# Track4Agenda: exercise-ssh-key.htm

File exercise-ssh-key.htm, 34.5 KB (added by trac, 3 years ago)
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
  <meta http-equiv="Content-Style-Type" content="text/css" />
  <meta name="generator" content="pandoc" />
  <title>SSH with private/public key authentication</title>
  <style type="text/css">code{white-space: pre;}</style>
<body>
<h1 class="title">SSH with private/public key authentication</h1>
</div>
<div id="TOC">
<ul>
<li><a href="#introduction"><span class="toc-section-number">1</span> Introduction</a><ul>
<li><a href="#goals"><span class="toc-section-number">1.1</span> Goals</a></li>
<li><a href="#notes"><span class="toc-section-number">1.2</span> Notes</a></li>
</ul></li>
<li><a href="#for-laptops-running-windows"><span class="toc-section-number">2</span> For laptops running Windows</a><ul>
<li><a href="#generate-an-ssh-publicprivate-key-pair"><span class="toc-section-number">2.1</span> 1. Generate an ssh public/private key pair</a></li>
<li><a href="#copy-the-public-key-onto-your-unix-server"><span class="toc-section-number">2.2</span> 2. Copy the PUBLIC key onto your Unix server</a><ul>
<li><a href="#copy-paste"><span class="toc-section-number">2.2.1</span> Copy-paste</a></li>
<li><a href="#alternative-way-if-youre-having-problems-with-copy-paste"><span class="toc-section-number">2.2.2</span> Alternative way (if you're having problems with copy-paste)</a></li>
</ul></li>
<li><a href="#use-a-passphrase-agent"><span class="toc-section-number">2.4</span> 4. Use a passphrase agent</a></li>
</ul></li>
<li><a href="#for-laptops-running-linux-or-bsd-or-osx"><span class="toc-section-number">3</span> For laptops running Linux (or BSD or OSX)</a><ul>
<li><a href="#generate-an-ssh-publicprivate-key-pair-1"><span class="toc-section-number">3.1</span> 1. Generate an ssh public/private key pair</a></li>
<li><a href="#copy-the-public-key-onto-your-unix-server-1"><span class="toc-section-number">3.2</span> 2. Copy the PUBLIC key onto your Unix server</a></li>
<li><a href="#use-a-passphrase-agent-1"><span class="toc-section-number">3.4</span> 4. Use a passphrase agent</a></li>
</ul></li>
<li><a href="#agent-forwarding"><span class="toc-section-number">4.1</span> Agent forwarding</a></li>
</ul></li>
</ul>
</div>
<p>In this exercise we'll show how you can eliminate passwords by using ssh key authentication.</p>
<ul>
<li>Commands preceded with &quot;$&quot; imply that you should execute the command as a general user - not as root.</li>
<li>Commands preceded with &quot;#&quot; imply that you should be working as root.</li>
<li>Commands with more specific command lines (e.g. &quot;rtrX&gt;&quot; or &quot;mysql&gt;&quot;) imply that you are executing commands on remote equipment, or within another program.</li>
</ul>
<p>Choose the version of the exercises depending on what OS you are running on your laptop.</p>
<h1 id="for-laptops-running-windows"><a href="#for-laptops-running-windows"><span class="header-section-number">2</span> For laptops running Windows</a></h1>
<p>Download the following onto your desktop or into a downloads folder:</p>
<ul>
<li>putty.exe (you should already have this)</li>
<li>psftp.exe</li>
<li>pageant.exe</li>
<li>puttygen.exe</li>
</ul>
<p>from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html (Or you can try the installer bundle which gets them all)</p>
<h2 id="generate-an-ssh-publicprivate-key-pair"><a href="#generate-an-ssh-publicprivate-key-pair"><span class="header-section-number">2.1</span> 1. Generate an ssh public/private key pair</a></h2>
<p>Double-click on <code>puttygen.exe</code></p>
<p>At the bottom of the dialog box, under &quot;Parameters&quot;:</p>
<ul>
<li>Make sure the type of key to generate is &quot;SSH-2 RSA&quot;</li>
<li>Set the number of bits to 2048</li>
</ul>
<p>Click on &quot;Generate&quot;. Move the mouse randomly over the blank area until the progress bar reaches 100%</p>
<pre><code> Key comment: [Your Name &lt;your@email.address&gt; ]
 Key passphrase: [choose a passphrase ]
 Confirm passphrase: [choose same passphrase ]</code></pre>
<p>The passphrase is used to keep your private key encrypted on disk. It can be pretty much anything you want and as long as you want - including spaces - but if you forget it, your key becomes worthless. For now pick something that you will easily remember. You can change it at any time you want in the future.</p>
<p>Click &quot;Save public key&quot;. Give a filename of &quot;id_rsa.pub&quot; (please save files into the same directory as where the executables are)</p>
<p>Click &quot;Save private key&quot;. Give a filename of &quot;id_rsa.ppk&quot;</p>
<p>Use the mouse to highlight all the text in the box &quot;Public key for pasting into OpenSSH authorized_keys file&quot;, and copy it to the clipboard.</p>
<p>Exit puttygen.</p>
<p>NOTE: Key generation is a one-off exercise. The more places you deploy your public key to, the more work it will be if you lose it and have to start again with a new one. I suggest you keep a secure backup of it somewhere, e.g. on a CD-ROM that you lock away.</p>
<h2 id="copy-the-public-key-onto-your-unix-server"><a href="#copy-the-public-key-onto-your-unix-server"><span class="header-section-number">2.2</span> 2. Copy the PUBLIC key onto your Unix server</a></h2>
<p>You have two ways of doing this.</p>
<h3 id="copy-paste"><a href="#copy-paste"><span class="header-section-number">2.2.1</span> Copy-paste</a></h3>
<p>Use putty.exe to make a normal ssh connection to your host as the 'sysadm' user.</p>
<pre><code>$ cat &gt;&gt;.ssh/authorized_keys
    *** PASTE KEY FROM CLIPBOARD ***
    *** If the cursor is still at the end of the line, hit Enter ***
    *** hit ctrl-D ***</code></pre>
<p>The key consists of one very long line, which looks like</p>
<pre><code>ssh-rsa &lt;lots of base64 data&gt; &lt;comment&gt;</code></pre>
<p>As a quick check that it hasn't been corrupted, count the lines in the file:</p>
<pre><code>$ wc -l .ssh/authorized_keys
1 .ssh/authorized_keys</code></pre>
<p>If you don't see &quot;1&quot;, then you'll need to fix it (possibly with an editor, or else just rm the file and start again)</p>
<p>Now logout.</p>
<h3 id="alternative-way-if-youre-having-problems-with-copy-paste"><a href="#alternative-way-if-youre-having-problems-with-copy-paste"><span class="header-section-number">2.2.2</span> Alternative way (if you're having problems with copy-paste)</a></h3>
<p>Double-click on psftp.exe. Open a connection to your server, and upload your public key:</p>
<pre><code>psftp&gt; open dmzN.ws.nsrc.org
login as: sysadm
sysadm@dmzN.ws.nsrc.org's password: &lt;usual one&gt;
Remote working directory is /home/sysadm
psftp&gt; put id_rsa.pub
local:id_rsa.pub =&gt; remote:/home/sysadm/id_rsa.pub
psftp&gt; quit</code></pre>
<p>Unfortunately, this public key is not in the format which openssh requires, so now login again using putty.exe, and use the following command to convert it and put it in the right place.</p>
<pre><code>$ ssh-keygen -i -f id_rsa.pub &gt;&gt;.ssh/authorized_keys</code></pre>
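<p>The line count above only catches a key that was split or truncated. The shell function below is an added example (not part of the original exercise, and not something OpenSSH ships) of the fuller check a sysadmin would want before either the append in this section or the shared-system append in section 3.2: exactly one line, a supported key type whose blob really encodes that type, base64-only characters, no duplicate entry, and private permissions on <code>.ssh</code> and <code>authorized_keys</code>. The function names and file paths are this example's own, and it also accepts ssh-ed25519 keys, which the exercise does not cover.</p>

```shell
#!/bin/sh
# Added example, not part of the original exercise: validate a public key in
# OpenSSH format and append it to authorized_keys exactly once. Function names
# (key_blob_prefix, append_authorized_key) are this example's own.

# Every OpenSSH key blob starts with the base64 of its own type name, so the
# declared type and the blob can be cross-checked without decoding anything.
key_blob_prefix() {
    case "$1" in
        ssh-rsa)     echo AAAAB3NzaC1yc2E ;;       # base64 of "\0\0\0\7ssh-rsa"
        ssh-ed25519) echo AAAAC3NzaC1lZDI1NTE5 ;;  # base64 of "\0\0\0\13ssh-ed25519"
        *)           return 1 ;;
    esac
}

# Usage: append_authorized_key <pubkey-file> <authorized_keys-file>
# Returns 0 when the key is now present (appended or already there), 1 when
# the key file looks corrupted and nothing was written.
append_authorized_key() {
    pub=$1; auth=$2
    # The exercise's own sanity check: a public key is exactly one line.
    n=$(wc -l < "$pub" | tr -d ' ')
    [ "$n" -eq 1 ] || { echo "expected 1 line in $pub, found ${n:-0}" >&2; return 1; }
    IFS=' ' read -r type blob comment < "$pub"
    prefix=$(key_blob_prefix "$type") || { echo "unsupported key type '$type'" >&2; return 1; }
    case "$blob" in
        *[!A-Za-z0-9+/=]*) echo "blob contains non-base64 characters" >&2; return 1 ;;
        "$prefix"*) ;;
        *) echo "blob does not encode a $type key" >&2; return 1 ;;
    esac
    (   # subshell so the restrictive umask does not leak into the caller
        umask 077   # sshd ignores an authorized_keys file that others can write to
        mkdir -p "$(dirname "$auth")"
        [ -e "$auth" ] || : > "$auth"
        # Match on type and blob only; the comment is not part of the key.
        if awk -v t="$type" -v b="$blob" '$1 == t && $2 == b { f = 1 } END { exit (f ? 0 : 1) }' "$auth"; then
            echo "key already present in $auth" >&2
            exit 0
        fi
        printf '%s\n' "$type $blob${comment:+ $comment}" >> "$auth"
    )
}

# Run directly with two arguments, e.g. ./addkey.sh id_rsa.pub ~/.ssh/authorized_keys
if [ $# -eq 2 ]; then
    append_authorized_key "$1" "$2"
fi
```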
<p>Start putty.exe again. Enter the hostname as usual, but before clicking Open, browse in the left hand column to Connection &gt; SSH &gt; Auth</p>
<pre><code>    [-] Connection
         |
        [-] SSH
         |  |- Keyex
<p>Next to &quot;Private key for authentication&quot;, click Browse. Find your id_rsa.ppk file, open it, then click Open to start the connection.</p>
<p>This is quite painful (both locating the private key and entering the passphrase), so as the final step of the exercise we're going to automate it using an agent.</p>
<h2 id="use-a-passphrase-agent"><a href="#use-a-passphrase-agent"><span class="header-section-number">2.4</span> 4. Use a passphrase agent</a></h2>
<p>Run <code>pageant.exe</code></p>
<p>It runs in the background, and adds an icon to your task tray (a PC with a black hat at a jaunty angle). You may need to select &quot;Show hidden icons&quot; to see it.</p>
<p>Right-click on the icon, and select &quot;Add Key&quot;. Browse to your id_rsa.ppk and open it. You will be prompted for the passphrase - enter it. (If you make a mistake, you'll be prompted again until you get it right)</p>
<p>Now run putty.exe again, enter your hostname, click Open, and enter your username (sysadm). You should be logged in immediately, with no prompt for either a password or a passphrase!</p>
<p>Try logging in again. Also try using psftp.exe (when it runs, enter &quot;open dmzN.ws.nsrc.org&quot; to start a connection). No passphrase is needed until you tell Pageant to forget the private key.</p>
<h1 id="for-laptops-running-linux-or-bsd-or-osx"><a href="#for-laptops-running-linux-or-bsd-or-osx"><span class="header-section-number">3</span> For laptops running Linux (or BSD or OSX)</a></h1>
<h2 id="generate-an-ssh-publicprivate-key-pair-1"><a href="#generate-an-ssh-publicprivate-key-pair-1"><span class="header-section-number">3.1</span> 1. Generate an ssh public/private key pair</a></h2>
<pre><code>$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/sysadm/.ssh/id_rsa): &lt;HIT ENTER&gt;
Created directory '/home/sysadm/.ssh'.
Enter passphrase (empty for no passphrase): &lt;CHOOSE PASSPHRASE&gt;
Enter same passphrase again: &lt;SAME PASSPHRASE&gt;
Your identification has been saved in /home/sysadm/.ssh/id_rsa.
Your public key has been saved in /home/sysadm/.ssh/id_rsa.pub.
The key fingerprint is:
32:2b:e3:0e:14:fb:60:38:a6:e2:73:95:53:9d:a8:0f sysadm@dmzN.ws.nsrc.org</code></pre>
<p>The passphrase is used to keep your private key encrypted on disk. It can be pretty much anything you want and as long as you want - including spaces - but if you forget it, your key becomes worthless. For now pick something that you will easily remember. You can change it at any time you want in the future (using <code>ssh-keygen -p</code>)</p>
<p>NOTE: Key generation is a one-off exercise. The more places you deploy your public key to, the more work it will be if you lose it and have to start again with a new one. I suggest you keep a secure backup of it somewhere, e.g. on a CD-ROM that you lock away.</p>
<h2 id="copy-the-public-key-onto-your-unix-server-1"><a href="#copy-the-public-key-onto-your-unix-server-1"><span class="header-section-number">3.2</span> 2. Copy the PUBLIC key onto your Unix server</a></h2>
<p>The simplest way to copy the public key is with scp:</p>
<pre><code>$ scp .ssh/id_rsa.pub sysadm@dmzN.ws.nsrc.org:.ssh/authorized_keys</code></pre>
<p>Note that .ssh/authorized_keys can contain multiple keys, one per line, so on a shared system you might want to append your key instead:</p>
<pre><code>$ cat .ssh/id_rsa.pub | ssh sysadm@dmzN.ws.nsrc.org 'cat &gt;&gt;.ssh/authorized_keys'</code></pre>
<h2 id="login-using-your-private-key-1"><a href="#login-using-your-private-key-1"><span class="header-section-number">3.3</span> 3. Login using your private key</a></h2>
<p>Open an ssh connection to your server as normal:</p>
<pre><code>$ ssh sysadm@dmzN.ws.nsrc.org</code></pre>
<p>This time, instead of being prompted for your password, you should be prompted for the passphrase on your private key. Enter it. You should be logged in.</p>
<h2 id="use-a-passphrase-agent-1"><a href="#use-a-passphrase-agent-1"><span class="header-section-number">3.4</span> 4. Use a passphrase agent</a></h2>
<p>Entering a passphrase every time you connect would be painful, but this isn't necessary if you have an agent which decrypts the private key and keeps it in memory.</p>
<p>If you are running under a modern graphical environment like Gnome, you probably already got a dialog box prompting you for a passphrase, and this means you're already running an agent. You should be able to logout and login to the remote server, without being prompted for your passphrase again.</p>
<p>To see what identities (decrypted private keys) your agent has in memory:</p>
<pre><code>$ ssh-add -l</code></pre>
<p>To forget all identities:</p>
<pre><code>$ ssh-add -D</code></pre>
<p>If you don't have an agent, then you can start a new subshell with ssh-agent as its parent:</p>
<pre><code>$ ssh-agent bash
$ ssh-add
 ... prompted for your passphrase
$</code></pre>
<p>Now the agent will handle future connections for you.</p>
<p>If you are running an older graphical environment, and you normally start X using <code>startx</code>, then start it using <code>ssh-agent startx</code> instead. Then type 'ssh-add' in an xterm.</p>
<hr />
<h1 id="additional-information-not-part-of-exercises"><a href="#additional-information-not-part-of-exercises"><span class="header-section-number">4</span> Additional information [not part of exercises]</a></h1>
<h2 id="agent-forwarding"><a href="#agent-forwarding"><span class="header-section-number">4.1</span> Agent forwarding</a></h2>
<p>Using an agent, you can log in across multiple ssh hops without having to copy your key or enter your passphrase anywhere.</p>
<p>If you enable &quot;agent forwarding&quot; when you login to host X, you can then login from X to Y without any prompting (assuming Y has your public key in authorized_keys). The request to authenticate is forwarded securely back along your original ssh session to the agent running on your workstation.</p>
<p>Under Unix:</p>
<pre><code>$ ssh -o ForwardAgent=yes user@host</code></pre>
<p>If you do this frequently, it's easier to configure it in <code>.ssh/hosts</code></p>
<pre><code>host foo
hostname foo.example.com
<pre><code>$ ssh -L8080:some.where:80 user@remote.host
... while ssh connection is open, a connection to 127.0.0.1 port 8080
... will be tunneled, and the far end will open a connection to
... some.where port 80

$ ssh -X user@remote.host