Using SSH keys
You can use RSA private keys to connect to UNIX-based systems as a specific user. To do so, you must create a user and an RSA key. If you already have a Discovery user (or an LDAP user) that you want to use to connect to the system, skip ahead to generating an RSA key.
Create a Discovery user
Log in to the UNIX system with permissions to create a user, then use the following commands to create a user:
- Create a user with the login name discousr and a default home directory:
useradd -m discousr
- Change the password for the user:
passwd discousr
- Add the user to the sudo group so it can run commands with sudo:
adduser discousr sudo
- Change to the created user:
su - discousr
Generate an RSA key
The Discovery SFTP_RSA export type doesn't support .ppk files.
Before you create a key, make sure the file ~/.ssh/authorized_keys exists on the remote host; it will hold the public key (the contents of the id_rsa.pub file). If the file already exists, append the new public key to it rather than overwriting it:
cat $HOME/.ssh/id_rsa.pub >> $HOME/.ssh/authorized_keys
To generate an RSA key:
- Generate the RSA key files. The -m PEM option writes the private key in the classic PEM container; since OpenSSH 7.8, ssh-keygen otherwise defaults to its own OpenSSH key format:
ssh-keygen -t rsa -m PEM
- This creates your private RSA key, which will be used by the Discovery tool:
$HOME/.ssh/id_rsa
- It also creates your public RSA key:
$HOME/.ssh/id_rsa.pub
- Copy the public RSA key to the user's authorized_keys on the host (this is also required for connecting to the host):
ssh-copy-id discousr@localhost
- Copy the private RSA key file to the system that is running the Discovery tool. For example, create a subfolder to C:\Program Files\Discovery\rsakeys\. You also should rename the id_rsa file (such as discousr_id_rsa) so you can identify the key file for each credential.
- Use the private RSA key file as described in Set up Discovery - Credentials.
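As an added example that is not part of the Discovery documentation, the following POSIX shell script checks two things the procedure above depends on: that a private key file is in the classic PEM container written by ssh-keygen -m PEM rather than a .ppk file (which SFTP_RSA does not support) or the OpenSSH native container, and that the remote ~/.ssh directory and authorized_keys file have the 0700/0600 modes sshd requires under StrictModes (with looser modes the public key is silently ignored). The script name and all key headers used in its checks are constructed.

```shell
#!/bin/sh
# Added example (not from the Discovery documentation): sanity-check a private
# key file and a remote ~/.ssh directory before wiring the key into a credential.

# Print the key container format from its first line:
# pem-rsa, pem-pkcs8, openssh, ppk or unknown.
key_format() {
    first_line=$(head -n 1 "$1" 2>/dev/null || true)
    case "$first_line" in
        '-----BEGIN RSA PRIVATE KEY-----')     echo pem-rsa ;;   # ssh-keygen -t rsa -m PEM
        '-----BEGIN PRIVATE KEY-----')         echo pem-pkcs8 ;; # PKCS#8, e.g. from openssl
        '-----BEGIN OPENSSH PRIVATE KEY-----') echo openssh ;;   # ssh-keygen default; all ed25519 keys
        'PuTTY-User-Key-File-'*)               echo ppk ;;       # PuTTYgen; not accepted by SFTP_RSA
        *)                                     echo unknown ;;
    esac
}

# Octal permission bits of a path; tries GNU stat first, then BSD/macOS stat.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 when DIR is mode 700 and DIR/authorized_keys exists with mode 600,
# which is what sshd StrictModes (the default) requires.
authorized_keys_perms_ok() {
    dir=$1
    [ -d "$dir" ] || return 1
    [ -f "$dir/authorized_keys" ] || return 1
    [ "$(mode_of "$dir")" = 700 ] || return 1
    [ "$(mode_of "$dir/authorized_keys")" = 600 ] || return 1
}

# Usage: sh check_key.sh PRIVATE_KEY_FILE [SSH_DIR]   (script name is constructed)
if [ $# -ge 1 ]; then
    echo "$1: $(key_format "$1")"
    if [ $# -ge 2 ]; then
        if authorized_keys_perms_ok "$2"; then
            echo "$2: permissions ok"
        else
            echo "$2: directory must be mode 700 and authorized_keys mode 600"
        fi
    fi
fi
```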
Known limitations
When you configure the Discovery tool or Collector with the export type SFTP_RSA, you might need to generate a key using the ssh-keygen command. If the key algorithm is not accepted by the target system (OpenSSH 8.8 and later disable the ssh-rsa signature algorithm, RSA with SHA-1, by default), you may encounter an error similar to this one in the sshd log:
Jul 07 11:42:34 <hostname> sshd[5626]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
Assets Discovery uses the latest version of the SSH.NET library. Check out the list of supported host key algorithms:
- ssh-ed25519
- ecdsa-sha2-nistp256
- ecdsa-sha2-nistp384
- ecdsa-sha2-nistp521
- ssh-rsa
- ssh-dss
If the ssh-rsa algorithm isn't accepted, generate a new key with one of the other supported algorithms. For example, the following command generates an ed25519 key (ssh-keygen takes the key type as ed25519, not ssh-ed25519):
ssh-keygen -t ed25519
Note that ed25519 private keys are always written in OpenSSH's native key format; the -m PEM option has no effect on them, so confirm that your Discovery version accepts a key in that format before replacing the RSA key in the credential.