CTX109011
NetScaler,NetScaler Gateway
NetScaler Gateway_all,NetScaler_all
Security
2016-01-12
2014-05-22
This document contains information about securing administrative access to the NetScaler appliance by using the public key authentication mechanism ...

Objective

This article contains information about securing administrative access to the NetScaler appliance by using the public key authentication mechanism of Secure Shell (SSH).

Requirements

To complete the procedure in this document, the NetScaler appliance must have the following tools:
  • An SSH client capable of public key authentication, such as OpenSSH or PuTTY
  • A suitable key pair

Background

SSH supports several authentication mechanisms, such as password, keyboard-interactive, and public key. By default, passwords are used for authentication. However, you can significantly enhance security by generating a key pair and using it to authenticate users. This ensures that an unauthorized user must have access not only to the private key but also to the passphrase used to encrypt it. You can also store the private key on a smart card and thereby use true two-factor authentication.


Instructions

To secure administrative access to the NetScaler appliance by using the public key authentication mechanism of SSH, complete the following procedure:

  1. If it does not exist, create the /nsconfig/ssh/authorized_keys file.

  2. Run the following command to set permissions for the file:
    # chmod 644 /nsconfig/ssh/authorized_keys

  3. Run the following command to append the public key to the /nsconfig/ssh/authorized_keys file:
    # cat id_rsa.pub >> /nsconfig/ssh/authorized_keys

  4. Configure the SSH client to use public key authentication and make the private key file available to it.

  5. Connect to the NetScaler appliance by using the SSH utility and ensure that the user is asked for the passphrase used to encrypt the private key file instead of the nsroot password.

  6. As an optional step, change the root password to a completely random, complex password, and store the password at a secure location.

  7. As an optional step, disable password authentication by copying the /etc/sshd_config file to the /nsconfig/ directory and setting the PasswordAuthentication parameter to no in that copy.

Points to Note

Consider the following when making the changes:

  • Customized SSH configuration is not supported by Citrix Technical Support. Additionally, a bad configuration might lock you out of the appliance, which might require a Return Material Authorization (RMA).

  • If you see the following error message, set the StrictModes parameter to no in the /nsconfig/sshd_config file:
    Authentication refused: bad ownership or modes for directory /flash/nsconfig

  • Any change to the /nsconfig/sshd_config file takes effect only after you restart the NetScaler appliance or send a SIGHUP signal to the /usr/sbin/sshd process. Citrix recommends that you make changes relating to the SSH daemon from the console, so that a mistake cannot cut off the session you are working from.
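The following shell functions are an added example, not Citrix tooling, that automates steps 1 to 3 and 7 of the procedure above and the StrictModes note from this section. They assume the NetScaler layout the article describes (/nsconfig/ssh/authorized_keys, /nsconfig/sshd_config copied from /etc/sshd_config); the NSCONFIG and SSHD_CONFIG_SRC variables are hypothetical overrides added so the functions can be rehearsed against a scratch directory before touching a real appliance. Beyond the article, the key installer refuses anything that is not a single OpenSSH public key line (so a private key pasted by mistake never lands in authorized_keys) and skips keys that are already present, so re-running it does not pile up duplicates.

```shell
#!/bin/sh
# Added example (not Citrix's own code). NSCONFIG is a hypothetical override;
# on the appliance it defaults to the real /nsconfig directory.
NSCONFIG="${NSCONFIG:-/nsconfig}"

# Steps 1-3: create /nsconfig/ssh/authorized_keys if missing, set mode 644,
# and append the public key. Only a single OpenSSH public key line is accepted.
install_pubkey() {
    pubkey_file="$1"
    keyfile="$NSCONFIG/ssh/authorized_keys"
    if ! grep -Eq '^(ssh-|ecdsa-)' "$pubkey_file" || [ "$(grep -c . "$pubkey_file")" -ne 1 ]; then
        echo "install_pubkey: $pubkey_file is not a one-line OpenSSH public key" >&2
        return 1
    fi
    mkdir -p "$NSCONFIG/ssh"
    [ -f "$keyfile" ] || : > "$keyfile"
    chmod 644 "$keyfile"
    # Idempotent: do not append a key that is already listed.
    if grep -qxF "$(cat "$pubkey_file")" "$keyfile"; then
        echo "install_pubkey: key already present in $keyfile" >&2
        return 0
    fi
    cat "$pubkey_file" >> "$keyfile"
}

# Step 2 check: permission string of authorized_keys (expected: -rw-r--r--).
authorized_keys_mode() {
    ls -l "$NSCONFIG/ssh/authorized_keys" | cut -c1-10
}

# Step 7 and the StrictModes note: copy /etc/sshd_config to /nsconfig once,
# then set one keyword, rewriting an existing (possibly commented-out) line
# or appending the keyword if it is absent. SSHD_CONFIG_SRC is a hypothetical
# override for the source file. The change takes effect only after sshd is
# restarted or sent SIGHUP, as the note above says.
set_sshd_option() {
    key="$1"; value="$2"
    cfg="$NSCONFIG/sshd_config"
    [ -f "$cfg" ] || cp "${SSHD_CONFIG_SRC:-/etc/sshd_config}" "$cfg"
    tmp="$cfg.tmp.$$"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|\$)" "$cfg"; then
        sed -E "s/^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?\$/$key $value/" "$cfg" > "$tmp"
    else
        { cat "$cfg"; echo "$key $value"; } > "$tmp"
    fi
    mv "$tmp" "$cfg"
}

# Read back the effective value of a keyword. sshd uses the first
# uncommented occurrence, so that is the one reported here.
get_sshd_option() {
    awk -v k="$1" 'tolower($1)==tolower(k) && !found {print $2; found=1}' "$NSCONFIG/sshd_config"
}

# Usage on the appliance (from the console, as the note recommends):
#   install_pubkey /path/to/id_rsa.pub
#   set_sshd_option PasswordAuthentication no
#   set_sshd_option StrictModes no      # only if the "bad ownership or modes" error appears
# then restart sshd (SIGHUP to /usr/sbin/sshd) and confirm the passphrase prompt
# from a second session before closing the one you are in.
```

Rehearse it with NSCONFIG pointed at an empty temporary directory first: the result should be an authorized_keys file with mode 644 containing the key exactly once, and a sshd_config copy whose PasswordAuthentication line reads "no".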


Special note

This article is sourced from Citrix.com; the copyright of the translation belongs to the translator. Please credit the source if reposting.