Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
SlideShare a Scribd company logo

SSH how to 2011

Chris Hales
Chris Hales

Internal knowledge share on SSH setup and usage. Includes some helpful config file options to save time and how to create and use SSH keys for better security and productivity.

1 of 22
SSH Keys and Configurations Chris Hales
What is SSH? Secure Shell aka SSH is a secure encrypted communication protocol designed to replace older insecure protocols like telnet, rsh, and ftp.
What is SSH? Secure Shell aka SSH is a secure encrypted communication protocol designed to replace older insecure protocols like telnet, rsh, and ftp. SSH authentication can be done with a username and password combination which is the default. Here's the most simplistic usage we might encounter. $ ssh user@secureserver After you connect to secureserver you are normally asked for your password to complete the login.
What is SSH? Secure Shell aka SSH is a secure encrypted communication protocol designed to replace older insecure protocols like telnet, rsh, and ftp. SSH authentication can be done with a username and password combination which is the default. Here's the most simplistic usage we might encounter. $ ssh user@secureserver After you connect to secureserver you are normally asked for your password to complete the login. When you start doing this over and over again for many systems with various paswords it can become pretty tedious. What if there was a way to simplify the process? Time for SSH Keys to save the day!
Enter SSH Keys! SSH can be configured to use key pairs so that you don't have to type your password in every time you need to log into a commonly accessed system. Your public key is placed on all systems you wish to access using your private key.
Enter SSH Keys! SSH can be configured to use key pairs so that you don't have to type your password in every time you need to log into a commonly accessed system. Your public key is placed on all systems you wish to access using your private key. There's a lot of technical details surrounding public-key cryptography but for our purposes all you really need to know is that it's a really secure way of proving who you are to a third party system. Let's begin with creating your key pair if you don't already have one. Mac and Linux setup is basically identical. For Windows you will need Putty and PuTTYgen installed.
Key Creation for Windows For Windows users I'm cheating and sending you to an excellent PuTTYgen how-to which includes key pair creation. http://theillustratednetwork.mvps.org/Ssh/Private-publicKey.html
Key Creation for Mac/Linux On unix like systems (Ubuntu, OSX, etc.) we'll need to go through a few steps. Fortunately it's likely you already have an SSH directory because if you have ever used SSH one was created for you. Open up a terminal window and check your home directory for a hidden . ssh directory. $ cd ~/.ssh
Key Creation for Mac/Linux On unix like systems (Ubuntu, OSX, etc.) we'll need to go through a few steps. Fortunately it's likely you already have an SSH directory because if you have ever used SSH one was created for you. Open up a terminal window and check your home directory for a hidden . ssh directory. $ cd ~/.ssh If you receive a "no such file or directory" type of error message you have not used SSH and certainly don't have a key installed on your system. Next we'll create a set of keys which will create the file structure we need for us automatically.
Key Creation for Mac/Linux When you create an SSH key pair you want to enter a strong passphrase when prompted to do so*. While you could skip the passphrase it would allow anyone who can access it the ability to use it. Your key is valuable and it should be protected at all costs.
Key Creation for Mac/Linux When you create an SSH key pair you want to enter a strong passphrase when prompted to do so*. While you could skip the passphrase it would allow anyone who can access it the ability to use it. Your key is valuable and it should be protected at all costs. Let's create a strong 2048 bit RSA key with your email address included. $ ssh-keygen -t rsa -b 2048 -C"user@domain.com" You will be asked for a few options and you can leave those as their defaults but when asked for a passphrase choose a solid one. * A common practice when using SSH keys is to omit a passphrase because the default setup requires that you enter your passphrase each time you use your key which is seemingly the same as typing a password at login each time. Further in we'll cover how to work around this so you only need to enter your passphrase once per session.
Key Creation for Mac/Linux Once your key is created you should see some new files which were indicated during your key generation. $ cd ~/.ssh $ ls ~/.ssh/id_rsa This is your private key file that ssh will read by default when a login attempt is made. You can have multiple keys, i.e. id_otherkey. ~/.ssh/id_rsa.pub This is your public key file for authentication. The contents of this file should be added to ~/.ssh/authorized_keys on all machines where you wish to login using key authentication. There is no need to keep the contents of this file secret.
