SSH how to 2011
Internal knowledge share on SSH setup and usage. Includes some helpful config file options to save time and how to create and use SSH keys for better security and productivity.
SSH how to 2011 Presentation Transcript

  • 1. SSH Keys and Configurations (Chris Hales)
  • 2-4. What is SSH?
    Secure Shell, aka SSH, is a secure encrypted communication protocol designed to replace older insecure protocols like telnet, rsh, and ftp.
    SSH authentication can be done with a username and password combination, which is the default. Here's the most simplistic usage we might encounter.
    $ ssh user@secureserver
    After you connect to secureserver you are normally asked for your password to complete the login.
    When you start doing this over and over again for many systems with various passwords it can become pretty tedious. What if there was a way to simplify the process? Time for SSH keys to save the day!
  • 5-6. Enter SSH Keys!
    SSH can be configured to use key pairs so that you don't have to type your password in every time you need to log into a commonly accessed system. Your public key is placed on all systems you wish to access using your private key.
    There's a lot of technical detail surrounding public-key cryptography, but for our purposes all you really need to know is that it's a really secure way of proving who you are to a third-party system.
    Let's begin with creating your key pair if you don't already have one. Mac and Linux setup is basically identical. For Windows you will need PuTTY and PuTTYgen installed.
  • 7. Key Creation for Windows
    For Windows users I'm cheating and sending you to an excellent PuTTYgen how-to which includes key pair creation: http://theillustratednetwork.mvps.org/Ssh/Private-publicKey.html
  • 8-9. Key Creation for Mac/Linux
    On Unix-like systems (Ubuntu, OS X, etc.) we'll need to go through a few steps. Fortunately it's likely you already have an SSH directory, because if you have ever used SSH one was created for you. Open up a terminal window and check your home directory for a hidden .ssh directory.
    $ cd ~/.ssh
    If you receive a "no such file or directory" type of error message you have not used SSH and certainly don't have a key installed on your system. Next we'll create a set of keys, which will create the file structure we need automatically.
  • 10-11. Key Creation for Mac/Linux
    When you create an SSH key pair you want to enter a strong passphrase when prompted to do so*. While you could skip the passphrase, it would allow anyone who can access the key file the ability to use it. Your key is valuable and it should be protected at all costs.
    Let's create a strong 2048 bit RSA key with your email address included.
    $ ssh-keygen -t rsa -b 2048 -C "user@domain.com"
    You will be asked for a few options and you can leave those as their defaults, but when asked for a passphrase choose a solid one.
    * A common practice when using SSH keys is to omit a passphrase, because the default setup requires that you enter your passphrase each time you use your key, which is seemingly the same as typing a password at login each time. Further in we'll cover how to work around this so you only need to enter your passphrase once per session.
  • 12. Key Creation for Mac/Linux
    Once your key is created you should see some new files, which were indicated during your key generation.
    $ cd ~/.ssh
    $ ls
    ~/.ssh/id_rsa
    This is your private key file that ssh will read by default when a login attempt is made. You can have multiple keys, e.g. id_otherkey.
    ~/.ssh/id_rsa.pub
    This is your public key file for authentication. The contents of this file should be added to ~/.ssh/authorized_keys on all machines where you wish to log in using key authentication. There is no need to keep the contents of this file secret.
  • 13-16. Key Creation for Mac/Linux
    To use your shiny new key on a server you need to copy your public key over to the authorized_keys file. It's usually not safe to try to do a simple copy/paste, since even a stray return will break a key file, and OS X doesn't contain the ssh-copy-id utility, so we'll have to do some magic.
    $ ssh user@174.143.170.119 -p 7022 "umask 077; cat >> .ssh/authorized_keys" < ~/.ssh/id_rsa.pub
    Now you should be able to authenticate to the server with your key.
    $ ssh user@174.143.170.119 -p 7022
    If all is right in the world you will be asked for your key passphrase and not your server password.
    Success! :)
    Failure :( contact Chris.
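The slides on the key files (12) and on copying the public key over (13-16) both turn on one fact: an authorized_keys entry is a single line, and a stray newline in a paste splits it into two entries that the server silently ignores. The one-liner above avoids that by streaming the file, but note two things about it: `cat >> .ssh/authorized_keys` creates the file, not the directory, so `.ssh` must already exist on the server, and `umask 077` only governs the file that command creates. The following checker is an added example and not code from the slides; it parses an authorized_keys file the way sshd does at the line level (key type, base64 blob, comment), decodes the blob into its SSH wire strings and confirms the embedded type matches the declared one, so a line broken by a paste is reported on both halves. The sample key it builds is a constructed toy modulus, not a real key.

```python
"""Check an authorized_keys file for the copy/paste breakage the slides warn about.

Added example, not part of the original slides: each key line must read
"<keytype> <base64 blob> [comment]", and the decoded blob must be a well-formed
sequence of SSH wire strings whose first element names the same key type.
A line that was split by a stray newline fails both halves of that check.
"""
import base64
import struct

# Key types accepted here (a subset of what OpenSSH understands).
KEY_TYPES = {
    "ssh-rsa", "ssh-ed25519", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string': 4-byte big-endian length + data."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH wire 'mpint' (leading 0x00 if the high bit is set)."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def make_rsa_public_key_line(e: int, n: int, comment: str) -> str:
    """Build an 'ssh-rsa' line from toy parameters; used only to construct sample input."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def _wire_strings(blob: bytes) -> list:
    """Split blob into its SSH wire strings; raise ValueError if the lengths do not fit."""
    parts, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length field")
        (length,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + length > len(blob):
            raise ValueError("string runs past end of blob")
        parts.append(blob[off:off + length])
        off += length
    return parts


def parse_authorized_keys(text: str) -> list:
    """Return one (line_no, status, detail) per line; status is 'ok', 'comment' or 'bad'."""
    results = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            results.append((line_no, "comment", ""))
            continue
        fields = line.split()
        # A leading options field (e.g. "no-pty") may precede the key type; skip it.
        if fields[0] not in KEY_TYPES:
            fields = fields[1:]
        if len(fields) < 2 or fields[0] not in KEY_TYPES:
            results.append((line_no, "bad", "missing key type or key data"))
            continue
        keytype, b64 = fields[0], fields[1]
        try:
            blob = base64.b64decode(b64, validate=True)
            parts = _wire_strings(blob)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            results.append((line_no, "bad", f"key data does not decode: {exc}"))
            continue
        if len(parts) < 2 or parts[0] != keytype.encode():
            results.append((line_no, "bad", "decoded key does not match the declared type"))
            continue
        results.append((line_no, "ok", keytype))
    return results


def bad_lines(text: str) -> list:
    """Line numbers that would be rejected, i.e. the ones to fix before trusting the file."""
    return [n for n, status, _ in parse_authorized_keys(text) if status == "bad"]


# Constructed sample (toy modulus, NOT a real key): one valid line, and the same
# line broken in two by a stray newline, as a careless paste produces.
GOOD_LINE = make_rsa_public_key_line(65537, 2**1023 + 123457, "user@domain.com")
BROKEN_TEXT = GOOD_LINE[:40] + "\n" + GOOD_LINE[40:]

if __name__ == "__main__":
    for n, status, detail in parse_authorized_keys(BROKEN_TEXT):
        print(n, status, detail)
```

Run it against a real file with `parse_authorized_keys(open(path).read())`; a non-empty `bad_lines` result means the server will ignore those entries and the next login will fall back to a password prompt, which is the exact symptom of the "Failure :(" slide.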
  • 17-18. SSH Agent
    Entering your passphrase on every login defeats the intent of using keys. ssh-agent will take care of the pesky prompts. Under OS X it runs by default, so you will even get a popup asking you to save your passphrase to the keychain. Once you save it you will never be asked again on your local system.
    For Linux it's a little more complex. You will need to add a script to your ~/.profile file, or you can execute a couple of short commands. The following will start up the ssh-agent and then allow ssh-add to pick up on the variables, and it will hold your key for an entire session. Please note the back ticks around ssh-agent.
    $ eval `ssh-agent`
    $ ssh-add
    You will be prompted for your passphrase one time but not again during the same session.
  • 19-20. SSH Config
    We've got new keys and we can access some servers with them. We're still doing a lot of typing though, e.g.
    $ ssh user@174.143.170.119 -p 7022
    Wouldn't it be nice if we could convert that into a short, simple, easy to remember command like the following?
    $ ssh staging
    We can! Using a user-configurable ssh config file you can create aliases for commonly accessed systems. Just create a config file using your favorite editor and add it to your .ssh directory.
    $ nano -w ~/.ssh/config
    Host staging
    User <your-username>
    Hostname 174.143.170.119
    Port 7022
  • 21. SSH Config
    There are a number of things you can do inside the ssh config file, but aliases/bookmarks are probably the most common entries you will run into or need for yourself. Here's the basic entry for our staging example.
    Host staging
    User <your-username>
    Hostname 174.143.170.119
    Port 7022
    This creates an alias to the 174.143.170.119 server with our user and port options. The "Host" line is the alias name we assign. Now calling the following will start an ssh session for ssh user@174.143.170.119 -p 7022.
    $ ssh staging
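The config slides (19-21) show one alias, but the rule that makes the file predictable once it holds many is worth seeing: the ssh client takes the first value it obtains for each keyword, so a specific `Host staging` block must come before any catch-all `Host *` block, and a `!pattern` entry excludes a host from a block. The reader below is an added example and not code from the slides or from OpenSSH; it resolves an alias under those rules and prints the long-form command the alias stands for. The sample config is constructed with the address and port from the slides; the user names `deploy` and `fallback` are placeholders.

```python
"""Resolve an alias the way the ssh client reads ~/.ssh/config.

Added example, not part of the original slides: a small reader for the
Host/HostName/User/Port keywords used on the slides. It follows the OpenSSH
rule that the first value obtained for an option wins, so a specific
"Host staging" block written above a catch-all "Host *" block takes precedence,
and "!pattern" entries exclude a host from a block. Keyword names are
case-insensitive, so the slides' "Hostname" spelling is accepted.
"""
import fnmatch

# Constructed sample config (the address and port are the ones on the slides;
# the user names are placeholders).
SAMPLE_CONFIG = """\
Host staging
    User deploy
    Hostname 174.143.170.119
    Port 7022

Host *
    User fallback
    Port 22
"""


def parse_ssh_config(text: str) -> list:
    """Return [(host_patterns, {keyword: value}), ...] in file order.

    Options that appear before the first Host line form a leading block that
    matches every host."""
    blocks = []
    patterns, options = ["*"], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "host":
            blocks.append((patterns, options))
            patterns, options = value.split(), {}
        else:
            options.setdefault(keyword, value)  # within a block, too, the first value wins
    blocks.append((patterns, options))
    return blocks


def _block_matches(alias: str, patterns: list) -> bool:
    """ssh-style matching: some positive pattern matches and no negated one does."""
    negated = [p[1:] for p in patterns if p.startswith("!")]
    positive = [p for p in patterns if not p.startswith("!")]
    if any(fnmatch.fnmatchcase(alias, p) for p in negated):
        return False
    return any(fnmatch.fnmatchcase(alias, p) for p in positive)


def resolve(alias: str, text: str) -> dict:
    """Effective hostname, user and port for alias; first obtained value wins."""
    effective = {}
    for patterns, options in parse_ssh_config(text):
        if _block_matches(alias, patterns):
            for keyword, value in options.items():
                effective.setdefault(keyword, value)
    return {
        "hostname": effective.get("hostname", alias),  # no HostName: the alias is the real name
        "user": effective.get("user"),
        "port": int(effective.get("port", 22)),
    }


def equivalent_command(alias: str, text: str) -> str:
    """The long form that `ssh <alias>` expands to under this config."""
    r = resolve(alias, text)
    target = f"{r['user']}@{r['hostname']}" if r["user"] else r["hostname"]
    return f"ssh {target} -p {r['port']}"


if __name__ == "__main__":
    print(equivalent_command("staging", SAMPLE_CONFIG))
```

Swap the order of the two blocks in `SAMPLE_CONFIG` and `resolve("staging", ...)` returns the fallback user and port 22, which is the most common reason an alias "stops working" after a catch-all block is added at the top of the file. The real client offers the same check with `ssh -G staging`, which prints the effective configuration without connecting.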
  • 22. The End
    That's it. You are now an ssh wizard and can work both conveniently and securely. Keep your keys safe, but if they are ever lost or you suspect an issue notify an admin quickly.
    To be really useful you will want to add your current private key or create a new key for staging. Because of permission issues, however, you may need a hand setting things up correctly.