SSH Keys

From athena

(Quick and dirty copy of astronomy's wiki article until I get access to copy the source. Original at: http://librarian.phys.washington.edu/astro/index.php/SSH_Keys )


Introduction

You've probably seen IT staff and power unix users zipping around systems without typing their password every time they log in. Or you may have used a computational cluster where "blank" (passphrase-less) ssh keys were used to get you between the cluster heads and each of the nodes. In this tutorial, you'll be walked through how to generate keys, install them on a remote host, and use ssh agents to hold the unlocked key, so you can do your own power unix-foo.


Generating ssh keys: ssh-keygen

The command to generate ssh keys is ssh-keygen. You can get a quick reminder on how to use it by simply typing ssh-keygen -h. For our purposes, let's start by generating a key with "-t rsa" (key type RSA) and "-b 1024" (a 1024-bit key).

desktop:~ richardc$ ssh-keygen -t rsa -b 1024
Generating public/private rsa key pair.
Enter file in which to save the key (/astro/users/richardc/.ssh/id_rsa): 
Created directory '/astro/users/richardc/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /astro/users/richardc/.ssh/id_rsa.
Your public key has been saved in /astro/users/richardc/.ssh/id_rsa.pub.
The key fingerprint is:
49:d8:9a:76:c1:fa:3e:a7:7a:c3:68:02:e3:ef:87:ff richardc@desktop.local
desktop:~ richardc$ 

As you can see above, the user typed a passphrase twice. After you type an appropriate passphrase (see the note below), your private key (id_rsa) and your public key (id_rsa.pub) are stored in the .ssh directory in your home directory.


Quick Note on passphrases

PLEASE DO NOT USE EMPTY PASSPHRASES!!! This is a security risk for you and your fellow compatriots. A typical passphrase is a clever sentence of more than 5 words, with the first letter capitalized and punctuation where necessary. Other folks have other preferences. Ideally, you want a passphrase of at least 16 characters for "good" security practice. Your passphrase should not be the same as your login password, for similar security reasons.


Configuring your public key on a remote host

ssh uses the public key/private key pair to authenticate who you are instead of having you type your password. Therefore, we need to put the public key on the remote server or desktop you will be logging into. The easiest way to do this is to scp the file.

scp ~/.ssh/id_rsa.pub richardc@remote.astro.washington.edu:

This command copies id_rsa.pub to the home directory of your remote account. We're now going to check that there is a .ssh folder, and then append this key to the end of the authorized_keys file in that folder. If there is no existing authorized_keys file, appending to it will create it.

[richardc@remote ~]$ ls -lad .ssh
drwx------  2 richardc astro 4096 Sep  7 15:31 .ssh
[richardc@remote ~]$ cat id_rsa.pub >> .ssh/authorized_keys 
[richardc@remote ~]$ 

If you already have multiple entries in your .ssh/authorized_keys file, make sure there is a new line (or carriage return) at the end of each entry.


Using ssh agents on linux

By default, most modern Linux systems start an ssh-agent process when you log in via an X11 session. (If you log in remotely to a desktop or server this is not the case.) You can check whether an ssh-agent is running. Below, the agent is running on the user's desktop. Note that you see both the agent and the grep process searching for it. (If the agent weren't running, you'd see just the grep ssh-agent.)

[richardc@desktop ~]$ ps aux | grep ssh-agent
richardc      17049  0.0  0.0  3660  624 ?        Ss   09:25   0:00 ssh-agent
richardc      17052  0.0  0.0  3464  432 pts/0    S+   09:25   0:00 grep ssh-agent
[richardc@desktop ~]$

If you don't have an agent running, start one now.

[richardc@desktop ~]$ ssh-agent
setenv SSH_AUTH_SOCK /tmp/ssh-MfsLZ17048/agent.17048;
setenv SSH_AGENT_PID 17049;
echo Agent pid 17049;
[richardc@desktop ~]$

You'll notice that ssh-agent prints to standard output a list of environment variable assignments. You need to set these environment variables before you can add your ssh keys to this agent. Either copy and paste them back into the console or redirect them to a file for later use. (The setenv lines shown are csh syntax, because this user's shell is csh; for a Bourne-style shell such as bash, ssh-agent prints "VAR=value; export VAR;" lines instead, which you use the same way.)

[richardc@desktop ~]$ setenv SSH_AUTH_SOCK /tmp/ssh-MfsLZ17048/agent.17048;
[richardc@desktop ~]$ setenv SSH_AGENT_PID 17049;
[richardc@desktop ~]$ echo Agent pid 17049;
Agent pid 17049
[richardc@desktop ~]$ 

or...

[richardc@desktop ~]$ ssh-agent > my-agent-today
[richardc@desktop ~]$ source my-agent-today
[richardc@desktop ~]$ 

Now that an agent is running, you need to add the ssh key you've generated. To do so, simply run ssh-add. With no arguments, ssh-add looks in your ~/.ssh directory for the default private keys, asks for their passphrases, and loads them into the agent.

[richardc@desktop ~]$ ssh-add
Enter passphrase for /astro/users/richardc/.ssh/id_rsa: 
Identity added: /astro/users/richardc/.ssh/id_rsa (/astro/users/richardc/.ssh/id_rsa)
[richardc@desktop ~]$ 


Using ssh agents on MacOS X

MacOS X users can use ssh-agent as described above for Linux, but you also have a simpler option: the program SSH Agent. This provides a graphical user interface that lets you easily activate and deactivate your key(s). It will also generate keys for you.

Note that while your keys are activated, your computer is an open portal to many other computers. To increase security:

   * Disable your keys while you are out of your office for any length of time (e.g. while at lunch). SSH Agent makes this very easy: right-click on the dock icon and select Deactivate All Identities.
   * Do not put your key passphrase(s) into your keychain.
   * Do not assume the screen saver password is secure. It is easy to break through.


It's time to ssh into the remote system!

If all has gone well, you're ready to ssh into the remote system!

[richardc@desktop ~]$  ssh remote.astro.washington.edu -l richardc
Last login: Sat Sep  8 09:53:59 2007 from dslhome-destkop.sea1.dsl.speakeasy.net
DISPLAY: Undefined variable.
[richardc@remote ~]$ 

Voila! But wait, there's more...


ssh-agent and ssh-agent forwarding

If you're one of the fortunate users whose operating system automatically started the ssh-agent, future terminal sessions (xterms) you launch will be able to use it. If not, you'll need to make every new terminal session aware of the ssh-agent: if you redirected the output of ssh-agent to a file, source that file in each new terminal you launch.
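The "redirect ssh-agent to a file, then source it in each new terminal" procedure from the Linux agent section and the paragraph above, as an added example that is not part of the original wiki page. It reads the saved file whether ssh-agent wrote csh "setenv" lines (as in the transcript above) or Bourne "VAR=value; export VAR;" lines, checks that the recorded agent is actually alive, and only starts a new agent when nothing usable is found. The function names agent_env_from_file, agent_reachable and ensure_agent are hypothetical; the ssh-add -l exit codes and the ssh-agent -s flag are standard OpenSSH.

```shell
#!/bin/sh
# Added example, not from the original wiki: attach a new shell to an ssh-agent
# via the env file the page saves with "ssh-agent > my-agent-today".
# Handles both the csh output shown on the page (setenv VAR value;) and the
# Bourne output of "ssh-agent -s" (VAR=value; export VAR;), so it works from bash.

# agent_env_from_file FILE: export SSH_AUTH_SOCK and SSH_AGENT_PID from FILE.
# Returns 0 if the recorded socket exists, 1 if FILE names a dead agent,
# 2 if FILE is unreadable.
agent_env_from_file() {
    [ -r "$1" ] || return 2
    # Normalise both syntaxes to VAR=value; the "echo Agent pid" line matches neither.
    vars=$(sed -n -e 's/^setenv \([A-Z_]*\) \([^;]*\);.*/\1=\2/p' \
                  -e 's/^\([A-Z_]*\)=\([^;]*\);.*/\1=\2/p' "$1")
    for kv in $vars; do
        case $kv in SSH_AUTH_SOCK=*|SSH_AGENT_PID=*) export "$kv" ;; esac
    done
    [ -S "${SSH_AUTH_SOCK:-}" ]
}

# agent_reachable: ssh-add -l exits 2 only when no agent answers on SSH_AUTH_SOCK
# (0 = keys loaded, 1 = agent running but holding no identities).
agent_reachable() {
    ssh-add -l >/dev/null 2>&1
    [ $? -ne 2 ]
}

# ensure_agent FILE: reuse the agent already in the environment, else the one
# recorded in FILE, else start a fresh one (-s forces Bourne syntax) into FILE.
ensure_agent() {
    agent_reachable && return 0
    agent_env_from_file "$1" && agent_reachable && return 0
    ssh-agent -s > "$1" && chmod 600 "$1" && agent_env_from_file "$1"
}

# usage from any new terminal: ensure_agent "$HOME/my-agent-today" && ssh-add
```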

Another cool trick is to forward your ssh-agent. Some of us want to log into multiple desktops and servers, one from the next, without typing a password. You can use the "-A" flag as shown below to carry your ssh-agent connection on to the next host. Be aware that while you are connected, anyone with root on that intermediate host can use your forwarded agent, so only forward to hosts you trust.

[richardc@desktop ~]$  ssh -A remote.astro.washington.edu -l richardc

If you plan on using it extensively, it's recommended to add an alias for this to your dot files.


Caveats and common problems

  • Be sure that your .ssh directory and authorized_keys file are not group or world readable, writable, or executable:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
  • Check that no key in the authorized_keys file is broken across lines, and that each key is separated from the next by a new line (or carriage return).
  • ssh has a verbose mode that can be helpful at times: add "-v" to the command line. If you want more verbosity, add "-vv".
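The two authorized_keys caveats above (permissions, and keys broken across lines) and the append step from the "Configuring your public key" section, turned into a check you can run on the remote account. This is an added example, not part of the original wiki page: the functions blob_ok and check_ssh_dir are hypothetical names, and the check assumes GNU-style base64 -d, od and awk are available. Beyond the page's own advice it also decodes each key blob and walks its length-prefixed fields, which is how a key wrapped onto a second line is caught even when its first fragment still looks like valid base64.

```shell
#!/bin/sh
# Added example, not from the original wiki: audit a .ssh directory against the
# caveats above: group/world access on the directory or authorized_keys, and key
# lines lacking a key type or with a base64 blob that is not one complete key (a key
# wrapped over two lines fails both ways). Assumes GNU-style base64 -d, od and awk.

# blob_ok TYPE BASE64: 0 if BASE64 decodes to a well-formed, untruncated key of TYPE.
blob_ok() {
    hex=$(printf '%s' "$2" | base64 -d 2>/dev/null | od -An -v -tx1 | tr -d ' \n')
    [ -n "$hex" ] || return 1
    # Wire format: uint32 length + type string, then more length-prefixed fields.
    typehex=$(printf '%08x' "${#1}")$(printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n')
    case $hex in "$typehex"*) ;; *) return 1 ;; esac
    # Walk the fields; a truncated blob does not end exactly on a field boundary.
    printf '%s\n' "$hex" | awk '{
        len = length($0); pos = 1; fields = 0
        while (pos + 8 <= len + 1) {
            n = 0
            for (i = 0; i < 8; i++) n = n * 16 + index("0123456789abcdef", substr($0, pos + i, 1)) - 1
            pos += 8 + 2 * n; fields++
        }
        exit ((pos == len + 1 && fields >= 2) ? 0 : 1) }'
}

# check_ssh_dir DIR: print each finding; exit status is the number of findings.
check_ssh_dir() {
    dir=$1; bad=0; n=0
    for f in "$dir" "$dir/authorized_keys"; do
        # Columns 5-10 of ls -ld are the group and other permission bits.
        if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
            echo "$f: group/other access allowed (chmod 700 dir, 600 file)"; bad=$((bad + 1))
        fi
    done
    set -f   # no globbing while key lines are split into fields
    while IFS= read -r line || [ -n "$line" ]; do   # also reads a last line lacking \n
        n=$((n + 1))
        case $line in ''|'#'*) continue ;; esac
        set -- $line   # note: quoted spaces inside key options are not handled
        while [ $# -gt 0 ]; do   # skip option fields until a key type appears
            case $1 in ssh-*|ecdsa-*|sk-*) break ;; *) shift ;; esac
        done
        if [ $# -lt 2 ]; then
            echo "line $n: no key type (continuation of a wrapped key?)"; bad=$((bad + 1))
        elif ! blob_ok "$1" "$2"; then
            echo "line $n: $1 blob is malformed or truncated"; bad=$((bad + 1))
        fi
    done < "$dir/authorized_keys"
    set +f
    return $bad
}
```

Run it as check_ssh_dir ~/.ssh on the remote account; a clean directory prints nothing and exits 0.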