Issue Number | 4154 |
---|---|
Summary | Investigate Access to SFTP Server Using SSH Keys |
Created | 2016-09-15 16:55:59 |
Issue Type | Inquiry |
Submitted By | Englisch, Volker (NIH/NCI) [C] |
Assigned To | Englisch, Volker (NIH/NCI) [C] |
Status | Closed |
Resolved | 2016-12-20 10:58:19 |
Resolution | Fixed |
Path | /home/bkline/backups/jira/ocecdr/issue.194161 |
With the removal of the eDir system the PDQ partners will need to connect to the FTP server using a different type of authentication. CBIIT recommended connectivity using SSH Keys as one possible option.
We need to investigate how feasible and user friendly this option would be for our PDQ partners, both connecting individually as well as those connecting automatically.
Adding ~BKline and ~henryec as watchers.
Using an SSH key with FileZilla seems to be fairly easy, even for our not-so-technical users. An existing key can be stored within FileZilla from the program's Settings window. However, the key file must exist. FileZilla does not create the SSH key.
We should check with the CBIIT team if it's possible to test an SSH key setup on our FTP server.
I've spent some time reading about the ssh-key setup, and I tested this private/public key solution, which is actually very easy on Linux systems:

```shell
$ ssh-keygen
$ ssh-copy-id [user@]hostname
```
I was able to set up a connection between our CDR-Linux server and my server at home (kepler). Because I have multiple user accounts on kepler, I was also able to install the ssh-key pair to connect from my NIH account to a different username.

I was also able to set up a connection between our CDR-Linux-DEV server and the CDR-Linux-QA server.

Creating an ssh-key pair on my workstation was possible using PuTTYgen, but I haven't been able to use the created public key when connecting to kepler.
I'm assuming that the installation of the public key for the partners will need to be done by CBIIT because one needs to enter the password when copying the key using ssh-copy-id but the password won't exist. We will also need to identify how easy it will be to change the public key. This will need to be done if the local server of an organization changes, I believe. If I remember correctly, a hostname with multiple IP address entries in the authorized_keys file will prevent the user from logging on. If the user will have to supply a notarized copy of a photo ID along with a new public key we may need to think about a more user friendly solution.
The public key file copied to my server had extra newline characters. Once those were removed I was able to connect via Putty-ssh and FileZilla from my workstation.
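The ssh-copy-id step above needs the partner's password, so in the setup discussed in this ticket the public key is installed for the partner by an administrator, and the file the partner sends has to be checked before it is appended: the stray newline characters that broke the first attempt are exactly the kind of defect that check catches. The following Python script is an added example, not code from the ticket or from CBIIT's instructions. It strips carriage returns, blank lines and trailing whitespace from a partner-supplied key file, then validates each remaining line before it would be appended to authorized_keys; it goes one step beyond the ticket by decoding the base64 blob and checking that the key type embedded in it matches the text prefix. The key material (an all-zero ed25519 public value), the name partner@example.org and the allow list of key types are constructed assumptions.

```python
"""Normalize and validate OpenSSH public keys before they are appended to a
partner account's authorized_keys file.

Added example, not code from the ticket or from CBIIT's instructions.  The
key material below is constructed in-line (an all-zero ed25519 public key)
and is not a real user key; partner@example.org is a placeholder.
"""
import base64
import binascii
import struct

# Key types a partner account is allowed to register.  Assumption: a sensible
# allow list for this example, not a setting taken from the ticket.
ALLOWED_KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
                     "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def _ssh_string(data):
    """Encode bytes as an SSH wire 'string' (uint32 length prefix + bytes)."""
    return struct.pack(">I", len(data)) + data


def validate_key(line):
    """Return a canonical 'type base64 [comment]' line or raise ValueError.

    The base64 blob is decoded and its first wire string must repeat the key
    type given in the text prefix, so a pasted key whose blob was corrupted
    or mislabelled is rejected here instead of being silently ignored later.
    """
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    if key_type not in ALLOWED_KEY_TYPES:
        raise ValueError("key type not allowed: %s" % key_type)
    try:
        blob = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        raise ValueError("key blob is not valid base64")
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode("ascii"):
        raise ValueError("blob type does not match prefix %s" % key_type)
    comment = " ".join(parts[2:])
    return " ".join(filter(None, [key_type, b64, comment]))


def normalize_authorized_keys(text):
    """Split a partner-supplied key file into accepted and rejected lines.

    Carriage returns, blank lines and trailing whitespace (the 'extra newline
    characters' reported in the ticket) are dropped before each remaining
    line is validated.  Returns (accepted_lines, [(line, reason), ...]).
    """
    accepted, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            accepted.append(validate_key(line))
        except ValueError as exc:
            rejected.append((line, str(exc)))
    return accepted, rejected


# Constructed sample: an ed25519 key with an all-zero 32-byte public value,
# saved with Windows line endings and stray blank lines, as a partner might
# send it after copying it out of PuTTYgen.
CONSTRUCTED_BLOB = base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(b"\x00" * 32)).decode("ascii")
SAMPLE_PARTNER_FILE = (
    "\r\n"
    "ssh-ed25519 " + CONSTRUCTED_BLOB + " partner@example.org   \r\n"
    "\r\n\r\n"
)

if __name__ == "__main__":
    ok, bad = normalize_authorized_keys(SAMPLE_PARTNER_FILE)
    for entry in ok:
        print(entry)
    for entry, why in bad:
        print("rejected:", why)
```

Each accepted line is appended as-is to the partner's ~/.ssh/authorized_keys; sshd's default StrictModes setting refuses keys from a home directory, .ssh directory or authorized_keys file that is writable by others, so the directory is kept at mode 700 and the file at 600. Note that the .pub file PuTTYgen saves is in the multi-line RFC 4716 format, not the one-line OpenSSH format this script expects; `ssh-keygen -i -f key.pub` converts it, or the partner can paste the one-line text shown in PuTTYgen's window.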
Moved to "Release Independent" sprint – not because we're confident that CBIIT's assistance will not be required, but because the timetable for the rollout of this change will be driven by events unconnected with our release schedule.
The PDQ partners have been notified about the change which is in effect since yesterday. Some partners have already converted their account based on instructions provided by CBIIT.
Except for supporting partners who have trouble following the instructions, there is nothing more to be done for this ticket.
This ticket can be closed. PDQ content partners are using ssh keys for login at this point.