SFTP Public-key Authentication Configuration using GoCommands¶
GoCommands provides a feature to configure public-key authentication for the Data Store's SFTP service. The copy-sftp-id
command uploads your local SSH public keys to the Data Store, enabling password-less authentication for the SFTP service.
Setting Up Public-key Authentication¶
-
Generate an SSH key (if needed):
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
This creates a private key
id_rsa
and a public keyid_rsa.pub
in the~/.ssh
directory. -
To copy all SSH public keys from your
~/.ssh
directory, run:gocmd copy-sftp-id
This command automatically detects all SSH public keys for the current local user in the
~/.ssh
directory at local machine and copies them to/iplant/home/<username>/.ssh/authorized_keys
in the Data Store. This process is similar to standard SSH public-key registration. -
To copy the specified SSH public key, use:
gocmd copy-sftp-id -i ~/.ssh/id_rsa.pub
This command copies only the SSH public key from the
~/.ssh/id_rsa.pub
file to/iplant/home/<username>/.ssh/authorized_keys
in the Data Store.
Advanced Configuration¶
For advanced usage, you can control public-key access by manually editing the /iplant/home/<username>/.ssh/authorized_keys
file in the Data Store. This process involves downloading the file, making changes, and then uploading it back. Here's how to do it:
-
Download the
authorized_keys
file:gocmd get /iplant/home/myUser/.ssh/authorized_keys .
-
Edit the file locally with a editor: Open it with a text editor (e.g.,
vi
,nano
):vi authorized_keys
Add parameters in
key=value
format before each SSH key. Example:expiry-time="20250320" from="10.11.12.13" ssh-rsa AAAAB3Nza... myUser
-
Upload the modified file back to the Data Store:
gocmd put authorized_keys /iplant/home/myUser/.ssh/
Available Parameters¶
Parameter | Description | Example |
---|---|---|
expiry-time |
Sets expiration date-time in YYYYMMDD , YYYYMMDDhhmm , or YYYYMMDDhhmmss format |
expiry-time="20250320" |
from |
Allows access from specific IP addresses. Use IP address, CIDR, or ! prefix to negate. Separate multiple entries with commas |
from="10.11.12.13,!10.11.12.14" |
home |
Sets a specific home collection path for SFTP access within the Data Store. Use absolute path of the collection in the Data Store | home=/iplant/home/myUser/sftp_home |