Key Creation for Mac/Linux To use your shiny new key on a server you need to copy your public key over the the authorized_keys file. It's usually not safe to try to do a simple copy/paste since even a stray return will break a key file and OSX doesn't contain the ssh-copy-id utility so we'll have to do some magic. $ ssh user@174.143.170.119 -p 7022 "umask 077; cat >> .ssh/authorized_keys" < ~/.ssh/id_rsa.pub
Key Creation for Mac/Linux To use your shiny new key on a server you need to copy your public key over the the authorized_keys file. It's usually not safe to try to do a simple copy/paste since even a stray return will break a key file and OSX doesn't contain the ssh-copy-id utility so we'll have to do some magic. $ ssh user@174.143.170.119 -p 7022 "umask 077; cat >> .ssh/authorized_keys" < ~/.ssh/id_rsa.pub Now you should be able to authenticate to the server with your key. $ ssh user@174.143.170.119 -p 7022 If all is right in the world you will be asked for your key passphrase and not your server password.
Key Creation for Mac/Linux To use your shiny new key on a server you need to copy your public key over the the authorized_keys file. It's usually not safe to try to do a simple copy/paste since even a stray return will break a key file and OSX doesn't contain the ssh-copy-id utility so we'll have to do some magic. $ ssh user@174.143.170.119 -p 7022 "umask 077; cat >> .ssh/authorized_keys" < ~/.ssh/id_rsa.pub Now you should be able to authenticate to the server with your key. $ ssh user@174.143.170.119 -p 7022 If all is right in the world you will be asked for your key passphrase and not your server password. Success! :)
Key Creation for Mac/Linux To use your shiny new key on a server you need to copy your public key over the the authorized_keys file. It's usually not safe to try to do a simple copy/paste since even a stray return will break a key file and OSX doesn't contain the ssh-copy-id utility so we'll have to do some magic. $ ssh user@174.143.170.119 -p 7022 "umask 077; cat >> .ssh/authorized_keys" < ~/.ssh/id_rsa.pub Now you should be able to authenticate to the server with your key. $ ssh user@174.143.170.119 -p 7022 If all is right in the world you will be asked for your key passphrase and not your server password. Success! :) Failure :( contact Chris.
SSH Agent Entering your passphrase on every login defeats the intent of using keys. ssh-agent will take care of the pesky prompts. Under OSX it runs by default so you will even get a popup asking you to save your passphrase to the keychain. Once you save it you will never be asked again on your local system.
SSH Agent Entering your passphrase on every login defeats the intent of using keys. ssh-agent will take care of the pesky prompts. Under OSX it runs by default so you will even get a popup asking you to save your passphrase to the keychain. Once you save it you will never be asked again on your local system. For Linux it's little more complex. You will need to add a script to your ~/. profile file or you can execute a couple of short commands. The following will start up the ssh-agent and then allow ssh-add to pickup on the variables and it will hold your key for an entire session. Please note the back ticks around ssh-agent. $ eval `ssh-agent` $ ssh-add You will be prompted for your passphrase one time but not again during the same session.
SSH Config We've got new keys and we can access some servers with them. We're still doing a lot of typing though. e.g. $ ssh user@174.143.170.119 -p 7022 Wouldn't it be nice if we could convert that into a short simple easy to remember command like the following? $ ssh staging
SSH Config We've got new keys and we can access some servers with them. We're still doing a lot of typing though. e.g. $ ssh user@174.143.170.119 -p 7022 Wouldn't it be nice if we could convert that into a short simple easy to remember command like the following? $ ssh staging We can! Using a user configurable ssh config file you can create aliases for commonly access systems. Just create a config file using your favorite editor and adding it to your .ssh directory. $ nano -w ~/.ssh/config Host staging User <your-username> Hostname 174.143.170.119 Port 7022
SSH Config There are a number of things you can do inside the ssh config file but aliases/bookmarks are probably the most common entries you will run into or need for yourself. Here's the basic entry for our staging example. Host staging User <your-username> Hostname 174.143.170.119 Port 7022 This creates an alias to the 174.143.170.119 server with our user and port options. The "Host" line is the alias name we assign. Now calling the following will start an ssh session for ssh user@174.143.170.119 -p 7022. $ ssh staging
The End That's it. You are now an ssh wizard and can work both conveniently and securely. Keep your keys safe but if they are ever lost or you suspect an issue notify an admin quickly. To be really useful you will want to add your current private key or create a new key for staging. Because of permission issues however you may need a hand setting things up correctly.

