We provide a number of packages that install scripts integrating the OpenSSH server's public key authentication with the JADAPTIVE Key Server.
The easiest way to configure an OpenSSH server is to use the AuthorizedKeysCommand and AuthorizedKeysCommandUser settings in sshd_config. Our packages install the necessary scripts and make the required configuration change for you if your server is running OpenSSH 6.8 or later.
If you are installing on a server with an earlier version of OpenSSH you will not be able to use the AuthorizedKeysCommand option; you can still install the package and use the manual synchronization scripts, which require a little more setup for each account you want to manage.
Prerequisites
The scripts require curl to execute HTTPS requests. Install it before installing the scripts:
Debian/Ubuntu
apt-get install curl
CentOS/Red Hat
yum install curl
Download & Installation
We have provided shortcut links to the latest packages on your key server. Both packages depend on curl and the OpenSSH server.
Debian/Ubuntu
Download the package from https://<hostname>/scripts/jadaptive.deb or from our cloud server https://gateway.jadaptive.com/scripts/jadaptive.deb
Install using:
dpkg -i jadaptive-keyserver-scripts-<version>.deb
CentOS/Red Hat
Download the package from https://<hostname>/scripts/jadaptive.rpm or from our cloud server https://gateway.jadaptive.com/scripts/jadaptive.rpm
Install using:
rpm -i jadaptive-keyserver-scripts-<version>.noarch.rpm
Testing Curl
Once the scripts are installed you need to configure the key server location. Before editing the configuration, test the curl command against your key server. If the key server does not present a valid TLS certificate you may need to adjust the configuration. We recommend that you always maintain a valid certificate on your key server: the scripts treat whatever the key server returns as authorized keys, so the certificate is what stops an impostor from supplying keys of its own.
Execute the following command
curl https://<keyserver>/ping
This should produce a response like the following:
curl https://ks1/ping
PONG
If you receive certificate errors like those below, fix the certificate on the key server first by installing a current, correctly chained certificate.
curl https://ks1/ping
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
If you must bypass this temporarily, re-run the check with the -k switch, which disables certificate verification:
curl -k https://ks1/ping
PONG
Be aware that -k removes the only protection against a man-in-the-middle substituting its own keys for those from your key server, so use it only on an isolated network while you fix the certificate. If the key server uses a private CA, prefer adding that CA to the host's trust store (or passing --cacert to curl) over -k. If you do need -k, make a note to adjust the ALLOW_INSECURE_GATEWAY option in the next section.
Configuration
Now edit the /etc/default/jadaptive-keyserver file:
nano /etc/default/jadaptive-keyserver
Set the GATEWAY_HOST variable to the hostname of your key server.
If you noted earlier that you need -k, set ALLOW_INSECURE_GATEWAY to y; the default of n is strongly recommended.
# Configuration for jadaptive-keyserver-scripts
#
# Gateway host
#
# The default hostname or IP address of the gateway from which to retrieve keys.
#
GATEWAY_HOST=ks1
# Allow incorrect SSL certificates when connecting to the
# GATEWAY_HOST.
#
# Default: N
# Recommended: N - To avoid MITM. The gateway is your trusted keystore!
#
ALLOW_INSECURE_GATEWAY=n
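To show how the AuthorizedKeysCommand integration described at the top of this page consumes these settings, here is a hypothetical wrapper script added as an example for this article. It is not the script shipped in the jadaptive-keyserver-scripts package. It reads GATEWAY_HOST and ALLOW_INSECURE_GATEWAY from /etc/default/jadaptive-keyserver, fetches the keys for the username sshd passes in $1, and fails closed on any error. The script name ks-authorized-keys, the /authorized_keys/<user> endpoint, the optional GATEWAY_CA setting and the KS_CONFIG override are assumptions for illustration; substitute your key server's real endpoint.

```shell
#!/bin/sh
# ks-authorized-keys: hypothetical AuthorizedKeysCommand wrapper written for
# this article. It is NOT the script shipped in the jadaptive-keyserver-scripts
# package; it shows how such a wrapper should consume the settings in
# /etc/default/jadaptive-keyserver and fail closed.
#
# Assumed sshd_config lines (the script must be root-owned and not writable by
# group or other; the command user should be a dedicated unprivileged account):
#   AuthorizedKeysCommand /usr/local/bin/ks-authorized-keys
#   AuthorizedKeysCommandUser nobody
# With no arguments configured, sshd passes the target username as $1.

CONFIG=${KS_CONFIG:-/etc/default/jadaptive-keyserver}   # KS_CONFIG: assumed override for testing
GATEWAY_HOST=
ALLOW_INSECURE_GATEWAY=n
GATEWAY_CA=                  # assumed: optional PEM bundle for a private CA
KEYS_PATH=/authorized_keys   # assumed: the real key server endpoint is not documented here

# Source the defaults file if present; fail if no gateway is configured.
load_config() {
    [ -r "$CONFIG" ] && . "$CONFIG"
    [ -n "$GATEWAY_HOST" ]
}

# Accept only plain usernames so the value cannot inject path segments,
# query strings or shell metacharacters into the request.
valid_user() {
    [ ${#1} -le 32 ] || return 1
    case "$1" in
        ''|*[!a-zA-Z0-9._-]*|.*|-*) return 1 ;;
        *) return 0 ;;
    esac
}

# curl options: fail on HTTP errors, bounded time, --cacert for a private CA,
# and --insecure only when the operator explicitly opted in.
curl_opts() {
    opts="--fail --silent --show-error --max-time 10"
    if [ -n "$GATEWAY_CA" ]; then
        opts="$opts --cacert $GATEWAY_CA"
    fi
    case "$ALLOW_INSECURE_GATEWAY" in
        y|Y) opts="$opts --insecure" ;;
    esac
    printf '%s\n' "$opts"
}

# Pass through only lines that carry a recognised public key type, so an HTML
# error page or captive-portal response can never be handed to sshd as keys.
# Lines with an authorized_keys options prefix (e.g. command="...") are kept.
filter_keys() {
    grep -E '(^|[[:space:]])(sk-)?(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521))(@openssh\.com)? '
}

# Fetch and print the keys for one user. Any failure prints nothing and
# returns non-zero, so the login is refused unless the key is also in the
# user's own authorized_keys file.
fetch_keys() {
    user=$1
    valid_user "$user" || { echo "ks-authorized-keys: rejected username" >&2; return 1; }
    load_config || { echo "ks-authorized-keys: GATEWAY_HOST not set in $CONFIG" >&2; return 1; }
    # curl_opts deliberately emits separate flags; word splitting is intended here.
    # shellcheck disable=SC2046
    curl $(curl_opts) "https://$GATEWAY_HOST$KEYS_PATH/$user" | filter_keys
}

# Only act when sshd (or an operator testing by hand) supplies a username.
if [ "$#" -ge 1 ]; then
    fetch_keys "$1"
fi
```

Test it by hand first (ks-authorized-keys root) as the AuthorizedKeysCommandUser account, run sshd -t after editing sshd_config, and keep an open session or console access while you restart sshd so a broken command cannot lock you out.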
Finally, test the key server scripts.
Execute the following command for an account you want to manage keys for:
keyserver-sync /root root
Then log in to the Key Server Administration CLI and execute
remote-accounts
You should now see the account and host in the remote-accounts listing:
# remote-accounts
Account Hostname
------- --------
root ks1
You are now ready to start configuring access as described in our article Configuring a Remote Account.