Generating private/public SSH2 key pair for server cluster

0 votes
asked Sep 13, 2011 by Louise (120 points)
edited Sep 23, 2011

We are researching the use of a server cluster for FTP using a SAN and two servers for failover. We will need to generate a public/private key pair for SSH2 for this new cluster. (The public key will be provided to a customer in order to access their FTP site.) Are there special considerations for generating a key pair for a cluster versus a single server we need to be aware of? Does the ~/.ssh/authorized_keys file need to be used and saved in a particular place? Any information would be helpful.

Thanks, Louise

Applies to: Rebex SFTP

1 Answer

0 votes
answered Sep 13, 2011 by Lukas Pokorny (103,130 points)
edited Sep 23, 2011

This might be more of a server-related question, but let's discuss the keys first to make sure we understand each other:

a) Is this SSH2 public/private key pair supposed to be the SSH server key used to authenticate the SSH server to the client?

- or -

b) Is the SSH2 public/private key pair supposed to be a client key, used to authenticate an SSH/SFTP client (such as Rebex SFTP) to an SSH server?

I'm asking because at first, it looks like "a)" (server keys), where the private part of the keypair is only kept at the server and the public part (or its fingerprint) is provided to clients in order to make it possible for them to verify that they are in fact connecting to the correct servers (they "authenticate the server"). On the other hand, "b)" (client keys) are used to authenticate clients to the server (instead of the usual password-based authentication); their private parts are only kept at the client machines and their public parts are stored at the server (~/.ssh/authorized_keys in the case of OpenSSH).

commented Sep 13, 2011 by Louise (120 points)
edited Sep 13, 2011

Option "b)". We are the client grabbing files from an FTP site using SSH, and we provided the public key and the public IP address of our server to the FTP site owner. In addition, we log in using a username and password, and we use the private key with passcode as part of the login. (Our server is a Hyper-V VM on node 2 of an NLB cluster.)

commented Sep 14, 2011 by Lukas Pokorny (103,130 points)
edited Sep 14, 2011

A client key can be used with multiple machines without any problems, which means there are no special considerations for generating the keypair in this case. The FTP site owner should just make sure that all server instances in the cluster are aware of the key. In the case of OpenSSH and its ~/.ssh/authorized_keys file, it might be quite simple if all the instances use the same filesystem for user data: the authorized_keys file is stored in the .ssh subdirectory of the user's home directory.

commented Sep 22, 2011 by Louise (120 points)
edited Sep 22, 2011

So, just to make sure there is no confusion - we, the client, are using a cluster with SAN and 2 nodes for failover. We need to generate a public/private key pair for the cluster. The public key and a public IP address for the cluster will be sent to the FTP site owner so we, the client, will be recognized. As the client, do we also have to make sure all server instances are aware of the public/private key pair? How do we do that? Thanks!

commented Sep 23, 2011 by Lukas Pokorny (103,130 points)
edited Sep 23, 2011

By "server instances", do you mean "machines running the Rebex SFTP client" in this case? In that case, the private key would most likely be stored in a short encrypted file you have to load before connecting to the SFTP site. Alternatively, it might be stored in a database blob as binary data. Essentially, you have to make sure the key can be accessed by applications running on both machines: you have to load it into the SshPrivateKey class before calling the Sftp object's Login method (see http://www.rebex.net/sftp.net/tutorial-sftp.aspx#public-key-authentication for details).
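The following C# program is an added illustration of the advice in this thread; it is not code from the forum posts or from Rebex. It keeps the encrypted private key on a volume that both failover nodes can reach, decrypts it with a passphrase taken from the environment, checks the server's host key fingerprint before sending credentials (the "a)" direction from the answer), and then logs in with password plus private key (the "b)" direction Louise describes). The Rebex calls used (`SshPrivateKey(path, password)`, `SshPrivateKey.Generate`, `Save`, `Sftp.Connect`, `Sftp.ServerKey.Fingerprint`, `Sftp.Login(user, password, key)`, `GetFile`, `Disconnect`) follow the linked tutorial but are assumptions about the API of that era, and the host name, user name, paths and fingerprint are placeholders.

```csharp
using System;
using System.IO;
using Rebex.Net;

// Added example (not from the thread or from Rebex). Assumed API: SshPrivateKey(path, password),
// SshPrivateKey.Generate(algorithm, bits), Save(path, password, format), Sftp.Connect(host),
// Sftp.ServerKey.Fingerprint, Sftp.Login(user, password, privateKey), GetFile, Disconnect.
class ClusterSftpKeyExample
{
    // Assumption: the SAN volume is mounted under the same path on both nodes,
    // so whichever node is active after failover loads the same key file.
    const string KeyPath = @"S:\keys\customer-sftp-key.pem";

    // Placeholder: the site owner's host key fingerprint, recorded out-of-band when the account was set up.
    const string ExpectedFingerprint = "PLACEHOLDER-FINGERPRINT";

    // One-time step: generate the pair and store the private half encrypted on the shared volume.
    // Only the public half is sent to the FTP site owner; the private file never leaves the cluster.
    static void GenerateKeyOnce(string passphrase)
    {
        SshPrivateKey key = SshPrivateKey.Generate(SshHostKeyAlgorithm.RSA, 2048);
        key.Save(KeyPath, passphrase, SshPrivateKeyFormat.OpenSsh); // file is encrypted with the passphrase
    }

    static string RequireEnv(string name)
    {
        // Secrets come from the environment (or a secret store), never from source code.
        string value = Environment.GetEnvironmentVariable(name);
        if (string.IsNullOrEmpty(value))
            throw new InvalidOperationException(name + " is not set");
        return value;
    }

    static void Main()
    {
        string passphrase = RequireEnv("SFTP_KEY_PASSPHRASE");
        if (!File.Exists(KeyPath))
            GenerateKeyOnce(passphrase);

        // Load and decrypt the private key; this step must succeed on both nodes.
        SshPrivateKey key = new SshPrivateKey(KeyPath, passphrase);

        Sftp client = new Sftp();
        try
        {
            client.Connect("sftp.example.com"); // placeholder host

            // Authenticate the server before any credentials are sent.
            string actual = client.ServerKey.Fingerprint.ToString();
            if (!string.Equals(actual, ExpectedFingerprint, StringComparison.OrdinalIgnoreCase))
                throw new InvalidOperationException("Unexpected server host key fingerprint: " + actual);

            // Authenticate ourselves: password plus private key, as described in the thread.
            client.Login("customer-user", RequireEnv("SFTP_PASSWORD"), key); // placeholder user name

            client.GetFile("/outbound/report.csv", @"S:\inbound\report.csv"); // placeholder paths
        }
        finally
        {
            client.Disconnect();
        }
    }
}
```

Because the key file and passphrase are the only per-node state, nothing about the key itself changes between the two nodes; the failover design question reduces to making the same encrypted file readable from both, which is what the shared SAN path does here.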

...