1 Introduction

1.1 Goals

In this exercise we'll show how you can eliminate passwords by using ssh key authentication.

1.2 Notes

Choose the version of the exercises depending on what OS you are running on your laptop.

2 For laptops running Windows

Download the following onto your desktop or into a downloads folder:

(Or you can try the installer bundle putty.zip which gets them all)

During the workshop only, you can download these from the local mirror at http://www.ws.nsrc.org/downloads/putty/

The home site is http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

2.1 Generate an ssh public/private key pair

Double-click on puttygen.exe

At the bottom of the dialog box, under "Parameters":

Click on "Generate". Move the mouse randomly over the blank area until the progress bar reaches 100%

    Key comment:        [Your Name <your@email.address>   ]
    Key passphrase:     [choose a passphrase              ]
    Confirm passphrase: [choose same passphrase           ]

The passphrase is used to keep your private key encrypted on disk. It can be pretty much anything you want and as long as you want - including spaces - but if you forget it, your key becomes worthless. For now pick something that you will easily remember. You can change it at any time you want in the future.

Click "Save private key". Give a filename of "id_rsa.ppk" (please save files into the same directory as where the executables are)

Use the mouse to highlight all the text in the box "Public key for pasting into OpenSSH authorized_keys file", and copy it to the clipboard. It should be one very long line which starts with ssh-rsa ...

Open up Notepad, paste the key from the clipboard, and save it as "id_rsa.pub". If you later need an OpenSSH-formatted public key you can retrieve it from this file.

Exit puttygen.

NOTE: Key generation is a one-off exercise. The more places you deploy your public key, the more work it would be if you were to lose the private key and have to start again with a new pair. Thus it is important to make sure you don't lose access to your private key. I suggest you keep a secure backup of the private key somewhere, e.g. on a CD-ROM that you lock away.

2.2 Copy the PUBLIC key onto your Unix server

You have two ways of doing this.

2.2.1 Copy-paste

Use putty.exe to make a normal ssh connection to your host as the 'sysadm' user.

$ cat >>.ssh/authorized_keys
    *** PASTE KEY FROM CLIPBOARD ***
    *** In putty, right click to paste, or press shift-insert ***
    *** If the cursor is still at the end of the line, hit Enter ***
    *** Then hit ctrl-D ***

The key consists of one very long line, which looks like

ssh-rsa <lots of base64 data> <comment>

As a quick check that it hasn't been corrupted, look at the contents of the file:

$ less -S .ssh/authorized_keys

(note the capital -S, which stops less from wrapping long lines). Every line of the file should begin with "ssh-dss" or "ssh-rsa". If any lines don't start this way, speak with an instructor.
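As an added example (not part of the workshop materials), the following Python script does the "hasn't been corrupted" check above more thoroughly than eyeballing the file: it splits each authorized_keys line into type, base64 data and comment, decodes the data and confirms that the key type embedded in it matches the declared one, so a line that was wrapped by an e-mail client or cut short during a paste is reported. The sample key is constructed from tiny numbers purely to exercise the parser and is not a real key; check_line and check_file are names chosen here.

```python
import base64
import struct

# Constructed sample: a structurally valid ssh-rsa public key built from tiny,
# non-secret numbers. It is NOT a real key; it just gives the checker input.
def _ssh_string(b):
    return struct.pack(">I", len(b)) + b

def _ssh_mpint(n):
    # (bit_length + 8) // 8 leaves a leading 0x00 byte when the top bit is set
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

SAMPLE_BLOB = base64.b64encode(
    _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(0xC0FFEE1234567)
).decode()
SAMPLE_LINE = "ssh-rsa " + SAMPLE_BLOB + " Your Name <your@email.address>"
EXPECTED_FIELDS = {"ssh-rsa": 3, "ssh-dss": 5}  # type then e,n / p,q,g,y

def _fields(blob):
    """Split a key blob into its length-prefixed fields; None if it is cut short."""
    off, out = 0, []
    while off + 4 <= len(blob):
        n = struct.unpack(">I", blob[off:off + 4])[0]
        out.append(blob[off + 4:off + 4 + n])
        off += 4 + n
    return out if off == len(blob) else None

def check_line(line):
    """Return 'ok', or a short reason why this authorized_keys line is broken."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        return "too few fields (a wrapped fragment of a longer line?)"
    keytype, b64 = parts[0], parts[1]
    if keytype not in EXPECTED_FIELDS:
        return "line does not start with ssh-rsa or ssh-dss"
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:
        return "key data is not valid base64 (corrupted or wrapped paste?)"
    fields = _fields(blob)
    if fields is None or len(fields) != EXPECTED_FIELDS[keytype]:
        return "key data is truncated or has the wrong number of fields"
    if fields[0] != keytype.encode():
        return "key data does not match the declared key type"
    return "ok"

def check_file(text):
    """Verdict for every non-blank, non-comment line: [(line number, verdict)]."""
    return [(i, check_line(raw)) for i, raw in enumerate(text.splitlines(), 1)
            if raw.strip() and not raw.lstrip().startswith("#")]
```

Run check_file over the contents of .ssh/authorized_keys; anything other than "ok" marks a line to fix. Lines that begin with an options field (such as from= or command=) are legal for sshd but are not used in this exercise, so the script flags them too.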

Now logout.

2.2.2 Alternative way (if you're having problems with copy-paste)

Inside puttygen, use the "Save Public Key" button to save your public key to a file, for example "id_rsa.ssh2"

Double-click on psftp.exe. Open a connection to your server, and upload your public key:

psftp> open hostN.ws.nsrc.org
login as: sysadm
sysadm@hostN.ws.nsrc.org's password: <usual one>
Remote working directory is /home/sysadm
psftp> put id_rsa.ssh2
local:id_rsa.ssh2 => remote:/home/sysadm/id_rsa.ssh2
psftp> quit

Unfortunately, this public key is not in the format which OpenSSH requires, so now log in again using putty.exe, and use the following command to convert it and put it in the right place.

$ ssh-keygen -i -f id_rsa.ssh2 >>.ssh/authorized_keys

2.3 Login using your private key

Start putty.exe again. Enter the hostname as usual, but before clicking Open, browse in the left hand column to Connection > SSH > Auth

    [-] Connection
         |
        [-] SSH
         |  |- Keyex
         |  |- Auth    <--- CLICK HERE

Next to "Private key for authentication", click Browse. Find your id_rsa.ppk file, open it, then click Open to start the connection.

You should be prompted for your username as before (sysadm), but then instead of being prompted for a password, you are asked for the passphrase for your private key. Enter it, and you should be logged in.

This is quite painful (both locating the private key and entering the passphrase), so later we're going to automate it using an agent.

2.4 Repeat for additional hosts

If you have been given multiple hosts to use, now copy your public key to each of those other hosts, and check that you can use the same private key to log in to each of them. There is no need to create any more key pairs - in fact it would be a bad idea to do so.

When you have done this, move onto Disabling password authentication at the end of this exercise.

3 For laptops running Linux (or BSD or OSX)

3.1 Generate an ssh public/private key pair

$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/sysadm/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/sysadm/.ssh/id_rsa.
Your public key has been saved in /home/sysadm/.ssh/id_rsa.pub.
The key fingerprint is:
78:77:45:9d:50:27:6d:85:11:63:52:1a:94:ee:22:91 sysadm@hostX.ws.nsrc.org
The key's randomart image is:
+--[ RSA 2048]----+
|           .++@B=|
|            .*.+=|
|         . .. .. |
|       .E   ..   |
|      . S....    |
|       ......    |
|         . .     |
|                 |
|                 |
+-----------------+

The passphrase is used to keep your private key encrypted on disk. It can be pretty much anything you want and as long as you want - including spaces - but if you forget it, your key becomes worthless. For now pick something that you will easily remember. You can change it at any time you want in the future (using ssh-keygen -p).

NOTE: Key generation is a one-off exercise. The more places you deploy your public key, the more work it would be if you were to lose the private key and have to start again with a new pair. I suggest you keep a secure backup of it somewhere, e.g. on a CD-ROM that you lock away.

3.2 Copy the PUBLIC key onto your Unix server

Note that .ssh/authorized_keys can contain multiple keys, one per line, so to avoid overwriting other users' keys on a shared system you should append your key to the authorized_keys file:

$ cat .ssh/id_rsa.pub | ssh sysadm@hostN.ws.nsrc.org 'cat >>.ssh/authorized_keys'

3.3 Login using your private key

Open an ssh connection to your server as normal:

$ ssh sysadm@hostN.ws.nsrc.org

This time, instead of being prompted for your password, you should be prompted for the passphrase on your private key. Enter it. You should be logged in.

3.4 Repeat for additional hosts

If you have been given multiple hosts to use, now copy your public key to each of those other hosts, and check that you can use the same private key to log in to each of them. There is no need to create any more key pairs for this exercise.

When you have done this, move onto Disabling password authentication at the end of this exercise.

4 Troubleshooting

If you cannot log in using your key, it might be that the permissions on your .ssh directory or on the authorized_keys file inside it are too open (sshd will not accept a public key if the file or directory is group-writeable).

Fix them on the machine you are trying to connect to like this:

$ chown -R sysadm:sysadm ~/.ssh 
$ chmod 700 ~/.ssh
$ chmod 600 ~/.ssh/authorized_keys

If you are using a Linux (or BSD or OSX) system, you also need to make sure the permissions are correct on your client computer.

$ chmod 700 ~/.ssh
$ chmod 600 ~/.ssh/id_rsa
$ chmod 600 ~/.ssh/id_rsa.pub

5 Disabling password authentication

Now that you can log in to your hosts using private keys, a highly recommended step is to disable password authentication completely for SSH logins.

First, let's get a root shell.

$ sudo -s
#

Now you need to edit the file /etc/ssh/sshd_config using whichever text editor you are most comfortable with.

# editor /etc/ssh/sshd_config

--- check this is set ---
ChallengeResponseAuthentication no

--- find this line ---
#PasswordAuthentication yes
--- change it to the following ---
PasswordAuthentication no

Exit and save, and then restart ssh:

# service ssh restart

To test this, try logging in without using your private key, and check that it does not fall back to prompting you for a password.
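Added example, not part of the workshop: a small Python audit that reads sshd_config the way sshd does (lines beginning with # are comments, keywords are case-insensitive, and the first occurrence of a keyword wins) and reports whether PasswordAuthentication and ChallengeResponseAuthentication are effectively off. That catches the two common slips: leaving the #PasswordAuthentication line commented out, or editing a line that an earlier uncommented one shadows. The sample config fragments are constructed; effective_settings and audit are names chosen here, and the script only reads the global section (it stops at the first Match block).

```python
import re

# Constructed sample: the file as shipped (PasswordAuthentication still commented
# out), the edited version, and a copy where an earlier line shadows the edit.
BEFORE = """\
# sample sshd_config fragment (constructed)
ChallengeResponseAuthentication no
#PasswordAuthentication yes
"""
AFTER = BEFORE.replace("#PasswordAuthentication yes", "PasswordAuthentication no")
SHADOWED = "PasswordAuthentication yes\n" + AFTER  # first occurrence wins in sshd

WANTED = {
    "passwordauthentication": "no",
    "challengeresponseauthentication": "no",
}

def effective_settings(config_text):
    """Return {keyword: value} for the global section, first occurrence wins."""
    effective = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # sshd treats these as comments
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break                         # simplification: audit global settings only
        effective.setdefault(key, value)  # later duplicates are ignored, as in sshd
    return effective

def audit(config_text):
    """List of problems found; an empty list means password logins are off."""
    eff = effective_settings(config_text)
    problems = []
    for key, wanted in WANTED.items():
        got = eff.get(key)
        if got is None:
            problems.append(f"{key} not set (sshd default is yes)")
        elif got.lower() != wanted:
            problems.append(f"{key} is {got}, expected {wanted}")
    return problems
```

Feed it the text of /etc/ssh/sshd_config before the restart; sshd -t (a real OpenSSH option) separately checks the file for syntax errors.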

If your laptop is running Linux or OSX and is still logging in with the key, you may need to run ssh-add -d at the laptop's command line so that the agent forgets the key it has already unlocked with your passphrase.

Question: now you have disabled password authentication, what might you do if you lock yourself out of the machine?

Answer: you can still login at the machine's console using a password. We have only disabled passwords for SSH logins.


6 Optional exercises

(This section is completely optional, but you may like to try it if you have spare time)

6.1 Allowing root access

Some environments like to allow direct logins as the "root" user with ssh keys.

Check that /etc/ssh/sshd_config contains the following line:

PermitRootLogin without-password

Now copy your public key to /root/.ssh/authorized_keys

# mkdir /root/.ssh
# cp ~sysadm/.ssh/authorized_keys /root/.ssh/

Now you should be able to log in, in another session, as username "root" as well as "sysadm", using the same private key. You should immediately get a root prompt without requiring sudo.

6.2 Multiple keys on the same account

What happens if you want to allow another user to log in to the same account? You can just add further public keys to .ssh/authorized_keys

To test this, see if you can allow your neighbour to log in to your sysadm account using their public key.

To do this, you will need to get them to give you their public key, and append it to /home/sysadm/.ssh/authorized_keys. You can do this using whichever method you prefer.

Note that if you get them to e-mail it to you it may be safer inside a zip file, otherwise e-mail will tend to break the long line into shorter lines which would need to be joined together.

You can then add it either using an editor (again be careful about line wrapping), or using the shell's >> (append) redirection:

$ cd
$ cat >>.ssh/authorized_keys
    *** PASTE KEY FROM CLIPBOARD ***
    *** If the cursor is still at the end of the line, hit Enter ***
    *** hit ctrl-D ***

After you have done this, check that the expected number of lines (keys) is in the file:

$ wc -l .ssh/authorized_keys
2 .ssh/authorized_keys

Then check that they can log in to your machine!