Skip to main content

Quickstart: SSH Public Key Infrastructure

The following quickstart was copied from http://uaahosting.uaa.alaska.edu/axjww/sshkey/


By Jim Weller


The purpose of this document is to quickly step you through using
passwordless authentication to connect to servers using the SSH2
protocol. This document is unique in that it unifies all the clients
and servers under a single identity. This document is very coarse
and expects that you'll follow along with the videos and only
use the notes as a supplement.


Prerequisites



  1. Commercial SSH client version 3.2 or higher installed.

    ftp://ssh.com/pub/ssh

  2. Commercial SSH Accession agent

    ftp://ssh.com/pub/accession

  3. PuTTY SSH2 Client Suite

    http://www.chiark.greenend.org.uk/~sgtatham/putty/
  4. OpenSSH environment. Cygwin shown here, but Linux, Mac X, BSD, Solaris and many others apply

    http://www.cygwin.com/


Video Guides




Terse Text Notes



Generating Private and Public Keys

A - Pick a strong password. You'll need to remember it because you'll type it
a couple of times during this setup and once every windows login after that.

B - Generate a key using commercial SSH.
       1 edit->settings->keys->new key
          Key Type: DSA
          Key Length: 2048
          NEXT>
          name: dsa204_commssh
          Pasword: leave blank
          Comment: leave blank

C - convert the key to openssh private key format and set a password
on it. You'll have to move the key you created above to a location
where you can use ssh-keygen from the openssh package. Either cygwin
or an openssh unix box (like linux/mac) or whatever you have handy.

       # convert commercialssh private to openssh private
       ssh-keygen -i -f dsa1024_commercial > dsa1024_openssh
       # convert openssh private to opensshpublic
       ssh-keygen -y -f dsa1024_openssh > dsa1024_openssh.pub
       # convert openssh public to commercialssh public
       ssh-keygen -e -f dsa1024_openssh.pub > dsa1024_commercial.pub
       # finally set a password on openssh private
       ssh-keygen -p -N password -f dsa1024_openssh
     
D - go back to commercial ssh and change to the password to match.

E - Use puttygen to convert the openssh key to a putty key. Set your
password while doing it. You only need to save a private key.

Now you have 3 identical private key files with the same passphrase
for each of the three different clients. The private keys must be
kept very secure. Never share them or leave them lying around. Make a
backup copy to put in a vault, firebox, or ziploc bag.

You also have two public key files, one for each brand of server.
These are not critical files. You'll share them with the servers you
want to connect to. As shown above, you can always re-create the
public keys from the private keys.

Just remember the server gets the public key of its flavor. The client
uses the private key of its flavor.



Making the Connection

Here are all the connection combinations

c - commercial ssh
o - openssh
p - putty

Client -> Server
----------------
c -> c
o -> c
p -> c

c -> o
o -> o
p -> o


You don't have to learn all six. You just need to learn 5 things. 2
ways to put public keys on servers and 3 clients to connect using
private keys.


Servers

You have to connect to the server at least once with a password in
order to perform these operations. Very high security environments
might have someone else do this for you. Either way, you have
to have your account on the server configured to accept your
public key.

1 - OpenSSH server

connect to the server
# mkdir .ssh
# chmod 700 .ssh
# cd .ssh
copy the OpenSSH public key file and append it to authorized_keys

2 - Commercial SSH server

connect to the server
# mkdir .ssh2
# chmod 700 .ssh2
# cd .ssh2
copy the commercial ssh public key file and put it in it's own file on the server
add a line to the authorization file to reference your key

Clients

By default you have to authenticate against your key every time you
connect to a server. This is good for security because you never send
a password over the wire; just big complex key strings. It's a pain
for you though. That's why most clients have an "agent" which runs in
the background on your computer and remembers the keys you
authenticated against. It's very convenient.

COOL!: Once the ssh-agent is running. You can eject your USB keychain. The
authentication ends when either you 1 kill the agent 2 exit your windows session
(killing the agent) 3 deallocate the key from the running agent.

