HAProxy ALOHA Documentation 13.5

SSH Public Key Access

By default, you can access an HAProxy ALOHA host by logging in with ssh and providing the credentials admin / admin.

As an alternative, you can configure SSH public key access. SSH public key access is more secure than regular password access, and it's more convenient because you don't have to enter a password each time.

Configuring the Client

  1. If you do not already have an SSH key, create one with the ed25519 algorithm:

    $ ssh-keygen -t ed25519 -C "name@example.com"

    When prompted for a file and passphrase, accept the default values.

    Create an SSH key for user admin.

    $ ssh-keygen -t ed25519 -C "admin@example.com"
    Generating public/private ed25519 key pair.
    Enter file in which to save the key (/home/admin/.ssh/id_ed25519):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /home/admin/.ssh/id_ed25519
    Your public key has been saved in /home/admin/.ssh/id_ed25519.pub
    The key fingerprint is:
    SHA256:1ZRgPRTwaUDAsC1dn1C7BZMh3rIBwSdsxqLk486FnCI admin@example.com
    The key's randomart image is:
    +--[ED25519 256]--+
    |      .*++X*O=   |
    |    . .+O=.X=*   |
    |   o .o+oo= X..  |
    |    +  . . = o   |
    |   o +  S . .    |
    |E . = .          |
    | . + .           |
    |    o            |
    |                 |
    +----[SHA256]-----+
  2. Ensure the permissions are correct on your private key file.

    $ cd ~
    $ chmod 600 .ssh/id_ed25519
  3. Upload your public key to the HAProxy ALOHA host.

    Upload the public key file to the HAProxy ALOHA host at IP address 192.168.0.100:

    $ scp .ssh/id_ed25519.pub admin@192.168.0.100:/tmp/
    admin@192.168.0.100's password: ***
    id_ed25519.pub                                      100%    393     0.4KB/s         00:00

Configuring the HAProxy ALOHA Host

To complete the configuration, perform the following steps on the HAProxy ALOHA host.

  1. Log in to the HAProxy ALOHA host.

    Log in to the host at IP address 192.168.0.100:

    $ ssh admin@192.168.0.100
    
    admin@192.168.0.100's password: ***
    
    admin@ALOHA1:~$
  2. Add the new key by concatenating it to the end of the authorized keys file, /etc/ssh/authorized_keys/admin:

    root@ALOHA1:~# cat /tmp/id_ed25519.pub | sudo tee -a /etc/ssh/authorized_keys/admin
  3. Make the file readable by owner and group:

    root@ALOHA1:~# chmod 440 /etc/ssh/authorized_keys/admin

You can now make an SSH connection to the load balancer, and you will not be prompted to enter a password.

To give other users access to the host, add their public keys in the same way.

Optional: Disable SSH Password Login

Optionally, you can disable the default login behavior. With this configuration, users having a public key on the HAProxy ALOHA host can login without entering a password.

After verifying that SSH public key login works correctly, perform these steps on the HAProxy ALOHA host.

  1. In the Tools tab File Manager, navigate to /etc/ssh and click the sshd_config file to open it for editing.

  2. Change PasswordAuthentication to no:

    PasswordAuthentication no
  3. Click Save.

  4. On the Services tab, locate sshd and click Restart restart_icon.

  5. On the Setup tab, go to the Configuration section and click Save.


Next up

LDAP Authentication