In this exercise we'll show how you can eliminate passwords by using ssh key authentication.
Choose the version of the exercises depending on what OS you are running on your laptop.
Download the following onto your desktop or into a downloads folder:
(Or you can try the installer bundle putty.zip, which gets them all.)
During the workshop only, you can download these from the local mirror at http://www.ws.nsrc.org/downloads/putty/
The home site is http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
Double-click on puttygen.exe
At the bottom of the dialog box, under "Parameters":
Click on "Generate". Move the mouse randomly over the blank area until the progress bar reaches 100%
Key comment: [Your Name <your@email.address>]
Key passphrase: [choose a passphrase]
Confirm passphrase: [the same passphrase]
The passphrase is used to keep your private key encrypted on disk. It can be pretty much anything you want and as long as you want - including spaces - but if you forget it, your key becomes worthless. For now pick something that you will easily remember. You can change it at any time you want in the future.
Click "Save public key". Give a filename of "id_rsa.pub" (please save files into the same directory as where the executables are)
Click "Save private key". Give a filename of "id_rsa.ppk"
Use the mouse to highlight all the text in the box "Public key for pasting into OpenSSH authorized_keys file", and copy it to the clipboard.
Exit puttygen.
NOTE: Key generation is a one-off exercise. The more places you deploy your public key, the more work it will be if you lose the private key and have to start again with a new one. Keep a secure backup of the private key file (id_rsa.ppk) somewhere you control, e.g. on a CD-ROM that you lock away, and keep the passphrase separate from it, since the passphrase is all that protects the backup.
You have two ways of installing the public key on the server.
Use putty.exe to make a normal ssh connection to your host as the 'sysadm' user. If the .ssh directory in your home directory does not exist yet, create it first and make it readable only by you (mode 700). Then append the key:
$ cat >>.ssh/authorized_keys
*** PASTE KEY FROM CLIPBOARD ***
*** If the cursor is still at the end of the line, hit Enter ***
*** hit ctrl-D ***
The key consists of one very long line, which looks like
ssh-rsa <lots of base64 data> <comment>
As a quick check that it hasn't been corrupted, count the lines in the file:
$ wc -l .ssh/authorized_keys
1 .ssh/authorized_keys
If you don't see "1", then you'll need to fix it (possibly with an editor, or else just rm the file and start again)
Now logout.
Double-click on psftp.exe. Open a connection to your server, and upload your public key:
psftp> open hostN.ws.nsrc.org
login as: sysadm
sysadm@hostN.ws.nsrc.org's password: <usual one>
Remote working directory is /home/sysadm
psftp> put id_rsa.pub
local:id_rsa.pub => remote:/home/sysadm/id_rsa.pub
psftp> quit
Unfortunately, puttygen's "Save public key" writes the key in RFC 4716 (SSH2) format, which is not the one-line format OpenSSH's authorized_keys expects, so now login again using putty.exe, and use the following command to convert it and append it in the right place (then check it with wc -l as above):
$ ssh-keygen -i -f id_rsa.pub >>.ssh/authorized_keys
Start putty.exe again. Enter the hostname as usual, but before clicking Open, browse in the left hand column to Connection > SSH > Auth
[-] Connection
|
[-] SSH
| |- Keyex
| |- Auth <--- CLICK HERE
Next to "Private key for authentication", click Browse. Find your id_rsa.ppk file, open it, then click Open to start the connection.
You should be prompted for your username as before (sysadm), but then instead of being prompted for a password, you are asked for the passphrase for your private key. Enter it, and you should be logged in.
This is quite painful (both locating the private key and entering the passphrase), so later we're going to automate it using an agent.
If you have been given multiple hosts to use, now copy your public key to each of those other hosts, and check that you can use the same private key to log in to each of them. There is no need to create any more key pairs - in fact it would be a bad idea to do so: one private key per person, kept on your laptop, is what lets you track and revoke access later.
When you have done this, move onto Disabling password authentication at the end of this exercise.
$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/sysadm/.ssh/id_rsa): <HIT ENTER>
Created directory '/home/sysadm/.ssh'.
Enter passphrase (empty for no passphrase): <CHOOSE PASSPHRASE>
Enter same passphrase again: <SAME PASSPHRASE>
Your identification has been saved in /home/sysadm/.ssh/id_rsa.
Your public key has been saved in /home/sysadm/.ssh/id_rsa.pub.
The key fingerprint is:
32:2b:e3:0e:14:fb:60:38:a6:e2:73:95:53:9d:a8:0f sysadm@hostN.ws.nsrc.org
The passphrase is used to keep your private key encrypted on disk. It can be pretty much anything you want and as long as you want - including spaces - but if you forget it, your key becomes worthless. For now pick something that you will easily remember. You can change it at any time in the future (using ssh-keygen -p).
NOTE: Key generation is a one-off exercise. The more places you deploy your public key, the more work it will be if you lose the private key and have to start again with a new one. Keep a secure backup of the private key file (~/.ssh/id_rsa) somewhere you control, e.g. on a CD-ROM that you lock away, and keep the passphrase separate from it, since the passphrase is all that protects the backup.
The simplest way to copy the public key is with scp. This is fine on a host where you are the only user of the account and the remote .ssh directory already exists (scp will not create it), but note that it overwrites any authorized_keys file that is already there:
$ scp .ssh/id_rsa.pub sysadm@hostN.ws.nsrc.org:.ssh/authorized_keys
Since .ssh/authorized_keys can contain multiple keys, one per line, on a shared account you should append your key instead:
$ cat .ssh/id_rsa.pub | ssh sysadm@hostN.ws.nsrc.org 'cat >>.ssh/authorized_keys'
(Current OpenSSH also ships ssh-copy-id, which appends the key, creates the directory if needed and sets the permissions in one step.)
Open an ssh connection to your server as normal:
$ ssh sysadm@hostN.ws.nsrc.org
This time, instead of being prompted for your password, you should be prompted for the passphrase on your private key. Enter it. You should be logged in.
If you have been given multiple hosts to use, now copy your public key to each of those other hosts, and check that you can use the same private key to log in to each of them. There is no need to create any more key pairs - in fact it would be a bad idea to do so: one private key per person, kept on your laptop, is what lets you track and revoke access later.
When you have done this, move onto Disabling password authentication at the end of this exercise.
If you cannot log in using your key, it might be that the permissions on your authorized_keys file, your .ssh directory or your home directory are too open: with its default StrictModes setting, sshd ignores authorized_keys if the file or either directory is writeable by group or others, and says so in the auth log ("Authentication refused: bad ownership or modes for directory /home/sysadm/.ssh"). Fix them like this:
$ chown sysadm:sysadm ~/.ssh ~/.ssh/authorized_keys
$ chmod 755 ~/.ssh
$ chmod 644 ~/.ssh/authorized_keys
(700 for the directory and 600 for the file are the usual, tighter choices; either satisfies sshd.)
Now that you can login to your hosts using private keys, a highly recommended step is to disable password authentication completely for SSH logins.
First, let's get a root shell.
$ sudo -s
#
Now you need to edit the file /etc/ssh/sshd_config using whichever text editor you are most comfortable with.
# editor /etc/ssh/sshd_config
--- check this is set ---
ChallengeResponseAuthentication no
(OpenSSH 8.7 and later call this keyword KbdInteractiveAuthentication; the old name is still accepted as an alias.)
--- find this line ---
#PasswordAuthentication yes
--- change it to the following ---
PasswordAuthentication no
Two things to watch: sshd uses the first value it finds for each keyword, so an Include line above your edit (Ubuntu 22.04 and later include /etc/ssh/sshd_config.d/*.conf near the top of the file) can override it; and a setting inside a Match block only applies to the connections that block matches. Exit and save, check that the file still parses (sshd -t prints nothing if it is fine), and then restart ssh:
# service ssh restart
Keep the session you are editing in open until you have confirmed that a fresh key login still works; sshd -T | grep -i passwordauthentication shows the value sshd is actually using.
To test this, try logging in without using your private key (from Linux or OSX: ssh -o PubkeyAuthentication=no sysadm@hostN.ws.nsrc.org) and check that the connection is refused with "Permission denied (publickey)" rather than falling back to prompting you for a password.
If your laptop is running Linux or OSX and is still logging in with the key, an ssh agent is holding the decrypted key; run ssh-add -D at the laptop's command line to remove all identities from the agent (or ssh-add -d ~/.ssh/id_rsa to remove just that one).
Question: now you have disabled password authentication, what might you do if you lock yourself out of the machine?
Answer: you can still login at the machine's console using a password. We have only disabled passwords for SSH logins.
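The pitfall behind "sshd uses the first value it finds" is easiest to see by reproducing it. The script below is an added example, not part of the original exercise or of OpenSSH: it walks an sshd_config the way sshd reads it (first value wins, Include files read at the point of the Include, nothing counted once a Match block starts) and reports whether password logins would still be accepted. The demo directory layout (sshd_config.d/50-cloud-init.conf) is constructed, and the helper names effective_value and password_auth_disabled are mine; on a real host sshd -T is the authoritative answer, and this script is for understanding why an edit did not take effect.

```shell
#!/bin/sh
# Added example, not from the original exercise or from OpenSSH.
# Work out which value sshd will actually use for a keyword, following the
# rules from sshd_config(5) that trip people up:
#   1. for each keyword the FIRST value found wins;
#   2. "Include" reads other files at that point, so an Include near the top of
#      /etc/ssh/sshd_config (Ubuntu 22.04+ includes /etc/ssh/sshd_config.d/*.conf,
#      and cloud images often drop a "PasswordAuthentication yes" file there)
#      pre-empts a line you change further down;
#   3. lines after a "Match" block apply only to matching connections, so the
#      search for a global value stops there.
# On a live host "sshd -T" prints the effective configuration and is the
# authoritative check; this script only shows why an edit did not take effect.

# _walk_config <keyword, lower case> <file> <dir for relative Include paths>
# Prints the first value found and returns 0; returns 1 if the keyword is not
# set before end-of-file or before a Match block.
_walk_config() {
    local keyword file base key val pat sub
    keyword="$1"; file="$2"; base="$3"
    [ -r "$file" ] || return 1
    while read -r key val || [ -n "$key" ]; do
        [ "$_in_match" = 1 ] && return 1        # a Match block was reached in an Include
        case "$key" in ''|'#'*) continue ;; esac
        # accept "Keyword=value" and "Keyword = value" as well as "Keyword value"
        case "$key" in *=*) val="${key#*=} $val"; key="${key%%=*}" ;; esac
        case "$val" in =*) val="${val#=}" ;; esac
        val=$(printf '%s' "$val" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        key=$(printf '%s' "$key" | tr 'A-Z' 'a-z')
        case "$key" in
            match) _in_match=1; return 1 ;;
            include)
                set -f; set -- $val; set +f       # split the patterns, no globbing yet
                for pat in "$@"; do
                    case "$pat" in /*) ;; *) pat="$base/$pat" ;; esac
                    for sub in $pat; do           # now let the shell expand the glob
                        [ -r "$sub" ] && _walk_config "$keyword" "$sub" "$base" && return 0
                    done
                done ;;
            "$keyword") printf '%s\n' "$val"; return 0 ;;
        esac
    done < "$file"
    return 1
}

# effective_value <Keyword> <sshd_config> [dir for relative Include paths, default /etc/ssh]
effective_value() {
    _in_match=0
    _walk_config "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" "$2" "${3:-/etc/ssh}"
}

# password_auth_disabled <sshd_config> [dir]: succeeds only if sshd would refuse
# password logins. Both keywords default to "yes" when unset, and
# KbdInteractiveAuthentication is the OpenSSH 8.7+ name for
# ChallengeResponseAuthentication, so either spelling is honoured.
password_auth_disabled() {
    local pw kbd
    pw=$(effective_value PasswordAuthentication "$1" "$2") || pw=yes
    kbd=$(effective_value KbdInteractiveAuthentication "$1" "$2") ||
        kbd=$(effective_value ChallengeResponseAuthentication "$1" "$2") || kbd=yes
    [ "$pw" = no ] && [ "$kbd" = no ]
}

# Constructed demonstration: the main file disables passwords, but a drop-in
# (the way cloud-init provisions Ubuntu) is included first and wins.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/sshd_config.d"
printf 'PasswordAuthentication yes\n' > "$demo_dir/sshd_config.d/50-cloud-init.conf"
cat > "$demo_dir/sshd_config" <<'EOF'
Include sshd_config.d/*.conf
ChallengeResponseAuthentication no
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
EOF
echo "PasswordAuthentication -> $(effective_value PasswordAuthentication "$demo_dir/sshd_config" "$demo_dir")"
if password_auth_disabled "$demo_dir/sshd_config" "$demo_dir"; then
    echo "password logins: disabled"
else
    echo "password logins: STILL ENABLED (the included drop-in is read first)"
fi
rm -rf "$demo_dir"
```

On a live host run password_auth_disabled /etc/ssh/sshd_config as root (the file is not world-readable on most systems). The script does not evaluate Match conditions, so a keyword that is set only inside a Match block is reported as unset, which is the right reading for the global default that applies to everyone else.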
(This section is completely optional, but you may like to try it if you have spare time)
Some environments like to allow direct logins as the "root" user with ssh keys (and never with a password).
Check that /etc/ssh/sshd_config contains the following line:
PermitRootLogin without-password
(Newer OpenSSH spells this value prohibit-password; without-password is still accepted as an alias, and both mean key-only root logins.)
Now copy your public key to /root/.ssh/authorized_keys
# mkdir /root/.ssh
# cp ~sysadm/.ssh/authorized_keys /root/.ssh/
Now you should be able to login in another session as username "root" as well as "sysadm", using the same private key. You should immediately get a root prompt without requiring sudo.
Bear in mind that every key in sysadm's authorized_keys at the moment of the copy, including any neighbour's key you add in the next section if you do it first, now also gets root.
What happens if you want to allow another user to login to the same account? You can just add further public keys to .ssh/authorized_keys, one per line.
To test this, see if you can allow your neighbour to login to your sysadm account using their public key.
To do this, you will need to get them to give you their public key, and append it to /home/sysadm/.ssh/authorized_keys. You can do this using whichever method you prefer.
Note that if you get them to e-mail it to you, it may be safer inside a zip file: otherwise the mail client will tend to break the long line into shorter lines, which you would need to join back together before the key will work.
You can then add it either using an editor (again be careful about line wrapping), or using a shell >> (append):
$ cd
$ cat >>.ssh/authorized_keys
*** PASTE KEY FROM CLIPBOARD ***
*** If the cursor is still at the end of the line, hit Enter ***
*** hit ctrl-D ***
After you have done this, check that the expected number of lines (keys) are in the file:
$ wc -l .ssh/authorized_keys
2 .ssh/authorized_keys
Then check that they can login to your machine!
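Before logging out of a password session, whether after installing your own key earlier in this exercise or after appending a neighbour's key here, it is worth checking more than the line count. The script below is an added example, not part of the original exercise or of OpenSSH: it checks that every line of an authorized_keys file names a recognised key type, that the base64 data is well-formed, that the data actually encodes that key type (it begins with a length-prefixed copy of the type name, so its first characters are fixed per type), and that its length is plausible, which is exactly what a wrapped or truncated key fails. The keys in it are constructed filler with the right prefix and length, not real keys, and the function name check_authorized_keys is mine; it needs only sh, awk and fold.

```shell
#!/bin/sh
# Added example, not from the original exercise or from OpenSSH.
# Format check for an authorized_keys file: catches keys wrapped onto several
# lines by e-mail or an editor, and data that does not encode the key type named
# at the start of the line. It does not prove a key is cryptographically valid.
# An authorized_keys line is:  [options] key-type base64-data [comment]
# The base64 data starts with a length-prefixed copy of the key type, so its
# first characters are fixed per type, and for fixed-size types so is its length.

# check_authorized_keys <file>: prints one verdict per key line; returns 0 only
# if every non-blank, non-comment line looks like a complete key.
check_authorized_keys() {
    awk '
    BEGIN {
        # base64 of "\0\0\0\7ssh-rsa" etc.; lo/hi bound the whole base64 field
        prefix["ssh-ed25519"] = "AAAAC3NzaC1lZDI1NTE5"
        lo["ssh-ed25519"] = 68;  hi["ssh-ed25519"] = 68      # 51 bytes, always
        prefix["ecdsa-sha2-nistp256"] = "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTY"
        lo["ecdsa-sha2-nistp256"] = 140; hi["ecdsa-sha2-nistp256"] = 140   # 104 bytes
        prefix["ssh-rsa"] = "AAAAB3NzaC1yc2E"
        lo["ssh-rsa"] = 200; hi["ssh-rsa"] = 2800              # 1024..16384-bit moduli
        bad = 0
    }
    /^[ \t]*$/ || /^[ \t]*#/ { next }
    {
        type = ""
        for (i = 1; i <= NF; i++)          # skip any options field to find the key type
            if ($i in prefix) { type = $i; data = $(i + 1); break }
        if (type == "") {
            print NR ": BAD no recognised key type (a wrapped continuation line?)"; bad++; next
        }
        if (data !~ "^[A-Za-z0-9+/]+=*$" || length(data) % 4 != 0) {
            print NR ": BAD key data is not valid base64"; bad++; next
        }
        if (index(data, prefix[type]) != 1) {
            print NR ": BAD data does not encode a " type " key"; bad++; next
        }
        if (length(data) < lo[type] || length(data) > hi[type]) {
            print NR ": BAD " type " data has length " length(data) " (wrapped or truncated?)"; bad++; next
        }
        print NR ": ok " type " " $(i + 2)
    }
    END { exit (bad > 0) }
    ' "$1"
}

# Constructed data (not real keys): correct per-type prefix and length, filler
# elsewhere, which is all this format check looks at.
ED_KEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExqG8ROcYGTkJmf1O0KzLzhKgzy7BTg2BPMUqB0vM5X you@laptop"
RSA_KEY="ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB$(awk 'BEGIN { for (i = 0; i < 348; i++) printf "Q" }') you@laptop"

demo=$(mktemp)
printf '%s\n' "$ED_KEY" "command=\"/usr/bin/backup\",no-pty $RSA_KEY" > "$demo"
check_authorized_keys "$demo"            # both lines ok, options field included
# the same ed25519 key after a mailer wrapped it at 40 columns
printf '%s\n' "$ED_KEY" | fold -w 40 > "$demo"
check_authorized_keys "$demo" || echo "-> fix the file before you log out"
rm -f "$demo"
```

Run it against the real file with check_authorized_keys ~/.ssh/authorized_keys; a non-zero exit means at least one line would be ignored by sshd, and the verdicts say which. ssh-keygen -l -f ~/.ssh/authorized_keys goes one step further and prints a fingerprint for each key it can parse, which is the check to use once the file looks right.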