More Related Content

SSH how to 2011

  • 1. SSH Keys and Configurations Chris Hales
  • 2. What is SSH? Secure Shell aka SSH is a secure encrypted communication protocol designed to replace older insecure protocols like telnet, rsh, and ftp.
  • 3. What is SSH? Secure Shell aka SSH is a secure encrypted communication protocol designed to replace older insecure protocols like telnet, rsh, and ftp. SSH authentication can be done with a username and password combination which is the default. Here's the most simplistic usage we might encounter. $ ssh user@secureserver After you connect to secureserver you are normally asked for your password to complete the login.
  • 4. What is SSH? Secure Shell aka SSH is a secure encrypted communication protocol designed to replace older insecure protocols like telnet, rsh, and ftp. SSH authentication can be done with a username and password combination which is the default. Here's the most simplistic usage we might encounter. $ ssh user@secureserver After you connect to secureserver you are normally asked for your password to complete the login. When you start doing this over and over again for many systems with various paswords it can become pretty tedious. What if there was a way to simplify the process? Time for SSH Keys to save the day!
  • 5. Enter SSH Keys! SSH can be configured to use key pairs so that you don't have to type your password in every time you need to log into a commonly accessed system. Your public key is placed on all systems you wish to access using your private key.
  • 6. Enter SSH Keys! SSH can be configured to use key pairs so that you don't have to type your password in every time you need to log into a commonly accessed system. Your public key is placed on all systems you wish to access using your private key. There's a lot of technical details surrounding public-key cryptography but for our purposes all you really need to know is that it's a really secure way of proving who you are to a third party system. Let's begin with creating your key pair if you don't already have one. Mac and Linux setup is basically identical. For Windows you will need Putty and PuTTYgen installed.
  • 7. Key Creation for Windows For Windows users I'm cheating and sending you to an excellent PuTTYgen how-to which includes key pair creation. http://theillustratednetwork.mvps.org/Ssh/Private-publicKey.html
  • 8. Key Creation for Mac/Linux On unix like systems (Ubuntu, OSX, etc.) we'll need to go through a few steps. Fortunately it's likely you already have an SSH directory because if you have ever used SSH one was created for you. Open up a terminal window and check your home directory for a hidden . ssh directory. $ cd ~/.ssh
  • 9. Key Creation for Mac/Linux On unix like systems (Ubuntu, OSX, etc.) we'll need to go through a few steps. Fortunately it's likely you already have an SSH directory because if you have ever used SSH one was created for you. Open up a terminal window and check your home directory for a hidden . ssh directory. $ cd ~/.ssh If you receive a "no such file or directory" type of error message you have not used SSH and certainly don't have a key installed on your system. Next we'll create a set of keys which will create the file structure we need for us automatically.
  • 10. Key Creation for Mac/Linux When you create an SSH key pair you want to enter a strong passphrase when prompted to do so*. While you could skip the passphrase it would allow anyone who can access it the ability to use it. Your key is valuable and it should be protected at all costs.
  • 11. Key Creation for Mac/Linux When you create an SSH key pair you want to enter a strong passphrase when prompted to do so*. While you could skip the passphrase it would allow anyone who can access it the ability to use it. Your key is valuable and it should be protected at all costs. Let's create a strong 2048 bit RSA key with your email address included. $ ssh-keygen -t rsa -b 2048 -C"user@domain.com" You will be asked for a few options and you can leave those as their defaults but when asked for a passphrase choose a solid one. * A common practice when using SSH keys is to omit a passphrase because the default setup requires that you enter your passphrase each time you use your key which is seemingly the same as typing a password at login each time. Further in we'll cover how to work around this so you only need to enter your passphrase once per session.
  • 12. Key Creation for Mac/Linux Once your key is created you should see some new files which were indicated during your key generation. $ cd ~/.ssh $ ls ~/.ssh/id_rsa This is your private key file that ssh will read by default when a login attempt is made. You can have multiple keys, i.e. id_otherkey. ~/.ssh/id_rsa.pub This is your public key file for authentication. The contents of this file should be added to ~/.ssh/authorized_keys on all machines where you wish to login using key authentication. There is no need to keep the contents of this file secret.
