User Tools

Site Tools


it_tips:ssh

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
it_tips:ssh [2017/05/03 10:07]
florido
it_tips:ssh [2017/05/03 15:40] (current)
florido [SSH key pair quick setup]
Line 11: Line 11:
 In some cases this file does not exist, you can create it for example by issuing <​code:​bash>​touch ~/​.ssh/​config</​code>​ In some cases this file does not exist, you can create it for example by issuing <​code:​bash>​touch ~/​.ssh/​config</​code>​
  
-This file is very useful to create ssh shortcuts to servers and add specific options for each server. In what follows I show some examples of how this can be used.+This file is very useful to create ssh shortcuts to servers and add specific options for each server. In what follows I show some examples of how this can be used. You can edit the file with any text editor of your choice, it's a simple text file.
  
 ===== Speedup connection using tunneling ===== ===== Speedup connection using tunneling =====
Line 28: Line 28:
 HostName hostA.matfys.lth.se HostName hostA.matfys.lth.se
 User <​username on hostA.matfys.lth.se>​ User <​username on hostA.matfys.lth.se>​
-ForwardX11 yes  ​# this is equivalent to ssh -X hostA.matfys.lth.se+# this line below is equivalent to ssh -X hostA.matfys.lth.se 
 +ForwardX11 yes  ​
  
 # directly access hostB.matfys.lth.se # directly access hostB.matfys.lth.se
Line 68: Line 69:
 :​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!:​ :​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!:​
  
-This tutorial ​is nice: +I will give you a set of quick steps how to setup ssh keys. But it is important that one understands ​the concepts behind, so please read the sections ​below.
- +
-https://​wiki.archlinux.org/​index.php/​SSH_Keys +
- +
- +
-:!: the below part of the document is work in progress:!:+
  
 ==== What is SSH PKI ==== ==== What is SSH PKI ====
  
-SSH key pair is a form of PKI, Public Key Infrastructure. In this technology every user or machine has a pair of keys:+SSH key pair is a form of PKI, Public Key Infrastructure((PKI overview, https://​www.tutorialspoint.com/​cryptography/​public_key_infrastructure.htm)). In this technology every user or machine has a pair of keys:
   * A **Public** key that can be shared with everyone and copied on servers   * A **Public** key that can be shared with everyone and copied on servers
   * A **Private** key that should be kept secure at all times and only readable by your user   * A **Private** key that should be kept secure at all times and only readable by your user
  
-These user keys are usually stored in the user's ''​~/​.ssh/''​ folder, the default names are ''​id_rsa''​ (private) and ''​id_rsa.pub''​ (public). But one can choose any location and any name.+=== Host keypairs ===
  
-The machine keys are usually stored in the ''/​etc/​ssh/''​ system folder, and they are generated at installation time by the OpenSSH scripts. They are of different kinds as they support different encryption schemas,+The machine ​or host keys are usually stored in the ''/​etc/​ssh/''​ system folder, and they are generated at installation time by the OpenSSH scripts. They are of different kinds as they support different encryption schemas,
 their names being like ssh_host_<​schema>​ (private) and ssh_host_<​schema>​.pub (public). their names being like ssh_host_<​schema>​ (private) and ssh_host_<​schema>​.pub (public).
 In the example below, note how the private key is readable and writable ONLY by root while all the ''​.pub''​ ones are readable by everyone (but not writable!) In the example below, note how the private key is readable and writable ONLY by root while all the ''​.pub''​ ones are readable by everyone (but not writable!)
Line 107: Line 103:
 </​code>​ </​code>​
  
-Every time a user connects to a server, the server presents ​the fingerprint and the user is requested to acknowledge he/she/ze is aware of trusting that fingerprint. The sysadmin has a list of trustworthy fingerprints,​ so if you're unsure, ask me!+==== What happens when connecting to a server ==== 
 + 
 +Every time a user connects to a server, the server presents ​its key fingerprint and the user is requested to acknowledge he/she/ze is aware of trusting that fingerprint. The sysadmin has a list of trustworthy fingerprints,​ so if you're unsure, ask me!
  
