Using SSH keys
You can use private RSA keys for UNIX-based systems to connect with a specific user. To do so, you must create a user and an RSA key. If you already have a Discovery user that you want to connect to the system (or an LDAP user), start by generating an RSA key.
Create a Discovery user
Log in to the UNIX system with permissions to create a user, then use the following commands to create a user:
- Create a user with the login name discousr and a default home directory:
useradd discousr -m
- Change the password for the user:
passwd discousr
- Add the user to the sudoers group:
adduser discousr sudo
- Change to the created user:
su - discousr
Generate an RSA key
The Discovery SFTP_RSA export type doesn't support .ppk files.
Before you create a key, you need to create a file named authorized_keys inside the ~/.ssh folder on the remote host. This file will contain the public key (the id_rsa.pub file). If the file already exists, you can append the new public key to it.
cat $HOME/.ssh/id_rsa.pub >> authorized_keys
To generate an RSA key:
- Use the following commands:
- Generate the RSA key files:
ssh-keygen -t rsa -m PEM
- Create your private RSA key. This file will be used by the Discovery tool:
$HOME/.ssh/id_rsa
- Create your public RSA key:
$HOME/.ssh/id_rsa.pub
- Copy the public RSA key (this is also required for connecting to the host):
ssh-copy-id discousr@localhost
- Copy the private RSA key file to the system that is running the Discovery tool. For example, create the subfolder C:\Program Files\Discovery\rsakeys\. You should also rename the id_rsa file (for example, to discousr_id_rsa) so that you can identify the key file for each credential.
- Use the private RSA key file as described in "Configure Discovery - Credentials".
Known limitations
When you configure the Discovery tool or Collector with the export type SFTP_RSA, you might need to generate a key using the ssh-keygen command. If the algorithm is not accepted by the target system, you may encounter an error similar to this one:
Jul 07 11:42:34 <hostname> sshd[5626]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
Assets Discovery uses the latest version of the SSH.NET library. Check out the list of supported host key algorithms:
- ssh-ed25519
- ecdsa-sha2-nistp256
- ecdsa-sha2-nistp384
- ecdsa-sha2-nistp521
- ssh-rsa
- ssh-dss
If the ssh-rsa algorithm isn't supported, use one of the other supported algorithms to generate a new key. For example, you can run the following command:
ssh-keygen -t ssh-ed25519 -m PEM
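To see which key types a target's sshd has been rejecting before you generate a replacement key, you can summarise the log messages shown above. The following script is an added example, not part of the original documentation or of the Discovery tool. The function names are hypothetical, the sample log lines other than the first are constructed, and the PubkeyAcceptedKeyTypes wording (the option name used by older OpenSSH releases) goes beyond the message quoted on this page.

```shell
#!/bin/sh
# Added example: summarise public-key types that sshd rejected in auth log text.

# Algorithms listed on this page for Assets Discovery, in the page's order.
SUPPORTED="ssh-ed25519 ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 ssh-rsa ssh-dss"

# Sample log: line 1 is the message quoted on this page, the rest are constructed.
sample_log() {
cat <<'EOF'
Jul 07 11:42:34 <hostname> sshd[5626]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
Jul 07 11:42:40 <hostname> sshd[5631]: userauth_pubkey: key type ssh-rsa not in PubkeyAcceptedAlgorithms [preauth]
Jul 07 11:43:02 <hostname> sshd[5650]: Accepted publickey for discousr from 192.0.2.10 port 50522 ssh2
Jul 07 11:44:10 <hostname> sshd[5702]: userauth_pubkey: key type ssh-dss not in PubkeyAcceptedKeyTypes [preauth]
EOF
}

# Read log text on stdin; print "<count> <key type>" per rejected key type.
# PubkeyAccepted[A-Za-z]* also matches the older PubkeyAcceptedKeyTypes wording.
rejected_key_types() {
    sed -n 's/.*sshd\[[0-9]*]: userauth_pubkey: key type \([^ ]*\) not in PubkeyAccepted[A-Za-z]*.*/\1/p' |
        sort | uniq -c | awk '{print $1, $2}'
}

# $1: space-separated rejected types. Print the first page-listed algorithm
# that was not rejected; return 1 if every listed algorithm was rejected.
suggest_key_type() {
    for alg in $SUPPORTED; do
        case " $1 " in
            *" $alg "*) ;;
            *) echo "$alg"; return 0 ;;
        esac
    done
    return 1
}

# Read log text on stdin and print a short report.
report() {
    counts=$(rejected_key_types)
    if [ -z "$counts" ]; then echo "no rejected key types found"; return 0; fi
    echo "$counts" | while read -r n t; do echo "rejected $n time(s): $t"; done
    rejected=$(echo "$counts" | awk '{print $2}' | tr '\n' ' ')
    if next=$(suggest_key_type "$rejected"); then
        echo "candidate key type for a new key: $next"
    else
        echo "every listed algorithm was rejected; review the server's sshd configuration"
    fi
}

sample_log | report
```

The suggested type is only a candidate: it is the first algorithm from the list above that does not appear as rejected in the log, so the target's sshd configuration still decides whether it is accepted.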