FILE: @(#) 1.1 07/08/09 23:59:39 README.ssh

SSH AND RAZOR

The Razor 5.2 release introduces two elements that rely upon ssh. The Razor
remote command-line extends a subset of the Razor 'local' command-line to
remote users via ssh. The ssh tool also provides an alternative to
authenticating remote users against the local password file via 'rexec'.

OVERVIEW

The basic idea is to have each remote user create a public/private key pair
as well as a passphrase. The private key is retained on the host from which
the remote Razor Versions, Issues, or Threads client will be run. The
corresponding public key is installed on the Razor License Manager host. The
user provides the (optional) passphrase to prove that they are the rightful
owner of the keys. Through the use of an ssh agent, the remote Razor user can
avoid having to authenticate multiple times as they connect to remote Razor
servers via the remote command-line, Versions, Threads, and/or Issues.

SSH SETUP

Each remote Razor user must create a public/private key pair. Most
non-Windows platforms include a variant of the OpenSSH toolset, which
includes utilities for generating a key pair. The most common utility is the
'ssh-keygen' tool. Here's how the utility is used to generate a
public/private key pair using the RSA algorithm:

    glscg5:brian$ ssh-keygen -t rsa
    Generating public/private rsa key pair.
    Enter file in which to save the key (/Users/brian/.ssh/id_rsa):
    Enter passphrase (empty for no passphrase): <>
    Enter same passphrase again: <>
    Your identification has been saved in /Users/brian/.ssh/id_rsa.
    Your public key has been saved in /Users/brian/.ssh/id_rsa.pub.
    The key fingerprint is:
    27:1d:93:55:bc:1a:51:ea:85:ef:08:ce:39:97:5f:4a brian@glscg5.local

Let's review what we have. The 'public' key has been saved as 'id_rsa.pub'.
This key will need to be installed on the Razor License Manager host. The
corresponding private key has been saved as 'id_rsa'.
This key is NOT to be distributed. The private key is also protected with
the passphrase that you provided.

    glscg5:brian$ cat id_rsa
    -----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: DES-EDE3-CBC,3F220DB6D177D05E

    [encrypted key material omitted]
    -----END RSA PRIVATE KEY-----

    glscg5:brian$ cat id_rsa.pub
    ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAsWR1H91G25o6QAaHcuxuIYPBamjvS0ZZAXhVG6YXI5uevv/rLKDkxqkwJs8cLvVfMpw7b40AERa1Tun8lOihZzuj3+LSr56ygI8M+6rFsz3/PXVXxsv0Kv+mGfpugGyYkZZChwOiSiVaywEGEZ5Ndz8STIj6BGCUh7/rkF81+h+V5JCb/B2FzH/huww/6EMu/x87qs+LFr/dll0RVwYmFdAoWude4Vm8mNVir23zwzgMJtqIVj//wShW6Pi7YOAF6swMGpLiZ2+QK8GRlGCA3OJfINtVqFM+Llt6hR8mRG7h6RtF7fXdoEXCoOV7vkzSV4Utu7TWU/EuXrLmSePGIQ== brian@glscg5.local

INSTALLING YOUR PUBLIC KEY

Your public key will need to be installed on the server that you will be
connecting to via ssh. Authenticating remote Issues, Versions, and/or Threads
users against the local password file requires that you install your public
key on the Razor License Manager host. Accessing your Razor Database Manager
via the Razor remote command-line requires that you install your public key
on the DB host. If the Razor License and Database Managers are co-located
you'll only need to install the key in a single location.

You'll want to make a copy of your public key (id_rsa.pub) and place it on
the server. You must have an account on the server that you'll be connecting
to via ssh. Once you have your key file on the server you'll need to add its
contents to your 'authorized_keys' file, i.e. $HOME/.ssh/authorized_keys. If
you've used ssh on the server before then you'll already have an
authorized_keys file; simply append your public key file to it. If you've
never used ssh on the server you'll have some additional setup work to do.
Let's look at what is required:

    $ cd $HOME
    $ mkdir .ssh
    $ chmod 700 .ssh
    $ cd .ssh
    $ cat id_rsa.pub >> authorized_keys
    $ chmod 600 authorized_keys

CONFIGURING SERVER SSH POLICIES

You'll need to work with the server's system admin to enable support for ssh
as applicable. The server's 'sshd_config' file is the place to start. By
convention all of the default values are commented out with a "#" token.
Here are the more notable entries from the sshd_config template:

    PubkeyAuthentication yes
    AuthorizedKeysFile .ssh/authorized_keys
    AllowUsers <>

You'll need to make your changes and restart the ssh daemon.

TEST DRIVING SSH

Once you've installed your public key and enabled ssh on the server you'll
want to ssh into the remote server to validate your setup. There's no point
trying to use the Razor remote command-line or authenticate via ssh until
you've convinced yourself that your ssh setup is working.

    glscg5:brian$ ssh <>
    Enter passphrase for key '/Users/brian/.ssh/id_rsa': <>
    Last login: Thu Aug 9 15:51:50 2007 from glscg5
    [brian@GlscLinux ~]$

At this point you have a terminal on the remote Razor LM host.

In the event that ssh fails, you'll want to work with the server sys admin to
troubleshoot. There are a few places to start.

On the server side you'll want to:

  - Review the sshd_config file
  - Review the firewall configuration to verify that ssh is enabled
  - Verify that the ssh daemon (sshd) is running
  - Check the log files to see why access is denied

On the client side you'll want to:

  - Review the firewall configuration to verify that outgoing ssh
    connections are allowed
  - Attempt to start the ssh connection in 'verbose' mode to see debugging
    info. Use "ssh -v <>"

CONFIGURING SSH-AGENT

When the remote Razor client attempts to authenticate the user via ssh there
is no opportunity for the user to enter the ssh passphrase. Therefore, the
user must set up an ssh agent to effectively cache the passphrase ahead of
time. Once the agent is started it will step in and complete the ssh
authentication on your behalf without your having to re-enter the
passphrase. The agent is started via the command-line. The ssh-agent options
will vary depending upon the shell that the agent is launched from. See the
ssh-agent man pages for details.
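As an added example (not part of the Razor README), the following script carries out the authorized_keys steps above and reads back the sshd_config policies discussed in this section, with the first-match and commented-out-means-default rules that sshd applies. The sample key blob and sshd_config it writes are constructed, and the function names are the example's own.

```shell
# Added example, not from the Razor README: scripts the authorized_keys steps
# above and reads back the sshd_config policies; paths are parameters so it
# can be exercised against a scratch directory.

# install_pubkey <id_rsa.pub> <home-dir>: create ~/.ssh (700) and
# authorized_keys (600), the modes sshd's StrictModes insists on, and append
# the key unless it is already present.
install_pubkey() {
    pub=$1 home=$2 keys="$2/.ssh/authorized_keys"
    # One line, "<type> <base64 blob> [comment]"; OpenSSH blobs begin "AAAA".
    grep -Eq '^[a-z0-9.@-]+ AAAA[A-Za-z0-9+/]{40,}=*( |$)' "$pub" || return 2
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh" || return 3
    touch "$keys" && chmod 600 "$keys" || return 3
    blob=$(awk '{ print $1, $2; exit }' "$pub")
    # Compare type+blob only, so a changed comment does not create a duplicate.
    awk -v b="$blob" '($1 " " $2) == b { f = 1 } END { exit !f }' "$keys" && return 0
    cat "$pub" >> "$keys"
}

# sshd_value <keyword> <sshd_config>: the FIRST uncommented line wins, as in
# sshd; a "#Keyword value" line only documents the default, so it reports
# "(default)". Lines after Match are conditional and are not consulted.
sshd_value() {
    awk -v k="$1" '
        tolower($1) == "match" { exit }
        $1 !~ /^#/ && tolower($1) == tolower(k) {
            sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; found = 1; exit }
        END { if (!found) print "(default)" }' "$2"
}

# user_allowed <user> <sshd_config>: no AllowUsers line admits everyone; once
# one exists the user must be listed as "user" or "user@host" (no wildcards).
user_allowed() {
    list=$(sshd_value AllowUsers "$2")
    [ "$list" = "(default)" ] && return 0
    for entry in $list; do
        [ "${entry%@*}" = "$1" ] && return 0
    done
    return 1
}

# write_fixture <dir>: constructed inputs (the key blob is made up, not a real
# key) so the functions above can be tried offline.
write_fixture() {
    mkdir -p "$1"
    echo 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAconstructedexampleblobnotarealkey0123456789== brian@glscg5.local' > "$1/id_rsa.pub"
    printf '%s\n' '#PubkeyAuthentication yes' 'AuthorizedKeysFile .ssh/authorized_keys' \
        'AllowUsers brian admin@buildhost' 'Match User guest' '    PubkeyAuthentication no' > "$1/sshd_config"
}
```

Against the constructed fixture, sshd_value reports "(default)" for PubkeyAuthentication because the only line that mentions it is commented out; that is exactly the case to check before assuming public-key logins are enabled.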
When using a C-shell:

    $ eval `ssh-agent -c`
    Agent pid 7398

When using a Bourne-shell:

    $ eval `ssh-agent -s`
    Agent pid 7399

Before the agent can step in you need to authenticate yourself just once:

    $ ssh-add
    Enter passphrase for /Users/brian/.ssh/id_rsa: <>
    Identity added: /Users/brian/.ssh/id_rsa (/Users/brian/.ssh/id_rsa)

Confirm that the agent is holding your private key for public key
authentication:

    $ ssh-add -l
    2048 b4:0e:22:7a:86:15:a8:73:3f:81:22:4d:e7:f0:d0:a6 /Users/brian/.ssh/id_rsa (RSA)

Let's verify that the ssh agent is ready to step up:

    glscg5:brian% ssh glsclinux
    Last login: Thu Aug 9 21:47:20 2007 from glscg5

If all is well, you should be connected directly to the remote server without
having to provide your ssh passphrase. At this point all ssh-aware
applications, including the Razor remote clients and the Razor remote
command-line, will work with the ssh agent to obtain the necessary
authentication without prompting the user for the passphrase.

It should be noted that the scope of the agent is limited to ssh-aware
applications started from the SAME terminal that the agent was started in. If
additional terminals are needed you'll need to start an agent instance in
each terminal.

USING SSH TO AUTHENTICATE REMOTE ISSUES, VERSIONS, THREADS USERS

By default the remote Issues, Versions, and Threads clients will authenticate
against the local password file using 'rexec' rather than ssh. To override
the default, the 'RAZOR_USE_SSH_REMOTE_AUTH' environment variable must be set
prior to launching the Razor remote client(s).

FURTHER INFORMATION

  The man pages for ssh, ssh-keygen, ssh-agent, and ssh-add.
  OpenSSH website (http://www.openssh.org)
  SSH User Identities white paper (http://www.securityfocus.com/infocus/1810)
  SSH and ssh-agent white paper (http://www.securityfocus.com/infocus/1812)
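An added example, not from the README, that turns the agent caveats above into a launcher check: it uses ssh-add's exit status to confirm that an agent started in this terminal actually holds an identity before a Razor remote client is started with RAZOR_USE_SSH_REMOTE_AUTH set. The SSH_ADD hook and the value 1 for the variable are this example's own assumptions.

```shell
# Added example, not from the Razor README: a launcher that refuses to start a
# Razor remote client until the agent in THIS terminal holds an identity, so
# the client never reaches the passphrase prompt it cannot answer. ssh-add's
# exit status carries the answer: 0 = identities loaded, 1 = agent reachable
# but empty, 2 = no agent reachable. SSH_ADD is an assumed test hook so a fake
# ssh-add can stand in for the real tool.
SSH_ADD=${SSH_ADD:-ssh-add}

# agent_ready: 0 when a loaded agent is reachable from this shell; 1 when the
# agent is running but empty; 2 when no agent was started in this terminal.
agent_ready() {
    # The agent is located via SSH_AUTH_SOCK, which only the terminal that ran
    # eval `ssh-agent ...` (and processes started from it) inherits.
    [ -n "$SSH_AUTH_SOCK" ] || return 2
    "$SSH_ADD" -l >/dev/null 2>&1
    case $? in
        0) return 0 ;;
        1) return 1 ;;
        *) return 2 ;;   # 2 from ssh-add, or 127 if ssh-add is not installed
    esac
}

# agent_hint <status>: map agent_ready's status to the step the user skipped.
agent_hint() {
    case $1 in
        0) echo 'agent ready' ;;
        1) echo 'agent has no identity: run ssh-add' ;;
        *) echo 'no agent in this terminal: run eval `ssh-agent -s` (or -c), then ssh-add' ;;
    esac
}

# run_razor_client <command...>: gate the client on the agent, then set the
# README's override so it authenticates via ssh instead of rexec. The README
# only says the variable must be set; the value 1 is this example's choice.
run_razor_client() {
    st=0; agent_ready || st=$?
    if [ "$st" -ne 0 ]; then
        echo "not launching $1: $(agent_hint "$st")" >&2
        return "$st"
    fi
    RAZOR_USE_SSH_REMOTE_AUTH=1 "$@"
}
```

Invoke it as run_razor_client followed by the client command, from the same terminal in which the agent was started; a non-zero status names the step that was skipped.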