Published on

Business Central SSH Key-Based Authentication

Authors

Do you know it is possible to authenticate to Business Central Storage (niogit) using SSH Key-Based Authentication? If you don't, let's learn how we can do it on this post.

Business Central storage internally is git-based and we also expose cool additional features to more advanced use cases. One of these hidden gems of Business Central is SSH Key-Based Authentication, pretty useful for your CI/CD.

To start using SSH Key-Based Authentication in Business Central, under the project settings menu, you can copy the URL for doing SSH operations over your project:

ssh1

For instance, to do a git clone of this project, you can do the following command:

git clone ssh://{user}@localhost:8001/MySpace/Course_Scheduling

ssh2

But can we do it using my SSH Keys and without having to type the password?

Business Central SSH Key-Based Authentication

Yes, and it's super simple. Go under the BC settings menu (cog icon), click on 'SSH Keys', and add your public RSA ssh keys there.

ssh3

As soon as you add your public RSA ssh key for Business Central, you can do a git clone operation without having to inform the user and password:

ssh4

If you don't have ssh keys, you can create it with the following command:

ssh-keygen -t rsa -m PEM

ssh5

Note: You don't need to provide any passphrases. Keep in mind there are multiple configurations to create your ssh keys. This is just an example of the command.

Advanced Options

In most of the use cases, users should associate ssh keys to BC users via Business Central UI. But you can also add them manually over the Business Central Key store directory (for instance, in an automated way via i.e. Ansible).

By default, BC uses ".security" directory created on the same directory where you launched wildfly/eap. But this can be also configured with a system property "appformer.ssh.keys.storage.folder". The SSH public keys are stored in the securityFolderPath/pkeys/userName/ folder structure.

ssh6

As example, this is the command to me to use /folder/security as my personalized key folder:

./standalone.sh -c standalone-full.xml -Dappformer.ssh.keys.storage.folder=/folder/security

To add a new key for a specific user, create a folder inside this directory with the exact user name and add its public keys there. Remember always to restart Business Central if you are doing this process manually. (Note: BC auto-updates SSH Keys if you add it via UI).

Using a specific key different from the logged user ssh key

Sometimes, you want to use a different ssh key to auth on Business Central. Let's see how to do it:

'c git' aka Command Line Git

'C git' is the tool most people use to perform git operations on Linux and OSX. What we want to achieve here is to execute the following command with a specific ssh key.

git clone ssh://dora@localhost:8001/MySpace/Course_Scheduling

In order to achieve this using 'C git', run the following command:

GIT_SSH_COMMAND="ssh -i /Users/ederign/dora/dora_ssh_keys/dora_rsa -F /dev/null" git clone ssh://dora@localhost:8001/MySpace/Course_Scheduling

We are using localhost here because I'm running Business Central on my local machine. You will need to change this for the same domain that you are trying to connect via ssh.

On this example, GIT_SSH_COMMAND is used to personalize the 'ssh' command used by git. The -i option specifies the identify file (private key) used and -F cleanup any personalized config file in your environment. If you want to do any other git command, follow the same pattern:

GIT_SSH_COMMAND="ssh -i /Users/ederign/dora/dora_ssh_keys/dora_rsa -F /dev/null" git {command here}

via jgit

You can do the same type of integration using JGit. An executable sample can be found on this gist.

https://gist.github.com/ederign/7326e16c8adcdd5724e0da5b812af1fe#file-jbang-java-L30

We used JBang to create a simple executable for this script. To install JBang, please use these instructions. After installing it and download our script, you will need to change line 30 for the path of your RSA file. In my case, I changed the line for the following content:

defaultJSch.addIdentity("/Users/ederign/dora/dora_ssh_keys/id_rsa");

After this, save the file and do a clone using:

jbang jbang.java ssh://dora@localhost:8001/MySpace/Course_Scheduling

If you need any further questions, please let us know in the comment section!

[kie]