Hi Roger,

These keys are for SSH key exchange. You'll need to upload the public keys found on the remote server.

Generation and location of these keys depends on operating system and options used during generation and this is a configuration consideration for the remote system, not ADDM, and not appropriate for us to document these processes.

The keys (if they don't exist from the installation process) are normally generated by running the command `ssh-keygen` as the user you're creating the keys for. For example, if you choose to generate keys using DSA, the process will generate 2 files, id_dsa and id_dsa.pub, in the ~/.ssh directory (that's a tilde if not drawn correctly). The id_dsa file, the private key, is the file you would upload to ADDM so that ADDM can automatically connect without a password. The contents of the public key (id_dsa.pub) are then placed in the ~/.ssh/authorized_keys file of the target.

A quick search found this link which describes the process in a little more detail: https://www.digitalocean.com/community/tutorials/how-to-set-up-ssh-keys--2

For more information I'd check the administration manuals of the operating system for the targets. I think ssh-keygen pretty much works on most systems.

HTH.

*edit: correct public/private key confusion

Most systems i've interacted with use the openssh version of ssh.  These are all pretty much the same regardless of the linux / unix package

theres numerous links online for setting up passwordless ssh authentication.  the command you need to run is ssh-keygen.

ex:

     ssh-keygen -t rsa

this link SSH/OpenSSH/Keys - Community Help Wiki is a good tutorial and has solid information. there are others out there that just give a "run these commands" approach.  The single most important thing to understand is to protect your private key and set a strong passphrase

This is not quite right.

You upload the private key to ADDM and put the public key in ~/.ssh/authorized_keys on the remote system you want to log onto.

Hi Andrew,

Currently, we are having BMC Discovery 11.1.0.2 and was trying to discover ADDM appliance using SSK Key.

Have generated public/private key pair using DSA, have stored content of public key to ~/ .ssh/authorized_keys, but while uploading private key & passphrase to ADDM it is enforced to add username and password as well for the server. I could see to execute some privileged commands we need username and password.

But my concern is like we use SSH keys provide a more secure way of logging into a server with SSH than using a password alone because passwords can be cracked. Then why it is enforced to use username and password? Why we cant use only ssh key for discovering basic information of server? Anyhow username and password works as a fallback method of SSH key and required to execute only privilege commands

Thanks in advance !!

While it will force you to have a username if you untick the password then it should not force you to have a password.

The reason why you may want one is if you are sshing with a key using a non-privileged account and set up PRIV functions to use sudo. Then the system gets asked for a username and password.

I tried a couple of times where have uploaded SSH private key, put the passphrase, select SSH authentication as Key only where have uptick the password field for authentication and then click on apply. As soon as I clicked on apply,  next page is throwing an error as Value is missing for username

As I said - in my previous comment. It requires the username.

Andrew,

Could you please help me to understand Do we need to generate the ssky key on our appliance .So that we can keep the private key in the credential vault and share the corresponding public key to the server Team so that they configured on the remote machine.

Technically is does not matter where you generate the keys. You need to load the private key into the vault which is most easily done on the credential page.

So for example, if you want an RSA key you run ssh-keygen -t rsa to get a public (id_rsa.pub) and private (id_rsa) key.

Added id_rsa.pub to .ssh/authorized_keys on the machine you are trying to discovery to the home directory of the user.

Uploaded  id_rsa into a credential on an appliance, provided no passphrase and put the same user in the username.

You mean Technically is does not matter where you generate the keys?