JFrog

    Cloud customer?
    Start for Free>
    Upgrade in MyJFrog >
    What's New in Cloud >






    Skip to end of metadata
    Go to start of metadata

    Overview

    JFrog Artifactory supports SSH authentication for Git LFS and theJFrog CLIusing RSA public and private keys. This allows these tools to exchange sensitive information with the Artifactory server that is authenticated via SSH. You will need to configure SSH keys to authenticate requests sent to the JFrog Platform from Git LFS client or from the JFrog CLI.

    There are two main facets of SSH authentication:

    Server authenticates itself to the client

    The server must be authenticated before you send it any confidential data. For example, you should not authenticate a user to the server with the user's password before the server has been authenticated. The server is authenticated in the following manner:

    When the SSH connection is established, the server sends its public key to the client, and the client matches the key to a list of known public keys stored in aknown_hostsfile (before the first ever connection to the server, you must obtain the server's public key by some other means and add it to theknown_hostsfile manually). This verifies that the server is indeed the owner of the stored public key, since only that server will have the corresponding private key. It also verifies that the server is known (and not an imposter) since its public key is stored in theknown_hostsfile.

    User authenticatesitselfto the server

    This process mirrors the process of the server being authenticated to the client. The user must first provide their public key to the server, which stores the key in the user's account authorization list. Then, when the user tries to log in, the server sends the user back their public key, and the user must show that they hold the corresponding private key.

    Limitation

    SSH is not supported on theArtifactory SaaScloud service.

    页面内容

    SSH Server Configuration

    To configure SSH authentication, you will need to execute the following main steps:

    1. Configure Server Authentication
    2. Configure User Authentication
    3. Configure the Git LFS or CLI Client

    Configuring Server Authentication

    1. In this step you will configure Artifactory's SSH authentication parameters. First you need to generate an SSH key pair for Artifactory. For example, on a Linux-based system, you could execute the following command.

      ssh-keygen -t rsa -C "server@domain.com"

    2. Next,to configure Artifactory for SSH authentication, go to theAdministrationmodule, selectArtifactory | |安全密钥管理and click theSSH Keystab.``

      JFrog Cloud New Interface (Beta)

      On the taskbar, click(Platform Configurations), and selectPlatform Security > Keys Management.到learn more, clickhere.

    4. Fill in the details for the Server Settings and the Server Keys.

      Enable SSH Authentication
      		 When checked, SSH authentication is enabled.
      Port
      		 The port that should be used for an SSH connection.
      Custom URL Base
      		 TheCustom Base URLthat should be used for SSH connections. Note that this is the same Custom URL Base configured in theAdministrationmodule underConfiguration | General.
      Public key/Private key
      		 The key pair used for authentication.

    Configuring User Authentication

    In this step, you will configure Artifactory with your public key so that you may be authenticated when sending requests to Artifactory from the Git LFS client or from the Artifactory CLI.

    First, you need to generate a key pair. For example, on a Linux-based system, you could execute the following command:

    ssh-keygen -t rsa -C "USER@domain.com"

    Your public and private keys should be created under the~/.sshfolder.

    Don't forget to update your public key

    Update your public key under theSSHsection of your User Profile.

    Configuring the Client

    To configure your Git LFS client, seeAuthenticating with SSH.


    Controlling Your SSH Server Security

    Controlling your SSH Server Security depends on your JFrog deployment:

    • In a Cloud deployment,contact JFrog support, to make the required changes to your SSH Server Security.
    • In a Self-Hosted deployment, you can control your SSH Server Security. Requires Platform Administrator permissions.

    You can now control ciphers, MACs, signatures, and key exchange algorithms that are accepted by the Artifactory SSH server.
    These values are left empty/null by default, and can have values delimited by comma (,) similarly to the correlating properties and will be applied only if the corresponding artifactory.ssh.*.algorithms is not set.

    Include Pattern System Properties

    From Artifactory 7.18.6, the following constant values have been added as 'Include Only' algorithms:

    • artifactory.ssh.cipher.algorithms=
    • artifactory.ssh.key.exchange.algorithms=
    • artifactory.ssh.mac.algorithms=
    • artifactory.ssh.signature.algorithms=

    Exclude Pattern System Properties

    The Exclude patterns are:

    • artifactory.key.exchange.black.list=...
    • artifactory.cipher.black.list=...

    从Artifactory 7.18.6 additional system properties were added to the exclude patterns.

    • artifactory.ssh.mac.black.list=...
    • artifactory.ssh.signature.black.list=...

    Supported Values By Algorithm Type

    Deprecated values are not loaded by default.

    Algorithm Type

    Values (loaded by default)

    Deprecated (not loaded unless configured by name)
    Cipher Algorithms
    • arcfour128
    • arcfour256
    • blowfish-cbc
    • 3des-cbc

    Key Exchange Algorithms
    • diffie-hellman-group-exchange-sha256
    • diffie-hellman-group18-sha512
    • diffie-hellman-group17-sha512
    • diffie-hellman-group16-sha512
    • diffie-hellman-group15-sha512
    • diffie-hellman-group14-sha256
    • diffie-hellman-group14-sha1
    • diffie-hellman-group-exchange-sha1
    • diffie-hellman-group1-sha1

    Message Authentication Codes (MAC) Algorithms
    • hmac-md5
    • hmac-md5-96
    • hmac-sha1-96

    Signature Algorithms
    • No labels
    Copyright © 2023 JFrog Ltd.