Sonny J Zambrana University of Pennsylvania ISC-SEO November 2008
Agenda
- Overview of SSH Keys
- Pros/Cons of using SSH Keys
- How to Create and Use Keys
- Authentication Details
- Security
- Troubleshooting
- Online Documentation
- Open Discussion
Overview
What is SSH key authentication?
SSH is a protocol for secure, remote logins and file copying. Key authentication lets you prove your identity to a remote host using a cryptographic key instead of a login password. SSH keys are more secure than passwords because keys are never transmitted over the network, whereas passwords are (albeit encrypted). An SSH key is actually a matched pair of keys stored in two files. The private or secret key remains on the client machine. The public key is copied to the remote (server) machine. When establishing a connection, the SSH client and server perform a complex negotiation based on the private and public key, and if they match (in a cryptographic sense), your identity is proven and the connection succeeds.
Pros/Cons
Pros:
- Secure passwordless authentication
- Users no longer need to know credentials
- Scripts no longer require a password file
- Reduces the risk of remote exploits due to weak credentials
Cons:
- Unwanted access to other remote accounts
- Difficult to maintain multiple keys
- If compromised, the key needs to be replaced in several locations
Creating SSH Keys
Definition: An RSA key pair must be generated on the client system. The public portion of this key pair will reside on the servers being connected to, while the private portion must remain in a secure local area of the client system. The key pair is generated with the ssh-keygen utility.
Steps:
1. The user must generate a key pair.
2. The user (or administrator) must place the public key on the appropriate server.
Creating SSH Keys Cont.
Create a 2048 bit RSA key on the client:
  /usr/bin/ssh-keygen -t rsa
  Generating public/private rsa key pair.
  Enter file in which to save the key (/home/user/.ssh/id_rsa):
  Created directory '/home/user/.ssh'.
  Enter passphrase (empty for no passphrase):
  Enter same passphrase again:
  Your identification has been saved in /home/user/.ssh/id_rsa.
  Your public key has been saved in /home/user/.ssh/id_rsa.pub.
  The key fingerprint is:
  c7:2a:ac:0f:24:ad:ee:93:fe:e2:45:04:9c:c3:b6:7e
Creating SSH Keys Cont.
Create/Modify the public key on the server:
1. Transfer the /home/user/.ssh/id_rsa.pub file to the server you want to connect to.
   /usr/bin/scp /home/user/.ssh/id_rsa.pub
2. Log in to the server as the ID you want to use the public key for.
3. Concatenate the contents of id_rsa.pub to /home/user/.ssh/authorized_keys:
   /bin/cat /home/user/id_rsa.pub >> /home/user/.ssh/authorized_keys
4. Remove the public key file:
   /bin/rm /home/user/id_rsa.pub
Using SSH Keys
Test Authentication:
- Log in to the client where you created the key.
- Try to connect to the server where you copied the public key using the /usr/bin/ssh command.
- If you are successful you will not be prompted for a password. If you are prompted for a password, verify that the steps have been followed correctly. If you are still prompted, review the troubleshooting slide.
- Otherwise, congratulations! You have successfully set up SSH public key authentication.
Authentication Details
Things to know about key authentication:
- Uses a cryptographic key instead of a login password.
- More secure since the keys are never passed over the network.
- Concatenate … Do not overwrite ~/.ssh/authorized_keys on the server.
- Servers that you are connecting to must be in ~/.ssh/known_hosts on the client prior to any batch running.
- Use FQDNs instead of short host names when connecting from the client. The system considers depot, depot.isc-seo and depot.isc-seo.upenn.edu to be three different hosts.
- Developers are responsible for creating keys on test systems. SEO is responsible for creating keys on the equivalent production systems.
Security
- Always use 2048 bit RSA encryption. This is the strongest, fastest and most reliable encryption method that the industry offers.
- DSA keys can also be used, but DSA is slower than RSA. This method is only required when sending encrypted files out of the country and will only be used for those special cases.
- Be responsible: do not share the private key with anyone or any other account, no exceptions!
- If the client account is compromised, the client needs to complete the following tasks:
  – Generate a new key pair.
  – Remove references to the old key pair on the client and on the servers that it connects to.
  – Distribute the new public key to every server it connects to.
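The server-side half of both procedures above, the "concatenate, never overwrite" install step and the remove-the-old-key step of the rotation, as an added example that is not part of the presentation. The helper names (install_pubkey, revoke_pubkey, has_key, count_keys) and the sample keys are constructed for the example; entries are matched on key type and key material only, so comments and leading options on the server's copy do not matter.

```shell
#!/bin/sh
# Added example, not from the presentation. Two server-side helpers for the
# authorized_keys file: install_pubkey performs the "concatenate, never
# overwrite" step of the setup slide idempotently, and revoke_pubkey removes a
# compromised key as part of the rotation on the Security slide. Entries are
# matched on key type and key material only, so the comment field and any
# leading options such as from="..." on the server's copy are ignored.

# Number of key entries in an authorized_keys file (non-blank, non-comment lines).
count_keys() {
    awk 'NF && $1 !~ /^#/ { n++ } END { print n + 0 }' "$1"
}

# Print the lines of file $1 that do NOT carry key $2 ("type material [comment]").
_lines_without_key() {
    t=$(printf '%s\n' "$2" | awk '{ print $1 }')
    d=$(printf '%s\n' "$2" | awk '{ print $2 }')
    awk -v t="$t" -v d="$d" '
        { keep = 1
          for (i = 1; i < NF; i++) if ($i == t && $(i + 1) == d) keep = 0
          if (keep) print }' "$1"
}

# True when file $1 exists and already contains key $2.
has_key() {
    [ -f "$1" ] || return 1
    [ "$(_lines_without_key "$1" "$2" | awk 'END { print NR }')" -lt \
      "$(awk 'END { print NR }' "$1")" ]
}

# install_pubkey /home/user/.ssh/authorized_keys "ssh-rsa AAAA... user@client"
# Creates ~/.ssh (700) and the file (600) if missing, then appends the key once.
install_pubkey() {
    ak="$1"; key="$2"
    mkdir -p "$(dirname "$ak")" && chmod 700 "$(dirname "$ak")"
    [ -f "$ak" ] || { : > "$ak"; chmod 600 "$ak"; }
    has_key "$ak" "$key" || printf '%s\n' "$key" >> "$ak"
}

# revoke_pubkey /home/user/.ssh/authorized_keys "ssh-rsa AAAA... user@client"
# Removes every entry carrying that key; returns 1 if none was present.
revoke_pubkey() {
    ak="$1"; key="$2"
    has_key "$ak" "$key" || return 1
    tmp="$ak.tmp.$$"
    _lines_without_key "$ak" "$key" > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 600 "$tmp"
    mv "$tmp" "$ak"   # atomic replace: a concurrent login never sees a half-written file
}
```

Run revoke_pubkey on every server the old key was distributed to, then install_pubkey with the new key; the same script works on AIX and Linux because it uses only sh, awk and coreutils.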
Troubleshooting
Things to know:
- If you are still being prompted for a password, verify that the steps have been completed successfully.
- Verify that the permissions of the ~/.ssh directory are 700 (rwx------) on both the client and the server.
- Verify that the home directory is writable only by the user and not by the group/world.
- Verify that the account has not been locked due to too many failed login attempts.
- Some cases have shown that the account may have remote login disabled.
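A permission audit for the conditions on this slide, as an added example that is not part of the presentation. It goes one step beyond the slide and also checks authorized_keys (sshd's StrictModes rejects a group/world-writable file) and the private key (ssh refuses a key file other users can read); the function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the presentation: audit the permission problems the
# troubleshooting slide lists, on the client or the server, given the
# account's home directory. Beyond the slide it also checks authorized_keys
# (sshd StrictModes) and the private key (ssh refuses an over-permissive key).
# Usage: check_ssh_perms /home/user     (exit 0 = all checks passed)

# Permission bits of a path as an octal string, e.g. 700 (GNU stat, BSD fallback).
mode_of() {
    m=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    printf '%03o\n' $(( 0$m & 0777 ))
}

# True when group or other has a write bit (022 = --w--w-).
group_or_world_writable() {
    [ $(( 0$(mode_of "$1") & 022 )) -ne 0 ]
}

check_ssh_perms() {
    home="$1"; status=0
    fail() { echo "FAIL: $*"; status=1; }
    sshdir="$home/.ssh"

    group_or_world_writable "$home" &&
        fail "$home is group/world writable (mode $(mode_of "$home"))"
    if [ ! -d "$sshdir" ]; then
        fail "$sshdir does not exist"
    elif [ "$(mode_of "$sshdir")" != 700 ]; then
        fail "$sshdir is mode $(mode_of "$sshdir"), expected 700 (rwx------)"
    fi
    [ -f "$sshdir/authorized_keys" ] && group_or_world_writable "$sshdir/authorized_keys" &&
        fail "$sshdir/authorized_keys is group/world writable"
    # Private key: no bits at all for group or other (077 = ---rwxrwx).
    if [ -f "$sshdir/id_rsa" ] && [ $(( 0$(mode_of "$sshdir/id_rsa") & 077 )) -ne 0 ]; then
        fail "$sshdir/id_rsa is mode $(mode_of "$sshdir/id_rsa"), must be 600 or 400"
    fi
    [ "$status" -eq 0 ] && echo "OK: $home passes all SSH permission checks"
    return "$status"
}
```

Run it as the account on the client and again on the server before looking at locked accounts or disabled remote login, since a loose mode silently makes sshd fall back to a password prompt.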
Documentation
Presentation: https://www.mr.isc-seo.upenn.edu/Pages/Documentation.aspx
FAQ: https://www.mr.isc-seo.upenn.edu/Pages/Documentation.aspx
Help Distribution List
Man Pages: type ‘man ssh-keygen’ on any AIX/Linux server