Agenda: exercise-ssh-key.html

<h1>SSH Exercises</h1>

<h2>Index</h2>
<ul>
        <li><b><a href="#SSH">SSH with private/public key authentication</a></b></li>
        <li><b><a href="#Windows">For laptops running Windows</a></b></li>
        <ul>
                <li>1. Generate an ssh public/private key pair</li>
                <li>2. Copy the PUBLIC key onto your Unix server</li>
                <ul>
                        <li>Copy-paste</li>
                        <li>Alternative way (if you're having problems with copy-paste)</li>
                </ul>
                <li>3. Login using your private key</li>
                <li>4. Use a passphrase agent</li>
                </ul>
        <li><b><a href="#LinuxUnix">For laptops running Linux (or BSD or OSX)</a></b></li>
        <ul>
                <li>1. Generate an ssh public/private key pair</li>
                <li>2. Copy the PUBLIC key onto your Unix server</li>
                <ul>
                        <li>Copy-paste</li>
                </ul>
                <li>3. Login using your private key</li>
                <li>4. Use a passphrase agent</li>
                </ul>
        <li><b><a href="#root">Copy your public keys to the root account</a></b></li>
        <li><b><a href="#additional">Additional information [not part of exercises]</a></b></li>
                <ul>
                <li>Disable Password Access to your Machine</li>
                        <ul>
                                <li>Connect Only with SSH Keys</li>
                        </ul>
                <li>Agent forwarding</li>
                <li>Advanced: X11 forwarding and port forwarding</li>
                </ul>
        </ul>   

<p>In these exrcises we'll show how you can eliminate passwords by using ssh key
authentication and make this process more convenient.</p>

<p>Choose the version of the exercises depending on what OS you are running on
your laptop.</p>

<a id="SSH"></a>
<h1>SSH with private/public key authentication</h1>

<p>Remember: the <code>$</code> character before commands indicates that they are to be
run as your normal login user, not as root.</p>

<a id="Windows"></a>
<h1>For laptops running Windows</h1>

<p>Download the following onto your desktop or into a downloads folder:</p>

<ul>
<li>putty.exe</li>
<li>pageant.exe</li>
<li>puttygen.exe</li>
<li>pscp.exe</li>
<li>psftp.exe</li>
</ul>

<p>For this class you can download each of these items by going to:</p>

<blockquote>
<a href="http://wsnoc.nsrc.org/wiki/Putty">http://wsnoc.nsrc.org/wiki/Putty</a>
</blockquote>

<p>Outside of class you can go to <a href="http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html">http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html</a> 
(Or you can try the installer bundle which gets them all)</p>

<h2>1. Generate an ssh public/private key pair</h2>

<p>Double-click on <code>puttygen.exe</code></p>

<p>At the bottom of the dialog box, under "Parameters":</p>

<ul>
<li>Make sure the type of key to generate is "SSH-2 RSA" (near center-bottom of screen)</li>
<li>Set the number of bits to 2048 (bottom right of the screen)</li>
</ul>

<p>Click on "Generate". Move the mouse randomly over the blank area until the
progress bar reaches 100%</p>

Now you will have some additional fields in the puttygen.exe window:

<pre><code>
Key comment:                    [Your Name &lt;your@email.address&gt;   ]
Key passphrase:                 [chooose a passphrase             ]
Confirm passphrase:             [choose same passphrase           ]
</code></pre>

<p>The passphrase is used to keep your private key encrypted on disk. It can be
pretty much anything you want and as long as you want - including spaces -
but if you forget it, your key becomes worthless.  For now pick something
that you will easily remember.  You can change it at any time you want in
the future.</p>

<p>Click "Save public key". Give a filename of "id_rsa.pub" (please save
files into the same directory as where the executables are)</p>

<p>Click "Save private key". Give a filename of "id_rsa.ppk"</p>

<p>Use the mouse to highlight all the text in the box "Public key for pasting
into OpenSSH authorized_keys file", and copy it to the clipboard.</p>

