Secure access to NetStorage

Configure secure access to NetStorage by using Secure Shell (SSH) keys. You can create a key using any tool that produces keys in the OpenSSH format.

What is secure access?

Upload accounts can be configured to access NetStorage by "secure" means, and this is the recommended practice. You need to generate an OpenSSH-compatible key and associate the public half of that key with an upload account that has been configured to access the desired storage group. Once you've done this, you can use these secure protocols ("access methods") with NetStorage: SFTP, SecureCopy, Secure-Rsync and the NetStorage CMShell.

Note: If you're using standard FTP or non-secure Rsync, you don't need an SSH key.

Before you begin

Many of the tools used to create an SSH key are pre-installed with Linux, Unix, and MacOS systems. If you're using Windows, install a terminal session emulator such as Cygwin, or the PuTTY client to help generate keys.

I want to use Cygwin

Cygwin is a full terminal emulator that lets you issue Unix-based commands from a prompt. Visit the Cygwin site and get these packages:

  • Net → OpenSSH: This includes OpenSSH binaries such as ssh, scp, ssh-keygen, and sftp. This is also required to use the secure Rsync access method.
  • Net → Rsync: This includes the Rsync binary.

I want to use PuTTY

PuTTY is a collection of tools, including a user interface that lets you generate SSH keys. Visit the PuTTY site to get these binaries:

  • putty.exe: This is the PuTTY SSH client itself.
  • pscp.exe: This is an SCP client provided by PuTTY.
  • psftp.exe: This is an SFTP client provided by PuTTY.
  • puttygen.exe: This is the key generation utility provided by PuTTY. It can export keys in OpenSSH format.

Step 1: Generate an SSH key

Create a unique key for each protocol ("access method") you'll use to access NetStorage. This provides better security and prevents you from accidentally overwriting other keys on your system.

Note: Are you using Aspera Upload Acceleration? If so, see SSH Keys and Aspera Upload Acceleration, below, before you create a key.
Key generation utilities and how to generate the key

ssh-keygen. This is a command you run from a terminal session to create a 2048-bit RSA key.
  • Linux/Unix/MacOS: These systems typically include ssh-keygen by default.
  • Windows: You use Cygwin to run this command.

Command format

ssh-keygen -t rsa -b 2048 -C "<Comment>" -f <output file>

Example creation of an SSH key

This example creates an SSH key that we want to use with the SFTP access method. We note this by including the optional -C "<comment>" option. It places the key on your local machine in the "AccessMethods" directory. The "AccessMethods" directory is optional, but we recommend using a subdirectory like this so you won't inadvertently overwrite an existing key.

ssh-keygen -t rsa -b 2048 -C "NetStorage-SFTP" -f ./AccessMethods/SFTP

Note: Depending on your system environment, you may need to create destination directories if they don't already exist.

PuTTYgen. This is typically for use with Windows systems, but the command-line version is also available for Linux and Mac-based systems.
  1. Enter a Key comment to make the key easy to recognize, such as “NetStorage-SFTP-20200825”.
  2. Enter and confirm a passphrase. This is optional but recommended.
  3. Set the Type of key to generate to: RSA
  4. Set the Number of bits in a generated key to: 2048
  5. Click Generate.
  6. Export the OpenSSH private key. Save a NetStorage-compatible private key by opening the Conversions menu and choosing Export OpenSSH key.
  7. Copy the OpenSSH public key. Copy the content from the Public key for pasting field and paste it into a new plain-text file for later use. You use this when applying the SSH key to an upload account.
Note: NetStorage uses the OpenSSH format for private and public keys.
[Screenshot: Export the OpenSSH private key]

[Screenshot: Copy the OpenSSH public key]

Step 2: Apply the SSH key

You apply the public instance of an SSH key to the appropriate upload account in the NetStorage Groups UI.

  1. In the Access Methods content panel for an upload account, access the SSH and Aspera tab.
  2. Click +Add SSH Key.
  3. Populate the fields as follows:
    • SSH Key. Paste the entire contents of the "public" instance of the key file into this field. It must be a valid OpenSSH-compatible public key. (Open the file in a text editor to copy its contents.)
    • Notes (Optional). Input any key-related information you feel is relevant in this field.
  4. Click +Add SSH Key to complete the process. A new entry for the key is shown in the SSH Authentication table.
  5. Click +Add SSH Key again to add an additional key, and repeat steps 3 - 4.

As discussed in Step 1: Generate an SSH key, we recommend that you generate and apply a unique SSH key for each access method you'll be using.
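An added example, not Akamai's own tooling: a POSIX shell helper that wraps the Step 1 ssh-keygen command with the directory and no-overwrite safeguards mentioned above, plus a check that what you paste into the SSH Key field in Step 2 is a single-line OpenSSH public key rather than PuTTY's .ppk text or the RFC 4716 block. The function names and the sample key strings are assumed and constructed.

```shell
#!/bin/sh
# Added example (not Akamai tooling): a per-access-method key generator with
# the safeguards from Step 1, and a format check for the public key you paste
# in Step 2. Function names and sample strings are assumed/constructed.

# netstorage_keygen METHOD [KEYDIR] [PASSPHRASE]
# Creates KEYDIR/METHOD and KEYDIR/METHOD.pub; refuses to overwrite a key that
# may already be applied to an upload account.
netstorage_keygen() {
    method="$1"; keydir="${2:-./AccessMethods}"; pass="${3:-}"
    key="$keydir/$method"
    mkdir -p "$keydir" && chmod 700 "$keydir" || return 1
    if [ -e "$key" ] || [ -e "$key.pub" ]; then
        echo "refusing to overwrite existing key $key" >&2; return 1
    fi
    # -C tags the key with its purpose; an empty -N means no passphrase.
    ssh-keygen -q -t rsa -b 2048 -C "NetStorage-$method" -f "$key" -N "$pass"
}

# check_openssh_pubkey LINE
# Accepts "<type> <base64> [comment]" and rejects PuTTY .ppk text or the
# RFC 4716 "---- BEGIN SSH2 PUBLIC KEY ----" block that PuTTYgen's Save
# public key button writes (neither is what the SSH Key field expects).
check_openssh_pubkey() {
    set -f; set -- $1; set +f          # split into type, base64 body, comment
    ktype="$1"; blob="${2:-}"
    case "$ktype" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "not an OpenSSH public key line (starts with '$ktype')" >&2; return 1 ;;
    esac
    # The body is SSH wire format: a 4-byte big-endian length, the type string
    # again, then the key material. Compare that decoded prefix byte by byte.
    tlen=${#ktype}
    got=$(printf '%s' "$blob" | base64 -d 2>/dev/null | head -c $((4 + tlen)) \
          | od -An -tu1 | tr -d ' \n')
    want=$(printf '000%d' "$tlen"; printf '%s' "$ktype" | od -An -tu1 | tr -d ' \n')
    if [ -z "$blob" ] || [ "$got" != "$want" ]; then
        echo "base64 body does not encode an OpenSSH $ktype key" >&2; return 1
    fi
}

# Constructed samples. The RSA body is a truncated stub: real keys continue
# with the modulus after AAAAB3NzaC1yc2EAAAADAQAB.
GOOD_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB NetStorage-SFTP'
RFC4716_HEADER='---- BEGIN SSH2 PUBLIC KEY ----'
TYPE_MISMATCH='ssh-ed25519 AAAAB3NzaC1yc2EAAAADAQAB NetStorage-SCP'
```

Run `netstorage_keygen SFTP` once per access method and then `check_openssh_pubkey "$(cat ./AccessMethods/SFTP.pub)"` before pasting; the check exits non-zero with a reason on stderr when the pasted text is in the wrong format.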

What about the private key?

Later, when you actually access the storage group, your client uses the private instance of the key to authenticate against the public instance stored on the upload account. You can load the private key into a supported SSH client component, or pass it explicitly in the syntax of an individual protocol command (for example, with the -i option shown in Step 4).

SSH Keys and Aspera Upload Acceleration

While you can manually generate an SSH key and apply it for use with Aspera, we recommend that you use the utility offered in the Aspera Client application to generate the key. Other operations must be performed in the Aspera Client to configure it, and using it to generate the SSH key simplifies the entire process. If you choose the manual method, you must have access to the public key and be able to copy/paste its contents into the Aspera Client.

Step 3: Configure your OpenSSH client

Secure access methods (SFTP, SecureCopy, CMShell, and Secure-Rsync) require a compatible OpenSSH client configuration. Use these steps to configure your OpenSSH client:

Edit your SSH client config
  1. Locate your SSH client config.
    • Common Unix SSH config locations:
      Current user:  ~/.ssh/config
      System wide: /etc/ssh/ssh_config
    • Common Windows SSH config locations:
      Current user:  C:\users\%username%\.ssh\config
      System wide: C:\ProgramData\ssh\ssh_config
  2. Add these entries to your SSH client config:
    Host *.upload.akamai.com
      HostKeyAlgorithms +ssh-dss

Step 4: Connect to NetStorage

  1. Use your SSH client to connect to NetStorage using the sshacs username. Each access method uses your domain-prefix and a protocol-specific upload domain. This example shows an SFTP connection:
    SFTP example: sftp -i <private key> sshacs@[domain-prefix].sftp.upload.akamai.com
  2. NetStorage responds with its public DSA key.

    Unlike the RSA key your client uses to authenticate to NetStorage, the key NetStorage presents to identify itself to your client is a DSA key. Along with an authenticity message, you'll receive a DSA public key fingerprint and be prompted to accept it. Enter "y" or "yes" to accept it and add the host as a known system on your client.

    The authenticity of host '[domain-prefix].sftp.upload.akamai.com (IP-Address)' can't be established.
    DSA key fingerprint is SHA256:[HASH].

    Are you sure you want to continue connecting (yes/no)? yes

    Note: This confirmation message displays whenever connecting to an upload domain or IP for the first time.

The connection is successful.

Connected to sshacs@[domain-prefix].sftp.upload.akamai.com