User Tools

Site Tools


it_tips:ssh

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
it_tips:ssh [2017/05/03 13:41]
florido
it_tips:ssh [2017/05/03 17:40] (current)
florido [SSH key pair quick setup]
Line 69: Line 69:
 :​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!:​ :​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!::​!:​
  
-This tutorial ​is nice: +I will give you a set of quick steps how to setup ssh keys. But it is important that one understands ​the concepts behind, so please read the sections ​below.
- +
-https://​wiki.archlinux.org/​index.php/​SSH_Keys +
- +
- +
-:!: the below part of the document is work in progress:!:+
  
 ==== What is SSH PKI ==== ==== What is SSH PKI ====
Line 82: Line 77:
   * A **Private** key that should be kept secure at all times and only readable by your user   * A **Private** key that should be kept secure at all times and only readable by your user
  
-These user keys are usually stored in the user's ''​~/​.ssh/''​ folder, the default names are ''​id_rsa''​ (private) and ''​id_rsa.pub''​ (public). But one can choose any location and any name.+=== Host keypairs ===
  
-The machine keys are usually stored in the ''/​etc/​ssh/''​ system folder, and they are generated at installation time by the OpenSSH scripts. They are of different kinds as they support different encryption schemas,+The machine ​or host keys are usually stored in the ''/​etc/​ssh/''​ system folder, and they are generated at installation time by the OpenSSH scripts. They are of different kinds as they support different encryption schemas,
 their names being like ssh_host_<​schema>​ (private) and ssh_host_<​schema>​.pub (public). their names being like ssh_host_<​schema>​ (private) and ssh_host_<​schema>​.pub (public).
 In the example below, note how the private key is readable and writable ONLY by root while all the ''​.pub''​ ones are readable by everyone (but not writable!) In the example below, note how the private key is readable and writable ONLY by root while all the ''​.pub''​ ones are readable by everyone (but not writable!)
Line 108: Line 103:
 </​code>​ </​code>​
  
-Every time a user connects to a server, the server presents ​the fingerprint and the user is requested to acknowledge he/she/ze is aware of trusting that fingerprint. The sysadmin has a list of trustworthy fingerprints,​ so if you're unsure, ask me!+==== What happens when connecting to a server ==== 
 + 
 +Every time a user connects to a server, the server presents ​its key fingerprint and the user is requested to acknowledge he/she/ze is aware of trusting that fingerprint. The sysadmin has a list of trustworthy fingerprints,​ so if you're unsure, ask me!
  
 When a fingerprint is accepted, it is stored in the user's home folder inside the file ''​~/​.ssh/​known_hosts''​ in encrypted form: When a fingerprint is accepted, it is stored in the user's home folder inside the file ''​~/​.ssh/​known_hosts''​ in encrypted form:
Line 121: Line 118:
 2048 2f:​21:​6b:​19:​fc:​fc:​9d:​62:​8f:​88:​c2:​2b:​c4:​d6:​0c:​70 |1|vyeQU5q0QfKZzq9/​helQLGGK9s4=|ZN50r7hlYRTlCeSEXzzz+80XZKw= (RSA) 2048 2f:​21:​6b:​19:​fc:​fc:​9d:​62:​8f:​88:​c2:​2b:​c4:​d6:​0c:​70 |1|vyeQU5q0QfKZzq9/​helQLGGK9s4=|ZN50r7hlYRTlCeSEXzzz+80XZKw= (RSA)
 </​code>​ </​code>​
 +
 +==== User keypairs ====
 +
 +These user keys are usually stored in the user's ''​~/​.ssh/''​ folder, the default names are ''​id_rsa''​ (private) and ''​id_rsa.pub''​ (public). But one can choose any location and any name.
 +
 +A user key can have a password or not. :!: **It is strongly discouraged to use passwordless keys. Should your private key get stolen, this will generate an enormous security breach.** :!:
 +
 +The password is used to "​unlock"​ the key, that is, to allow the ssh client (more precisely, the ssh-agent )to use it to connect on the user's behalf.
  