<p>Exit puttygen.</p>

<p>NOTE: Key generation is a one-off exercise. The more you deploy your public
key, the more work it will be if you were to lose it and have to start again
with a new one.  We suggest you keep a secure backup of it somewhere, e.g. 
on a CD-ROM, a safe USB key that you lock away, an encrypted file somewhere else, etc.</p>

<h2>2. Copy the PUBLIC key onto your Unix server</h2>

<p>You have two ways of doing this.</p>

<h3>Copy-paste</h3>

<p>Use putty.exe to make a normal ssh connection to your MacMini as the 'nsrc'
user. Your MacMini should be accessible as s1.ws.nsrc.org, but you use the IP address if 
necessary of 10.10.0.241.</p>

<p>You will likely see a window about the server's host key not being cached in the registry. In 
order to connect click on "Yes" to continue. Do you understand what this meant?</p>

<p>Check so if there is a .ssh directory already in the home directory for the nsrc user:</p>

<pre><code>ls -la</code></pre>

<p>If you do not see the directory, then you are the first one to connect. Create the .ssh 
directory like this:</p>

<pre><code>$ mkdir .ssh
$ chmod 700 .ssh
</code></pre>

<p>Now you will paste the key you copied to your clipboard earlier in to a file called 
.ssh/authorized_keys. The way we do this ensures that the text you paste will go on the end of the 
file so you don't overwrite the public keys that your classmates are placing in this file as well</p>

<pre><code>$ cat &gt;&gt;.ssh/authorized_keys
*** PASTE KEY FROM CLIPBOARD ***
*** If the cursor is still at the end of the line, hit Enter ***
*** hit ctrl-D ***
</code></pre>

<p>The key consists of one very long line, which looks like</p>

<pre><code>ssh-rsa &lt;lots of base64 data&gt; &lt;comment&gt;
</code></pre>

<p>As a quick check that it hasn't been corrupted, count the lines in the file:</p>

<pre><code>$ wc -l .ssh/authorized_keys
1 .ssh/authorized_keys
</code></pre>

<p>If you don't see "1", then you'll need to fix it (possibly with an editor). You can ask 
an instructor for help. Don't delete the file!</p>

<p>Now let's be sure that the file .ssh/authorized_keys ahs the right permissions set, otherwise the 
ssh server on your MacMini will not allow you to connect using your private key. To do this do:</p>

<pre><code>$ chmod 600 .ssh/authorized_keys
</code></pre>

<p>Now log out of your MacMini</p>

<pre><code>$ exit
</code></pre>

<h3>Alternative way (if you're having problems with copy-paste)</h3>

<p>Double-click on psftp.exe. Open a connection to your server, and upload
your public key:</p>

<pre><code>psftp&gt; open s1.ws.nsrc.org
login as: nsrc
nsrc@s1.ws.nsrc.org's password: &lt;usual one&gt;
Remote working directory is /home/nsrc
psftp&gt; put id_rsa.pub
local:id_rsa.pub =&gt; remote:/home/nsrc/id_rsa.pub
psftp&gt; quit
</code></pre>

<p>Unfortunately, this public key is not in the format which openssh requires,
so now login again using putty.exe to connect to the server again as the user nsrc. First 
we need to see if the .ssh directory exists in the nsrc user home directory:</p>

<pre><code>ls -la</code></pre>

<p>If you do not see the directory, then you are the first one to connect. Create the .ssh 
directory like this:</p>

<pre><code>$ mkdir .ssh
$ chmod 700 .ssh
</code></pre>

<p>Now you can use the following command to convert the id_rsa.pub key file you uploaded to the
home directory and place this key at the end of a file called authorized keys in the .ssh 
directory:</p>

<pre><code>$ ssh-keygen -i -f id_rsa.pub &gt;&gt;.ssh/authorized_keys
</code></pre>

<p>Now let's be sure that the file .ssh/authorized_keys has the right permissions set, otherwise the 
ssh server on your MacMini will not allow you to connect using your private key. To do this do:</p>

