Public key authentication with ssh

From CT Wiki
Jump to: navigation, search

To access Linux servers like the login machines and interactive Stoomboot nodes, the ssh utility is used. By default ssh prompts the user to enter his/her password. Entering passwords all the time is both inconvenient and a security risk (when entered in the wrong place). Furthermore, entering a wrong password for a few times may lead to temporarily being denied login access!

There is a secure and convenient alternative: the use of public key authentication. Public key authentication requires that once a secret private key and public key pair is generated by the user on his/her own trusted computer (like the own desktop or laptop). The public key can be copied to the systems on which should be logged in, the private key is kept on the own computer and must not be readable by anyone else (otherwise it wouldn't be private anymore!). The key pair must be protected with a secret passphrase.

When logging in to the remote system, ssh asks for the (secret) passphrase. After entering the correct passphrase, the user is logged in on the system. It is possible to store the passphrase in a so-called ssh-agent, so that it only needs to be entered once and future logins can happen without having to enter it again, as long as the agent is still running.

Advantages of the use of ssh keys:

  • When using an agent, the passphrase only needs to be entered once and can be re-used for future logins. No need to retype the password all the time.
  • It is more secure because one can only login when having access to the secret private key and knowing its secret passphrase. Entering passwords is always a risk - one may expose his/her password by entering it on the wrong (malafide) server! The passphrase is local to the user's computer and cannot be used without access to the private key.
  • The passphrase (and agent) will also work with other commands to copy datat, such as scp, sftp and rsync.


Contents

Preparations

Generating the key pair (Linux)

To create a key pair under Linux, first create a directory $HOME/.ssh if it does not yet exist:

mkdir $HOME/.ssh

Go to that directory:

cd $HOME/.ssh

Then use the tool ssh-keygen (see man ssh-keygen for options):

ssh-keygen

This creates a pair consisting of a public key (default name: id_rsa.pub) and a private key (default name: id_rsa). The permissions of these files are important!

ls -l $HOME/.ssh
drwxr-xr-x .ssh/
-r--r--r-- .ssh/id_rsa.pub
-r-------- .ssh/id_rsa

(If the private key is readable by other users, it will not work to login and is no longer secure. Then it must be replaced by a new key.)


Copying the public key to the remote server (Linux)

The public key (id_rsa.pub) must be added once to the file $HOME/.ssh/authorized_keys on the remote server on which the user wants to login. This is most easily achieved with ssh-copy-id:

ssh-copy-id <user>@<host>

This will ask for the password for <user> at <host>. This step needs to be repeated per remote server - unless they share the same $HOME directory.

Generating the key pair (Windows)

Instructions for setting up the key pair under Windows with the program PUTTY as described in another article: https://wiki.nikhef.nl/ct/Subversion#Generate_a_PuTTY_Privatekey_file

Logging in

Linux

It is most convenient to use an agent to keep the key's passphrase. Then the passphrase needs to be entered once and can be re-used as long as the agent is running.

To list the active keys:

ssh-add -l

To add the (default) key to the agent - this will ask for the passphrase:

ssh-add

To login:

ssh <user>@<host>

If the key was added to the agent, there is no need to enter the passphrase (nor the password). If the key was not added to a running agent, then the passphrase is prompted.

It is possible to login from the remote machine <host> to another machine <host2> with public key authentication. For this, agent forwarding (-A) must be used:

ssh -A <user>@<host>
ssh -A <user2>@<host2>

This assumes that the public key was copied to <host2> before.

Windows

To start the agent, see: https://wiki.nikhef.nl/ct/Subversion#Configure_the_PuTTY_Pageant

To start a connection, see for example: https://mediatemple.net/community/products/dv/204404604/using-ssh-in-putty-

Views
Personal tools