 ==== Using user ssh key pair to login ==== ==== Using user ssh key pair to login ====
Line 136: Line 141:
   * ''​ssh-agent''​ : takes care of remembering which key as been used for which host, remembers key password   * ''​ssh-agent''​ : takes care of remembering which key as been used for which host, remembers key password
  
 +==== SSH key pair quick setup ====
 +
 +We will generate a public/​private key pair called //​myid_rsa//​ and //​myid_rsa.pub//​ and copy it to a machine called ''​watto.matfys.lth.se''​ in order to login to it.
 +
 +  - Generate a private/​public keypair **with password** and strong encryption((NIST complexity recommendations,​ http://​nvlpubs.nist.gov/​nistpubs/​SpecialPublications/​NIST.SP.800-57Pt3r1.pdf)):​ Command: <​code:​bash>​ ssh-keygen -b 4096 -f ~/​.ssh/​myid_rsa</​code>​Result:<​code:​bash>​
 +Generating public/​private rsa key pair.
 +Enter passphrase (empty for no passphrase): ​
 +Enter same passphrase again: ​
 +Your identification has been saved in /​nfs/​users/​floridop/​.ssh/​myid_rsa.
 +Your public key has been saved in /​nfs/​users/​floridop/​.ssh/​myid_rsa.pub.
 +The key fingerprint is:
 +2d:​1d:​94:​b9:​71:​35:​59:​f8:​79:​26:​92:​b5:​a3:​f5:​d4:​e3 pflorido@tjatte.hep.lu.se
 +The key's randomart image is:
 ++--[ RSA 4096]----+
 +|          .o .o+.|
 +|         .+ . +. |
 +|          .+ o oo|
 +|         o..o =o*|
 +|        S o  +.*o|
 +|         ​. ​ .  E.|
 +|                 |
 +|                 |
 +|                 |
 ++-----------------+
 +</​code>​
 +  - Make sure the permissions are correct: Commands:<​code:​bash>​chmod 600 ~/​.ssh/​myid_rsa;​ chmod 644  ~/​.ssh/​myid_rsa.pub;​ ls -ltrah ~/​.ssh/​myid_rsa*</​code>​Result:<​code:​bash>​
 +-rw------- 1 pflorido hep 3,3K maj  3 13:59 /​nfs/​users/​floridop/​.ssh/​myid_rsa
 +-rw-r--r-- 1 pflorido hep  751 maj  3 13:59 /​nfs/​users/​floridop/​.ssh/​myid_rsa.pub
 +</​code>​
 +  - Copy the key to the target server, say watto: Command:<​code:​bash>​ssh-copy-id -i ~/​.ssh/​myid_rsa pflorido@watto.matfys.lth.se</​code>​Result:<​code:​bash>​
 +/​usr/​bin/​ssh-copy-id:​ INFO: attempting to log in with the new key(s), to filter out any that are already installed
 +/​usr/​bin/​ssh-copy-id:​ INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
 +Password: ​
 +
 +Number of key(s) added: 1
 +
 +Now try logging into the machine, with:   "​ssh '​pflorido@watto.matfys.lth.se'"​
 +and check to make sure that only the key(s) you wanted were added.
 +</​code>​
 +  - Add the key to the agent keyring:​Command:<​code:​bash>​ssh-add ~/​.ssh/​myid_rsa</​code>​Result:<​code:​bash>​
 +Enter passphrase for /​nfs/​users/​floridop/​.ssh/​myid_rsa: ​
 +Identity added: /​nfs/​users/​floridop/​.ssh/​myid_rsa (/​nfs/​users/​floridop/​.ssh/​myid_rsa)
 +</​code>​
 +  - Try to login to the server **using the identity created**: Command:<​code:​bash>​ssh -i ~/​.ssh/​myid_rsa.pub pflorido@watto.matfys.lth.se</​code>​
 +
 +You can now create entries in your ''​~/​.ssh/​config''​ file to use tunnelling as described in [[#Speedup connection using tunneling]],​ and the agent should automatically forward your keys.
 +
 +===== Debugging SSH problems and useful commands =====
 +
 +The best to debug is to enable ssh verbose mode:
 +
 +<​code:​bash>​ssh -vv pflorido@watto.matfys.lth.se</​code>​
 +
 +==== See which keys are tried by the agent ====
 +
 +<​code:​bash>​ssh-add -l</​code>​
 +
 +==== Delete a key from the agent keyring ====
 +
 +<​code:​bash>​ssh-add -d ~/​.ssh/​myid_rsa</​code>​
 +
 +==== Check if the agent is running ====
 +
 +<​code:​bash>​ps aux | grep ssh-agent</​code>​
 +
 +==== Remove an offending key from known_hosts ====
 +
 +<​code:​bash>​ssh-keygen -R <​hostname></​code>​
 +
 +==== Remove an offending key from known_hosts ====
  
 +<​code:​bash>​ssh-keygen -R <​hostname or IP></​code>​
 ====== References ====== ====== References ======
  
 +  * Arch linux SSH PKI tutorial, https://​wiki.archlinux.org/​index.php/​SSH_Keys ​
it_tips/ssh.1493811660.txt.gz · Last modified: 2017/05/03 13:41 by florido