<pre><code>$ chmod 600 .ssh/authorized_keys
</code></pre>

<p>We should remove our id_rsa.pub file sitting in the /home/nsrc directory:</p>

<pre><code>$ rm id_rsa.pub
</code></pre>

<p>Now log out of your MacMini:</p>

<pre><code>$ exit
</code></pre>


<h2>3. Login using your private key</h2>

<p>Start putty.exe again. Enter the hostname as usual, but before clicking
Open, browse in the left hand column to Connection > SSH > Auth</p>

<pre><code>[-] Connection
     |
    [-] SSH
     |  |- Keyex
     |  |- Auth    &lt;--- CLICK HERE
</code></pre>

<p>Next to "Private key for authentication", click Browse. Find your
id_rsa.ppk file, open it, then go back to the Open option to start the connection. Remember 
Host Name or IP address is s1.ws.nsrc.org or 10.10.0.241</p>

<p>You should be prompted for your username as before (nsrc), but then
instead of being prompted for a password, you are asked for the passphrase
for your private key. Enter it, and you should be logged in.</p>

<p>This is quite painful (both locating the private key and entering the
passphrase), so as the final step of the exercise we're going automate it
using an agent.</p>

<h2>4. Use a passphrase agent</h2>

<p>Run <code>pageant.exe</code></p>

<p>It runs in the background, and adds an icon to your task tray (a PC with
a black hat at an angle). You may need to select "Show hidden icons"
to see it.</p>

<p>Right-click on the icon, and select "Add Key". Browse to your id_rsa.ppk
and open it. You will be prompted for the passphrase - enter it. (If you
make a mistake, you'll be prompted again until you get it right)</p>

<p>Now run putty.exe again, enter your hostname, click Open, and enter your
username (sysadm).  You should be logged in immediately, with no prompt for
either a password or a passphrase!</p>

<p>Try logging in again. Also try using psftp.exe (when it runs, enter
"open wsnoc.nsrc.org" to start a connection). No passphrase is needed
until you tell Pageant to forget the private key. This can save quite a bit of time 
if you are making multiple ssh connections.</p>

<p>With Putty you save preconfigured sessions to save steps as well as play with many other 
available options. Feel free to do this if you wish at your leisure.</p>

<a id="LinuxUnix"></a>
<h1>For laptops running Linux (or BSD or OSX)</h1>

<h2>1. Generate an ssh public/private key pair</h2>

<p><b>WARNING!</b>: If you already have a public/private key that you use, then skip the first 
exercise and go directly to exercise 2.</p>

<p>Note that the "~" character represents the path to your home directory on your laptop.</p>

<pre><code>$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (~/.ssh/id_rsa): &lt;HIT ENTER&gt;
Created directory '~/.ssh'.
Enter passphrase (empty for no passphrase): &lt;CHOOSE PASSPHRASE&gt;
Enter same passphrase again: &lt;SAME PASSPHRASE&gt;
Your identification has been saved in ~/.ssh/id_rsa.
Your public key has been saved in ~/.ssh/id_rsa.pub.
The key fingerprint is:
32:2b:e3:0e:14:fb:60:38:a6:e2:73:95:53:9d:a8:0f userid@yourlaptopname
</code></pre>

<p>The passphrase is used to keep your private key encrypted on disk. It can be
pretty much anything you want and as long as you want - including spaces -
but if you forget it, your key becomes worthless.  For now pick something
that you will easily remember.  You can change it at any time you want in
the future (using <code>ssh-keygen -p</code>)</p>

<p>NOTE: Key generation is a one-off exercise. The more you deploy your public
key, the more work it will be if you were to lose it and have to start again
with a new one.  We suggest you keep a secure backup of it somewhere, e.g. 
on a CD-ROM, a safe USB key that you lock away, an encrypted file somewhere else, etc.</p>

<h2>2. Copy the PUBLIC key onto your Unix server</h2>

<p>First we need to see if ssh has been set up on your MacMini and your nsrc account is ready 
to accept public keys. To do this do:</p>

<pre><code>$ ssh nsrc@s1.ws.nsrc.org</code></pre>

<p>If you are prompted to say Yes or No to accepting the public key from the MacMini be sure to
answer "Yes" (you have to type "Yes" out fully). Do you understand what is happening? Now let's see 
if there is a ".ssh" directory in the nsrc home directory on your MacMini:</p>

