MandrakeUser.Org - Your Mandrake-Linux Knowledge Base!


 
 

*DocIndex - Security

SSH II - Setup

* Generating Your Own Key Pair
* Distributing Your Key
* Keeping Keys In System Memory

Related Resources:

SSH FAQ
Getting started with SSH
man ssh-keygen, man ssh-add, man ssh-agent

Revision / Modified: Sep. 27, 2001 / Oct. 09, 2001
Author: Tom Berger

 

* Generating Your Own Key Pair

Generating and distributing your own keys has two advantages: you protect yourself from 'man-in-the-middle' attacks (e.g. by a machine which fakes the fingerprint of the remote host) and you can use one password for all the servers you connect to.

Notice that there are currently two major, partly incompatible versions of SSH in use: version 1 and version 2. Whereas SSH version 2 servers can be configured to accept keys created with version 1, you are better off when you create two key pairs: one for version 1 and one for version 2. Since the names of the generated keys are different, they can be stored in the same directory and you can let the SSH server figure out which key it wants.

The version 1 key is generated by the command

ssh-keygen

The key using version 2 wants this:

ssh-keygen -t rsa

Version 2 'RSA' keys as generated by this command are preferred to version 2 'DSA' keys.

'ssh-keygen' will invoke the following dialog:

Generating RSA keys: ............................ooooooO......ooooooO
Key generation complete.
Enter file in which to save the key (/home/[user]/.ssh/identity):

[Just hit ENTER here unless you already have another key with that name, e.g. for a different SSH version]
Created directory '/home/[user]/.ssh'.
Enter passphrase (empty for no passphrase):

[The entered passphrase will not appear on the screen.]
Enter same passphrase again:
[The passphrase is not recoverable. If you forget it, you will have to generate a new keypair.]
Your identification has been saved in /home/[user]/.ssh/identity.
[This is your private key.]
Your public key has been saved in /home/[user]/.ssh/identity.pub.
The key fingerprint is: 2a:dc:71:2f:27:84:a2:e4:a1:1e:a9:63:e2:fa:a5:89 [user]@[local machine]

ssh-keygen -t rsa basically does the same, but saves the key pair by default to '/home/[user]/.ssh/id_rsa' (private key) and '/home/[user]/.ssh/id_rsa.pub' (public key). You can use the same passphrase for both key pairs.

Now you have a key pair: a public key to distribute to all the remote machines you want to ssh to and a private key, which is the heart of the authentication process. Which means: no one should ever be able to access your private key! ls -l ~/.ssh/identity or ls -l ~/.ssh/id_rsa should always show these permissions:

-rw-------

If you suspect your private key has been compromised, do not hesitate to generate a new pair. You will then have to distribute your new public key again, of course.

* section index * top

* Distributing Your Key

On each server you need an SSH connection to, create a .ssh subdirectory in your home directory. Into this directory, copy the local file '~/.ssh/identity.pub' and rename it to 'authorized_keys'. Likewise for version 2 keys: copy '~/.ssh/id_rsa.pub' and rename it to 'authorized_keys2'. Now execute on the remote server

chmod 644 .ssh/authorized_keys .ssh/authorized_keys2

Do not forget this step, SSH won't work if the 'authorized_keys(2)' file is writable by anyone other than you!

'authorized_keys(2)' can hold more than one public key, in case you want to connect to the remote server from a different machine. In this case you have to generate a new key pair on the machine, copy the content of the local 'identity.pub' file and paste it into the remote 'authorized_keys' file. Of course you should only do that if you have an account of your own on the client machine and the key is password protected! Furthermore, don't forget to remove the key pair when you no longer need it.
Simply put: it's better not to use key-based authentication on untrustworthy machines ;).

* section index * top

* Keeping Keys In System Memory

This method comes in handy when you usually connect to more than one machine during a session. The trick is to run applications which are automatically authenticated. This is achieved by a combination of the programsssh-add and ssh-agent.
man ssh-add reads:

"The authentication agent must be running and must be an ancestor of the current process for ssh-add to work."

Huh? ;) ssh-agent executes several commands, creates an PID file and sets some system environment variables. To make this work, you need the shell's eval command:

eval $(ssh-agent)

You should now see a message like

Agent pid [number]

Enter

ssh-add

in the same terminal and the key will be loaded into memory, asking you for the password, if you have protected the key with one. Now you can start SSH sessions from this terminal without having to give any passwords, provided you set up the SSH 'config' file accordingly, which will be discussed on the next page.

The 'pure' ssh-add command will be default only load SSH version 1 keys. To load a version 2 key, you have to specify its filename:

ssh-add .ssh/id_rsa

To load both keys (version 1 and version 2) at once, you have to specify both filenames:

ssh-add .ssh/identity .ssh/id_rsa

If you want to be 'ssh-agent' the 'ancestor' of all virtual terminals in a session, add the command eval $(ssh-agent) to your personal X startup files, either '~/.xinitrc', if you are starting X from the console, or '~/.xsession', if you are booting directly into X. Then runssh-add and all terminals you will open during this session will be authenticated.

Notice that all this isn't necessary for ML 7.1 and later, if you boot directly into X: '/etc/X11/Xsession' automatically starts the agent if there is an SSH key in the user's '~/.ssh' directory.

Other useful options are

  • ssh-add -l which lists the key(s) currently kept in memory, and
  • ssh-add -d which removes an identity from the system memory.

* section index * top

And now for some * SSH configuring ...

 
Legal: All texts on this site are covered by the GNU Free Documentation License. Standard disclaimers of warranty apply. Copyright LSTB (Tom Berger) and Mandrakesoft 1999-2002.