SSHKeyAuth

From Newroco tech docs
Jump to: navigation, search

As the password authentication is not a great solution at scale (forgotten passwords, same passwords used on many many servers...), we recommend using ssh keys as an alternative authentication method on all servers.

Introduction

The key system works with a pair of private/public key. Imagine the public key is the lock, and the private key the key; you need to install the lock (public key) on all the servers you need to access, and need the private key to open that lock.

Remember, your private key is very important, let NOBODY get it! It would be almost like giving him the root password of all servers.

Create a public/private key pair

NB the passphrase you use should be unique, not a password you use elsewhere. Key auth is very secure, highly auditable and very convenient, but should someone acquire your private key and your passphrase, key auth becomes very, very dangerous.

On Linux

If you already have a private key from a previous setup:

  • copy it to your new desktop/laptop home directory's .ssh sub directory
  • Permissions should be 700 ( -rwx------ )

If you do not already have a private/public key pair from a previous setup:

  1.  
  2. test@lucian-work:~$ ssh-keygen
  3. Generating public/private rsa key pair.
  4. Enter file in which to save the key (/home/test/.ssh/id_rsa):
  5. Enter passphrase (empty for no passphrase):
  6. Enter same passphrase again:
  7. Your identification has been saved in /home/test/.ssh/id_rsa.
  8. Your public key has been saved in /home/test/.ssh/id_rsa.pub.
  9. The key fingerprint is:
  10. 00:f6:7b:a2:f8:9c:98:9c:46:f9:df:04:6d:94:04:be test@lucian-work
  11.  

This generates two files:

  1. ~/.ssh/id_rsa, your private key
  2. ~/.ssh/id_rsa.pub, your public key

On Windows

Download puttygen.

Click on "generate" to create a public/private key pair. Wave your mouse around to generate some randomness while the key is generated. Put a key phrase in (which you will need to remember), and save the private key file somewhere sensible- it will have the file format .ppk. You will need the key phrase to access this file in future. The public key shown in the box is what needs to be pasted into your authorized_keys file (ie do not open the public key file with a text editor and copy the contents - this will not work). Using putty, copy and paste the key (starting with ssh rsa and all on one line), then in your putty session with the authorized_keys file open, right-click to paste it in.

To get putty to use the keys in a session, in the main putty window scroll down to ssh/auth on the left-hand side, and browse to the location of the private key. Then in the Session window, type in the host address as normal. If you get a message saying that the server refused your key, it's probably the permissions on the authorized_keys file (see below).


Using a private key in Linux which has been generated in puttygen for Windows

To make my key work in 64-bit Ubuntu, I needed to convert the private key into openssh format (it had originally been created in puttygen for Windows)

1. First need to install puttygen (as part of the putty package):

     sudo apt-get install putty

2. Then need to copy the private key into ~/.ssh

3. Then make a copy converted to openssh format (my private key was named pmiles-2008-12-19.ppk):

     puttygen /home/pmiles/.ssh/pmiles-2008-12-19.ppk -o /home/pmiles/.ssh/id_rsa -O private-openssh

Prepping the server

14.04 onwards

Change the /etc/sudoers file to enable a user without password to use sudo.

  • Never edit this file directly, a wrong entry will disable ability to use sudo across the system.
  • The proper way of doing this is to use visudo as follows (this will not permit saving if sudoers file is not valid):
export EDITOR=vim
sudo visudo

Check that these existing entries exist:

# Members of the admin group may gain root privileges
%admin    ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo     ALL=NOPASSWD:ALL

NB Command ordering is important, %sudo line needs to be after the %admin one

If using backuppc or other services that need remote access, you must add entry for the user e.g. backuppc (but do not add backuppc to sudo group)

backuppc ALL=NOPASSWD: /usr/bin/rsync

Restart ssh server:

  1. service sshd restart
  • Disable password authentication in SSH (NB the root account should only be accessible at the console - do not change this account to NOPASSWD)
sudo vim /etc/ssh/sshd_config
  • Un-comment and change to no to disable tunnelled clear text passwords:
PasswordAuthentication no
  • Then, restart the SSH server:
sudo systemctl restart ssh

Install key authentication for an account

Create a user with SSH authentication, and without password

You can add and use the following script or do it manually. The script is for Ubuntu/Debian and has a dependency of logger, normally installed by default but if not can be installed by

