it_tips:ssh

Differences

This shows you the differences between two versions of the page.

it_tips:ssh [2017/05/03 13:33]
florido [Using user ssh key pair to login]
it_tips:ssh [2017/05/03 17:40] (current)
florido [SSH key pair quick setup]
Line 11: Line 11:
 In some cases this file does not exist, you can create it for example by issuing <​code:​bash>​touch ~/​.ssh/​config</​code>​ In some cases this file does not exist, you can create it for example by issuing <​code:​bash>​touch ~/​.ssh/​config</​code>​
  
-This file is very useful to create ssh shortcuts to servers and add specific options for each server. In what follows I show some examples of how this can be used.+This file is very useful to create ssh shortcuts to servers and add specific options for each server. In what follows I show some examples of how this can be used. You can edit the file with any text editor of your choice, it's a simple text file.
  
 ===== Speedup connection using tunneling ===== ===== Speedup connection using tunneling =====
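Review bot: the sentence added on the "-This file is very useful" line is a comma splice ("...text editor of your choice, it's a simple text file"); split it into two sentences, e.g. "You can edit the file with any text editor. It is a plain text file." While here, the `touch ~/.ssh/config` step two lines above creates the file with the user's default umask, and ssh aborts with "Bad owner or permissions" when a user config is writable by group or others, so it is worth following the `touch` with `chmod 600 ~/.ssh/config` (and keeping `~/.ssh` itself at 700).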
Line 69: Line 69:
 :​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!:​ :​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!:​
  
-This tutorial ​is nice: +I will give you a set of quick steps how to setup ssh keys. But it is important that one understands ​the concepts behind, so please read the sections ​below.
- +
-https://​wiki.archlinux.org/​index.php/​SSH_Keys +
- +
- +
-:!: the below part of the document is work in progress:!:+
  
 ==== What is SSH PKI ==== ==== What is SSH PKI ====
  
-SSH key pair is a form of PKI, Public Key Infrastructure. In this technology every user or machine has a pair of keys:+SSH key pair is a form of PKI, Public Key Infrastructure((PKI overview, https://​www.tutorialspoint.com/​cryptography/​public_key_infrastructure.htm)). In this technology every user or machine has a pair of keys:
   * A **Public** key that can be shared with everyone and copied on servers   * A **Public** key that can be shared with everyone and copied on servers
   * A **Private** key that should be kept secure at all times and only readable by your user   * A **Private** key that should be kept secure at all times and only readable by your user
  
-These user keys are usually stored in the user's ''​~/​.ssh/''​ folder, the default names are ''​id_rsa''​ (private) and ''​id_rsa.pub''​ (public). But one can choose any location and any name.+=== Host keypairs ===
  
-The machine keys are usually stored in the ''/​etc/​ssh/''​ system folder, and they are generated at installation time by the OpenSSH scripts. They are of different kinds as they support different encryption schemas,+The machine ​or host keys are usually stored in the ''/​etc/​ssh/''​ system folder, and they are generated at installation time by the OpenSSH scripts. They are of different kinds as they support different encryption schemas,
 their names being like ssh_host_<​schema>​ (private) and ssh_host_<​schema>​.pub (public). their names being like ssh_host_<​schema>​ (private) and ssh_host_<​schema>​.pub (public).
 In the example below, note how the private key is readable and writable ONLY by root while all the ''​.pub''​ ones are readable by everyone (but not writable!) In the example below, note how the private key is readable and writable ONLY by root while all the ''​.pub''​ ones are readable by everyone (but not writable!)
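Review bot: the host key file names on the unchanged line "their names being like ssh_host_<schema> (private) and ssh_host_<schema>.pub (public)" are wrong; OpenSSH names them ssh_host_<algorithm>_key and ssh_host_<algorithm>_key.pub (for example ssh_host_rsa_key and ssh_host_rsa_key.pub), and the algorithms are signature algorithms, not "encryption schemas" (the host key signs the key exchange, it does not encrypt the session). The new footnote on "SSH key pair is a form of PKI" points readers at the wrong concept: a bare key pair copied into authorized_keys is public-key authentication with no certificate authority, chain or revocation, so "PKI" should read "public-key cryptography" unless the page later covers OpenSSH certificates, which it does not. Minor: "the concepts behind, so please read the sections below" should be "the concepts behind them, so please read the sections below".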
Line 108: Line 103:
 </​code>​ </​code>​
  
-Every time a user connects to a server, the server presents ​the fingerprint and the user is requested to acknowledge he/she/ze is aware of trusting that fingerprint. The sysadmin has a list of trustworthy fingerprints,​ so if you're unsure, ask me!+==== What happens when connecting to a server ==== 
 + 
 +Every time a user connects to a server, the server presents ​its key fingerprint and the user is requested to acknowledge he/she/ze is aware of trusting that fingerprint. The sysadmin has a list of trustworthy fingerprints,​ so if you're unsure, ask me!
  
 When a fingerprint is accepted, it is stored in the user's home folder inside the file ''​~/​.ssh/​known_hosts''​ in encrypted form: When a fingerprint is accepted, it is stored in the user's home folder inside the file ''​~/​.ssh/​known_hosts''​ in encrypted form:
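Review bot: two inaccuracies in the new "What happens when connecting to a server" section and the unchanged line after it. The server sends its full public host key, and the client computes and displays the fingerprint in the prompt; what then lands in ~/.ssh/known_hosts is that public key, not "the fingerprint ... in encrypted form". The only transformation applied is hashing of the hostname (the `|1|...` prefix shown in the next hunk, controlled by the HashKnownHosts option); the key type and base64 key are stored in the clear, which is exactly why `ssh-keygen -lf` can recompute the fingerprint from the file later. Suggest: "When a fingerprint is accepted, the server's public key is appended to ~/.ssh/known_hosts, with the hostname hashed:".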
Line 116: Line 113:
 </​code>​ </​code>​
  
-As you can see the above is not human readable. But if you want to know if you've trusted a machine, you can do for example:+As you can see the above is not human readable. But if you want to know if you've trusted a machine, you can do for example ​((Extract fingerprints from known_hosts,​ https://​superuser.com/​questions/​529132/​how-do-i-extract-fingerprints-from-ssh-known-hosts)):
 <​code:​bash>​ssh-keygen -lf ~/​.ssh/​known_hosts -F watto <​code:​bash>​ssh-keygen -lf ~/​.ssh/​known_hosts -F watto
 # Host watto found: line 274 type RSA # Host watto found: line 274 type RSA
 2048 2f:​21:​6b:​19:​fc:​fc:​9d:​62:​8f:​88:​c2:​2b:​c4:​d6:​0c:​70 |1|vyeQU5q0QfKZzq9/​helQLGGK9s4=|ZN50r7hlYRTlCeSEXzzz+80XZKw= (RSA) 2048 2f:​21:​6b:​19:​fc:​fc:​9d:​62:​8f:​88:​c2:​2b:​c4:​d6:​0c:​70 |1|vyeQU5q0QfKZzq9/​helQLGGK9s4=|ZN50r7hlYRTlCeSEXzzz+80XZKw= (RSA)
 </​code>​ </​code>​
 +
 +==== User keypairs ====
 +
 +These user keys are usually stored in the user's ''​~/​.ssh/''​ folder, the default names are ''​id_rsa''​ (private) and ''​id_rsa.pub''​ (public). But one can choose any location and any name.
 +
 +A user key can have a password or not. :!: **It is strongly discouraged to use passwordless keys. Should your private key get stolen, this will generate an enormous security breach.** :!:
 +
 +The password is used to "​unlock"​ the key, that is, to allow the ssh client (more precisely, the ssh-agent )to use it to connect on the user's behalf.
  
 ==== Using user ssh key pair to login ==== ==== Using user ssh key pair to login ====
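Review bot: in the new "User keypairs" section, "password" should be "passphrase" throughout, and the explanation on the last added line has the roles inverted: the passphrase decrypts the private key file on disk, and ssh itself prompts for it every time the key is used; ssh-agent is an optional helper that keeps the decrypted key in memory so the passphrase is typed once per session, not the thing the passphrase "unlocks" (also fix the spacing in "ssh-agent )to"). The line "As you can see the above is not human readable" overstates it: only the hostname is hashed, the key type and key are readable. The stolen-key warning is the right emphasis; add that a passphrase only buys time against an offline guessing attack, so a key suspected stolen must still be removed from every authorized_keys it was copied to.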
Line 133: Line 138:
 OpenSSH on linux provides a set of scripts for managing keys: OpenSSH on linux provides a set of scripts for managing keys:
   * ''​ssh-keygen'':​ does key management   * ''​ssh-keygen'':​ does key management
-  * ssh-copy-id : copies a key to a server and updates the //​authorized_keys//​ automatically +  * ''​ssh-copy-id'' ​: copies a key to a server and updates the //​authorized_keys//​ automatically 
-  * ssh-agent : takes care of remembering which key as been used for which host, remembers key password+  * ''​ssh-agent'' ​: takes care of remembering which key as been used for which host, remembers key password 
 + 
 +==== SSH key pair quick setup ==== 
 + 
 +We will generate a public/​private key pair called //​myid_rsa//​ and //​myid_rsa.pub//​ and copy it to a machine called ''​watto.matfys.lth.se''​ in order to login to it. 
 + 
 +  - Generate a private/​public keypair **with password** and strong encryption((NIST complexity recommendations,​ http://​nvlpubs.nist.gov/​nistpubs/​SpecialPublications/​NIST.SP.800-57Pt3r1.pdf)):​ Command: <​code:​bash>​ ssh-keygen -b 4096 -f ~/​.ssh/​myid_rsa</​code>​Result:<​code:​bash>​ 
 +Generating public/​private rsa key pair. 
 +Enter passphrase (empty for no passphrase):​  
 +Enter same passphrase again:  
 +Your identification has been saved in /​nfs/​users/​floridop/​.ssh/​myid_rsa. 
 +Your public key has been saved in /​nfs/​users/​floridop/​.ssh/​myid_rsa.pub. 
 +The key fingerprint is: 
 +2d:​1d:​94:​b9:​71:​35:​59:​f8:​79:​26:​92:​b5:​a3:​f5:​d4:​e3 pflorido@tjatte.hep.lu.se 
 +The key's randomart image is: 
 ++--[ RSA 4096]----+ 
 +|          .o .o+.| 
 +|         .+ . +. | 
 +|          .+ o oo| 
 +|         o..o =o*| 
 +|        S o  +.*o| 
 +|         ​. ​ .  E.| 
 +|                 | 
 +|                 | 
 +|                 | 
 ++-----------------+ 
 +</​code>​ 
 +  - Make sure the permissions are correct: Commands:<​code:​bash>​chmod 600 ~/​.ssh/​myid_rsa;​ chmod 644  ~/​.ssh/​myid_rsa.pub;​ ls -ltrah ~/​.ssh/​myid_rsa*</​code>​Result:<​code:​bash>​ 
 +-rw------- 1 pflorido hep 3,3K maj  3 13:59 /​nfs/​users/​floridop/​.ssh/​myid_rsa 
 +-rw-r--r-- 1 pflorido hep  751 maj  3 13:59 /​nfs/​users/​floridop/​.ssh/​myid_rsa.pub 
 +</​code>​ 
 +  - Copy the key to the target server, say watto: Command:<​code:​bash>​ssh-copy-id -i ~/​.ssh/​myid_rsa pflorido@watto.matfys.lth.se</​code>​Result:<​code:​bash>​ 
 +/​usr/​bin/​ssh-copy-id:​ INFO: attempting to log in with the new key(s), to filter out any that are already installed 
 +/​usr/​bin/​ssh-copy-id:​ INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys 
 +Password:  
 + 
 +Number of key(s) added: 1 
 + 
 +Now try logging into the machine, with:   "​ssh '​pflorido@watto.matfys.lth.se'"​ 
 +and check to make sure that only the key(s) you wanted were added. 
 +</​code>​ 
 +  - Add the key to the agent keyring:​Command:<​code:​bash>​ssh-add ~/​.ssh/​myid_rsa</​code>​Result:<​code:​bash>​ 
 +Enter passphrase for /​nfs/​users/​floridop/​.ssh/​myid_rsa:​  
 +Identity added: /​nfs/​users/​floridop/​.ssh/​myid_rsa (/​nfs/​users/​floridop/​.ssh/​myid_rsa) 
 +</​code>​ 
 +  - Try to login to the server **using the identity created**: Command:<​code:​bash>​ssh -i ~/​.ssh/​myid_rsa.pub pflorido@watto.matfys.lth.se</​code>​ 
 + 
 +You can now create entries in your ''​~/​.ssh/​config''​ file to use tunnelling as described in [[#Speedup connection using tunneling]],​ and the agent should automatically forward your keys. 
 + 
 +===== Debugging SSH problems and useful commands ===== 
 + 
 +The best to debug is to enable ssh verbose mode: 
 + 
 +<​code:​bash>​ssh -vv pflorido@watto.matfys.lth.se</​code>​ 
 + 
 +==== See which keys are tried by the agent ==== 
 + 
 +<​code:​bash>​ssh-add -l</​code>​ 
 + 
 +==== Delete a key from the agent keyring ==== 
 + 
 +<​code:​bash>​ssh-add -d ~/​.ssh/​myid_rsa</​code>​ 
 + 
 +==== Check if the agent is running ==== 
 + 
 +<​code:​bash>​ps aux | grep ssh-agent</​code>​ 
 + 
 +==== Remove an offending key from known_hosts ==== 
 + 
 +<​code:​bash>​ssh-keygen -R <​hostname></​code>​ 
 + 
 +==== Remove an offending key from known_hosts ====
  
 +<​code:​bash>​ssh-keygen -R <​hostname or IP></​code>​
 +====== References ======
  
 +  * Arch linux SSH PKI tutorial, https://​wiki.archlinux.org/​index.php/​SSH_Keys ​
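Review bot: step 5 of the quick setup passes the public key to `-i` (`ssh -i ~/.ssh/myid_rsa.pub ...`); `-i` takes the private key, so this should be `ssh -i ~/.ssh/myid_rsa pflorido@watto.matfys.lth.se`, consistent with step 4's `ssh-add ~/.ssh/myid_rsa` (a .pub on its own cannot authenticate). Further points in this hunk: (1) "the agent should automatically forward your keys" is not what happens and should not be encouraged; the agent signs locally on the client for each hop, whereas agent forwarding (`ssh -A` / ForwardAgent) is off by default and, when on, lets root on the intermediate host use your agent, so rephrase as "ssh will use the key held by the agent for each connection". (2) The ssh-agent bullet has a typo ("as been used") and a wrong description: the agent does not remember key-to-host mappings, it holds decrypted private keys and answers signing requests; correspondingly `ssh-add -l` lists the keys the agent holds, and ssh offers all of them to every server, which exposes each public key and can exhaust MaxAuthTries, so recommend `IdentitiesOnly yes` plus `IdentityFile` per host in ~/.ssh/config. (3) "Remove an offending key from known_hosts" appears twice with identical commands; keep the last one (`ssh-keygen -R <hostname or IP>`) and add the caveat that a changed host key is exactly the warning the earlier section tells readers to distrust, so confirm the new fingerprint against the sysadmin's list before removing the old entry. (4) `ps aux | grep ssh-agent` only shows that some agent process exists; `ssh-add -l` exits with status 2 when no agent is reachable from this shell, which is the check that matters. (5) ssh-keygen already writes the private key with mode 0600, so step 2 is harmless but redundant; the permission that does need checking is `chmod 700 ~/.ssh`. (6) The NIST footnote on step 1 is SP 800-57 Part 3, key-management guidance, not "complexity recommendations".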
it_tips/ssh.1493811193.txt.gz · Last modified: 2017/05/03 13:33 by florido