  • 13. Key Creation for Mac/Linux To use your shiny new key on a server you need to copy your public key over the the authorized_keys file. It's usually not safe to try to do a simple copy/paste since even a stray return will break a key file and OSX doesn't contain the ssh-copy-id utility so we'll have to do some magic. $ ssh user@174.143.170.119 -p 7022 "umask 077; cat >> .ssh/authorized_keys" < ~/.ssh/id_rsa.pub
  • 14. Key Creation for Mac/Linux To use your shiny new key on a server you need to copy your public key over the the authorized_keys file. It's usually not safe to try to do a simple copy/paste since even a stray return will break a key file and OSX doesn't contain the ssh-copy-id utility so we'll have to do some magic. $ ssh user@174.143.170.119 -p 7022 "umask 077; cat >> .ssh/authorized_keys" < ~/.ssh/id_rsa.pub Now you should be able to authenticate to the server with your key. $ ssh user@174.143.170.119 -p 7022 If all is right in the world you will be asked for your key passphrase and not your server password.
  • 15. Key Creation for Mac/Linux To use your shiny new key on a server you need to copy your public key over the the authorized_keys file. It's usually not safe to try to do a simple copy/paste since even a stray return will break a key file and OSX doesn't contain the ssh-copy-id utility so we'll have to do some magic. $ ssh user@174.143.170.119 -p 7022 "umask 077; cat >> .ssh/authorized_keys" < ~/.ssh/id_rsa.pub Now you should be able to authenticate to the server with your key. $ ssh user@174.143.170.119 -p 7022 If all is right in the world you will be asked for your key passphrase and not your server password. Success! :)
  • 16. Key Creation for Mac/Linux To use your shiny new key on a server you need to copy your public key over the the authorized_keys file. It's usually not safe to try to do a simple copy/paste since even a stray return will break a key file and OSX doesn't contain the ssh-copy-id utility so we'll have to do some magic. $ ssh user@174.143.170.119 -p 7022 "umask 077; cat >> .ssh/authorized_keys" < ~/.ssh/id_rsa.pub Now you should be able to authenticate to the server with your key. $ ssh user@174.143.170.119 -p 7022 If all is right in the world you will be asked for your key passphrase and not your server password. Success! :) Failure :( contact Chris.
  • 17. SSH Agent Entering your passphrase on every login defeats the intent of using keys. ssh-agent will take care of the pesky prompts. Under OSX it runs by default so you will even get a popup asking you to save your passphrase to the keychain. Once you save it you will never be asked again on your local system.
  • 18. SSH Agent Entering your passphrase on every login defeats the intent of using keys. ssh-agent will take care of the pesky prompts. Under OSX it runs by default so you will even get a popup asking you to save your passphrase to the keychain. Once you save it you will never be asked again on your local system. For Linux it's little more complex. You will need to add a script to your ~/. profile file or you can execute a couple of short commands. The following will start up the ssh-agent and then allow ssh-add to pickup on the variables and it will hold your key for an entire session. Please note the back ticks around ssh-agent. $ eval `ssh-agent` $ ssh-add You will be prompted for your passphrase one time but not again during the same session.
  • 19. SSH Config We've got new keys and we can access some servers with them. We're still doing a lot of typing though. e.g. $ ssh user@174.143.170.119 -p 7022 Wouldn't it be nice if we could convert that into a short simple easy to remember command like the following? $ ssh staging
  • 20. SSH Config We've got new keys and we can access some servers with them. We're still doing a lot of typing though. e.g. $ ssh user@174.143.170.119 -p 7022 Wouldn't it be nice if we could convert that into a short simple easy to remember command like the following? $ ssh staging We can! Using a user configurable ssh config file you can create aliases for commonly access systems. Just create a config file using your favorite editor and adding it to your .ssh directory. $ nano -w ~/.ssh/config Host staging User <your-username> Hostname 174.143.170.119 Port 7022
  • 21. SSH Config There are a number of things you can do inside the ssh config file but aliases/bookmarks are probably the most common entries you will run into or need for yourself. Here's the basic entry for our staging example. Host staging User <your-username> Hostname 174.143.170.119 Port 7022 This creates an alias to the 174.143.170.119 server with our user and port options. The "Host" line is the alias name we assign. Now calling the following will start an ssh session for ssh user@174.143.170.119 -p 7022. $ ssh staging
  • 22. The End That's it. You are now an ssh wizard and can work both conveniently and securely. Keep your keys safe but if they are ever lost or you suspect an issue notify an admin quickly. To be really useful you will want to add your current private key or create a new key for staging. Because of permission issues however you may need a hand setting things up correctly.