Cloud
- Lab: Part 38 – How to Configure Full VPN Setup with Citrix NetScaler in CLI
- Lab: Part 39 – Configure Multi-Factor Authentication with Azure MFA Service and Citrix Workspace
- Lab: Part 40 – Getting Started with Citrix App Layering
- Lab: Part 41 – Configure Citrix App Layering
- Lab: Part 42 – OS Layer with Citrix App Layering
- Lab: Part 43 – Platform Layer with Citrix App Layering
- Lab: Part 44 – Application Layers with Citrix App Layering
- Lab: Part 45 – Layered Image Deployment with Citrix App Layering
- Lab: Part 46 – Elastic deployment with Citrix App Layering
- Lab: Part 47 – User Layers with Citrix App Layering
- Lab: Part 48 – Windows 10 and PVS with Citrix App Layering
The following article describes the steps to secure SSH authentication with NetScaler 11 VPX.
Lab configuration
- 2 NetScalers configured in HA located in DMZ
- NS01 – NSIP: 192.168.1.199
- NS02 – NSIP: 192.168.1.200
- HA IP: 192.168.1.201
- MobaXterm and Putty installed on the Client
Generate public-private key pair with NetScaler
Connect to your NetScaler, and type the following commands:
    mkdir /root/.ssh
    cd /root/.ssh
The commands above create a new folder /root/.ssh and make it the current directory.
Now create the keys with the ssh-keygen command and the following attributes:
- The -f attribute is the file name
- The -b attribute specifies the encryption strength (key size in bits)
- The -t attribute specifies the encryption (key type)
- The -P attribute is the passphrase (optional)
- The -C attribute is optional but helps to identify the keys
My suggestion is to use RSA 2048.
The passphrase attribute is optional but it is highly recommended to protect your private key with a password. You’ll enter the passphrase to unlock the private key but you would usually only do this once a day. The passphrase protects you because if someone manages to obtain a copy of your private key, they won’t be able to use it unless they also know your passphrase.
In /root/.ssh, 2 files are now available. The first file is the private key and the second is the public key.
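The key generation step with the attributes listed above, as an added example that is not the article's own command. The `make_keypair` and `key_bits` function names and their arguments are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: generate an RSA 2048 key pair with the attributes the
# article lists (-f, -b, -t, -P, -C), then confirm what was created.
# make_keypair and key_bits are hypothetical names for this sketch.

# usage: make_keypair <directory> <file name> <passphrase> <comment>
make_keypair() {
    dir=$1; name=$2; pass=$3; comment=$4
    # Refuse to overwrite an existing key instead of letting ssh-keygen prompt.
    if [ -e "$dir/$name" ]; then
        echo "refusing to overwrite $dir/$name" >&2
        return 1
    fi
    (
        umask 077                  # new directory and key files: owner only
        mkdir -p "$dir" &&
        ssh-keygen -q -f "$dir/$name" -b 2048 -t rsa -P "$pass" -C "$comment"
    ) || return 1
    # ssh-keygen -l prints "<bits> <fingerprint> <comment> (<type>)".
    ssh-keygen -l -f "$dir/$name.pub"
}

# Bit length that ssh-keygen reports for a public key file.
key_bits() {
    ssh-keygen -l -f "$1" | awk '{ print $1 }'
}

# Example call with the article's directory and file name:
#   make_keypair /root/.ssh nico 'Password1' 'nicolas@citrixguru.com'
```

Leaving out -P makes ssh-keygen prompt for the passphrase instead, which keeps it out of the shell history and the process list.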

Convert private key to Putty format
Now transfer the private key (filename=nico) to your client. You need to convert that key because Putty does not support OpenSSH format.
Download the Putty Key Generator here: Putty Key Generator 0.66, or from the publisher.
Open Putty Key Generator.

Import private key (nico) previously generated on the NetScaler.

Enter your passphrase (Ex: Password1).

To convert the key to the Putty format, select Save private key and enter the new filename.

The new format of the key is .ppk (Putty Private key).

The private key is now ready.
Authorize the key
Back on the primary NetScaler, run the following commands to append the public key of the client to the authorized_keys file:
    cd /root/.ssh
    cat nico.pub >> /nsconfig/ssh/authorized_keys
    chmod 644 /nsconfig/ssh/authorized_keys
You can check the permissions of the file with the following command:
    ls -l /nsconfig/ssh/authorized_keys
authorized_keys file content:
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBgitWOm+HSyGBjRe2RTB90YW5WLosFk4nZ8J2VfQT6wkRAkNbDNy18p8ieh5yBLEPgu71Ce4dSXK1/0o60XZMtfWXtycxWS1fd0nslBr8yxnxteQMY5FpIaRXbpstB1azTagDOtrELm/q9RYU+xzYqYZPNq3JzEOOyjWxH9Lk+HCWEtoUWUI20/wFiIq1XeYmbfsyy2F+xwOuewOwbJ1fdQi6wTdgh9s9Opfrfuk2/h4UO1LAw9umybteeMfKali/5BwWErSSESbZFWxgi6id8IdUfmLJTbLuTm96m8bRBtmYIsC2ExuzUxR4AVQNClUnbAExUofKWbXeYk/QIQnh nicolas@citrixguru.com
The directory /root/.ssh should be as below:

Copy the configuration to the nsconfig folder:
    cp nico.pub /nsconfig/ssh/
    cp nico /nsconfig/ssh/
    cp authorized_keys /nsconfig/ssh/authorized_keys
The ssh folder in nsconfig should be as below:

Sync configuration to all NetScalers
You need to manually copy your keys and the authorized_keys file to all NetScalers.
    scp /root/.ssh/authorized_keys nsroot@192.168.1.199:/nsconfig/ssh/
    scp /root/.ssh/nico nsroot@192.168.1.199:/nsconfig/ssh/
    scp /root/.ssh/nico.pub nsroot@192.168.1.199:/nsconfig/ssh/
On the primary NetScaler, go to /flash/nsconfig and update the rc_netscaler file with the following:
    mkdir /root/.ssh
    cp /nsconfig/ssh/authorized_keys /root/.ssh/
The rc_netscaler file is synchronized across all the appliances that are part of the HA pair and copies the authorized_keys file during the boot of the NetScaler. Reboot the secondary NetScaler to validate that the authorized_keys file is still present in /root/.ssh/ after the reboot.
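A check of the files the authorize and sync steps leave behind, as an added example that is not part of the original article. It flags authorized_keys entries appended twice by a repeated `cat >>`, malformed lines, and file modes that expose a private key or let others edit authorized_keys. The function names are assumptions, and the caller supplies the paths.

```shell
#!/bin/sh
# Added example: audit the key files left behind by the steps above.
# Function names are hypothetical; the caller supplies the file paths.

# Group/other permission characters from ls -l, e.g. "r--r--" for mode 644.
group_other_bits() {
    ls -ld "$1" | cut -c5-10
}

# authorized_keys must not be writable by group or other (644 passes);
# sshd's StrictModes check refuses the file otherwise.
authorized_keys_mode_ok() {
    case $(group_other_bits "$1") in
        ?w????|????w?) return 1 ;;
        *) return 0 ;;
    esac
}

# A private key must grant nothing to group or other (600 or 400 passes).
private_key_mode_ok() {
    [ "$(group_other_bits "$1")" = "------" ]
}

# Report malformed lines and keys appended twice by a repeated "cat >>".
# Exit status is non-zero when anything was reported.
audit_authorized_keys() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
        {
            blob = ""
            for (i = 1; i < NF; i++)             # options may precede the key type
                if ($i ~ /^(ssh-rsa|ssh-ed25519|ssh-dss|ecdsa-sha2-)/) {
                    blob = $(i + 1); break
                }
            # An SSH public key blob opens with a length field: base64 "AAAA".
            if (blob !~ /^AAAA[A-Za-z0-9+\/]+=*$/) {
                printf "line %d: malformed entry\n", NR; bad = 1; next
            }
            if (seen[blob]++) {
                printf "line %d: duplicate key\n", NR; bad = 1; next
            }
            n++
        }
        END { printf "%d distinct key(s)\n", n + 0; exit bad + 0 }
    ' "$1"
}
```

On the appliance the checks would be run against /nsconfig/ssh/authorized_keys and the copied private key /nsconfig/ssh/nico.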
Testing
Download Putty here: Putty 0.66, or from the publisher.
Open Putty or an alternative (Ex: MobaXterm).
Go to Connection > SSH > Auth and select the previously generated private key located on your client.

Enter your passphrase.

Do the same with the secondary NetScaler (to validate the rc_netscaler configuration).

You can also test with the following commands:
- From the primary appliance, run the following command:
    ssh nsroot@<NS02-NSIP>
- From the secondary appliance, run the following command:
    ssh nsroot@<NS01-NSIP>
Change NSROOT password in command line
    set system user nsroot <PASSWORD>
Disable Password Authentication
Copy the /etc/sshd_config file to the /nsconfig/ directory and set the PasswordAuthentication parameter to no.
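One way to make that edit repeatable, as an added example that is not part of the original article: it writes the copy with password logins disabled and refuses to do so while no key is authorized. The function names are assumptions; the paths in the usage comment are the ones the article uses.

```shell
#!/bin/sh
# Added example: write a copy of sshd_config with password logins disabled.
# disable_password_auth and effective_password_auth are hypothetical names.

# usage: disable_password_auth <source sshd_config> <destination> <authorized_keys>
disable_password_auth() {
    src=$1; dst=$2; keys=$3
    # Lockout guard: keep password logins until at least one key is authorized.
    if ! grep -Eq '^[[:space:]]*[^#[:space:]]' "$keys" 2>/dev/null; then
        echo "no authorized key in $keys, leaving password logins enabled" >&2
        return 1
    fi
    tmp=$dst.tmp.$$
    # sshd uses the first value it reads for a keyword, so the new setting goes
    # at the top and every other active PasswordAuthentication line is
    # commented out (keywords are case-insensitive).
    {
        echo "PasswordAuthentication no"
        awk 'tolower($1) == "passwordauthentication" { print "#" $0; next }
             { print }' "$src"
    } > "$tmp" && mv "$tmp" "$dst"
}

# Effective global value: the first active occurrence wins, the default is yes.
effective_password_auth() {
    awk 'tolower($1) == "passwordauthentication" {
             print tolower($2); found = 1; exit
         }
         END { if (!found) print "yes" }' "$1"
}

# Example call with the article's paths:
#   disable_password_auth /etc/sshd_config /nsconfig/sshd_config \
#       /nsconfig/ssh/authorized_keys
```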