1 - PuTTY and Pageant
start pageant.exe
right click the icon->add key
browse for your .PPK key
select the PPK key
type the key's password
launch putty sessions to servers having the key

2 - Commercial SSH Client and Accession
start accession
click add key
browse for your dsa2048_commssh
type the key's password
launch commercial ssh sessions to servers having the key

3 - OpenSSH client, ssh-agent, and ssh-add

ssh-agent bash -login
# bash -login could be another program like X or xterm or login
ssh-add /YourUsbKeyStore/dsa2048_openssh
# type your password
# launch openssh sessions to servers having the key




Getting your public key into banner
-----------------------------------
prod.alaska.edu (aka Toklat) is a commercial SSH server. So all the
notes I presented earlier about commercial ssh servers still apply.
prod.alaska.edu differs because statewide does not give you a standard
shell like bash or csh. They give you a homegrown menu system that
keeps you in a sandbox.

S for shell commands
D for directory commands
2-y-.ssh2 to make the .ssh2 directory
1-y-.ssh2 to change to the .ssh2 directory
R to return to the main menu
4 or 5-y-mykey.pub to edit a file with emacs or vi respectively (this is the jim.pub file from the videos). Paste your commercial public key into the file
4 or 5-y-authorization add 'Key mykey.pub' to this file just like in the videos

You're done. You should be able to SSH in using public key
authentication. I don't know yet how this relates to you password on
glacier, but I assume you'll never need to worry about it which is
fine as this is a billion times more secure.
Labels:

Comments

  1. AndreaMarch 12, 2012 at 9:37 AM

    Cool ! Thanks a lot for sharing the easy to generate public and private keys and video links too that explains the complete creation process. I am glad that I have found such an informative post.
    public key infrastructure

    ReplyDelete

Post a Comment

Popular posts from this blog

uSleep on windows (win32)

I am facing a terrible issue regarding timing on windows. Googling arround, I've found those infos: Using QueryPerformanceCounter and QueryPerformanceFrequency APIs in Dev-C++ ( http://yeohhs.blogspot.com/2005/08/using -queryperformancecounter-and_13.html ) QueryPerformanceCounter() vs. GetTickCount() http://www.delphifaq.com/faq/delphi_windows_API/f345.shtml How to time a block of code http://www.cryer.co.uk/brian/delphi/howto_time_code.htm And Results of some quick research on timing in Win32 http://www.geisswerks.com/ryan/FAQS/timing.html With that I'm trying to write something like a uSleep function for windows: # include<windows.h> void uSleep ( int waitTime){ __int64 time1 = 0, time2 = 0, sysFreq = 0; QueryPerformanceCounter((LARGE_INTEGER *)&time1); QueryPerformanceFrequency((LARGE_INTEGER *)&freq); do { QueryPerformanceCounter((LARGE_INTEGER *)&time2); // }while((((time2-time1)*1.0)/sysFreq)<waitTime); } while ( (time2-time1) <waitTime); } T
Post a Comment
Read more

Soft body deformation

The wikipedia has a short entry on " Soft body dynamics " but it cites this interesting framework called SOFA. "SOFA [ 1 ] is an Open Source framework primarily targeted at real-time physical simulation , with an emphasis on medical simulation. It is mostly intended for the research community to help develop newer algorithms, but can also be used as an efficient prototyping tool or as a physics engine ." [1] It is also multi-platform. As soon as I have some test written, I will put some shots here. [1] SOFA (Simulation Open Framework Architecture). (2009, March 26). In Wikipedia, The Free Encyclopedia . Retrieved 14:01, May 7, 2009, from http://en.wikipedia.org/w/index.php?title=SOFA_(Simulation_Open_Framework_Architecture)&oldid=279736872
Post a Comment
Read more

More trickery with gnuplot dumb terminal

In my post " Plotting memory usage on console " the chart doesn't pan the data. Now, using a named pipe, the effect got a little bit nicer. First, we have to run the memUsage.sh script to get a file filled with memory usage info: ./memUsage.sh > memUsage.dat & Then we have to create a named pipe: mkfifo pipe Now we have to run another process to tail only the last 64 lines from the memUsage.dat while [ 1 ]; do tail -64 memUsage.dat> pipe; done & And now we just have to plot the data from the pipe: watch -n 1 'gnuplot -e "set terminal dumb;p \"pipe\" with lines"' And that is it!
3 comments
Read more