...

There are several ways to use SSH. One is to rely on the automatically generated host key pair and the per-session key exchange simply to encrypt the network connection, and then log in with password authentication. Another is to use a manually generated public-private key pair to perform the authentication itself, allowing users or programs to log in without supplying a password. In this scenario, anyone can produce a matching pair of keys (public and private). The public key is placed on every computer that must allow access to the owner of the matching private key, which the owner keeps secret. Although authentication is based on the private key, the key itself is never sent over the network during authentication: the client only proves that it possesses the private key matching the public key it offers, by signing a challenge tied to the current session.


Set up public-key authentication using SSH on a Linux or macOS computer

To set up public-key authentication using SSH on a Linux or macOS computer:

  • Log into the computer you'll use to access the remote host, and then use ssh-keygen on the command line to generate a key pair. The examples on this page use the RSA algorithm; the transcript below shows a 2048-bit key, and newer OpenSSH releases generate 3072-bit RSA keys by default. Ed25519 keys are a good alternative and are produced by the same command with a different key type. To generate RSA keys, on the command line, enter:

    Code Block
    languagebash
    ssh-keygen -t rsa


  • You will first be prompted for the filename in which to store the key pair. Press Enter or Return to accept the default (~/.ssh/id_rsa for the private key; the public key goes next to it in ~/.ssh/id_rsa.pub).


  • You will then be prompted to enter a passphrase. If you just press Enter or Return, you create a key pair with no passphrase. Plenty of online resources suggest doing exactly that; from a security perspective it is NOT RECOMMENDED, because anyone who obtains a copy of the private key file can use it immediately. Please add a passphrase.

    Code Block
    languagebash
    [apacheco@mira](1016): ssh-keygen -t rsa
    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/apacheco/.ssh/id_rsa):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /home/apacheco/.ssh/id_rsa.
    Your public key has been saved in /home/apacheco/.ssh/id_rsa.pub.
    The key fingerprint is:
    SHA256:<redacted> apacheco@mira
    The key's randomart image is:
    +---[RSA 2048]----+
    |  oo.o..o.       |
    | . .*..*.        |
    |  E.o+*o=        |
    |   O.ooO..       |
    |  o =oo S.       |
    |   .o o .        |
    |.  ..+ = .       |
    |ooo.  = o        |
    |===o.o..         |
    +----[SHA256]-----+


  • If the ssh-copy-id command is available on your system, you can install your public key with the command below. It logs in with your remote password once, creates ~/.ssh on the remote host if it does not exist and appends the key to ~/.ssh/authorized_keys there. Afterwards, log in and check that only the key you intended was added:

    Code Block
    languagebash
    [apacheco@mira](1018): ssh-copy-id -i ~/.ssh/id_rsa.pub alp514@sol.cc.lehigh.edu
    /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/apacheco/.ssh/id_rsa.pub"
    /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
    /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
    
    Number of key(s) added: 1
    
    Now try logging into the machine, with:   "ssh 'alp514@sol.cc.lehigh.edu'"
    and check to make sure that only the key(s) you wanted were added.


  • Alternatively, copy the public key to your account on the remote system using SFTP or SCP. Copy only the .pub file; the private key never leaves your computer.

    Code Block
    languagebash
    titleSCP
    scp ${HOME}/.ssh/id_rsa.pub alp514@sol.cc.lehigh.edu:~/


  • Log in to the remote system and append the contents of the copied public key file (~/id_rsa.pub) as a new line in your ~/.ssh/authorized_keys file. The ~/.ssh directory must exist and be accessible only by you (mode 700), and authorized_keys must not be writable by anyone else; with its default StrictModes setting, sshd silently ignores the file otherwise and you are prompted for a password instead.

    Code Block
    languagebash
    cat ~/id_rsa.pub >> ~/.ssh/authorized_keys


  • When you now log in to the remote system, ssh prompts for the passphrase of the key rather than for your password on the remote system. You have three chances to enter the correct passphrase; after that ssh gives up on the key and, if the server permits it, falls back to password authentication. To log in to the remote system without entering your passphrase every time, use the credential manager, ssh-agent (described below).

    Code Block
    languagebash
    [apacheco@mira](1020): ssh sol
    Enter passphrase for key '/home/apacheco/.ssh/id_rsa':
    Last login: Thu May 21 13:21:11 2020 from xyz.cc.lehigh.edu
    
              |
              |   .        Welcome to Sol.  Compute intensive jobs are not to be
       `.  *  |     .'     run on the head node; appropriate tasks are editing,
         `. ._|_* .'  .    compilation, and SLURM job submission. Low impact,
       . * .'   `.  *      non-polling daemons are also allowed.
    -------|     |-------
       .  *`.___.' *  .    . SLURM job submission is required.
          .'  |* `.  *     . Files in /home and /share.
        .' *  |  . `.      . Apps in /share/Apps.
            . |
              |            User quotas are set to 150GB on /home.
    
    Use of this system is subject to Lehigh University security and
    information policies available at http://www.lehigh.edu/security.


  • It is a good security practice to change the key pair passphrase regularly just as you regularly change your password. 

    Code Block
    languagebash
    [apacheco@mira](1028): ssh-keygen -p
    Enter file in which the key is (/home/apacheco/.ssh/id_rsa):
    Enter old passphrase:
    Enter new passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved with the new passphrase.


  • If you have an existing key pair that has no passphrase, you can add one with the command ssh-keygen -p -f <path to private key>
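The manual SCP route above ends with appending a line to authorized_keys by hand, and the file permissions that step silently depends on are a common reason key login "does not work" and falls back to a password prompt. The script below is an added example, not code from the original page or from Lehigh's systems staff; it performs that final step defensively. It refuses anything that is not a public key line (so a private key copied by mistake never lands in authorized_keys), sets the ~/.ssh and authorized_keys modes that sshd's default StrictModes checks, and does not append a key that is already present. It assumes POSIX sh and takes the home directory as an argument so it can be tried against a scratch directory first; SAMPLE_PUBKEY is a constructed dummy key for the demo, not a real key.

```shell
#!/bin/sh
# Added example, not code from the original page. Installs a public key into
# ~/.ssh/authorized_keys the way the manual scp step does, but defensively.
# Assumptions: POSIX sh; the home directory is passed explicitly so the
# function can be exercised against a scratch directory first.

# Constructed dummy key for the demo (the blob is not a real key).
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDummyKeyForTheDemoNotARealKey0000000000 apacheco@mira'

install_authorized_key() {
    home_dir=$1       # "$HOME" on the remote system
    pubkey_file=$2    # the copied ~/id_rsa.pub
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    # A public key line is "<type> <base64-blob> [comment]". Anything else,
    # in particular a "-----BEGIN ... PRIVATE KEY-----" file copied by
    # mistake, is rejected before it can land in authorized_keys.
    key_line=$(head -n 1 "$pubkey_file")
    case $key_line in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *|sk-*\ *) ;;
        *) echo "refusing: $pubkey_file does not look like a public key" >&2; return 1 ;;
    esac

    # sshd (StrictModes yes, the default) ignores authorized_keys when the
    # directory or the file is writable by anyone other than the owner.
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_file"
    chmod 600 "$auth_file"

    # Compare on type + blob only, so a key that was installed earlier with
    # a different comment is still recognised and not duplicated.
    key_blob=$(printf '%s\n' "$key_line" | awk '{print $1 " " $2}')
    if awk -v blob="$key_blob" '($1 " " $2) == blob {found = 1} END {exit !found}' "$auth_file"; then
        echo "key already present"
        return 0
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
    echo "key added"
}

# Number of key lines in the account's authorized_keys (used to verify).
count_authorized_keys() {
    grep -cE '^(ssh-|ecdsa-|sk-)' "$1/.ssh/authorized_keys" || true
}

# Stand-alone demo against a scratch directory:  sh install_key.sh demo
if [ "${1:-}" = demo ]; then
    scratch=$(mktemp -d)
    printf '%s\n' "$SAMPLE_PUBKEY" > "$scratch/id_ed25519.pub"
    install_authorized_key "$scratch" "$scratch/id_ed25519.pub"
    install_authorized_key "$scratch" "$scratch/id_ed25519.pub"   # second run is a no-op
    ls -la "$scratch/.ssh"
    rm -rf "$scratch"
fi
```

On the real remote host the call is install_authorized_key "$HOME" ~/id_rsa.pub, which is the same as the one-line cat above plus the permission and duplicate checks; the demo mode runs the whole thing against a throwaway directory so you can see the resulting modes before touching your account.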

Using ssh-agent and ssh-add to manage passphrases

ssh-agent is a key manager for SSH. It holds your decrypted private keys (and certificates) in memory, unencrypted and ready for use by ssh. The ssh-add command prompts you for a private key's passphrase, decrypts the key and hands it to ssh-agent; the agent keeps the key, not the passphrase. Once a key is loaded, you will not be prompted for its passphrase when using ssh or scp to connect to hosts on which the matching public key is installed. Anything that can reach your agent socket (another process running as you or as root on the same machine, or a remote host when agent forwarding is enabled) can use the loaded keys for as long as they stay loaded, which is why giving them a lifetime matters.

  • At the prompt, enter 

    Code Block
    languagebash
    [apacheco@mira](1002): eval `ssh-agent`
    Agent pid 31571

    Use backticks (`) rather than single quotes ('); the $(...) form of command substitution works as well. Each run of this command starts a new agent process, which keeps running after the terminal is closed, so run ssh-add -l first to see whether an agent is already reachable, and stop an agent you no longer need with ssh-agent -k.

  • Use ssh-add to load a key into ssh-agent. It is good security practice to give the loaded key a lifetime with -t. Without one, the key stays loaded until the agent process exits, and an agent started with eval as above keeps running after the terminal is closed unless you stop it with ssh-agent -k. When prompted, enter the passphrase for the private key.

    Code Block
    languagebash
    [apacheco@mira](1003): ssh-add -t 1h
    Enter passphrase for /home/apacheco/.ssh/id_rsa:
    Identity added: /home/apacheco/.ssh/id_rsa (/home/apacheco/.ssh/id_rsa)
    Lifetime set to 3600 seconds


  • For the next hour (the lifetime given in the previous command) you can log in to Sol, or any remote system on which the public key is installed, without entering your passphrase or password:

    Code Block
    languagebash
    [apacheco@mira](1004): ssh sol
    Last login: Thu May 21 13:42:08 2020 from xyz.cc.lehigh.edu
    
              |
              |   .        Welcome to Sol.  Compute intensive jobs are not to be
       `.  *  |     .'     run on the head node; appropriate tasks are editing,
         `. ._|_* .'  .    compilation, and SLURM job submission. Low impact,
       . * .'   `.  *      non-polling daemons are also allowed.
    -------|     |-------
       .  *`.___.' *  .    . SLURM job submission is required.
          .'  |* `.  *     . Files in /home and /share.
        .' *  |  . `.      . Apps in /share/Apps.
            . |
              |            User quotas are set to 150GB on /home.
    
    Use of this system is subject to Lehigh University security and
    information policies available at http://www.lehigh.edu/security.


  • To see a list of keys added to your agent, use the command

    Code Block
    languagebash
    [apacheco@mira](1004): ssh-add -l
    2048 SHA256:<redacted> /home/apacheco/.ssh/id_rsa (RSA)


  • To delete all saved keys, use the command

    Code Block
    languagebash
    [apacheco@mira](1005): ssh-add -D
    All identities removed.
    [apacheco@mira](1006): ssh-add -l
    The agent has no identities.


  • If you have loaded multiple keys and want to remove only one of them, use the command ssh-add -d <private key>. For example:

    Code Block
    languagebash
    [apacheco@mira](1010): ssh-add -d /home/apacheco/.ssh/id_rsa
    Identity removed: /home/apacheco/.ssh/id_rsa (apacheco@mira)
    [apacheco@mira](1011): ssh-add -l
    The agent has no identities.
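The steps above are typed one at a time, and the two things that go wrong in practice are starting a fresh agent in every terminal (leaving orphaned agents holding keys) and forgetting the lifetime. The script below is an added example, not code from the original page, that wraps the same ssh-agent and ssh-add commands: it uses the documented ssh-add -l exit codes (0 keys listed, 1 agent reachable but empty, 2 no agent) to start an agent only when none is reachable, gives the agent a default key lifetime with ssh-agent -t so that even a plain ssh-add expires, and stops the agent cleanly. It assumes the OpenSSH client tools are on PATH and a POSIX sh; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original page. Thin wrapper around the
# ssh-agent / ssh-add commands shown above.
# Assumptions: OpenSSH client tools (ssh-agent, ssh-add) on PATH; POSIX sh.

# Report the agent's state from the documented ssh-add exit status:
#   0 = identities listed, 1 = agent reachable but empty, 2 = no agent.
agent_state() {
    command -v ssh-add >/dev/null 2>&1 || { echo missing-client; return 0; }
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo loaded ;;
        1) echo empty ;;
        2) echo no-agent ;;
        *) echo unknown ;;
    esac
}

# Start an agent only when none is reachable, so repeated "eval `ssh-agent`"
# calls do not leave a trail of orphaned agents holding keys. LIFETIME
# (e.g. 1h) is passed to ssh-agent -t and becomes the default lifetime for
# every key added later, so a plain "ssh-add" still expires.
start_agent() {
    lifetime=${1:-1h}
    if [ "$(agent_state)" = no-agent ]; then
        # ssh-agent -s prints sh commands that export SSH_AUTH_SOCK and
        # SSH_AGENT_PID; eval runs them in this shell.
        eval "$(ssh-agent -s -t "$lifetime")" >/dev/null
    fi
    agent_state
}

# Unload every key and stop the agent this shell started
# (ssh-agent -k uses SSH_AGENT_PID and prints the matching unset commands).
stop_agent() {
    [ -n "${SSH_AGENT_PID:-}" ] || return 0
    ssh-add -D >/dev/null 2>&1 || true
    eval "$(ssh-agent -k)" >/dev/null
}

# Load one key with an explicit lifetime (overrides the agent default).
# Prompts for the key's passphrase exactly as "ssh-add -t 1h" does.
load_key() {
    ssh-add -t "${2:-1h}" "$1"
}

# Stand-alone use:  . ./agent.sh; start_agent 1h; load_key ~/.ssh/id_rsa 1h
if [ "${1:-}" = demo ]; then
    start_agent 1h
    load_key "$HOME/.ssh/id_rsa" 1h
    ssh-add -l
fi
```

Source the file rather than executing it (". ./agent.sh") when you want start_agent's exported variables to land in your interactive shell; a key added through load_key shows up in ssh-add -l with its remaining lifetime, and stop_agent is what to run before walking away from a shared machine.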


Best Security Practices

  • Always protect your key pair with a passphrase.
    • Use a strong passphrase, just as you would for your password.
    • Do not use your password as your passphrase.
    • Do not write down your password or passphrase and keep it somewhere others can access, for example on a post-it note on your monitor.
  • Verify that only your account can access your SSH keys: run chmod 700 ~/.ssh and make sure the private key file (for example ~/.ssh/id_rsa) is mode 600. ssh refuses to use a private key that other users can read.
  • Never share your private key or your passphrase/password. Only the .pub file ever leaves your computer.
  • Always store your credentials in ssh-agent with a definite lifetime (ssh-add -t), and stop agents you no longer need.
  • Change your passphrase as regularly as you change your password.
    • Do not reuse your password as your passphrase.
  • Limit the number of systems that you log in from, and therefore the number of copies of your private key.


...