Configuring Tasks - Keys and Certs - Importing SSH Client Keys

In addition to generating new SSH client keys, MOVEit Central can import existing keys that have been obtained from remote servers. The specifics of how servers generate and store SSH private keys vary from vendor to vendor. However, the most common SSH implementation, OpenSSH, generates its keys via "ssh-keygen" and stores the keys in files named $HOME/.ssh/id_dsa or $HOME/.ssh/id_rsa, where $HOME is the home directory of the user in question. Here's a sample Linux session which generates a key:

$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/fred/.ssh/id_rsa):
Created directory '/home/fred/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/fred/.ssh/id_rsa.
Your public key has been saved in /home/fred/.ssh/id_rsa.pub.
The key fingerprint is:
18:37:c3:bc:10:f0:c0:38:19:3e:80:7b:73:79:15:9c fred@linuxsrv1
$

To import such a key into MOVEit Central, transfer the key (the file that does not end in .pub) to the computer running MOVEit Central Admin. (You might use FTP or FTP over SSH to do this transfer.) Then in the Hosts tab, double-click on the SSH host name. In the Define SSH Host dialog, choose the "..." button next to "SSH Client Key". In the resulting Manage SSH Keys dialog, choose Import. In the Enter Name dialog, choose an arbitrary name for the key and click OK. (This name is used only as a label within MOVEit Central.) Then, select the key file that you just transferred from the SSH server. If the key file was encrypted on the server (this is rare, and would have been specified when the user ran ssh-keygen), enter the encryption password when prompted. Otherwise, leave the password field blank and simply click OK.

The key will be imported into MOVEit Central. It can now be selected as the default SSH client key for this or any host, and can be selected as the SSH client key in tasks that override the default SSH client key for a host.

Configuring the key on the SSH server

Once a key has been created, the SSH server must be configured to authorize the key for logon. The procedure for this depends on the type of SSH software running on the server.

For other servers, consult the documentation for that server.

PuTTY Key Generator

By default, the PuTTY Key Generator exports two files: one for a private key and one for a public key. However, to produce a key file in a format that MOVEit Central's SSH client can use, you must export your PuTTY key as an "OpenSSH Key" (using the "Conversions" menu, if available). The passphrase you designate in the provided fields carries over to the exported OpenSSH key as well.

"ssh.com" Key Import

MOVEit Central allows the import of "ssh.com" keys, but such keys must NOT have been protected with a password; imports of "Password Protected ssh.com" keys will always fail. ("Blank password OpenSSH" and "Password Protected OpenSSH" keys can be imported without problems.)
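A pre-import check for the format and password rules above, added here as an example and not part of MOVEit Central or its documentation: it reads the text of a private key file and reports its format and whether it is password-protected, based on the OpenSSH, PuTTY and ssh.com key file layouts. The function names and the advice strings are assumptions of this example.

```python
import base64
import struct

ARMORED = {  # armor line -> (format, blob magic, offset of first string, strings before cipher)
    "---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----": ("ssh.com", b"\x3f\x6f\xf9\xeb", 8, 1),
    "-----BEGIN OPENSSH PRIVATE KEY-----": ("openssh", b"openssh-key-v1\0", 15, 0),
}

def _string(buf, off):  # read one SSH length-prefixed string -> (value, next offset)
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def _blob(lines):
    """Decode the base64 body, skipping 'Name: value' headers and their continuations."""
    body, cont = [], False
    for ln in lines:
        if cont or ":" in ln:
            cont = ln.endswith("\\")  # ssh.com headers continue after a trailing backslash
        else:
            body.append(ln)
    return base64.b64decode("".join(body))

def classify_key(text):
    """Return (format, password_protected) for the text of a private key file."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    first = lines[0] if lines else ""
    if first.startswith("PuTTY-User-Key-File-"):
        enc = [ln.split(":", 1)[1].strip() for ln in lines if ln.startswith("Encryption:")]
        return "putty", enc != ["none"]
    if first in ARMORED:  # the ssh.com armor says ENCRYPTED even without a password
        fmt, magic, off, skip = ARMORED[first]
        blob = _blob(lines[1:-1])
        if not blob.startswith(magic):
            raise ValueError("unexpected " + fmt + " blob magic")
        for _ in range(skip):  # ssh.com stores the key type ahead of the cipher name
            _, off = _string(blob, off)
        return fmt, _string(blob, off)[0] != b"none"
    if first.startswith("-----BEGIN ") and first.endswith("PRIVATE KEY-----"):
        return "openssh", "ENCRYPTED" in first or "Proc-Type: 4,ENCRYPTED" in lines
    raise ValueError("not a recognised private key file (is it the .pub file?)")

def import_advice(text):
    """Map the classification onto the import rules stated on this page."""
    fmt, locked = classify_key(text)
    if fmt == "putty":
        return "convert: export as an OpenSSH key from PuTTY Key Generator first"
    if fmt == "ssh.com" and locked:
        return "reject: password-protected ssh.com keys always fail to import"
    return "import: supply the key password" if locked else "import: blank password"
```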