SSH

Introduction

ssh keys can be used to replace password authentication with ssh, so that you may log in without entering a password, or to limit a login to running a specific command. If you are planning to use scripts that require ssh access and do not want to embed passwords in the script, then ssh keys are an alternative that is easier to maintain.

To use password-less logins (i.e. log in with a key file) you will need to do the following:

  • Generate a key pair
  • Copy the public key to the servers you wish to log into
  • Use an ssh-agent or ensure the keys are in the correct location

These steps are detailed below.

Basic Security

There are some basic things you need to be aware of when dealing with key-based security. These are listed below to help you avoid potential pitfalls.

  • A key file is the equivalent of a password: make sure the permissions on the files are correct and avoid making the files publicly accessible (e.g. placing them on an HTTP server)
  • Where possible always use passwords on key files. If you don't want to enter a password to unlock the key file for every login, use the ssh-agent described below
  • If using ssh keys for automatic login with scripts, try to limit the key to only running specific commands (see the links below or refer to the sshd man page)
  • Under GNOME on Unix and clones you can use the seahorse package to unlock your passwords on login
  • If you are using Linux without GNOME there are PAM packages to automatically unlock your key files when you log in (gnome-keyring-pam under Fedora)
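As an added example, not part of the original page: a forced-command wrapper that restricts a key used by scripts to a fixed list of commands, which is the "only running specific commands" limit mentioned above. The wrapper name, its path and the allowed commands are assumptions for illustration.

```shell
#!/bin/sh
# Forced-command wrapper for a key that only backup scripts use (added example).
# On the server, name it as the command= of that key in ~/.ssh/authorized_keys
# together with options that switch off everything else the key could do:
#
#   command="/usr/local/bin/backup-only",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAA...base64... Automatic Login
#
# sshd then runs this script instead of whatever the client asked for, and
# hands the client's request over in $SSH_ORIGINAL_COMMAND for us to decide on.

# Return 0 if the requested command is on the allow-list, 1 otherwise.
# Matching is exact: the client cannot add arguments, pipes or a shell.
allowed_command() {
    case "$1" in
        "/usr/local/bin/nightly-backup") return 0 ;;   # assumed backup job
        "df -h /srv/backup")             return 0 ;;
        "uptime")                        return 0 ;;
        *)                               return 1 ;;
    esac
}

# Entry point used by sshd; kept in a function so sourcing the file is harmless.
run_forced_command() {
    req="${SSH_ORIGINAL_COMMAND:-}"
    if [ -z "$req" ]; then
        echo "interactive login is not permitted for this key" >&2
        return 1
    fi
    if allowed_command "$req"; then
        logger -t backup-only "allowed: $req"
        # $req is unquoted on purpose: it matched an exact allow-list entry, and
        # word splitting turns "df -h /srv/backup" into argv for exec.
        exec $req
    fi
    logger -t backup-only "rejected: $req"
    echo "command not permitted" >&2
    return 1
}

# Run only when sshd invokes the installed script by name, not when sourced.
case "${0##*/}" in backup-only) run_forced_command; exit $? ;; esac
```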

Generating Keys

To use an ssh key file you will first need to generate a public and a private key, often referred to as a key pair. The public key is used by others to verify who you are and does not need to be secured, while the private key is similar to the password for that key pair/identity and should not be distributed to others. By default these key files are generated in the ".ssh" folder in your home directory and are called id_rsa for RSA keys and id_dsa for DSA keys. ssh will look for these files by default and use them if they are present, or will fall back to looking for an ssh-agent and then to normal password authentication if every key fails or no key file is found.

To generate a key pair with reasonable defaults use the following command

::
ssh-keygen -C "Automatic Login" -b 2048 -t rsa

This will prompt you for the filename to save the key to; hit Enter to accept the defaults. You will then be prompted to enter a password for the ssh key file; to keep things simple use your LDAP password. A complete session is listed below.

::
user@example:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
b2:61:30:97:6b:b5:c6:9b:10:ce:a5:fe:12:fb:27:fd user@example.com
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|         .       |
|      o + o      |
|     * B .       |
|      @ S        |
|     +.* o       |
|      ooo.       |
|     o.. o       |
|      ooo .E     |
+-----------------+
user@example:~$

Note

The randomart (visual fingerprint) is only available with newer versions of the ssh tools.

Putting Keys on the Server

OpenSSH provides a helper script to copy your ssh public key to the remote server. It appends the key to the authorized_keys file, checks the permissions and performs some other basic checks to ensure the key works.

To copy your key use the following command

::
ssh-copy-id [-i <pub key file>] <server>

If your public/private keys are not called id_rsa.pub and id_rsa respectively, or are not located in the .ssh directory in your home folder, you will need to specify the path to the public key file with the "-i" flag.
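As an added example that is not part of the page or of OpenSSH itself, here is the server-side work ssh-copy-id does, written out so the permission and duplicate checks are visible. It takes the public key file and the target authorized_keys path as arguments so it can be tried against a scratch directory.

```shell
#!/bin/sh
# Added example: what ssh-copy-id arranges on the remote side, as a function.

# Append the key in $1 to the authorized_keys file $2, creating the .ssh
# directory and file with the permissions sshd insists on under StrictModes,
# and skipping keys that are already present. Duplicates are matched on the
# key material, not the comment, so "user@laptop" and "Automatic Login"
# copies of the same key do not pile up.
# Returns 0 if the key was added, 1 if it was already there, 2 on bad input.
install_pubkey() {
    pub="$1"; auth="$2"
    dir=$(dirname "$auth")
    ktype=""; kdata=""
    read -r ktype kdata _ < "$pub" || [ -n "$ktype" ] || return 2
    [ -n "$kdata" ] || return 2
    case "$ktype" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-*|sk-*|ssh-dss) ;;
        *) echo "not a public key line: $pub" >&2; return 2 ;;
    esac
    mkdir -p "$dir" && chmod 700 "$dir"
    [ -f "$auth" ] || : > "$auth"
    chmod 600 "$auth"
    if awk -v t="$ktype" -v d="$kdata" \
           '$1 == t && $2 == d { found = 1 } END { exit !found }' "$auth"; then
        return 1
    fi
    cat "$pub" >> "$auth"
    return 0
}

# Octal mode bits of a path (e.g. "600"), so callers can verify the result.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}
```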

ssh-agent

If you are using more than one key, or do not wish to enter the password more than once, you will need to use an ssh-agent. The agent loads keys (decrypting them with a password you supply if required) and ssh then tries each key until the correct one is found, falling back to password authentication if no suitable key is found.

The ssh-agent consists of two parts: a daemon that holds the keys and answers authentication requests from ssh clients (ssh-agent), and a program to add keys to the agent (ssh-add).

Starting ssh-agent

You will need to ensure you have an ssh-agent running. Most graphical logins on Linux computers will start this in the background for you by default; however, if you are using a different operating system you may have to start the ssh-agent manually. Two methods are shown below and will need to be added to your login scripts.

::
eval $(ssh-agent)

or

::
eval `ssh-agent`

Avoid adding these to your .bashrc file, otherwise a separate ssh-agent will be started for every terminal you open and keys will not be shared between them. See the IBM links in the URL section below for "keychain", a platform-independent (BSD/Unix/Linux) wrapper around ssh-agent designed to fix this issue.
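Added example (not from the page or the keychain project): a login-script fragment that starts one ssh-agent per login and lets later terminals reconnect to it instead of starting their own, which is the .bashrc pitfall described above. The env file path is an assumption; the exit codes are the ones documented in ssh-add(1).

```shell
#!/bin/sh
# Added example: share a single ssh-agent between terminals. Source this from
# a login script such as ~/.profile, not from ~/.bashrc.
AGENT_ENV="${HOME}/.ssh/agent.env"   # assumed location for the saved agent environment

# ssh-add -l exit codes, per ssh-add(1):
#   0 = agent reachable and has keys, 1 = agent reachable but empty,
#   2 = cannot contact an agent (none running, or a stale env file).
# Map the code to the action a login script should take.
agent_action() {
    case "$1" in
        0) echo keep ;;    # nothing to do
        1) echo add ;;     # load the default keys into the running agent
        *) echo start ;;   # start a fresh agent and record its environment
    esac
}

# Reconnect to the saved agent if possible; start one only when there is
# no usable agent. Later shells sourcing this file hit the "keep" branch.
ensure_agent() {
    [ -r "$AGENT_ENV" ] && . "$AGENT_ENV" >/dev/null
    ssh-add -l >/dev/null 2>&1; rc=$?
    case "$(agent_action "$rc")" in
        keep) ;;
        add)  ssh-add ;;                      # prompts for the key passphrase once
        start)
            # The env file names the agent socket, so keep it private to the user.
            (umask 077; ssh-agent -s > "$AGENT_ENV")   # -s: sh-style output, as eval $(ssh-agent) uses
            . "$AGENT_ENV" >/dev/null
            ssh-add ;;
    esac
}
```

Call ensure_agent once from the login script; every subsequent terminal that sources the file finds the saved socket and reuses it.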

ssh-add

Once the ssh-agent is loaded you will need to add keys to its keychain so it can log in on your behalf. To do this, a program called ssh-add is installed as part of the basic OpenSSH tools. ssh-add allows you to list, add and delete keys as well as lock the keychain; these options are explained below.

Listing Keys

To list the fingerprints of all the keys loaded into the agent use

::
ssh-add -l

If you need to add a key to the authorized_keys file and do not have the public key handy, you can generate the public key from the private key loaded in the agent using the command below. This lists all your keys in a format suitable for insertion in authorized_keys.

::
ssh-add -L

You will then be able to take this output and copy it into the file by hand, or write the output to a file and use the ssh-copy-id command as shown above.

Adding keys

The following command can be used to add a key to the agent; <key file> is the private key file (not the public key, i.e. the file ending in ".pub").

::
ssh-add <key file>

This will prompt you for a password for the key file if the key is password protected and then add it to the current ssh-agent instance allowing you to log in without typing in your password.

Deleting Keys

Keys can be removed from the agent with the "-d" (single key) or "-D" (all keys) flags.

To forget all keys use

::
ssh-add -D

To remove a single key, first list the fingerprints with the "-l" flag as shown above to identify it, then pass its public key file (ssh-add -d identifies the key by its public key file, not by the fingerprint):

::
ssh-add -d <public key file>

Notes

  • ssh keys should always be password protected or otherwise secured
  • If root logins are required, try to limit them using ssh keys and by only allowing specific commands
  • Using a custom ssh config file can cut down on the amount of typing needed to log into a server (e.g. "ssh freya" to log into freya)
  • SSH fingerprints for servers can be published in DNS (SSHFP record) to avoid having to add new hosts to the known_hosts file
  • You do not need one key pair per server; you can reuse the same key pair by copying your public key to other servers