 When a fingerprint is accepted, it is stored in the user's home folder inside the file ''​~/​.ssh/​known_hosts''​ in encrypted form: When a fingerprint is accepted, it is stored in the user's home folder inside the file ''​~/​.ssh/​known_hosts''​ in encrypted form:
Line 115: Line 113:
 </​code>​ </​code>​
  
-As you can see the above is not human readable. But if you want to know if you've trusted a machine, you can do for example:+As you can see the above is not human readable. But if you want to know if you've trusted a machine, you can do for example ​((Extract fingerprints from known_hosts,​ https://​superuser.com/​questions/​529132/​how-do-i-extract-fingerprints-from-ssh-known-hosts)):
 <​code:​bash>​ssh-keygen -lf ~/​.ssh/​known_hosts -F watto <​code:​bash>​ssh-keygen -lf ~/​.ssh/​known_hosts -F watto
 # Host watto found: line 274 type RSA # Host watto found: line 274 type RSA
Line 121: Line 119:
 </​code>​ </​code>​
  
 +==== User keypairs ====
 +
 +These user keys are usually stored in the user's ''​~/​.ssh/''​ folder, the default names are ''​id_rsa''​ (private) and ''​id_rsa.pub''​ (public). But one can choose any location and any name.
 +
 +A user key can have a password or not. :!: **It is strongly discouraged to use passwordless keys. Should your private key get stolen, this will generate an enormous security breach.** :!:
 +
 +The password is used to "​unlock"​ the key, that is, to allow the ssh client (more precisely, the ssh-agent )to use it to connect on the user's behalf.
 +
 +==== Using user ssh key pair to login ====
 +
 +In order for the user key to work, the machine where one has to login needs to trust that key.
  
 The overall mechanism is as follows. A user willing to connect to a server has to The overall mechanism is as follows. A user willing to connect to a server has to
   - Copy his/her/hir **public** key to that server   - Copy his/her/hir **public** key to that server
-  - Instruct the server that such key is trustworthy by modifying the ~/​.ssh/​authorized_keys file +  - Instruct the server that such key is trustworthy by modifying the ''​~/​.ssh/​authorized_keys'' ​file 
-  - run an ssh-agent on his/her/hir local machine that will take care of authenticating the user to the server when logging in. Usually this is automatically started by the ssh client if the user is using PKI.+  - run an ''​ssh-agent'' ​on his/her/hir local machine that will take care of authenticating the user to the server when logging in. Usually this is automatically started by the ssh client if the user is using PKI.
  
