Monday, July 26, 2010

Quickstart: SSH Public Key Infrastructure

The following quickstart was copied from http://uaahosting.uaa.alaska.edu/axjww/sshkey/


By Jim Weller


The purpose of this document is to quickly step you through public key
authentication, so that you connect to servers over the SSH2 protocol
without sending a password. This document is unique in that it unifies all
the clients and servers under a single identity: one key pair, converted
into the format each client and server expects. The notes are very terse
and expect that you'll follow along with the videos and only use the
notes as a supplement.


Prerequisites



  1. Commercial SSH client version 3.2 or higher installed.

    ftp://ssh.com/pub/ssh

  2. Commercial SSH Accession agent

    ftp://ssh.com/pub/accession

  3. PuTTY SSH2 Client Suite

    http://www.chiark.greenend.org.uk/~sgtatham/putty/

  4. OpenSSH environment. Cygwin shown here, but Linux, Mac OS X, BSD, Solaris and many others apply

    http://www.cygwin.com/


Video Guides




Terse Text Notes



Generating Private and Public Keys

A - Pick a strong passphrase. You'll need to remember it because you'll type it
a couple of times during this setup and once per Windows login after that
(when you load the key into the agent).

B - Generate a key using the commercial SSH client.
1 edit->settings->keys->new key
Key Type: DSA
Key Length: 2048
NEXT>
Name: dsa2048_commssh
Password: leave blank (the conversion step below needs an unencrypted key;
you'll add the passphrase right after)
Comment: leave blank

Note that this guide predates the retirement of DSA: OpenSSH 7.0 (2015) and
later refuse ssh-dss keys by default. On a current system generate an RSA or
Ed25519 key instead and substitute its file names in the steps below.

C - Convert the key to OpenSSH private key format and set a passphrase
on it. You'll have to move the key you created above to a location
where you can use ssh-keygen from the OpenSSH package: either Cygwin,
an OpenSSH Unix box (Linux/Mac) or whatever you have handy. The key is
unencrypted at this point, so do this on a machine you trust and delete
any stray copies afterwards.

# keep the converted private key readable by you alone
umask 077
# import the (unencrypted) ssh.com private key as an OpenSSH private key
ssh-keygen -i -f dsa2048_commssh > dsa2048_openssh
chmod 600 dsa2048_openssh
# derive the OpenSSH public key from the private key
ssh-keygen -y -f dsa2048_openssh > dsa2048_openssh.pub
# export the OpenSSH public key in ssh.com (RFC 4716) format
ssh-keygen -e -f dsa2048_openssh.pub > dsa2048_commssh.pub
# finally put a passphrase on the OpenSSH private key; let ssh-keygen prompt
# for it rather than passing -N on the command line, which would leave the
# passphrase in your shell history and visible in the process list
ssh-keygen -p -f dsa2048_openssh

D - Go back to the commercial SSH client and set the same passphrase on its
copy of the key, so that all three copies unlock with one passphrase.

E - Use puttygen to load the OpenSSH private key and save it as a PuTTY
.ppk key, setting the same passphrase while doing it. You only need to save
the private key; PuTTY and Pageant do not need a separate public key file.

Now you have three copies of the same private key, one in each client's
file format, all protected by the same passphrase. The private keys must
be kept very secure. Never share them or leave them lying around, and keep
them readable by you alone (mode 600 on Unix). Make a backup copy to put
in a vault, firebox, or ziploc bag.

You also have two public key files, one for each brand of server. These
need not be kept secret; you'll share them with the servers you want to
connect to. As shown above, you can always re-create the public keys from
the private key. Do protect them from tampering, though: whatever public
key ends up in a server's authorization file is what that server will
trust for your account.

Just remember: the server gets the public key of its flavor, and the
client uses the private key of its flavor.
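The two public key files really are one key in two wrappers: the OpenSSH
file is a single line "type base64 [comment]", while the ssh.com file is the
RFC 4716 block that ssh-keygen -e writes (a ---- BEGIN line, an optional
Comment: header, the same base64 folded at 70 columns, a ---- END line).
The POSIX shell functions below are an added example and are not from the
original page or from either SSH project: openssh_to_rfc4716 does the
public-key conversion by hand, and same_key checks whether two files, in
either format, carry the same key blob. The function names are my own and
EXAMPLE_KEY is constructed filler with an ssh-dss prefix, not a real key.

```sh
#!/bin/sh
# Added example, not from the original page: the OpenSSH one-line public key
# and the ssh.com / RFC 4716 block carry the same base64 blob; only the
# wrapping differs. Pure POSIX sh plus fold/awk/grep/tr, no ssh-keygen needed.

# Constructed sample: "ssh-dss" base64 prefix followed by filler, NOT a real key.
EXAMPLE_KEY='ssh-dss AAAAB3NzaC1kc3MAAACBconstructedEXAMPLEkeyNOTaREALkeyconstructedEXAMPLEkeyNOTaREALkeyconstructedEXAMPLEkeyNOTaREALkeyAAAA jim@example'

# openssh_to_rfc4716 "type base64 [comment]"
#   prints the equivalent ssh.com (RFC 4716) public key block
openssh_to_rfc4716() {
    rest=${1#* }                      # strip the key type field
    b64=${rest%% *}                   # base64 blob
    comment=${rest#* }                # optional comment after the blob
    [ "$comment" = "$rest" ] && comment=""
    printf '%s\n' '---- BEGIN SSH2 PUBLIC KEY ----'
    if [ -n "$comment" ]; then
        printf 'Comment: "%s"\n' "$comment"
    fi
    printf '%s\n' "$b64" | fold -w 70 # RFC 4716 lines are at most 72 columns
    printf '%s\n' '---- END SSH2 PUBLIC KEY ----'
}

# key_blob FILE
#   prints the bare base64 blob from a file in either format
key_blob() {
    if grep -q '^---- BEGIN SSH2 PUBLIC KEY ----' "$1"; then
        # drop the ---- lines and any "Name: value" header; base64 has no ':'
        grep -v '^----' "$1" | grep -v ':' | tr -d ' \t\r\n'
    else
        awk 'NR == 1 { print $2 }' "$1"
    fi
}

# same_key FILE1 FILE2
#   succeeds only if both files hold the same key material
same_key() {
    a=$(key_blob "$1")
    b=$(key_blob "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Demo: print the ssh.com-style block for the constructed key.
openssh_to_rfc4716 "$EXAMPLE_KEY"
```

same_key is the check to run when a server rejects your key: if the file
you pasted into authorized_keys or ~/.ssh2 does not match the .pub file next
to your private key, the paste (or a line-wrapped copy) is the problem, not
the key.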



Making the Connection

Here are all the connection combinations

c - commercial ssh
o - openssh
p - putty

Client -> Server
----------------
c -> c
o -> c
p -> c

c -> o
o -> o
p -> o


You don't have to learn all six. You just need to learn 5 things. 2
ways to put public keys on servers and 3 clients to connect using
private keys.


Servers

You have to connect to the server at least once with a password in
order to perform these operations. Very high security environments
might have someone else do this for you. Either way, you have
to have your account on the server configured to accept your
public key.

1 - OpenSSH server

connect to the server (with your password, this once)
# mkdir -p ~/.ssh
# chmod 700 ~/.ssh
copy the OpenSSH public key file (dsa2048_openssh.pub) to the server and
append it to ~/.ssh/authorized_keys, one key per line
# cat dsa2048_openssh.pub >> ~/.ssh/authorized_keys
# chmod 600 ~/.ssh/authorized_keys
With its default StrictModes setting, sshd silently ignores the file if
your home directory, ~/.ssh or authorized_keys is writable by group or
others, so check those permissions if key login does not work.

2 - Commercial SSH server

connect to the server (with your password, this once)
# mkdir ~/.ssh2
# chmod 700 ~/.ssh2
copy the commercial SSH public key file (dsa2048_commssh.pub) into ~/.ssh2
as its own file
add a line to the ~/.ssh2/authorization file that references that key
# echo 'Key dsa2048_commssh.pub' >> ~/.ssh2/authorization
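The OpenSSH server step above is the one people get wrong (group-writable
home directory, authorized_keys created with the wrong mode, the same key
pasted twice). The shell function below is an added example, not from the
original page or from OpenSSH: it installs one public key line into
~/.ssh/authorized_keys idempotently and with the permissions sshd's
StrictModes check expects. The function names are my own, it reads HOME
so it can be tried against a scratch directory, and the key lines in the
usage notes are constructed, not real keys.

```sh
#!/bin/sh
# Added example, not from the original page: do the "OpenSSH server" step
# safely. Appends one OpenSSH public key line to ~/.ssh/authorized_keys,
# creates the directory and file with the permissions sshd's StrictModes
# requires (.ssh 700, authorized_keys 600, home not group/world writable)
# and refuses to add the same key twice. HOME is honoured so it can be
# exercised against a scratch directory.

# install_authorized_key PUBKEY_FILE   (exit 0 on success or already present)
install_authorized_key() {
    pub=$1
    sshdir=${HOME:?}/.ssh
    auth=$sshdir/authorized_keys

    # Accept only a single "type base64 [comment]" line; anything else
    # (a private key, an RFC 4716 block) is refused rather than appended.
    line=$(head -n 1 "$pub")
    case $line in
        'ssh-rsa '*|'ssh-dss '*|'ssh-ed25519 '*|'ecdsa-sha2-'*' '*) ;;
        *) echo "not an OpenSSH public key line: $pub" >&2; return 1 ;;
    esac

    # StrictModes makes sshd ignore authorized_keys if the home directory is
    # writable by group or others; warn now rather than fail silently later.
    case $(ls -ld "$HOME" | cut -c6,9) in
        *w*) echo "warning: $HOME is group/world writable; sshd will ignore the key" >&2 ;;
    esac

    ( umask 077; mkdir -p "$sshdir"; touch "$auth" )   # owner-only from creation
    chmod 700 "$sshdir"
    chmod 600 "$auth"

    # Dedupe on type+blob so a re-exported key with a new comment is not added twice.
    want=$(printf '%s\n' "$line" | awk '{ print $1 " " $2 }')
    if awk -v want="$want" '($1 " " $2) == want { found = 1 } END { exit !found }' "$auth"; then
        echo "key already present in $auth" >&2
        return 0
    fi
    printf '%s\n' "$line" >> "$auth"
}

# count_authorized_keys   prints the number of key lines in authorized_keys
count_authorized_keys() {
    auth=${HOME:?}/.ssh/authorized_keys
    [ -f "$auth" ] || { echo 0; return 0; }
    grep -c -E '^(ssh-|ecdsa-)' "$auth" || true
}
```

On the server, after copying the public key over, run
install_authorized_key dsa2048_openssh.pub; running it again with the same
key (even with a different comment) changes nothing, and a warning on stderr
about the home directory means sshd will not honour the key until that
directory is made non-writable by group and others.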

Clients

By default you have to unlock your key every time you connect to a
server: the passphrase decrypts the private key file on your machine, and
the client then proves it holds the key by signing a challenge from the
server. Neither the passphrase nor the private key ever goes over the
wire; only the public key and the signature do. Typing the passphrase for
every connection is a pain, though. That's why all three clients have an
"agent" which runs in the background on your computer, holds the unlocked
keys in memory and signs on the client's behalf. It's very convenient.

COOL!: Once the agent holds the key you can eject your USB keychain; the
key file is no longer needed. The key stays usable until you 1 kill the
agent, 2 exit your Windows session (killing the agent), or 3 remove the
key from the running agent. While it is loaded, anything that can talk to
the agent (including an administrator on your machine) can use it, so
unload keys or stop the agent when you walk away.

1 - PuTTY and Pageant
start pageant.exe
right click the icon->add key
browse for your .PPK key
select the PPK key
type the key's password
launch putty sessions to servers having the key

2 - Commercial SSH Client and Accession
start accession
click add key
browse for your dsa2048_commssh
type the key's password
launch commercial ssh sessions to servers having the key

3 - OpenSSH client, ssh-agent, and ssh-add

# start an agent with a login shell under it (bash --login could be X, xterm, etc.)
ssh-agent bash --login
# load the key from the USB stick (you'll be asked for its passphrase);
# -t 8h is optional and makes the agent forget the key after eight hours
ssh-add -t 8h /YourUsbKeyStore/dsa2048_openssh
# launch openssh sessions to servers having the key
# later: list loaded keys, drop one (named by its .pub file), or drop all
ssh-add -l
ssh-add -d /YourUsbKeyStore/dsa2048_openssh.pub
ssh-add -D





Getting your public key into banner
-----------------------------------
prod.alaska.edu (aka Toklat) is a commercial SSH server. So all the
notes I presented earlier about commercial ssh servers still apply.
prod.alaska.edu differs because statewide does not give you a standard
shell like bash or csh. They give you a homegrown menu system that
keeps you in a sandbox.

S for shell commands
D for directory commands
2-y-.ssh2 to make the .ssh2 directory
1-y-.ssh2 to change to the .ssh2 directory
R to return to the main menu
4 or 5-y-mykey.pub to edit a file with emacs or vi respectively (this is the jim.pub file from the videos). Paste your commercial SSH public key (dsa2048_commssh.pub) into the file.
4 or 5-y-authorization to edit the authorization file and add the line 'Key mykey.pub' to it, just like in the videos.

You're done. You should be able to SSH in using public key
authentication. I don't know yet how this relates to your password on
glacier, but I assume you'll never need to worry about it, which is
fine as this is a billion times more secure.

1 comment:

  1. Cool! Thanks a lot for sharing this easy-to-follow guide to generating public and private keys, and the video links too, which explain the complete creation process. I am glad that I have found such an informative post.
    public key infrastructure
