The SSH authorized_keys stored in the /root/.ssh directory are lost after restarting the NetScaler appliance, or the authorized_keys stored in the /nsconfig/ssh directory are not working.
To resolve this issue, edit the /nsconfig/ssh/authorized_keys file and copy or append client keys to the file. If the key was created using a password, then you must connect to the NetScaler appliance using an SSH utility after appending the key to the authorized_keys file and log on as nsroot with the password used to create the key. The subsequent logons using the key no longer require manual password entry.
To verify the permissions on the /flash directory, run the following command:
root@ns# ls -al /flash
If the directory is writable by all users, the first entry in the sample output of the command is the following:
drwxrwxrwx 6 root wheel 512 Jul 13 14:00
To change the permissions so that the directory is writable only by the owner, run the following command:
root@ns# chmod 755 /flash
Note: If there is an HA cluster with two NetScalers, run the chmod 755 command on the Primary first. If you run the command on the Secondary first, the permissions revert to 777.
The preceding command restores the directory to the proper permission settings, as shown in the following sample output:
drwxr-xr-x 6 root wheel 512 Jul 13 14:00
It might also be necessary to change the permissions on the /flash/nsconfig directory by running the following command:
root@ns# chmod 755 /flash/nsconfig
Any data stored in volatile file system space (any file system other than /flash and /var) is lost when you restart the appliance. Therefore, if you have stored any authorized_keys files in the /root file system, the files are lost when you restart the appliance.
To make the authorized_keys file persistent across restarts of the appliance, you must store the file in the /nsconfig/ssh directory, which is a symbolic link to the /flash/ssh directory. The NetScaler appliance uses a proprietary build of sshd that searches the /nsconfig/ssh directory for the authorized_keys file. Therefore, you do not need to modify the sshd_config file.
If you have stored the keys in the /nsconfig/ssh directory and the keys do not appear to be working, check the permissions on the /flash directory. An erroneous build might have caused the /flash directory to have full read-write-execute permissions (777). The NetScaler sshd server does not use these keys if the containing folder is writable by all users.
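The checks described above, combined into one script as an added example (not part of the original article and not Citrix code): it reports whether /flash, /flash/nsconfig or /nsconfig/ssh is world-writable and whether the authorized_keys file is in the persistent location. The function names, the --check switch and the optional root-prefix argument are assumptions made for illustration; the prefix exists only so the check can be run against a test tree.

```shell
#!/bin/sh
# Added example, not Citrix code. Function names and the optional root-prefix
# argument are assumptions for illustration.

# Succeeds (returns 0) when "other" has write permission on directory $1.
# Character 9 of the ls mode string (drwxrwxrwx) is the world-write bit;
# -L follows symbolic links so the link target's mode is tested.
is_world_writable() {
    akc_mode=$(ls -ldL "$1" 2>/dev/null | cut -c9)
    [ "$akc_mode" = "w" ]
}

# Checks the directories named in the article, then the key file itself.
# $1 is an optional prefix for running against a test tree; leave it empty
# on the appliance. Returns 0 only when every check passes.
check_authorized_keys_path() {
    akc_root=${1:-}
    akc_rc=0
    for akc_dir in /flash /flash/nsconfig /nsconfig/ssh; do
        akc_path="$akc_root$akc_dir"
        if [ ! -d "$akc_path" ]; then
            echo "MISSING $akc_path"
            akc_rc=1
        elif is_world_writable "$akc_path"; then
            echo "WORLD-WRITABLE $akc_path"
            akc_rc=1
        else
            echo "OK $akc_path"
        fi
    done
    akc_file="$akc_root/nsconfig/ssh/authorized_keys"
    if [ -f "$akc_file" ]; then
        echo "OK $akc_file"
    else
        echo "MISSING $akc_file"
        akc_rc=1
    fi
    return "$akc_rc"
}

# Run the check only when asked, e.g.: sh check_keys.sh --check
if [ "${1:-}" = "--check" ]; then
    check_authorized_keys_path "${2:-}"
fi
```

A WORLD-WRITABLE line for /flash or /flash/nsconfig corresponds to the 777 condition that the article corrects with chmod 755.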
Note: The authorized_keys are supported only for the nsroot account.
Adding authorized client keys neither changes the default nsroot account password nor prevents keyboard-interactive logon using the nsroot account. It is advisable to store any changes to the password of the nsroot account in a safe place to prevent a system lock-out.