Implementing Public SSH Key for secure Linux (UNIX family) monitoring

Enhance security and optimize monitoring workflows by deploying public SSH Key authentication on Unix family systems—learn how in this step-by-step guide.

Unix and Linux systems can be monitored using traditional passwords or the more secure SSH keys. SSH keys eliminate the need to send passwords over the network, reduce the risk of brute-force attacks, and make it easier to manage multiple servers.

This guide shows how to create and implement an SSH key in NetCrunch, using a Rocky 9 node as an example. Steps may vary slightly depending on your Unix system.

Generating SSH key and providing it to NetCrunch

  1. Log in as your Linux user to the Rocky 9 node you want to monitor, and use the ssh-keygen command to generate your SSH key files. Note that id_rsa is the private key and id_rsa.pub is the public key. In this example, we'll set a blank password, but you may add a password in your production network scenario.

  2. Next, create the "authorized_keys" file on this node. To do so, copy the contents of the id_rsa.pub file to the "authorized_keys" file: 'cat id_rsa.pub > authorized_keys'. By default, id_rsa is located in the hidden .ssh folder, and the authorized_keys file must also be in this .ssh subfolder of the user's home folder.

  3. Set the proper permissions on the .ssh folder and the "authorized_keys" file: chmod 700 .ssh for the folder and chmod 600 .ssh/authorized_keys for the file.
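
Steps 2 and 3 as a re-runnable script, added here as an example (not NetCrunch code): it appends the public key instead of overwriting authorized_keys, so keys already authorized on the node survive, and it audits the modes from step 3. The function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: idempotent key installation plus a permission audit.
# install_pubkey and check_ssh_perms are illustrative names, not NetCrunch's.

# install_pubkey HOME_DIR PUBKEY_FILE
# Adds the public key to HOME_DIR/.ssh/authorized_keys only if that exact
# line is not already there, then applies the modes from step 3.
install_pubkey() {
    home_dir=$1
    pubkey_file=$2
    ssh_dir="$home_dir/.ssh"
    auth="$ssh_dir/authorized_keys"

    # Refuse id_rsa passed by mistake instead of id_rsa.pub.
    if grep -q 'PRIVATE KEY' "$pubkey_file"; then
        echo "refusing: $pubkey_file looks like a private key" >&2
        return 2
    fi

    mkdir -p "$ssh_dir" || return 1
    touch "$auth" || return 1
    key=$(cat "$pubkey_file")
    # -x whole-line match, -F fixed string: append the key only once.
    grep -qxF -- "$key" "$auth" || printf '%s\n' "$key" >> "$auth"

    chmod 700 "$ssh_dir" && chmod 600 "$auth"
}

# check_ssh_perms HOME_DIR
# Returns 0 only when .ssh is drwx------ and authorized_keys is -rw-------.
# Prints every deviation it finds.
check_ssh_perms() {
    ssh_dir="$1/.ssh"
    rc=0
    # cut -c1-10 drops the trailing "." or "+" that SELinux/ACLs add to ls output.
    mode=$(ls -ld "$ssh_dir" 2>/dev/null | cut -c1-10)
    [ "$mode" = "drwx------" ] || { echo "bad mode on $ssh_dir: ${mode:-missing}"; rc=1; }
    mode=$(ls -l "$ssh_dir/authorized_keys" 2>/dev/null | cut -c1-10)
    [ "$mode" = "-rw-------" ] || { echo "bad mode on authorized_keys: ${mode:-missing}"; rc=1; }
    return $rc
}
```

With sshd's default StrictModes setting, key logins are refused when these files are writable by other users, so running check_ssh_perms "$HOME" is a quick first check if the node does not accept the key.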

Adding a single monitored node using SSH-key authentication to NetCrunch

Now we have the private key ready to be copied into the NetCrunch administration console to monitor the Rocky 9 node. You may copy the content as text or load the entire id_rsa file into NetCrunch. Here's how:

A. If the node is not in the NetCrunch Atlas yet, you can add it manually and set the device type to "LINUX"


In the next window (as below), set the Authentication type to Public/Private key credentials. Enter the (Linux) username and the Private Key (located in the id_rsa file). If you set a password during key generation, fill in the Private Key Password field as well.


After everything is set, press Next and finish the configuration. The node will now be monitored using SSH key authentication.

B. If the node is already part of the NetCrunch Atlas, you can switch its monitoring authentication from user/password credentials to SSH public key credentials on this particular node.

Here's how to do it:

Go to the settings window of the node. Click on the gear icon next to the "Linux" section of the window. Just like in the previous steps, switch Authentication to Custom Node Public Key Credentials.

Provide the private key along with the username and (optionally) the password for this private key.


Configuring public/private keys credentials for multiple Linux nodes in NetCrunch

If you want to use public/private keys as the default for monitoring multiple or all Linux nodes, this can be set in the "Atlas Configuration Wizard" or the "Options".

You can access it from the top menu at Settings > Monitoring > Monitoring Credentials Manager, or by using the Settings tab and searching for Monitoring Credentials Manager.


Follow the first two steps of the wizard. During the "Credentials" step, switch to Linux and select the "Public key authentication" tab.

Use the [...] button to select your file with the SSH key.

Continue through the rest of the wizard, and the SSH key will now be used as the default method for monitoring Linux systems.


Remember to provide your generated public key to all Linux machines that you want to monitor using SSH-key authentication. For this purpose, create the "authorized_keys" file containing your public key on each machine. This file should be located in the subfolder .ssh of the user's home folder, as described in Step 3 (the user that is used for NetCrunch monitoring).
