Secure access to NetStorage
Configure secure access to NetStorage by using Secure Shell (SSH) keys. You can create a key using any tool that produces keys in the OpenSSH format.
What is secure access?
Upload accounts can be configured to access NetStorage via "secure" means, and this is the recommended practice. You need to generate an OpenSSH-compatible key pair and associate the public key with an upload account that has been configured to access the desired storage group. Once you've done this, you can use these secure protocols ("access methods") with NetStorage: SFTP, SecureCopy, Secure-Rsync, and the NetStorage CMShell.
Before you begin
Many of the tools used to create an SSH key are pre-installed on Linux, Unix, and macOS systems. Recent Windows 10 and Windows 11 builds also include the OpenSSH client (ssh, sftp, scp, and ssh-keygen) as an optional feature, and it works the same way as on Unix. Otherwise, install Cygwin or the PuTTY tools to help generate keys.
Cygwin provides a Unix-like environment and command prompt on Windows. Visit the Cygwin site and get these packages:
- Net → OpenSSH: This includes OpenSSH binaries such as ssh, scp, ssh-keygen, and sftp. This is also required to use the secure Rsync access method.
- Net → Rsync: This includes the Rsync binary.
PuTTY is a collection of tools, including a graphical key generator. Visit the PuTTY site to get these binaries:
- putty.exe: the PuTTY SSH client itself.
- pscp.exe: an SCP client provided by PuTTY.
- psftp.exe: an SFTP client provided by PuTTY.
- puttygen.exe: the PuTTY key generation utility. It saves private keys in PuTTY's own .ppk format by default; use Conversions > Export OpenSSH key to save the private key in OpenSSH format, and copy the public key from the "Public key for pasting into OpenSSH authorized_keys file" box in its window.
Step 1: Generate an SSH key
Create a unique key for each protocol ("access method") you'll use to access NetStorage. This limits the impact of a compromised key to one access method and keeps you from overwriting or deleting keys used elsewhere on your system.
Key generation utilities:
- ssh-keygen. A command you run from a terminal session to create an RSA-format 2048-bit key.
  Example creation of an SSH key: this example creates an SSH key to use with the SFTP access method and records that intent with the optional "-C <comment>" option. It places the key on your local machine in an "AccessMethods" directory. The "AccessMethods" directory is optional, but we recommend using a dedicated subdirectory like this so that you don't inadvertently overwrite an existing key.
  Note: Depending on your system environment, you may need to create destination directories if they don't already exist; ssh-keygen does not create them for you.
- PuTTYgen. Typically used on Windows systems, but a command-line version (puttygen) is also available for Linux and macOS.
Note: NetStorage uses the OpenSSH format for private and public keys.
Step 2: Apply the SSH key
You apply the public instance of an SSH key to the appropriate upload account in the NetStorage Groups UI.
- In the Access Methods content panel for an upload account, access the SSH and Aspera tab.
- Click +Add SSH Key.
- Populate the fields as follows:
- SSH Key. Paste the entire contents of the "public" key file here (open it in a text editor to copy it). It must be a valid OpenSSH-format public key, which is a single line such as ssh-rsa AAAA... comment, not the multi-line RFC 4716 ("---- BEGIN SSH2 PUBLIC KEY ----") format that some tools write. Never paste the private key here.
- Notes (Optional). Input any key-related information you feel is relevant in this field, for example which access method the key is for.
- Click +Add SSH Key to complete the process. A new entry for the key is shown in the SSH Authentication table.
- Click +Add SSH Key again to add an additional key, and repeat steps 3 - 4.
As discussed in Step 1. Generate an SSH key, we recommend that you generate and apply a unique SSH key for each access method you'll be using.
Later, when you're actually accessing the storage group, your client authenticates with the private key and NetStorage verifies it against the stored public key. You can supply the private key through a supported SSH client configuration, or name it on the command line of an individual protocol command (for example, with the -i option).
SSH Keys and Aspera Upload Acceleration
While you can manually generate an SSH key and apply it for use with Aspera, we recommend that you use the utility offered in the Aspera Client application to generate the key. Other operations must be performed in the Aspera Client to configure it, and using it to generate the SSH key simplifies the entire process. If you choose the manual method, you must have access to the public key and be able to copy/paste its contents into the Aspera Client.
Step 3: Configure your OpenSSH client
Secure access methods (SFTP, SecureCopy, CMShell, and Secure-Rsync) require a compatible OpenSSH client configuration. Use these steps to configure your OpenSSH client:
- Locate your SSH client configuration file:
  - Unix, Linux, and macOS: current user ~/.ssh/config; system-wide /etc/ssh/ssh_config
  - Windows (OpenSSH): current user C:\Users\%USERNAME%\.ssh\config; system-wide C:\ProgramData\ssh\ssh_config
- Add these entries to your SSH configuration:
Host *.upload.akamai.com
HostKeyAlgorithms +ssh-dss
Note: NetStorage identifies itself with a DSA host key. OpenSSH stopped offering ssh-dss by default in version 7.0, so without this entry the connection fails with a "no matching host key type found" error. OpenSSH 10.0 removed DSA support entirely and this setting cannot bring it back; run ssh -Q key and confirm that ssh-dss is listed before relying on it.
Step 4. When you want to connect to NetStorage
- Use your SSH client to connect to NetStorage with the sshacs username. Each access method uses your domain-prefix and a protocol-specific upload domain. This example shows an SFTP connection:
SFTP example: sftp -i <private key> sshacs@[domain-prefix].sftp.upload.akamai.com
- NetStorage responds with its public DSA host key.
Your client authenticates to NetStorage with your RSA key; NetStorage authenticates itself to your client with a DSA host key. On the first connection you'll receive an authenticity message with the DSA key's fingerprint and be prompted to accept it. Verify the fingerprint out of band (for example, against the value your administrator or Akamai's documentation provides) before answering; a fingerprint you cannot verify may mean you're not talking to NetStorage. Enter "yes" to accept and record the host in your client's known_hosts file.
The authenticity of host '[domain-prefix].sftp.upload.akamai.com (IP-Address)' can't be established.
DSA key fingerprint is SHA256:[HASH].
Are you sure you want to continue connecting (yes/no)? yes
Note: This confirmation message displays only when connecting to an upload domain or IP for the first time. If it reappears for a host you've already accepted, or reports that the host key has changed, stop and investigate before accepting.
The connection is successful.
Connected to sshacs@[domain-prefix].sftp.upload.akamai.com
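The command-line parts of the procedure above (Step 1, Step 3 and the host-key check before Step 4), as one POSIX shell script. This is an added example, not Akamai's code or tooling: the key-directory location, the netstorage_<method> file and comment names, the netstorage-sftp Host alias and the domain prefix are assumptions, while the sshacs user, the sftp upload domain, the RSA-2048 key type and the ssh-dss setting come from the page. Step 2 (pasting the public key into the Groups UI) has no command-line equivalent.

```shell
#!/bin/sh
# Added example (not Akamai's code). Generates one OpenSSH RSA key per
# NetStorage access method, writes a matching ssh_config stanza, and checks a
# host-key fingerprint before trusting it. Assumed names: KEY_DIR, the
# "netstorage_<method>" file and comment names, the "netstorage-sftp" Host
# alias and the placeholder domain prefix passed as an argument.
set -eu

KEY_DIR="${KEY_DIR:-$HOME/AccessMethods}"

# Step 1: one RSA-2048 key per access method (sftp, scp, rsync, cmshell),
# stored under its own name so no other key is overwritten. Pass a real
# passphrase outside of automated use.
generate_netstorage_key() {
    method="$1"
    passphrase="$2"
    keyfile="$KEY_DIR/netstorage_${method}"
    mkdir -p "$KEY_DIR"
    chmod 700 "$KEY_DIR"
    if [ -e "$keyfile" ]; then
        echo "refusing to overwrite existing key $keyfile" >&2
        return 1
    fi
    ssh-keygen -q -t rsa -b 2048 -C "netstorage-${method}" \
        -N "$passphrase" -f "$keyfile"
    chmod 600 "$keyfile"
    printf '%s\n' "$keyfile"      # paste "$keyfile.pub" into the Groups UI
}

# Step 3: client config. NetStorage presents a DSA host key, so ssh-dss must
# be re-enabled for *.upload.akamai.com. The alias pins the SFTP key to the
# SFTP upload domain, and IdentitiesOnly stops ssh from offering every key
# it knows about to the server.
write_netstorage_ssh_config() {
    prefix="$1"                      # your domain-prefix
    config="${2:-$HOME/.ssh/config}"
    mkdir -p "$(dirname "$config")"
    cat >> "$config" <<EOF
Host *.upload.akamai.com
    HostKeyAlgorithms +ssh-dss
    User sshacs

Host netstorage-sftp
    HostName ${prefix}.sftp.upload.akamai.com
    User sshacs
    HostKeyAlgorithms +ssh-dss
    IdentityFile ${KEY_DIR}/netstorage_sftp
    IdentitiesOnly yes
EOF
}

# SHA256 fingerprint of one public-key or known_hosts line read from stdin.
hostkey_fingerprint() {
    tmp=$(mktemp)
    cat > "$tmp"
    ssh-keygen -lf "$tmp" -E sha256 | awk '{print $2}'
    rm -f "$tmp"
}

# Before Step 4: fetch the DSA host key, compare it to the fingerprint you
# obtained out of band, and only then add it to known_hosts, so nobody has to
# answer "yes" to an unverified prompt. Needs network access and a client
# that still supports DSA (removed in OpenSSH 10.0).
pin_netstorage_hostkey() {
    host="$1"                              # <prefix>.sftp.upload.akamai.com
    expected="$2"                          # SHA256:... obtained out of band
    known_hosts="${3:-$HOME/.ssh/known_hosts}"
    scanned=$(ssh-keyscan -t dsa "$host" 2>/dev/null) || true
    [ -n "$scanned" ] || { echo "no DSA host key offered by $host" >&2; return 1; }
    actual=$(printf '%s\n' "$scanned" | hostkey_fingerprint)
    if [ "$actual" != "$expected" ]; then
        echo "host key mismatch for $host: got $actual, expected $expected" >&2
        return 1
    fi
    printf '%s\n' "$scanned" >> "$known_hosts"
}

# Usage (prefix, passphrase and fingerprint are placeholders):
#   generate_netstorage_key sftp 'correct horse battery staple'
#   write_netstorage_ssh_config mycompany
#   pin_netstorage_hostkey mycompany.sftp.upload.akamai.com SHA256:...
#   sftp netstorage-sftp
```

The alias stanza repeats HostKeyAlgorithms and User rather than relying on the wildcard stanza because a Host pattern is matched against the name typed on the command line, not against the HostName it resolves to; with the alias in place, the connection in Step 4 reduces to sftp netstorage-sftp and no -i option is needed.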