  1. apt-get install bsdutils
  1.  
  2. #!/bin/bash
  3.  
  4. server=$(ip route get 8.8.8.8 | awk '/8.8.8.8/ {print $NF}')
  5.  
  6. echo "Please insert your desired username"
  7. read username
  8. adduser --disabled-password --gecos "" $username
  9. mkdir /home/$username/.ssh
  10. file="authorized_keys"
  11.  
  12. vi /home/$username/.ssh/$file
  13. chown -R $username:$username /home/$username/.ssh
  14. chmod 600 /home/$username/.ssh/$file
  15.  
  16. echo "$username has been created"
  17. echo "Do you wish to give the new user sudo powers? (write Yes if you agree)"
  18. read answer
  19. case $answer in
  20. [Yy][Ee][Ss] ) adduser $username sudo
  21. echo "$username has been granted sudo powers"
  22. logger -n $server "Username $username has been created with sudo powers and his public key added in /home/$username/.ssh/$file";;
  23. *) echo "$username had not been granted sudo powers"
  24. logger -n $server "Username $username has been created without sudo powers and his public key added in /home/$username/.ssh/$file";;
  25. esac
  26.  
  27.  

Copy and paste the above into a new file and run

  1. $ sudo chmod +x <the name of the new file>
  2. $ sudo ./<the name of the new file>

Or do it manually

  1.  
  2. $ sudo adduser --disabled-password lpricop
  3. Adding user `lpricop' ...
  4. Adding new group `lpricop' (1006) ...
  5. Adding new user `lpricop' (1005) with group `lpricop' ...
  6. The home directory `/home/lpricop' already exists. Not copying from `/etc/skel'.
  7. Changing the user information for lpricop
  8. Enter the new value, or press ENTER for the default
  9. Full Name []:
  10. Room Number []:
  11. Work Phone []:
  12. Home Phone []:
  13. Other []:
  14. Is the information correct? [y/N] y
  15.  
  1.  
  2. $ sudo mkdir /home/lpricop/.ssh
  3. $ sudo vim /home/lpricop/.ssh/authorized_keys
  4.  

Paste your public key in that file, and then..

  1.  
  2. $ sudo chown -R lpricop:lpricop /home/lpricop/.ssh
  3. $ sudo chmod 600 /home/lpricop/.ssh/authorized_keys
  4.  
* These instructions assume a clean build - an installation update to 14.04 may have different groups.

If the user needs to be able to use sudo add to the sudo group (admin group in earlier versions)

sudo adduser lpricop sudo

For existing users

For existing users created with a password, as root do

  1. passwd -l <the username>

to require the user to use key auth from then on.

Two things to do on your workstation, not the server:

If you already have a private key from a previous setup

  • copy it to ~/.ssh
  • Permissions should be 700 ( -rwx------ )

Agent forwarding

When you connect with your public key to a server, and then want to connect from that server to another server using key authentication, this doesn't work, as the first server you connected to doesn't have your private key. You need to tell your PC and that server to forward the challenge sent by the server you are connecting to, to you, using what is called Agent Forwarding.

  1. $ vim .ssh/config
  2.  

Add the following lines:

  1. Host *
  2. ForwardAgent yes
  3.  

For security you can also consider limiting which servers the forward applies too. In newroco we only add client sites by IP to the "Host" line and configure the options on a per server basis.

Then run
  1. ssh-add
on your PC.

See Ssh_windows for information on how to do agent forwarding with windows.

You can check if agent forwarding is working by running

  1.  
  2. $ env | grep SSH_AUTH_SOCK

On the machine you're SSH'd into. If forwarding is working, it should return something like:

  1. SSH_AUTH_SOCK=/tmp/ssh-a1NF...

A blank response would indicate forwarding is not functional.

NB Forwarding is not "forever" - if you want to ssh hop from server to server, those servers also need to have ForwardAgent set to yes. This can be done on a per user basis as above or set as system wide default in /etc/ssh/ssh_config

SSH tips & tricks

If your login on your local machine is lucian and it is lpricop on the server, and you are quite bored to type everytime ssh user_name@server instead of ssh server, you can set the login name automatically for a specific server or a complete domain: Edit/create file ~/.ssh/config

  1.  
  2. Host "host_name"
  3. Hostname "host_ip_address"
  4. User "user_name"
  5.  
  1.  
  2. lucian@lucian-work:~$ ssh host_name
  3. Linux host_name 2.6.20-15-generic #2 SMP Sun Apr 15 07:36:31 UTC 2007 i686
  4. lpricop@host_name:~$
  5.  

See also SSH_for_multiple_server_management