How to Secure SSH Access to the NetScaler Appliance with Public Key Authentication

Article ID: CTX109011

Description

This article contains information about securing administrative access to the NetScaler appliance by using the public key authentication mechanism of Secure Shell (SSH).

Requirements

To complete the procedure in this document, you need the following:
  • An SSH client capable of public key authentication, such as OpenSSH or PuTTY
  • A suitable key pair

Background

SSH supports several authentication mechanisms, such as password, keyboard-interactive, and public key. By default, the NetScaler appliance authenticates SSH users with a password. You can significantly strengthen administrative access by generating a key pair and using it to authenticate users: an attacker then needs not only the private key file but also the passphrase used to encrypt it. You can also store the private key on a smart card and thereby use true two-factor authentication.


Instructions

To secure administrative access to the NetScaler appliance by using the public key authentication mechanism of SSH, complete the following procedure:

  1. If it does not exist, create the /nsconfig/ssh/authorized_keys file.

  2. Run the following command to set permissions for the file:
    # chmod 644 /nsconfig/ssh/authorized_keys

  3. Run the following command to append the public key to the /nsconfig/ssh/authorized_keys file:
    # cat id_rsa.pub >> /nsconfig/ssh/authorized_keys

  4. Configure the SSH client to use public key authentication and make the private key file available to it.

  5. Connect to the NetScaler appliance with the SSH client and confirm that you are prompted for the passphrase that protects the private key, not for the nsroot password.

  6. As an optional step, change the root (nsroot) password to a completely random, complex password, and store it in a secure location.

  7. As an optional step, disable password authentication: copy the /etc/sshd_config file to the /nsconfig/ directory and set the PasswordAuthentication parameter to no. NOTE: We strongly recommend that you do NOT perform this optional step, because it can cause HA synchronization failures.

Points to Note:

Consider the following when making the changes:

  • Citrix Technical Support supports the documented “SSH key-based authentication for local system users” feature. Customization beyond what is documented is not supported.

  • If you see the following error message, sshd's StrictModes check has rejected the ownership or permissions of a directory on the path to the authorized_keys file. Setting the StrictModes parameter to no in the /nsconfig/sshd_config file makes the error go away, but it also disables the check that stops a key planted in a group- or world-writable directory from being honored; correcting the ownership and modes that the message names is the safer fix.
    Authentication refused: bad ownership or modes for directory /flash/nsconfig

  • Any change to the /nsconfig/sshd_config file takes effect only after you restart the NetScaler appliance or send a SIGHUP signal to the /usr/sbin/sshd process. Citrix recommends that you make changes relating to the SSH daemon from the console, so that a mistake cannot lock you out of the SSH session you are working in.


    Configuration steps:
    ==================


    Step 1 :  Create ssh key pair to take SSH session to NetScaler
    -------------------------------------------------------------------------
    In this example the key pair is created on the NetScaler itself with the following command. The private key (ankit) must then be copied to the client and removed from the appliance; only the public key (ankit.pub) belongs on the NetScaler.
     
    root@NetScaler# ssh-keygen -t rsa -C ankit@123
    Generating public/private rsa key pair.
    Enter file in which to save the key (/root/.ssh/id_rsa): ankit
    Enter passphrase (empty for no passphrase): (SET PASSPHRASE HERE)
    Enter same passphrase again: (ENTER THE PASSPHRASE HERE)
    Your identification has been saved in ankit.
    Your public key has been saved in ankit.pub.
    The key fingerprint is:
    3c:a3:d1:52:c1:91:eb:d3:8c:43:f8:06:a9:86:01:42 ankit@123
    The key's randomart image is:
    +--[ RSA 2048]----+
    |.E     .oo       |
    |o       o.       |
    |..     o..       |
    |  .   ++o        |
    |   o .o=S+       |
    |  . o  +Boo      |
    |   .  .. o       |
    |                 |
    |                 |
    +-----------------+

    The key pair can also be generated with PuTTYgen: http://support.citrix.com/article/CTX109009
     
    Step 2 :   Run the following commands to append the public key of the client to the authorized_keys file:
    --------------------------------------------------------------------------------------------------------------------------------
    root@NetScaler# cat ankit.pub >> /nsconfig/ssh/authorized_keys
    root@NetScaler# chmod 0644 /nsconfig/ssh/authorized_keys
     
     
    Step 3 :  To convert the OpenSSH key to Putty format
    -----------------------------------------------------------------
    In PuTTYgen, choose Conversions > Import key, select the OpenSSH private key (ankit in this example), and click Save private key.
    Please note that the private key should be saved with the extension “.ppk”.
     
     
    Step 4  : To access the NetScaler using this key file :
    -----------------------------------------------------------------

  • Open a PuTTY SSH session to the NetScaler appliance.
  • Under Connection > SSH > Auth, browse to the private key file with the .ppk extension.
This completes the test: the SSH session to the NetScaler is established with the key.
 
 
  • To ensure that the changes persist even after restarting the appliance, complete the following procedure:

            1. Copy the authorized_keys file from the /root/.ssh directory to the /nsconfig/ssh/ directory.

            2. In the /nsconfig/rc.netscaler file, append the following entries:
                         mkdir /root/.ssh
                         cp /nsconfig/ssh/authorized_keys /root/.ssh/

            Refer to: http://support.citrix.com/article/CTX120804


Note: If SSH key authentication still fails after the above configuration, change the file permission set in step 2 from 644 to 755.
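The numbered Instructions, the StrictModes point under Points to Note, and Step 2 of the configuration walkthrough all come down to one operation: put a public key into /nsconfig/ssh/authorized_keys with ownership and modes that sshd will accept. The following shell script is an added example of that operation; it is not part of this article and not Citrix NetScaler code. It assumes the default path /nsconfig/ssh/authorized_keys (another directory can be passed as a second argument, which the built-in demo uses so that nothing under /nsconfig is touched), uses a constructed sample key rather than a real one, and deliberately leaves /nsconfig/sshd_config alone because of the HA synchronization warning in step 7. It does not change the ownership of parent directories such as /flash/nsconfig, which the StrictModes error message above names; correct those by hand rather than disabling StrictModes.

```shell
#!/bin/sh
# Added example, not Citrix code: install an OpenSSH public key for key-based
# administrative login with the directory and file modes that sshd's
# StrictModes check expects. Default target is the NetScaler path used in the
# article; a second argument selects another directory (used by the demo).

# Accept only OpenSSH public-key lines: "<key type> <base64 blob> [comment]".
valid_pubkey() {
    case "$1" in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-nistp256 "*|"ecdsa-sha2-nistp384 "*|"ecdsa-sha2-nistp521 "*)
            set -- $1   # split the line into fields; $2 is the key blob
            printf '%s' "$2" | grep -Eq '^[A-Za-z0-9+/]+=*$' ;;
        *)
            return 1 ;;
    esac
}

# Octal mode of a path: GNU stat on a Linux client, BSD stat on the appliance.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Number of key lines installed in $1/authorized_keys.
authorized_key_count() {
    awk 'END { print NR }' "$1/authorized_keys"
}

# install_authorized_key "<public key line>" [directory]
# Creates the directory, applies the modes StrictModes accepts (directory 700,
# file 644 as in step 2 of the Instructions) and appends the key unless the
# same type and blob are already present, so repeating the procedure never
# leaves duplicate entries.
install_authorized_key() {
    key=$1
    dir=${2:-/nsconfig/ssh}
    file="$dir/authorized_keys"
    if ! valid_pubkey "$key"; then
        echo "rejected: not an OpenSSH public key line" >&2
        return 1
    fi
    mkdir -p "$dir"
    chmod 700 "$dir"
    [ -f "$file" ] || : > "$file"
    chmod 644 "$file"
    blob=$(printf '%s\n' "$key" | awk '{ print $1 " " $2 }')
    if awk '{ print $1 " " $2 }' "$file" | grep -Fxq "$blob"; then
        echo "already present, nothing appended: $blob"
        return 0
    fi
    printf '%s\n' "$key" >> "$file"
    echo "appended to $file"
}

# Constructed sample key for the stand-alone demo; not a real administrator key.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJyVj0k5bLwlp3kqQ2f8uO8g6fXQ3w1c3wKSeN1B9ivw admin@workstation'

# Demo in a scratch directory so nothing under /nsconfig is touched.
# On the appliance you would run:  install_authorized_key "$(cat id_rsa.pub)"
demo=$(mktemp -d)
install_authorized_key "$SAMPLE_KEY" "$demo"
install_authorized_key "$SAMPLE_KEY" "$demo"   # second run is a no-op
echo "keys installed: $(authorized_key_count "$demo"), file mode $(file_mode "$demo/authorized_keys"), directory mode $(file_mode "$demo")"
rm -rf "$demo"

# Step 5 check, run from the client once the key is installed. Forcing
# public-key authentication means a silent fallback to the nsroot password
# cannot mask a broken key setup: a prompt for the key passphrase (never the
# password) is success; "Permission denied (publickey)" means the key was
# not accepted.
#   ssh -o PreferredAuthentications=publickey -o PasswordAuthentication=no \
#       -i ~/.ssh/id_rsa nsroot@<appliance>
```

Run as shown, the script exercises itself in a scratch directory; on the appliance, call install_authorized_key with the contents of the client's .pub file. The duplicate check compares key type and blob only, so routing the article's cat >> step through this function does not accumulate copies of the same key that differ only in their comment, and a malformed line is refused before it can reach the file.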


 


Additional Information

Citrix Documentation – Accessing an Appliance by Using SSH Keys and No Password

CTX109008 – How to Create a Key Pair for SSH Authentication by Using the ssh-keygen Utility

CTX109009 – How to Create a Key Pair for SSH Authentication by Using the PuTTYgen Utility

CTX114020 – The SSH authorized_keys Are Not Working

CTX121051 – How to Configure an SSH Access from a Primary NetScaler Appliance to a Secondary NetScaler Appliance with Private-Public keys

CTX120804 – How to Access the NetScaler Appliance by using the SSH Keys