<pre><code>ls -la</code></pre>

<p>If you do not see the directory, then you are the first one to connect. Create the .ssh 
directory and authorized_keys file. If you do see a ".ssh" directory, then please skip down 
to the "Copying your public key" step below. To create the directory and file do this:</p>

<pre><code>$ mkdir .ssh
$ chmod 700 .ssh
</code></pre>

<p>Now let's create an empty .ssh/authorized_keys file with the correct permissions so that as we 
place our public keys in the file things will work correctly</p>

<pre><code>$ touch .ssh/authorized_keys
$ chmod 600 .ssh/authorized_keys
</code></pre>

<p>Now log out of the MacMini to go back to your laptop</p>

<h3>Copying your public key</h3>

<p>The simplest way to copy the public key is with scp and the cat commnd. We do this
in this manner to avoid overwriting other people's public key in the authorized_keys file 
on our MacMinis.</p>

<p>From a terminal window on your laptop</p>

<pre><code>$ cd
$ cat .ssh/id_rsa.pub | ssh nsrc@s1.ws.nsrc.org 'cat &gt;&gt;.ssh/authorized_keys'
</code></pre>

<h2>3. Login using your private key</h2>

<p>Open an ssh connection to your server as normal:</p>

<pre><code>$ ssh nsrc@s1.ws.nsrc.org
</code></pre>

<p>This time, instead of being prompted for your password, you should be
prompted for the passphrase on your private key. Enter it. You should be
logged in.</p>

<h2>4. Use a passphrase agent</h2>

<p>Entering a passphrase every time you connect would be painful, but this
isn't necessary if you have an agent which decrypts the private key and
keeps it in memory.</p>

<p>If you are running under a modern graphical environment like Gnome or Mac OS X, you
probably already got a dialog box prompting you for a passphrase, and this
means you're already running an agent.  You should be able to logout and
login to the remote server, without being prompted for your passphrase
again.</p>

<p>If you don't have an agent, then you can start a new subshell with ssh-agent
as its parent:</p>

<pre><code>$ ssh-agent bash
$ ssh-add
... prompted for your passphrase
$
</code></pre>

<p>To see what identities (decrypted private keys) your agent has in memory:</p>

<pre><code>$ ssh-add -l
</code></pre>

<p>To forget all identities:</p>

<pre><code>$ ssh-add -d
</code></pre>

<p>(By the way, if you do the above command you will be prompted for your passphrase again the 
next time you connect to your MacMini.)</p>

<p>Now the agent will handle future connections for you.</p>

<p>If you are running an older graphical environment, and you normally start
X using <code>startx</code>, then start it using <code>ssh-agent startx</code> instead. Then type
'ssh-add' in an xterm.</p>

<a id="root"></a>
<h1>Copy your public keys to the root account</h1>

<p>Everyone can do this exercise. You should do this once everyone has copied their public 
key to the /home/nsrc/.ssh/authorized_keys files on your group's MacMini, so check with your neighbor's 
to see if they are done with that part of the exercises.</p>

<p>Log in to your MacMini as the user nsrc. Once you are logged in do the following. When 
prompted for a password use the same one you used originally to connect to the nsrc account:</p>

<pre><code>$ sudo su -
# cd /root
# mkdir .ssh
# chmod 700 .ssh
# cat /home/nsrc/.ssh/authorized_keys >> .ssh/authorized_keys
# chown root:root .ssh/authorized_keys
# chmod 600 .ssh/authorized_keys
</code></pre>

<p>If you wish to see how things look in the /root/.ssh directory do:</p>

<pre><code># ls -la .ssh</code></pre>

<p>Now you can log off from the MacMini and try connecting directly as the root user. You need to 
type exit twice as the sudo command opened a new shell on the MacMini:</p>

<pre><code># exit
$ exit
</code></pre>

<p>Now try connection to the MacMini as the root user (root@s1.ws.nsrc.org) and see if you are prompted 
for your passphrase, or if you log in without any prompt as your ssh agent program should take care 
of the private/public key exchange between your machine and the MacMini.</p>

