SSHKeyAuth
As password authentication does not work well at scale (forgotten passwords, the same password reused on many servers...), we recommend SSH keys as the authentication method on all servers.
Introduction
The key system works with a pair of private/public key. Imagine the public key is the lock, and the private key the key; you need to install the lock (public key) on all the servers you need to access, and need the private key to open that lock.
Remember, your private key is very important, let NOBODY get it! Losing it would be almost like giving someone the root password of all servers.
Create a public/private key pair
NB the passphrase you use should be unique, not a password you use elsewhere. Key auth is very secure, highly auditable and very convenient, but should someone acquire your private key and your passphrase, key auth becomes very, very dangerous.
On Linux
If you already have a private key from a previous setup:
- copy it to your new desktop/laptop home directory's .ssh sub directory
- Permissions should be 700 ( -rwx------ )
If you do not already have a private/public key pair from a previous setup:
test@lucian-work:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/test/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/test/.ssh/id_rsa.
Your public key has been saved in /home/test/.ssh/id_rsa.pub.
The key fingerprint is:
00:f6:7b:a2:f8:9c:98:9c:46:f9:df:04:6d:94:04:be test@lucian-work
This generates two files:
- ~/.ssh/id_rsa, your private key
- ~/.ssh/id_rsa.pub, your public key
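The permission rule above is exactly what ssh enforces before it will use a key: if the private key (or the .ssh directory) has any group or other bits set, the key is ignored with a "permissions are too open" error. The following check and fix is an added example, not part of the original page; it assumes a Linux workstation with GNU coreutils `stat` and defaults to ~/.ssh/id_rsa.

```shell
# Added example (not from the original page): verify that the .ssh directory
# and the private key carry no group/other permission bits, as ssh requires.
# Assumes GNU `stat -c` (Linux). Usage: check_key_perms [ssh_dir] [key_name]
check_key_perms() {
    dir="${1:-$HOME/.ssh}"
    key="$dir/${2:-id_rsa}"
    rc=0
    for path in "$dir" "$key"; do
        if [ ! -e "$path" ]; then
            echo "missing: $path" >&2
            rc=1
            continue
        fi
        mode=$(stat -c '%a' "$path")          # e.g. 700, 600, 644
        go="${mode#"${mode%??}"}"             # last two octal digits: group + other
        if [ "$go" != "00" ]; then
            echo "too open: $path is mode $mode (group/other must be 0)" >&2
            rc=1
        fi
    done
    return $rc
}

# Apply the modes the page recommends: 700 on the directory, 600 on the key.
fix_key_perms() {
    dir="${1:-$HOME/.ssh}"
    key="$dir/${2:-id_rsa}"
    chmod 700 "$dir" && chmod 600 "$key"
}
```

Run `check_key_perms` after copying an old key into place; a non-zero exit means ssh would silently skip that key and fall back to password prompts.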
On Windows
Download puttygen.
Click on "Generate" to create a public/private key pair. Wave your mouse around to generate some randomness while the key is generated. Enter a passphrase (which you will need to remember), and save the private key file somewhere sensible; it will have the file format .ppk. You will need the passphrase to access this file in future. The public key shown in the box is what needs to be pasted into your authorized_keys file (i.e. do not open the public key file with a text editor and copy the contents - this will not work). Using PuTTY, copy and paste the key (starting with ssh-rsa and all on one line), then in your PuTTY session with the authorized_keys file open, right-click to paste it in.
To get PuTTY to use the key in a session, in the main PuTTY window scroll down to Connection/SSH/Auth on the left-hand side, and browse to the location of the private key. Then in the Session window, type in the host address as normal. If you get a message saying that the server refused your key, it's probably the permissions on the authorized_keys file (see below).
Using a private key in Linux which has been generated in puttygen for Windows
To make my key work in 64-bit Ubuntu, I needed to convert the private key (originally created in puttygen for Windows) into OpenSSH format:
1. First, install puttygen (part of the putty package):
sudo apt-get install putty
2. Then copy the private key into ~/.ssh
3. Then make a copy converted to OpenSSH format (my private key was named pmiles-2008-12-19.ppk):
puttygen /home/pmiles/.ssh/pmiles-2008-12-19.ppk -o /home/pmiles/.ssh/id_rsa -O private-openssh
Prepping the server
14.04 onwards
Change the /etc/sudoers file to allow a user to use sudo without a password.
- Never edit this file directly: a wrong entry will disable sudo across the whole system.
- The proper way is to use visudo as follows (it will not save a sudoers file that fails validation):
export EDITOR=vim
sudo visudo
Check that these existing entries exist:
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=NOPASSWD:ALL
NB Command ordering is important: sudo applies the last matching entry, so the %sudo line needs to be after the %admin one or a user in both groups will still be asked for a password.
If using backuppc or other services that need remote access, you must add an entry for the service user, e.g. backuppc (but do not add backuppc to the sudo group):
rsyncbackup ALL=NOPASSWD: /usr/bin/rsync
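Because a mis-ordered or malformed sudoers file can lock everybody out of sudo, it is worth checking a candidate file before visudo installs it. The functions below are an added example, not part of the original page: they check the ordering rule above on a copy of the file and, where visudo is installed, run its real syntax check (`visudo -c -f FILE`) without touching /etc/sudoers.

```shell
# Added example (not from the original page): verify that the first %sudo
# entry comes after the first %admin entry and carries NOPASSWD, as the
# page's ordering note requires. Pass the path of a sudoers file (or a copy).
check_sudoers_order() {
    file="$1"
    # line numbers of the first uncommented %admin and %sudo entries
    admin_line=$(grep -n '^[[:space:]]*%admin[[:space:]]' "$file" | head -n1 | cut -d: -f1)
    sudo_line=$(grep -n '^[[:space:]]*%sudo[[:space:]]' "$file" | head -n1 | cut -d: -f1)
    if [ -z "$admin_line" ] || [ -z "$sudo_line" ]; then
        echo "missing %admin or %sudo entry in $file" >&2
        return 1
    fi
    if [ "$sudo_line" -le "$admin_line" ]; then
        echo "%sudo (line $sudo_line) must come after %admin (line $admin_line)" >&2
        return 1
    fi
    # the %sudo line is the one that must grant NOPASSWD
    if ! sed -n "${sudo_line}p" "$file" | grep -q 'NOPASSWD:'; then
        echo "%sudo entry on line $sudo_line does not carry NOPASSWD" >&2
        return 1
    fi
    return 0
}

# Syntax-check a candidate sudoers file with visudo itself, without
# installing it. Skips (successfully) when visudo is not available.
syntax_check_sudoers() {
    if ! command -v visudo >/dev/null 2>&1; then
        echo "visudo not installed, skipping syntax check" >&2
        return 0
    fi
    visudo -c -f "$1"
}
```

Typical use is `sudo cp /etc/sudoers /tmp/sudoers.new`, edit the copy, then run both checks on it before applying the change through visudo.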
Restart the ssh server (on Ubuntu the service is named ssh, not sshd):
service ssh restart
- To test the process has worked so far, add your sudo user as per SSHKeyAuth#Install_key_authentication_for_an_account below. Then logout and log back in as that user to continue on.
- Disable password authentication in SSH (NB the root account should only be accessible at the console - do not change this account to NOPASSWD)
sudo vim /etc/ssh/sshd_config
- Un-comment the line and change it to no to disable tunnelled clear text passwords:
PasswordAuthentication no
- Then, restart the SSH server:
sudo systemctl restart ssh
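One gotcha with this edit: sshd keeps the first uncommented value it sees for a keyword and ignores later duplicates, so appending "PasswordAuthentication no" at the end of the file does nothing if an uncommented "PasswordAuthentication yes" already appears earlier. The function below is an added example, not part of the original page; it reads the file the way sshd does (comments skipped, keywords case-insensitive, first value wins, stopping at any Match block) and fails unless the result is no. On a live host, `sudo sshd -T | grep -i passwordauthentication` shows the fully resolved value.

```shell
# Added example (not from the original page): report whether a given
# sshd_config disables password authentication, using sshd's own
# first-value-wins rule. Usage: password_auth_disabled /path/to/sshd_config
password_auth_disabled() {
    file="$1"
    value=$(awk '
        /^[[:space:]]*#/ { next }                               # skip comments
        tolower($1) == "match" { exit }                         # stop at the first Match block
        tolower($1) == "passwordauthentication" { print tolower($2); exit }
    ' "$file")
    case "$value" in
        no)
            return 0 ;;
        "")
            echo "PasswordAuthentication not set in $file (sshd default is yes)" >&2
            return 1 ;;
        *)
            echo "PasswordAuthentication is '$value' in $file" >&2
            return 1 ;;
    esac
}
```

Run it against /etc/ssh/sshd_config after editing and before restarting the daemon; a non-zero exit means password logins would still be accepted.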
Install key authentication for an account
Create a user with SSH authentication, and without password
You can use the following script or do it manually. The script is for Ubuntu/Debian and depends on logger, normally installed by default; if not, it can be installed with:
apt-get install bsdutils
#!/bin/bash
# Address of this host, used as the destination for logger -n below.
# (Picks the field after "src" rather than the last field, which on newer
# iproute2 is the uid, not the address.)
server=$(ip route get 8.8.8.8 | awk '{for (i = 1; i <= NF; i++) if ($i == "src") print $(i+1)}')
echo "Please insert your desired username"
read username
# Create the account with no usable password: key authentication only
adduser --disabled-password --gecos "" "$username"
mkdir -p "/home/$username/.ssh"
chmod 700 "/home/$username/.ssh"
file="authorized_keys"
# Paste the user's public key (one line) into this file when the editor opens
vi "/home/$username/.ssh/$file"
chown -R "$username:$username" "/home/$username/.ssh"
chmod 600 "/home/$username/.ssh/$file"
echo "$username has been created"
echo "Do you wish to give the new user sudo powers? (write Yes if you agree)"
read answer
case $answer in
    [Yy][Ee][Ss] )
        adduser "$username" sudo
        echo "$username has been granted sudo powers"
        logger -n "$server" "Username $username has been created with sudo powers and their public key added in /home/$username/.ssh/$file";;
    *)
        echo "$username has not been granted sudo powers"
        logger -n "$server" "Username $username has been created without sudo powers and their public key added in /home/$username/.ssh/$file";;
esac
Copy and paste the above into a new file and run:
$ sudo chmod +x <the name of the new file>
$ sudo ./<the name of the new file>
Or do it manually
$ sudo adduser --disabled-password lpricop
Adding user `lpricop' ...
Adding new group `lpricop' (1006) ...
Adding new user `lpricop' (1005) with group `lpricop' ...
The home directory `/home/lpricop' already exists.  Not copying from `/etc/skel'.
Changing the user information for lpricop
Enter the new value, or press ENTER for the default
	Full Name []:
	Room Number []:
	Work Phone []:
	Home Phone []:
	Other []:
Is the information correct? [y/N] y
$ sudo mkdir /home/lpricop/.ssh
$ sudo vim /home/lpricop/.ssh/authorized_keys
Paste your public key into that file, and then:
$ sudo chown -R lpricop:lpricop /home/lpricop/.ssh
$ sudo chmod 600 /home/lpricop/.ssh/authorized_keys
* These instructions assume a clean build - an installation upgraded to 14.04 may have different groups.
If the user needs to be able to use sudo, add them to the sudo group (admin group in earlier versions):
sudo adduser lpricop sudo
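The manual steps above (and the puttygen note earlier about pasting a single ssh-rsa line rather than the contents of the .pub file) reduce to one repeatable operation: validate the key line, create ~/.ssh with the right modes, append the key once, and hand the directory to the user. The function below is an added example, not part of the original page. It takes the home directory explicitly so it can be exercised on a scratch directory; the user name and sample key in the test are constructed, and chown only runs when the caller is root and the account exists, matching the page's assumption that the user's primary group has the same name.

```shell
# Added example (not from the original page): install one OpenSSH public
# key line into HOME/.ssh/authorized_keys for USER, idempotently.
# Usage: install_authorized_key /home/lpricop lpricop "ssh-ed25519 AAAA... comment"
install_authorized_key() {
    home="$1"; user="$2"; pubkey="$3"

    # A pasted .pub file from puttygen spans several lines; reject anything
    # that is not a single "type base64 [comment]" line of a known key type.
    nl=$(printf '\nx'); nl=${nl%x}
    case "$pubkey" in
        *"$nl"*) echo "public key must be a single line" >&2; return 1 ;;
    esac
    if ! printf '%s\n' "$pubkey" | grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'; then
        echo "not a valid OpenSSH public key line" >&2
        return 1
    fi

    sshdir="$home/.ssh"
    keyfile="$sshdir/authorized_keys"
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    touch "$keyfile" && chmod 600 "$keyfile"

    # append only if this exact line is not already present
    if grep -qxF -- "$pubkey" "$keyfile"; then
        echo "key already present in $keyfile" >&2
    else
        printf '%s\n' "$pubkey" >> "$keyfile"
    fi

    # give the directory to the user; only meaningful as root on the server
    if [ "$(id -u)" -eq 0 ] && id "$user" >/dev/null 2>&1; then
        chown -R "$user:$user" "$sshdir"
    fi
    return 0
}

# Number of key lines currently installed (used to confirm idempotence).
count_authorized_keys() {
    grep -c . "$1/.ssh/authorized_keys"
}
```

Running it twice with the same key leaves exactly one entry, and a multi-line or malformed paste is rejected before anything is written, which is the failure the PuTTY section warns about.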
For existing users
For existing users created with a password, as root do
passwd -l <the username>
to require the user to use key auth from then on.
Two things to do on your workstation, not the server:
If you already have a private key from a previous setup
- copy it to ~/.ssh
- Permissions should be 700 ( -rwx------ )
Agent forwarding
When you connect to a server with your key, and then want to connect from that server to another server using key authentication, this doesn't work, as the first server you connected to doesn't have your private key. You need to tell your PC and that server to forward the challenge sent by the second server back to you, using what is called Agent Forwarding.
$ vim .ssh/config
Add the following lines:
Host *
    ForwardAgent yes
For security you can also consider limiting which servers the forward applies to. In newroco we only add client sites by IP to the "Host" line and configure the options on a per-server basis.
Then run
ssh-add
on your PC.
See Ssh_windows for information on how to do agent forwarding with windows.
You can check if agent forwarding is working by running
$ env | grep SSH_AUTH_SOCK
Run this on the machine you're SSH'd into. If forwarding is working, it should return something like:
SSH_AUTH_SOCK=/tmp/ssh-a1NF...
A blank response would indicate forwarding is not functional.
NB Forwarding is not "forever": if you want to ssh hop from server to server, those intermediate servers also need to have ForwardAgent set to yes. This can be done on a per-user basis as above or set as the system-wide default in /etc/ssh/ssh_config
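Two checks that follow from this section, as an added example that is not part of the original page: one lists which Host blocks in a client config enable ForwardAgent and fails if a blanket "Host *" (or an option placed before any Host line, which ssh also applies to every host) does, so you can confirm the per-site restriction described above; the other is the SSH_AUTH_SOCK test, tightened to require that the socket actually exists rather than only that the variable is set. The addresses in the test are constructed.

```shell
# Added example (not from the original page): which Host blocks in an
# ssh client config turn agent forwarding on?
# Prints the first pattern of each Host block that has "ForwardAgent yes".
forward_agent_hosts() {
    awk '
        BEGIN { host = "*" }                      # options before any Host line apply to all hosts
        /^[[:space:]]*#/ { next }                 # skip comments
        tolower($1) == "host" { host = $2 }
        tolower($1) == "forwardagent" && tolower($2) == "yes" { print host }
    ' "$1"
}

# Fail when forwarding is enabled for every host via "Host *" (or globally).
forward_agent_restricted() {
    if forward_agent_hosts "$1" | grep -qx '\*'; then
        echo "ForwardAgent yes applies to all hosts in $1" >&2
        return 1
    fi
    return 0
}

# Equivalent of "env | grep SSH_AUTH_SOCK" on the remote side, but also
# checks that the path is a live socket and not a stale value.
agent_socket_present() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ]
}
```

Point `forward_agent_restricted` at ~/.ssh/config (or /etc/ssh/ssh_config) on the workstation and on each intermediate server; `agent_socket_present` is the check to run after logging in to the hop.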
SSH tips & tricks
If your login on your local machine is lucian and it is lpricop on the server, and you are tired of typing ssh user_name@server every time instead of ssh server, you can set the login name automatically for a specific server or a complete domain. Edit/create the file ~/.ssh/config:
Host "host_name"
    Hostname "host_ip_address"
    User "user_name"
lucian@lucian-work:~$ ssh host_name
Linux host_name 2.6.20-15-generic #2 SMP Sun Apr 15 07:36:31 UTC 2007 i686
lpricop@host_name:~$
See also SSH_for_multiple_server_management