m (Text replacement - "Category:Linux{{Navbox Linux}}" to "{{Navbox Linux}}Category:Linux")
(4 intermediate revisions by the same user not shown)
Line 42: Line 42:
 
To login to a remote host without needing to enter a password, create a public/private key pair without a password.
 
To login to a remote host without needing to enter a password, create a public/private key pair without a password.
  
{{warning|Security Warning|Having an insecure private key is a security risk. You may wish to secure it with a password and then unlock it using a keyring / SSH agent. Read on for more information.}}
+
{{warning|Security Warning|Having an insecure private key is a security risk. You may wish to secure it with a password and then unlock it using a keyring / SSH agent. More on this in the next section. }}
  
 
{{highlight|lang=terminal|code=
 
{{highlight|lang=terminal|code=
Line 56: Line 56:
 
}}
 
}}
  
Step #1 is complete as we now have a private key on your machine located in {{code|~/.ssh/id_rsa}}. For Step #2, we will need to copy the contents of {{code|~/.ssh/id_rsa.pub}} into the remote machine's {{code|~/.ssh/authorized_keys}}. eg:
+
Copy the public key to the remote host you wish to log in. You can either do this the complicated way, or use {{code|ssh-copy-id}}:
 
 
 
{{highlight|lang=terminal|code=
 
{{highlight|lang=terminal|code=
cat ~/.ssh/id_rsa.pub {{!}} ssh username@remote_machine "cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"
+
$ cat ~/.ssh/id_rsa.pub {{!}} ssh username@remote_machine "cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"
 +
## or
 +
$ ssh-copy-id username@remote_machine
 
}}
 
}}
  
The above appends the contents of your {{code|id_rsa.pub}} into the remote machine's {{code|authorized_keys}} file and then sets permission. With this complete, Step #2 is complete and you should now be able to authenticate without using passwords.
+
Either command will append the contents of your public key into the remote machine's {{code|authorized_keys}} file and then sets permission. {{code|ssh-copy-id}} goes a step further by ensuring that the key doesn't already exist before adding it to the file. With this complete, you should now be able to authenticate using the private key.
  
 
{{highlight|lang=terminal|code=
 
{{highlight|lang=terminal|code=
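Review bot: the manual variant `cat ~/.ssh/id_rsa.pub | ssh username@remote_machine "cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"` assumes `~/.ssh` already exists on the remote host; if it does not, the redirect fails, and sshd also expects that directory to be mode 700. Consider prefixing the remote command with `mkdir -p -m 700 ~/.ssh &&`, which is what `ssh-copy-id` handles for you. Also, in the new sentence "Either command will append ... and then sets permission", "sets permission" should read "sets its permissions".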
Line 69: Line 70:
 
}}
 
}}
  
== SSH Agents ==
+
=== SSH Agents ===
 +
Using a private key without a passphrase may be a security risk since a compromised key will allow anyone access to all systems using this key.  One layer of security is to set a passphrase on the key.  While this defeats the point of logging in to a system without a password, this can be worked around using SSH agents. SSH agents will unlock your private key and store it in memory for subsequent use. You can also configure SSH agent to 'forget' or timeout your key after a certain period of time.
 +
 
 +
A helper program called Keychain available at https://funtoo.org/Keychain makes it easy to use SSH agent. Load it in your {{code|.bashrc}} file to automatically start a SSH agent on first log in and to unlock any SSH keys that you wish to use.
 +
{{highlight|lang=bash|code=
 +
# Attempt to load the keychain to unlock 'id_rsa' if on an interactive shell.
 +
if [ "$PS1" ]; then
 +
    eval `keychain --eval --agents ssh id_rsa`
 +
fi
 +
}}
 +
 
 +
Quick usage for {{code|keychain}}:
 +
{{highlight|lang=terminal|code=
 +
## To unlock a key for 60 minutes
 +
$ keychain --timeout 60 ~/.ssh/id_rsa
 +
 
 +
## To clear any keys
 +
$ keychain --clear
 +
 
 +
## To list the public key of unlocked SSH keys
 +
$ keychain -L
 +
 
 +
## To list the RSA fingerprint of unlocked SSH keys
 +
$ keychain -l
 +
 
 +
## Kill all agents
 +
$ keychain -k all
 +
}}
  
Using password-less keys above is not ideal since security is solely based on the private key being secret. Your entire system basically can be compromised by copying a single file. One way to harden the key-based authentication is to have a passphrase set for the private key, but doing so will cause SSH to prompt for your key password every time you try to connect. To get around this, we can use something called  SSH agents, which are programs that store your private keys. We can then use a keychain program to prompt for your password, then have these agents hold your key (and passphrase).  
+
=== Changing SSH Key Passphrase ===
 +
If you wish to secure your SSH key with a password or wish to change the password, use {{code|ssh-keygen -p}}.
 +
{{highlight|lang=terminal|code=
 +
## Pass '-f ~/.ssh/id_rsa' to avoid being prompted.
 +
$ ssh-keygen -p
 +
}}
  
To do this, you will need 2 files:
 
# keychain
 
# bashrc
 
  
... for now, just copy my profile [[Bash_Profile]]
 
  
 
[[Category:Todo]]
 
[[Category:Todo]]
 
{{Navbox Linux}}[[Category:Linux]]
 
{{Navbox Linux}}[[Category:Linux]]
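Review bot: in the added `.bashrc` snippet, the backtick form `eval `keychain --eval --agents ssh id_rsa`` is fragile under quoting; the equivalent `eval "$(keychain --eval --agents ssh id_rsa)"` keeps the agent's multi-line output intact and is the form most shells document today. The `[ "$PS1" ]` guard is a good call since it keeps non-interactive shells (scp, rsync, cron) from prompting for the passphrase.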

Revision as of 13:24, 10 February 2020

see http://leo.steamr.com/2010/05/logging-in-via-ssh-keys/

Server Side - Host Keys

SSH host keys should be generated before starting the SSH server. The OpenSSH daemon will not start if the keys are missing or world-readable. On a Linux system, they reside in /etc/ssh.

The purpose of host keys is to ensure that when the client connects to the server, it is actually the server the client intended to connect to.

Key Generation

There are 4 types of keys that can be generated for SSHv2 using the ssh-keygen utility: DSA, RSA, ECDSA, ED25519.

Usage example:

ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key
ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key

Key Fingerprint

To get the SSH fingerprint of a remote host, use the ssh-keyscan and ssh-keygen utilities:

ssh-keyscan $1 > $$.tmp 2> /dev/null 
ssh-keygen -E md5 -lf $$.tmp
rm $$.tmp

For example, a server would produce:

2048 MD5:76:12:f7:27:59:6d:97:e7:32:db:18:10:4e:df:9a:61 csa (RSA)
256 MD5:bf:ae:71:b2:c2:d0:4d:03:f4:fe:93:12:6f:b7:36:ae csa (ECDSA)
256 MD5:10:8d:0d:d6:16:f4:42:11:1c:c5:06:1c:16:e0:76:c9 csa (ED25519)

Client-Side

Introduction

SSH authentication is based on public key cryptography. With SSHv2, the public and private key pair can be generated using one of 4 algorithms: DSA, RSA, ECDSA, and ED25519. SSHv1 is limited to RSA1 only.

A client's public and private key pair should be stored in the ~/.ssh directory. By default, the SSH client will read the private key from ~/.ssh/id_rsa, ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, or ~/.ssh/id_ed25519 unless otherwise specified using the -i option.

Authorization based on key authentication is set using the ~/.ssh/authorized_keys file which contains one public key per line. In other words, a user is granted access if their public key exists in the ~/.ssh/authorized_keys file.
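As an added example that is not part of the original page, the following Python audit reads an authorized_keys file (one public key per line, optionally preceded by options) and reports each key the way ssh-keygen -l does, computing the SHA256 and MD5 fingerprints from the key blob itself, and rejects lines whose declared key type does not match the encoded blob. The sample file, its key bytes and the host names are constructed placeholders.

```python
import base64
import hashlib
# authorized_keys key types -> algorithm name that ssh-keygen -l prints.
KEY_TYPES = {"ssh-rsa": "RSA", "ssh-dss": "DSA", "ssh-ed25519": "ED25519", "ecdsa-sha2-nistp256": "ECDSA"}

def _read_string(buf, off):
    """Read one RFC 4251 'string' (4-byte big-endian length, then bytes) from a key blob."""
    n = int.from_bytes(buf[off:off + 4], "big")
    return buf[off + 4:off + 4 + n], off + 4 + n

def key_bits(blob):
    """Key size as ssh-keygen -l reports it: 256 for ED25519, curve size for ECDSA, modulus bits for RSA/DSA."""
    ktype, off = _read_string(blob, 0)
    if ktype == b"ssh-ed25519":
        return 256
    if ktype.startswith(b"ecdsa-sha2-nistp"):
        return int(ktype[16:])
    if ktype == b"ssh-rsa":
        _e, off = _read_string(blob, off)  # RSA blob: type, e, n; DSA blob: type, p, q, g, y
    return int.from_bytes(_read_string(blob, off)[0], "big").bit_length()

def fingerprints(blob):
    """SHA256 (ssh-keygen -l) and MD5 (ssh-keygen -E md5 -l) fingerprints of a key blob."""
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return "SHA256:" + sha, "MD5:" + ":".join("%02x" % b for b in hashlib.md5(blob).digest())

def audit_authorized_keys(text):
    """Return (keys, errors); a line whose declared type disagrees with its blob is rejected."""
    keys, errors = [], []
    for num, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)  # options may precede the type
        if idx is None or idx + 1 >= len(fields):
            errors.append("line %d: no recognised key type" % num)
            continue
        blob = base64.b64decode(fields[idx + 1])
        if _read_string(blob, 0)[0] != fields[idx].encode():
            errors.append("line %d: declared type %s does not match key blob" % (num, fields[idx]))
            continue
        sha, md5 = fingerprints(blob)
        keys.append({"line": num, "bits": key_bits(blob), "sha256": sha, "md5": md5,
                     "algo": KEY_TYPES[fields[idx]], "options": " ".join(fields[:idx]),
                     "comment": " ".join(fields[idx + 2:])})
    return keys, errors

# Constructed sample: the 32 key bytes are a placeholder, not a real key; line 3 is deliberately mismatched.
_BLOB = base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))).decode()
SAMPLE = 'from="10.0.0.0/8",no-pty ssh-ed25519 %s deploy@example\n# comment\nssh-rsa %s mismatched@example\n' % (_BLOB, _BLOB)
```

Run audit_authorized_keys(open("~/.ssh/authorized_keys").read()) on a real file and compare the SHA256 values against ssh-keygen -lf; any key whose fingerprint you cannot account for should be removed.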

Enabling Password-less Key Authentication

To login to a remote host without needing to enter a password, create a public/private key pair without a password.

Security Warning
A private key with no passphrase is a security risk. You may wish to secure it with a passphrase and then unlock it using a keyring / SSH agent. More on this in the next section.


# Generates the private/public key pair (~/.ssh/id_rsa, ~/.ssh/id_rsa.pub)
# Use empty pass phrase if you do not want to enter a password for the key.
ssh-keygen -t rsa

# set the permissions of the .ssh directory to 700.
chmod 700 ~/.ssh

# set the permissions of the keys so no one else can read them.
chmod 600 ~/.ssh/*

Copy the public key to the remote host you wish to log in to. You can either do this the complicated way or use ssh-copy-id:

$ cat ~/.ssh/id_rsa.pub | ssh username@remote_machine "cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"
## or
$ ssh-copy-id username@remote_machine

Either command appends the contents of your public key to the remote machine's authorized_keys file and then sets its permissions. ssh-copy-id goes a step further by checking that the key is not already present before adding it to the file. With this complete, you should now be able to authenticate using the private key.

ssh username@remote_machine
user@remote_machine$

SSH Agents

Using a private key without a passphrase is a security risk: anyone who obtains the key file gains access to every system that trusts it. One extra layer of protection is to set a passphrase on the key. While this defeats the point of logging in to a system without a password, SSH agents work around it: an agent unlocks your private key once and keeps it in memory for subsequent connections. You can also configure the agent to 'forget' (time out) your key after a set period.

A helper program called Keychain, available at https://funtoo.org/Keychain, makes it easy to use an SSH agent. Load it from your .bashrc file to start an SSH agent automatically on first login and unlock any SSH keys you wish to use.

# Attempt to load the keychain to unlock 'id_rsa' if on an interactive shell.
if [ "$PS1" ]; then
    eval "$(keychain --eval --agents ssh id_rsa)"
fi

Quick usage for keychain:

## To unlock a key for 60 minutes
$ keychain --timeout 60 ~/.ssh/id_rsa

## To clear any keys
$ keychain --clear

## To list the public key of unlocked SSH keys
$ keychain -L

## To list the RSA fingerprint of unlocked SSH keys
$ keychain -l

## Kill all agents
$ keychain -k all

Changing SSH Key Passphrase

To add a passphrase to an SSH key, or to change an existing one, use ssh-keygen -p.

## Pass '-f ~/.ssh/id_rsa' to avoid being prompted.
$ ssh-keygen -p