<p>Once you are done you can log off.</p>

<hr />

<a id="additional"></a>
<h1>Additional information [not part of exercises]</h1>

<div align="center">
<p>This section is for reference only. We are <em>not</em> going to turn off password access at 
this time, so please do not do this exercise.</p>
</div>

<h2>Disable Password Access to your Machine</h2>

<h3>Connect Only with SSH Keys</h3>

<p>Only do this exercise if you have successfully copied your public key to your machine and you
are being prompted for your ssh private key passphrase when you log in and not your password.</p>

<p>Log in on your machine. Once logged in become the root user:</p>

<pre><code>$ sudo su -</pre></code>

<p>As the root user cat the authorized_keys file to the directory /root/.ssh. This wasy we ensure
we don't overwrite any other /root/.ssh/authorized_keys file that might already be in place.</p>

<pre><code># mkdir /root/.ssh
# chmod 700 /root/.ssh
# cat /home/nsrc/.ssh/authorized_keys &gt;&gt; /root/.ssh/authorized_keys
# chown root:root /root/.ssh/authorized_keys
# chmod 644 /root/.ssh/authorized_keys
</pre></code>

<p>Now log out of your machine and try to log back in, but this time as the "root" user, 
not as the "nsrc" user. If you are prompted for your ssh private key passphrase and not a 
password, then you are ready to disable password access to your machine.</p>

<p>Log in on your machine as the root user. Now we are going to edit the file /etc/ssh/sshd_config.</p>

<pre><code># vi /etc/ssh/sshd_config</pre></code>

<p>Insie the file look for the following line:</p>

<code>#PasswordAuthentication yes</code>

<p>Just after this line add a line that says:</p>

<code>PasswordAuthentication no</code>

<p>Save and exit from the file. The reload the ssh server:</p>

<pre><code># service ssh reload</pre></code>

<p>Before logging out we recommend you leave your current session open in case there are problems. You 
could lock yourself out of your machine. If you do let your instructor know. Now use ssh or putty on your laptop 
and try connecting to your server. You should get prompted for your ssh private key's passphrase and 
be able to log in. If you did, everthing is working. At this point all new users on your machine must 
use ssh keys to connect and not passwords. If you wish to verify this you can do the following:</p>

<pre><code># adduser testuser</pre></code>

<p>Answer the on-screen prompts. Once the user has been created and you have given it a new password of 
your choosing, try to open a new ssh session to your machine as that user. You should either be rejected 
or your password attempts will have not affect (depends on the ssh server version).</p>

<p>To log in as this user you would need to copy your public ssh key to their account as we did for 
your nsrc user. This <b>greatly</b> enhances the security of your system.

<h2>Agent forwarding</h2>

<p>Using an agent, you can access across multiple ssh hops without having to
copy your key or enter your passphrase anywhere.</p>

<p>If you enable "agent forwarding" when you login to host X, you can then
login from X to Y without any prompting (assuming Y has your public key in
authorized_keys).  The request to authenticate is forwarded securely back
along your original ssh session to the agent running on your workstation.</p>

<p>Under Unix:</p>

<pre><code>$ ssh -o ForwardAgent=yes user@host
</code></pre>

<p>If you do this frequently, it's easier to configure it in <code>.ssh/hosts</code></p>

<pre><code>host foo
hostname foo.example.com
user nsrc
ForwardAgent yes
</code></pre>

<p>Then you only have to type <code>ssh foo</code> to get a connection with those options.</p>

<h2>Advanced: X11 forwarding and port forwarding</h2>

<p>ssh can securely carry arbitrary forwarded TCP connections and X11 graphics.</p>

<pre><code>$ ssh -L8080:some.where:80 user@remote.host
... while ssh connection is open, a connection to 127.0.0.1 port 8080
... will be tunneled, and the far end will open a connection to
... some.where port 80

$ ssh -X user@remote.host
...
$ xclock   # graphical output redirected back through ssh tunnel
</code></pre>