SSH: Generating and using SSH keys

One of the preferred methods of authentication on network devices is SSH with an SSH public key.
In order to be able to authenticate yourself, you have to generate an SSH key pair.

An SSH key is composed of two parts: a private key (which should remain "private" and should also be password protected) and a public key, which is installed on the SSH server in order to authenticate you.

SSH client on Linux:

In order to generate an SSH key pair on Linux, you will need the "ssh-keygen" tool, which is part of the "openssh-client" package on Debian-like operating systems:
smocanu@debian7:~$ dpkg -S $(which ssh-keygen)
openssh-client: /usr/bin/ssh-keygen
or part of the "openssh" package on RedHat-like operating systems:
smocanu@centos6 ~$ rpm -qf $(which ssh-keygen)
openssh-5.3p1-94.el6.x86_64
The generation process is quite simple: just run the "ssh-keygen" command and it will ask you for the location of the new key pair files and an "optional" passphrase for the private key. As I said before, you should provide quite a strong password for your private key, but one that you will remember.

If you have problems remembering passwords, you can use a password manager like KeePass.

I will generate a key pair using RSA as the algorithm, 4096 bits long (from my point of view, a minimum of 2048 bits is required, while some equipment will not accept a key shorter than 1028 bits):
smocanu@centos6 ~$ ssh-keygen -t rsa -b 4096 -C smocanu@johnyc20.blogspot.ro
Generating public/private rsa key pair.
Enter file in which to save the key (/home/smocanu/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/smocanu/.ssh/id_rsa.
Your public key has been saved in /home/smocanu/.ssh/id_rsa.pub.
The key fingerprint is:
54:64:e6:6e:a1:6f:d3:38:e3:89:25:3f:86:8d:ae:25 smocanu@centos6
The key's randomart image is:
+--[ RSA 4096]----+
|         .=      |
|         =       |
|        . o      |
|       . o .     |
|        S o      |
|         o o     |
|      E o+O .    |
|       ooB+=     |
|      .oo.+.     |
+-----------------+
smocanu@centos6 ~$ ls -las .ssh/
total 20
4 drwx------. 2 smocanu users 4096 Jun 11 05:00 .
4 drwx------. 3 smocanu users 4096 Dec 24 09:14 ..
4 -rw-------. 1 smocanu users  396 Dec 24 09:50 authorized_keys
4 -rw-------. 1 smocanu users 3311 Jun 11 05:00 id_rsa
4 -rw-r--r--. 1 smocanu users  750 Jun 11 05:00 id_rsa.pub
As the names imply, "id_rsa.pub" is the public key, while "id_rsa" is the private key. Please note the permissions on the private key (it is readable only by the user who owns it).

Now we should test it, and to do that we have to install it on the server. I will use the same machine, the SSH client, as the server as well.
To install the public key on the server, simply copy the content of the "id_rsa.pub" file into the authorized keys file (usually "~/.ssh/authorized_keys" or "~/.ssh/authorized_keys2", depending on your SSH server configuration):
smocanu@centos6 ~$ cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
smocanu@centos6 ~$ cat ~/.ssh/authorized_keys
ssh-rsa [...] smocanu@johnyc20.blogspot.ro
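The generate-and-install steps above, scripted as an added example that is not part of the original post: it creates a passphrase-protected RSA key pair in a directory you name (so it never touches your real ~/.ssh), appends the public half to an authorized_keys file with the owner-only permissions shown in the listing, and then checks that the passphrase really unlocks the key and that the installed entry matches the key file. It assumes only that OpenSSH's ssh-keygen is on PATH; the function names, the target directory and the sample passphrase are mine.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes OpenSSH's ssh-keygen is on
# PATH; function names, paths and the sample passphrase are the example's own.

# make_key DIR PASSPHRASE [BITS] [COMMENT]: create DIR/id_rsa and DIR/id_rsa.pub.
make_key() {
    dir=$1; pass=$2; bits=${3:-4096}; comment=${4:-"example key"}
    mkdir -p "$dir" && chmod 700 "$dir"
    # -N supplies the passphrase non-interactively, -q suppresses the randomart;
    # </dev/null makes ssh-keygen fail instead of prompting if id_rsa exists.
    ssh-keygen -q -t rsa -b "$bits" -N "$pass" -C "$comment" -f "$dir/id_rsa" </dev/null
    chmod 600 "$dir/id_rsa"          # private key: owner read/write only
}

# install_pubkey PUBFILE AUTHFILE: append the public key (the .pub file, never
# the private key) to an authorized_keys file, once; keep the file owner-only.
install_pubkey() {
    pub=$1; auth=$2
    entry=$(awk '{print $1" "$2}' "$pub")     # "ssh-rsa AAAA..." without comment
    touch "$auth" && chmod 600 "$auth"
    grep -qF -- "$entry" "$auth" || cat "$pub" >> "$auth"
}

# key_fingerprint FILE: fingerprint of the first key in FILE as ssh-keygen
# prints it (MD5 colon form on old releases, SHA256:... on current ones).
key_fingerprint() {
    ssh-keygen -lf "$1" | awk 'NR == 1 {print $2}'
}

# check_passphrase KEYFILE PASSPHRASE: succeed only if PASSPHRASE unlocks the
# private key and the public key derived from it equals KEYFILE.pub.
check_passphrase() {
    derived=$(ssh-keygen -y -P "$2" -f "$1" 2>/dev/null | awk '{print $1" "$2}')
    stored=$(awk '{print $1" "$2}' "$1.pub")
    [ -n "$derived" ] && [ "$derived" = "$stored" ]
}

# mode_of FILE: the ten-character permission string from ls, e.g. -rw-------
# (an 11th character such as the SELinux "." seen on CentOS is dropped).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# private_key_ok FILE: true when FILE is readable and writable by its owner only.
private_key_ok() {
    [ "$(mode_of "$1")" = "-rw-------" ]
}

demo() {
    d=${TMPDIR:-/tmp}/sshkeys.$$
    pass="correct horse battery staple"     # sample passphrase for the demo only
    make_key "$d" "$pass" 4096 "smocanu@johnyc20.blogspot.ro"
    install_pubkey "$d/id_rsa.pub" "$d/authorized_keys"
    echo "fingerprint: $(key_fingerprint "$d/id_rsa.pub")"
    check_passphrase "$d/id_rsa" "$pass" && echo "passphrase unlocks the key"
    private_key_ok "$d/id_rsa" && echo "private key permissions: $(mode_of "$d/id_rsa")"
    echo "files are in $d (authorized_keys is what goes into the server's ~/.ssh/)"
}

case "${1:-}" in demo) demo ;; esac
```

Run it as `sh keysetup.sh demo`. The passphrase check uses `ssh-keygen -y`, which re-derives the public key from the private one and therefore fails on a wrong passphrase; comparing its output with the .pub file also catches a .pub that was edited or replaced after generation.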
Now we should be able to authenticate on this SSH server using our newly created key, by passing "-i path_to_the_private_key" to the ssh command:
smocanu@centos6 ~$ ssh -i .ssh/id_rsa smocanu@localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is e2:6d:0c:ef:3b:c8:b8:4a:63:96:4c:81:28:b4:16:90.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
Last login: Wed Jun 11 04:53:14 2014 from 195.90.110.125
smocanu@centos6 ~$
Note that on the first connection to a server you have to accept its fingerprint (the "Are you sure you want to continue connecting" prompt above); it will be saved in the "~/.ssh/known_hosts" file, which will be created if it does not exist already:
smocanu@centos6 ~$ ls -las .ssh/
total 24
4 drwx------. 2 smocanu users 4096 Jun 11 05:16 .
4 drwx------. 3 smocanu users 4096 Dec 24 09:14 ..
4 -rw-------. 1 smocanu users  396 Jun 11 05:16 authorized_keys
4 -rw-------. 1 smocanu users 3311 Jun 11 05:00 id_rsa
4 -rw-r--r--. 1 smocanu users  750 Jun 11 05:00 id_rsa.pub
4 -rw-r--r--. 1 smocanu users  391 Jun 11 05:15 known_hosts
smocanu@centos6 ~$ cat ~/.ssh/known_hosts
localhost ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA9gQ1pMXUa3g9o/gaRE0dCD7hI7SrAc2DMC12oaaJNKYT9VN8HYtAqB31nTsdUiJiJ60typG89deSRrh9MQLlE4w1CwbIx20IlGDo55mI043bofXrTlssiLx40fE43kQPxyjz9zFheAxfbxD+HnFWQIn/nYtm7TPhGzJiZbxnJarsuskywWprO1mZuhSGXPJfi0vdjSekwdVMhog2/dIhEWu4qQ5ETAO0Ii1sLy1qJEwHCn3wRUYttMHq2fRhEn/T7vb997KcFG2xG/B+kohpoc9pMthclQWWTqDT4OxB0D6dpRu7+X6E/NVPf0/5BaFjk+rub3uXwBJVrvxJ+nLgcQ==
If, at some point, you reinstall a server or, for whatever reason, its fingerprint changes, you won't be able to connect to it until you delete the server's old fingerprint.
I will modify the fingerprint of the localhost machine saved in my "~/.ssh/known_hosts" to simulate a fingerprint change:
smocanu@centos6 ~$ sed -i 's/x/X/g' ~/.ssh/known_hosts
After that you won't be able to connect to that server unless you explicitly tell the client that you know what you are doing, by removing the old fingerprint:
smocanu@centos6 ~$ ssh -i .ssh/id_rsa localhost
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
e2:6d:0c:ef:3b:c8:b8:4a:63:96:4c:81:28:b4:16:90.
Please contact your system administrator.
Add correct host key in /home/smocanu/.ssh/known_hosts to get rid of this message.
Offending key in /home/smocanu/.ssh/known_hosts:1
RSA host key for localhost has changed and you have requested strict checking.
Host key verification failed.
smocanu@centos6 ~$ cat .ssh/known_hosts
localhost ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA9gQ1pMXUa3g9o/gaRE0dCD7hI7SrAc2DMC12oaaJNKYT9VN8HYtAqB31nTsdUiJiJ60typG89deSRrh9MQLlE4w1CwbIX20IlGDo55mI043bofXrTlssiLX40fE43kQPXyjz9zFheAXfbXD+HnFWQIn/nYtm7TPhGzJiZbXnJarsuskywWprO1mZuhSGXPJfi0vdjSekwdVMhog2/dIhEWu4qQ5ETAO0Ii1sLy1qJEwHCn3wRUYttMHq2fRhEn/T7vb997KcFG2XG/B+kohpoc9pMthclQWWTqDT4OXB0D6dpRu7+X6E/NVPf0/5BaFjk+rub3uXwBJVrvXJ+nLgcQ==

If you know that the fingerprint of the server has changed, you have to remove the old one, and you can do that by editing the "~/.ssh/known_hosts" file or by using the same tool as before with the "-R" switch.

smocanu@centos6 ~$ ssh-keygen -R localhost
/home/smocanu/.ssh/known_hosts updated.
Original contents retained as /home/smocanu/.ssh/known_hosts.old
smocanu@centos6 ~$ cat .ssh/known_hosts
It goes without saying that if you didn't change anything on your server and you still get the warning above, there is a chance that your server is compromised (or, as the warning itself says, that someone is intercepting the connection).
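The host key checks discussed above (accepting a fingerprint on first contact, the "REMOTE HOST IDENTIFICATION HAS CHANGED" case, and cleaning up with "ssh-keygen -R"), as an added example that is not part of the original post. It compares the key recorded for a host in a known_hosts file with the key the server presents, so that a fingerprint confirmed out of band can be checked by a script instead of by eye, and it rotates the entry only when the change is expected. It assumes only ssh-keygen on PATH; since nothing is contacted over the network, locally generated key pairs stand in for the server's old and new host keys, and the host names, file names and function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes OpenSSH's ssh-keygen is on
# PATH; host names, file names and function names are the example's own.

# fingerprint_of PUBFILE: fingerprint of the key a server presents (here a
# locally generated .pub file stands in for it).
fingerprint_of() {
    ssh-keygen -lf "$1" | awk 'NR == 1 {print $2}'
}

# recorded_fingerprint KNOWN_HOSTS HOST: fingerprint of HOST's entry, or nothing
# if HOST is not in the file. ssh-keygen -lf prints one line per entry:
# "<bits> <fingerprint> <host> (<type>)" (plain, not hashed, host names assumed).
recorded_fingerprint() {
    ssh-keygen -lf "$1" 2>/dev/null | awk -v h="$2" '$3 == h {print $2; exit}'
}

# verify_host KNOWN_HOSTS HOST PUBFILE: exit 0 when the recorded key matches the
# presented one, 2 when HOST is unknown (first contact: confirm the fingerprint
# with the server's administrator out of band, then record_host), 1 when the
# key differs (the "REMOTE HOST IDENTIFICATION HAS CHANGED" situation).
verify_host() {
    recorded=$(recorded_fingerprint "$1" "$2")
    presented=$(fingerprint_of "$3")
    [ -z "$recorded" ] && return 2
    [ "$recorded" = "$presented" ]
}

# record_host KNOWN_HOSTS HOST PUBFILE: append HOST's key (type and blob only).
record_host() {
    printf '%s %s\n' "$2" "$(awk '{print $1" "$2}' "$3")" >> "$1"
}

# rotate_host KNOWN_HOSTS HOST PUBFILE: for an expected change (reinstall), drop
# the stale entry with ssh-keygen -R (which keeps KNOWN_HOSTS.old) and record
# the new key. Never do this just to silence the warning.
rotate_host() {
    ssh-keygen -R "$2" -f "$1" >/dev/null 2>&1
    record_host "$1" "$2" "$3"
}

demo() {
    d=${TMPDIR:-/tmp}/hostkeys.$$
    mkdir -p "$d" && : > "$d/known_hosts"
    kh=$d/known_hosts
    # two locally generated keys stand in for the server's key before and after
    # a reinstall; -N "" because they play the role of unencrypted host keys
    ssh-keygen -q -t rsa -b 2048 -N "" -C "old host key" -f "$d/old" </dev/null
    ssh-keygen -q -t rsa -b 2048 -N "" -C "new host key" -f "$d/new" </dev/null
    verify_host "$kh" localhost "$d/old.pub" || echo "rc=$?: unknown host, confirm $(fingerprint_of "$d/old.pub") out of band"
    record_host "$kh" localhost "$d/old.pub"
    verify_host "$kh" localhost "$d/old.pub" && echo "rc=0: recorded key matches"
    verify_host "$kh" localhost "$d/new.pub" || echo "rc=$?: key changed, recorded $(recorded_fingerprint "$kh" localhost), presented $(fingerprint_of "$d/new.pub")"
    rotate_host "$kh" localhost "$d/new.pub"
    verify_host "$kh" localhost "$d/new.pub" && echo "rc=0: entry rotated, old file kept as $kh.old"
}

case "${1:-}" in demo) demo ;; esac
```

Run it as `sh hostkeys.sh demo`. The three exit codes of verify_host map onto the three situations the post walks through: first contact, a matching entry, and a changed key; only the first and the last need a human decision, and in the last case the decision belongs to whoever administers the server, not to the person who wants the warning gone.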

If you are using a Linux workstation and you don't want to type the password for your SSH key every time you connect to a server, you can use an agent. On RedHat-like operating systems it is provided by the "openssh-clients" package:
smocanu@centos6 ~$ rpm -qf $(which ssh-agent)
openssh-clients-5.3p1-94.el6.x86_64

And on Debian-like operating systems it is provided by the "openssh-client" package:
smocanu@debian7:~$ dpkg -S $(which ssh-agent)
openssh-client: /usr/bin/ssh-agent
To use it, you just need to run the "ssh-add" command with your private key as parameter and provide the password for the key (the agent itself must already be running):
smocanu@centos6 ~$ ssh-add .ssh/id_rsa
Enter passphrase for .ssh/id_rsa:
Identity added: .ssh/id_rsa (.ssh/id_rsa)
smocanu@centos6 ~$ ssh-add -l
4096 54:64:e6:6e:a1:6f:d3:38:e3:89:25:3f:86:8d:ae:25 .ssh/id_rsa (RSA)
smocanu@centos6 ~$
After that you should be able to authenticate to your servers without any explicit reference to your key:
smocanu@centos6 ~$ ssh smocanu@localhost
Last login: Wed Jun 11 05:25:03 2014 from 127.0.0.1
smocanu@centos6 ~$
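The agent lifecycle behind the ssh-add session above, as an added example that is not part of the original post: starting a private agent for the current shell (the "Could not open a connection to your authentication agent" error you get from ssh-add when none is running), loading a key with a bounded lifetime, listing and removing keys, and stopping the agent again. It assumes OpenSSH's ssh-agent and ssh-add on PATH; the function names and the default lifetime are mine.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes OpenSSH's ssh-agent and
# ssh-add are on PATH; function names and the default lifetime are the
# example's own.

# agent_start: launch an agent for this shell. ssh-agent -s prints the export
# lines for SSH_AUTH_SOCK and SSH_AGENT_PID; eval applies them here.
agent_start() {
    eval "$(ssh-agent -s)" >/dev/null
}

# agent_add KEYFILE [SECONDS]: load a private key, asking for its passphrase if
# it has one. -t bounds how long the unlocked key stays usable (default 8 hours),
# so a forgotten agent does not keep the key available indefinitely.
agent_add() {
    ssh-add -t "${2:-28800}" "$1"
}

# agent_key_count: number of identities loaded. ssh-add -l prints one line per
# key starting with the bit count and exits 1 when there are none, so count
# those lines rather than relying on the exit status.
agent_key_count() {
    ssh-add -l 2>/dev/null | grep -c '^[0-9]' || true
}

# agent_clear: remove every loaded key (e.g. before leaving the workstation).
agent_clear() {
    ssh-add -D 2>/dev/null
}

# agent_stop: kill the agent started by agent_start and drop its variables.
agent_stop() {
    ssh-agent -k >/dev/null 2>&1
    unset SSH_AUTH_SOCK SSH_AGENT_PID
}

demo() {
    agent_start
    echo "agent listening on $SSH_AUTH_SOCK (pid $SSH_AGENT_PID)"
    agent_add "${1:-$HOME/.ssh/id_rsa}" 3600      # prompts for the passphrase
    echo "loaded keys: $(agent_key_count)"
    ssh-add -l
    agent_clear
    echo "after ssh-add -D: $(agent_key_count) keys"
    agent_stop
}

case "${1:-}" in demo) demo "${2:-}" ;; esac
```

Run it as `sh agent.sh demo [path-to-private-key]`. The agent started this way lives only as long as the shell keeps its variables, which is why the demo ends with `ssh-agent -k`; an agent left running with an unlocked key is exactly what the `-t` lifetime is there to limit.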

SSH client on Windows:

If you are using Windows, you can use a collection of tools called PuTTY to generate the SSH keys and to connect to an SSH server.
The tool used to generate the SSH key pair is called "PuTTYgen" and it has a very intuitive GUI:
[Screenshot: PuTTYgen1]
You have to select the type of the key (1) and the number of bits (2), and then press the "Generate" (3) button.
While the keys are being generated, note that you have to move the mouse over the indicated area.
Once this process is finished, your keys are ready to use:
[Screenshot: PuTTYgen2]
First of all, insert a meaningful comment (1) for the key and, second, select a strong password for the key (2).
Now you can save (3) your private key to a safe place; don't save it on your desktop, the preferred place is an encrypted file system.
You should also save the OpenSSH public key (4); make sure you double-click on the text to select the whole key.
Now you can install the public key on the server and use the newly created private key to authenticate on the server:
[Screenshot: Putty - Session]
First, enter the IP address (1) of your server and, second, enter a description for that session (2).
Now choose the SSH key that should be used to authenticate you on that server: expand "Connection" (3), "SSH" (4) and "Auth" (5).
[Screenshot: Putty - Connection->SSH->Auth]
Choose the path (6) to the private key and you are ready to connect to the server using your newly created SSH key.
If you would like to save this session, so you don't have to enter all of the above parameters again, go back to the "Session" (7) options; you are now at the previous screen (Putty - Session), where you should press "Save" (8) and finally "Open" (9).
Now you should be connected to your server, and it should ask you to type your username and the password of the private key.

All the above settings can be simplified if you choose to use an SSH agent. PuTTY provides an agent called "Pageant". Once opened, it will remain open and you should be able to access it from the task tray.
Right-click (1) on its icon in the task tray and select "Add key" (2):
[Screenshot: Pageant - task tray]
Browse to the private key, select it and enter the password you chose earlier. Now your key should be added to your agent. You can check that by selecting the "View Keys" option from the same menu; a "Pageant Key List" window should appear and display your key:
[Screenshot: Pageant - View Keys]


One last thing about SSH and Windows: if you use many SSH sessions on your Windows machine, you should check out a PuTTY session manager like PuTTYCM or SuperPuTTY.