 OpenSSH on linux provides a set of scripts for managing keys: OpenSSH on linux provides a set of scripts for managing keys:
-  * ssh-keygen +  * ''​ssh-keygen'':​ does key management 
-  * +  * ''​ssh-copy-id''​ : copies a key to a server and updates the //​authorized_keys//​ automatically 
 +  * ''​ssh-agent''​ : takes care of remembering which key as been used for which host, remembers key password 
 + 
 +==== SSH key pair quick setup ==== 
 + 
 +We will generate a public/​private key pair called //​myid_rsa//​ and //​myid_rsa.pub//​ and copy it to a machine called ''​watto.matfys.lth.se''​ in order to login to it. 
 + 
 +  - Generate a private/​public keypair **with password** and strong encryption((NIST complexity recommendations,​ http://​nvlpubs.nist.gov/​nistpubs/​SpecialPublications/​NIST.SP.800-57Pt3r1.pdf)):​ Command: <​code:​bash>​ ssh-keygen -b 4096 -f ~/​.ssh/​myid_rsa</​code>​Result:<​code:​bash>​ 
 +Generating public/​private rsa key pair. 
 +Enter passphrase (empty for no passphrase):​  
 +Enter same passphrase again:  
 +Your identification has been saved in /​nfs/​users/​floridop/​.ssh/​myid_rsa. 
 +Your public key has been saved in /​nfs/​users/​floridop/​.ssh/​myid_rsa.pub. 
 +The key fingerprint is: 
 +2d:​1d:​94:​b9:​71:​35:​59:​f8:​79:​26:​92:​b5:​a3:​f5:​d4:​e3 pflorido@tjatte.hep.lu.se 
 +The key's randomart image is: 
 ++--[ RSA 4096]----+ 
 +|          .o .o+.| 
 +|         .+ . +. | 
 +|          .+ o oo| 
 +|         o..o =o*| 
 +|        S o  +.*o| 
 +|         ​. ​ .  E.| 
 +|                 | 
 +|                 | 
 +|                 | 
 ++-----------------+ 
 +</​code>​ 
 +  - Make sure the permissions are correct: Commands:<​code:​bash>​chmod 600 ~/​.ssh/​myid_rsa;​ chmod 644  ~/​.ssh/​myid_rsa.pub;​ ls -ltrah ~/​.ssh/​myid_rsa*</​code>​Result:<​code:​bash>​ 
 +-rw------- 1 pflorido hep 3,3K maj  3 13:59 /​nfs/​users/​floridop/​.ssh/​myid_rsa 
 +-rw-r--r-- 1 pflorido hep  751 maj  3 13:59 /​nfs/​users/​floridop/​.ssh/​myid_rsa.pub 
 +</​code>​ 
 +  - Copy the key to the target server, say watto: Command:<​code:​bash>​ssh-copy-id -i ~/​.ssh/​myid_rsa pflorido@watto.matfys.lth.se</​code>​Result:<​code:​bash>​ 
 +/​usr/​bin/​ssh-copy-id:​ INFO: attempting to log in with the new key(s), to filter out any that are already installed 
 +/​usr/​bin/​ssh-copy-id:​ INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys 
 +Password:  
 + 
 +Number of key(s) added: 1 
 + 
 +Now try logging into the machine, with:   "​ssh '​pflorido@watto.matfys.lth.se'"​ 
 +and check to make sure that only the key(s) you wanted were added. 
 +</​code>​ 
 +  - Add the key to the agent keyring:​Command:<​code:​bash>​ssh-add ~/​.ssh/​myid_rsa</​code>​Result:<​code:​bash>​ 
 +Enter passphrase for /​nfs/​users/​floridop/​.ssh/​myid_rsa:​  
 +Identity added: /​nfs/​users/​floridop/​.ssh/​myid_rsa (/​nfs/​users/​floridop/​.ssh/​myid_rsa) 
 +</​code>​ 
 +  - Try to login to the server **using the identity created**: Command:<​code:​bash>​ssh -i ~/​.ssh/​myid_rsa.pub pflorido@watto.matfys.lth.se</​code>​ 
 + 
 +You can now create entries in your ''​~/​.ssh/​config''​ file to use tunnelling as described in [[#Speedup connection using tunneling]],​ and the agent should automatically forward your keys. 
 + 
 +===== Debugging SSH problems and useful commands ===== 
 + 
 +The best to debug is to enable ssh verbose mode: 
 + 
 +<​code:​bash>​ssh -vv pflorido@watto.matfys.lth.se</​code>​ 
 + 
 +==== See which keys are tried by the agent ==== 
 + 
 +<​code:​bash>​ssh-add -l</​code>​ 
 + 
 +==== Delete a key from the agent keyring ==== 
 + 
 +<​code:​bash>​ssh-add -d ~/​.ssh/​myid_rsa</​code>​ 
 + 
 +==== Check if the agent is running ==== 
 + 
 +<​code:​bash>​ps aux | grep ssh-agent</​code>​ 
 + 
 +==== Remove an offending key from known_hosts ==== 
 + 
 +<​code:​bash>​ssh-keygen -R <​hostname></​code>​ 
 + 
 +==== Remove an offending key from known_hosts ====
  
-:!: the above part of the document is work in progress. :!:+<code:bash>​ssh-keygen -R <​hostname or IP></​code>​ 
 +====== References ======
  
 +  * Arch linux SSH PKI tutorial, https://​wiki.archlinux.org/​index.php/​SSH_Keys ​
it_tips/ssh.1493806034.txt.gz · Last modified: 2017/05/03 10:07 by florido