This is going to be old hat for some, but I know there are those who can benefit from it, so I’ll post a brief tutorial here. This post is to extend upon the post published by Christer on Ubuntu Tutorials.
There is a lot of software on the Linux system that I take for granted, and I am sure there are many reading this post who also do not realize the full power of SSH. Among those two goldmines are SSH key authentication and sshfs. First, SSH key authentication (sshfs for another post).
There are two ways that a server can recognize that a user is trying to access it: passwords or keys. Both provide the server with the security that the person at the local machine is who they say they are. Of course, if the local system is compromised, there is no way for the server to know. However, with that said, hopefully, it’s basic user error that created the compromise in the first place. But nevermind that. I’m rambling.
Many of us use SSH daily. Probably more times than once throughout the course of the day. I know I do. At work, I SSH into my home box for secure proxy, as well as SSH into the office server. With the office server containing many virtual servers, I find myself using SSH a few times more. On top of that, we use SVN to manage our code collaboration. We use svn+ssh to check in the code. Needless to say, I find myself using SSH several times throughout the course of the day. One major problem is typing my password at every pass. Key authentication fixes that.
Using SSH key authentication, I generate a private and public key. With this key pair, I then append the public key to an authorized keys file, telling the remote system that I can use it if a private key is supplied. If the remote system can match the public key to the private key that I am supplying, then I don’t have to worry about a password. It won’t ask me for one. It knows I am who I say I am.
So, how do we make this happen? Simple. SSH provides a set of utilities that make it really easy.
First, we need to generate the key pair. When asked, you should provide a passphrase for the key. This is highly recommended, as doing a passphraseless key authentication means that anyone can use your key when at your computer, which sucks even more if it gets compromised. Type in a passphrase. Save yourself the pain.
ssh-keygen -t [dsa|rsa]
As you can see, you can generate either a DSA key or an RSA key. It doesn’t matter which one you generate. For me, I generated a DSA key. So, I need to append the public DSA key to the authorized keys file found in my home directory. First, copy over the file to the remote server:
scp ~/.ssh/id_dsa.pub email@example.com:~/
Then ssh to the remote server, and append the contents:
ssh firstname.lastname@example.org cat id_dsa.pub >> .ssh/authorized_keys
If the file didn’t exist, then you just created it. If it did exist, then you appended your key to the end of the file, leaving any other keys in the file in tact. Continue to add your public key to as many remote servers in this fashion as possible. Once added, you can remove the public key.
Ok. Now, we have SSH using key authentication, rather than password authentication. The only problem is, we’re still typing in our passphrase when trying to connect remotely. I thought the point of key authentication was to get rid of that. It was, and it’s still possible.
We need to use the SSH agent to manage our passphrase when logged in. Luckily, if using Gnome, you already have an SSH agent running. I don’t know about KDE.
ps aux | grep ssh-agent aaron 5142 0.0 0.0 4484 448 ? Ss Feb07 0:00 /usr/bin/ssh-agent /usr/bin/ssh-agent /usr/bin/dbus-launch --exit-with-session /usr/bin/gnome-session
As you can see, Gnome is managing my SSH agent for me. However, only when logged in via the GDM. If Iog out of Gnome, then my ssh agent is lost. So, this means, if you log in via a terminal without X, then you will need to start the SSH agent.
What is the SSH agent, exactly? Well, it manages your passphrase along with other variables when you login to remote servers using SSH key authentication. So, if you login using the SSH keys, and you’re prompted for your passphrase, your passphrase is stored in the agent. Which means, that you can keep it there, so you won’t have to edit it again. The way to do this is add your key to the agent along with your passphrase:
That will do the trick. Now, SSH into the remote server. It will ask you for your passphrase. Now logout and log back in. Did it ask you for your passphrase again? If you’ve followed all the steps, then it shouldn’t have. Reason being, is both your key, and it’s associated passphrase are being stored in the agent. The SSH agent manages the two together, and any future logins, regardless of remote server (as long as your public key is on that server), will not ask you for a password or passphrase.
Pretty cool huh? Just wait, it gets better. You can forward your agent from session to session. This means, as long as you have your public key in the authorized keys file, you will never be asked for your password or passphrase. The agent can be carried across the session. Just edit your /etc/ssh/ssh_config file, and uncomment the line that says “ForwardAgent no” and change it to yes.
sudo vim /etc/ssh/ssh_config
Let me give you an example to help illustrate the process.
John generates his SSH key pair, and adds the public key to his SSH server. He then adds his key to the agent, enables forwarding his agent, and SSHs in. He is asked for his passphrase. After done with his work, he logs out. Unfortunately, he forgot to edit a certain file, so he SSHs back into his server. This time, because he logged out remotely but not locally, he is not asked for his passphrase. Kelly, his girlfriend, needs help with her SSH server, and asks him to sign in. He does, but this time, the SSH server prompts him for his password. “Odd” he thought. I am forwarding my SSH agent. I shouldn’t ask me for this. Well, if he didn’t add his public key to Kelly’s authorized key file, then of course it will. If he had his public key in the authorized key file, then Kelly’s server would not ask for anything, and just load right up.
Does that make sense? His agent is being forwarded from remote session to remote session never asking for a passphrase or password, as long as the public key is in the authorized keys file. You just need to remember ‘ssh-add’ when logging into Gnome. If logging into KDE or another window manager, then you may need to start the agent:
I am unsure about what window managers you would need to run that command in. I just know with Gnome, you don’t need to worry about it.
No more asking passwords or passphrases when you use SSH. This makes it especially handy when using svn+ssh. If you check in code a lot, this will save you a ton of typing at the shell.
So, there you go. Secure SSH key authentication made simple. You have security first in mind when generating the keys, and supplying a passphrase. You make things simple by using SSH agent to manage your key sessions and your passphrases. Finally, your forward your agent across multiple machines, regardless of how deep, keeping the simplicity and ease of use in mind. The whole time, security is first on the agenda.