SSH/Keys: Difference between revisions

From UMIACS
m (→‎Batch clusters: torque -> slurm)
No edit summary
 
(10 intermediate revisions by 5 users not shown)
Line 1: Line 1:
SSH can utilize public key encryption to authenticate and authorize users.  This can be considered more secure especially if you secure your private key with a pass-phrase.  The keys themselves are not susceptible to brute force attacks like normal passwords over SSH are.
SSH can utilize public key encryption to authenticate and authorize users.  This can be considered more secure especially if you secure your private key with a pass-phrase.  The keys themselves are not susceptible to brute force attacks like normal passwords over SSH are.
==Overview==
;Prerequisites
#If using batch clusters (e.g. [[SLURM]]) please read [[SSH/Keys#Batch clusters | Batch clusters]] prior to creating a new key.
#Determine your OS (and if Windows, what you will be using to create the key)
#*Windows
#**Git Bash: follow instructions for Linux/MacOS/Bash and Git Bash (for Windows)
#**PuTTY: follow instructions for Windows (and PuTTY subsections)
#**TTSSH2: follow instructions for Windows (and TTSSH2 subsections)
#**[[BashForWindows10 | Windows Subsystem for Linux (WSL)]]: follow instructions for 'Linux/MacOS/Bash and Git Bash (for Windows)'
#*Linux: follow instructions for 'Linux/MacOS/Bash and Git Bash (for Windows)'
#*MacOS: follow instructions for 'Linux/MacOS/Bash and Git Bash (for Windows)'
;Steps
#[[SSH/Keys#Create and store the key pair | Create and store the key pair]]
#[[SSH/Keys#Copy the public key | Copy the public key]]
#If Windows, [[SSH/Keys#Adding Keys to SSH Clients (Windows Only) | Adding Keys to SSH Clients (Windows Only)]]
'''Note: UMIACS still requires multi-factor authentication if you are connecting from the public internet for security reasons. If you first connect to our VPN, you should then be able to use the keys as normal.'''
;Additional Considerations
#The [[SSH/Keys#SSH Agents | SSH Agents]] section is not a required component of creating and using an SSH key, but can be very useful if you choose to create a password to protect your SSH key, but find yourself needing to enter that password many times in a session. [[SSH/Keys#SSH Agents | SSH Agents]] allow you to temporarily use your SSH key without a password for a set period of time. Please see the [[SSH/Keys#SSH Agents | SSH Agents]] section for more information.


==Create and store the key pair==
==Create and store the key pair==
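Review bot: The added "Additional Considerations" item says "create a password to protect your SSH key" and "use your SSH key without a password", while the unchanged intro line calls this a pass-phrase and the ssh-copy-id text stresses that the account password is NOT the pass-phrase. Use "pass-phrase" consistently in this item so readers do not confuse it with their account password.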
Line 7: Line 28:
===Windows===
===Windows===
;Git Bash
;Git Bash
:See below
:See [[SSH/Keys#Linux.2FMacOS.2FBash_and_Git_Bash_.28for_Windows.29 | Linux/MacOS/Bash and Git Bash (for Windows)]]
;PuTTY  
;PuTTY  
# Click on the start menu and search for PuTTYgen. Open the application
# Click on the start menu and search for PuTTYgen. Open the application
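Review bot: The new Git Bash link hard-codes the encoded anchor `Linux.2FMacOS.2FBash_and_Git_Bash_.28for_Windows.29`, while the links added in the Overview use the plain heading text (`SSH/Keys#Create and store the key pair`). Pick one form for the whole page; the encoded form has to be updated by hand whenever the heading changes, and this same change already renames that heading from MacOSX to MacOS.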
Line 20: Line 41:
# Add passphrase if wanted and save both the public and private keys
# Add passphrase if wanted and save both the public and private keys


===Linux/MacOSX/Bash and Git Bash (for Windows)===
===Linux/MacOS/Bash and Git Bash (for Windows)===
;Create a new key with a password
You can run the command <code>ssh-keygen -t rsa</code> to generate the new public and private key.  It will prompt you for a file to create the private key and then for the public key append <code>.pub</code> extension and store it in the same directory.  Pressing enter at the passphrase step twice will create a key without a pass-phrase.
You can run the command <code>ssh-keygen -t rsa</code> to generate the new public and private key.  It will prompt you for a file to create the private key and then for the public key append <code>.pub</code> extension and store it in the same directory.  Pressing enter at the passphrase step twice will create a key without a pass-phrase.


<pre>
Note: If you change the file in which to save the key, please ensure that it still starts with 'id', such as 'id_umiacs_rsa'.
 
Example: <pre>
-bash-4.2$ ssh-keygen -t rsa
-bash-4.2$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Generating public/private rsa key pair.
Enter file in which to save the key (/home/derek/.ssh/id_rsa):
Enter file in which to save the key (/home/username/.ssh/id_rsa):
Created directory '/home/derek/.ssh'.
Created directory '/home/username/.ssh'.
Enter passphrase (empty for no passphrase):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Enter same passphrase again:
Your identification has been saved in /home/derek/.ssh/id_rsa.
Your identification has been saved in /home/username/.ssh/id_rsa.
Your public key has been saved in /home/derek/.ssh/id_rsa.pub.
Your public key has been saved in /home/username/.ssh/id_rsa.pub.
The key fingerprint is:
The key fingerprint is:
32:bf:db:74:1b:7e:d7:c6:4b:b5:6f:a8:82:55:3f:bf derek@localhost.localdomain
32:bf:db:74:1b:7e:d7:c6:4b:b5:6f:a8:82:55:3f:bf username@localhost.localdomain
The key's randomart image is:
The key's randomart image is:
+--[ RSA 2048]----+
+--[ RSA 2048]----+
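Review bot: The new heading "Create a new key with a password" sits above a paragraph whose last sentence still explains how to end up without one ("Pressing enter at the passphrase step twice will create a key without a pass-phrase"). Move that sentence to the "without a password" section or reword it as a caution, and state the reason behind the new note that the file name must still start with 'id'.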
Line 48: Line 72:
</pre>
</pre>


==Copy the public key==
;Create a new key without a password
Once you have a generated a key pair you will want to add it to one or more computers to allow you to access them.  This can be done with the <code>ssh-copy-id</code> command and it will prompt you the first time for your current password ('''NOT your pass-phrase''').  You can replace localhost with any other hostname you want to copy the key to.  You can also specify a alternate user or identity file if you need to, please <code>man ssh-copy-id</code> for more information within your terminal.  This command will ensure that not only it copies your key but secures the file so that no one can tamper and add additional authorized keys to the file on the remote host.
You can simplify the existing example above by telling it you do not want a pass-phrase and can run the command <code>ssh-keygen -t rsa -N ""</code>.
 
For Windows hosts you can use Winscp to copy the public key file onto a remote host. The root file system for the bash subsystem for windows is located under C:\Users\<username>\appdata\local\lxss\


<pre>
Note: If you change the file in which to save the key, please ensure that it still starts with 'id', such as 'id_umiacs_rsa'.
-bash-4.2$ ssh-copy-id localhost
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
derek@localhost's password:


Number of key(s) added: 1
Example: <pre>
 
Now try logging into the machine, with:  "ssh 'localhost'"
and check to make sure that only the key(s) you wanted were added.
</pre>
 
==Adding Keys to SSH Clients (Windows Only)==
;PuTTY
# Open Putty and enter the Fully Qualified Domain name for the host you wish to connect to
# Go to the Connections tab on the side panel and click on the data subsection
# Under data enter your default user into the first box (Auto-login Username)
# Go to the SSH section of the side panel and then go to the Auth Section
# Under Auth click on the browse and navigate to the saved private key
# Go back to session on the side panel and save your settings by typing in a name in saved sessions pressing the save button
;TTSSH2
# Open the application
# Cancel the first box
# Go to setup on the menu bar and go to SSH Authentication
# Enter your username, Click on the option labeled "Use RSA ... key to log in", then use the private key button located next to this line to navigate to your private key file, and click Ok
 
==Batch clusters==
Our [[Slurm]] clusters process jobs in batch and require the ability to ssh without entering a password.  You can simplify the existing example above by telling it you do not want a pass-phrase and can run the command <code>ssh-keygen -t rsa -N ""</code>. 
 
<pre>
-bash-4.2$ ssh-keygen -t rsa -N ""
-bash-4.2$ ssh-keygen -t rsa -N ""
Generating public/private rsa key pair.
Generating public/private rsa key pair.
Enter file in which to save the key (/home/derek/.ssh/id_rsa):
Enter file in which to save the key (/home/username/.ssh/id_rsa):
Created directory '/home/derek/.ssh'.
Created directory '/home/username/.ssh'.
Your identification has been saved in /home/derek/.ssh/id_rsa.
Your identification has been saved in /home/username/.ssh/id_rsa.
Your public key has been saved in /home/derek/.ssh/id_rsa.pub.
Your public key has been saved in /home/username/.ssh/id_rsa.pub.
The key fingerprint is:
The key fingerprint is:
ff:7a:99:28:fc:63:d6:10:44:4c:2e:68:76:44:76:7a derek@localhost.localdomain
ff:7a:99:28:fc:63:d6:10:44:4c:2e:68:76:44:76:7a username@localhost.localdomain
The key's randomart image is:
The key's randomart image is:
+--[ RSA 2048]----+
+--[ RSA 2048]----+
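Review bot: The "Create a new key without a password" section added here moves `ssh-keygen -t rsa -N ""` out of Batch clusters and presents it as a general option, keeping the leftover wording "simplify the existing example above". The intro says a key is more secure when protected with a pass-phrase, so this section should say that the unprotected key is intended for the SLURM batch case and link to Batch clusters.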
Line 105: Line 100:
</pre>
</pre>


After creating this key pair please make sure you follow the copy the public key instructions above to <code>localhost</code>.  This will ensure that your key will be useable on all the cluster nodes since they have a shared home directory.
;Modify permissions
Modify the permissions of your <tt>.ssh</tt> directory as well as the private key file that you just created with <tt>chmod</tt>.


== SSH Agents ==
<pre>
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_rsa
</pre>
 
If you named your file something other than id_rsa, change <tt>id_rsa</tt> to the name of the file.
 
==Copy the public key==
Once you have a generated a key pair you will want to add it to one or more computers to allow you to access them. 
 
===Windows===
For Windows hosts you can use [http://winscp.net/eng/download.php WinSCP] to copy the public key file onto a remote host. The root file system for the Bash Subsystem for Windows is located under C:\Users\username>\AppData\Local\lxss\
 
===Linux/MacOS/Bash and Git Bash (for Windows)===
This can be done with the <code>ssh-copy-id</code> command and it will prompt you the first time for your current password ('''NOT your pass-phrase'''). You can replace localhost with any other hostname you want to copy the key to. You can also specify an alternate user or identity file if you need to, please <code>man ssh-copy-id</code> for more information within your terminal. This command will ensure that not only it copies your key but secures the file so that no one can tamper and add additional authorized keys to the file on the remote host.
 
Example: <pre>
-bash-4.2$ ssh-copy-id localhost
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
username@localhost's password:
 
Number of key(s) added: 1


While it is very useful to protect your SSH key pair with a pass-phrase it can very time consuming to re-type the pass-phrase over and over.  SSH provides a agent that runs in the background and allow you add a key(s) to it with a time limit that they will be unlocked for.
Now try logging into the machine, with:  "ssh 'localhost'"
and check to make sure that only the key(s) you wanted were added.
</pre>


You will need to specify a shell in this case <code>bash</code> but could be any shell as appropriate (<code>tcsh</code>, <code>sh</code>, etc). The time specified by <code>-t</code> is specified in seconds.  
==Adding Keys to SSH Clients (Windows Only)==
;PuTTY
# Open PuTTY and enter the [https://en.wikipedia.org/wiki/Fully_qualified_domain_name fully qualified domain name (FQDN)] for the host you wish to connect to.
# Go to the Connections tab on the side panel and click on the data subsection.
# Under data enter your default user into the first box. (Auto-login Username)
# Go to the SSH section of the side panel and then go to the Auth Section.
# Under Auth click on the browse and navigate to the saved private key.
# Go back to session on the side panel and save your settings by typing in a name in saved sessions pressing the save button.
;TTSSH2
# Open the application.
# Cancel the first box.
# Go to setup on the menu bar and go to SSH Authentication.
# Enter your username, Click on the option labeled "Use RSA ... key to log in", then use the private key button located next to this line to navigate to your private key file, and click Ok.
 
==Batch clusters==
Our [[SLURM]] clusters process jobs in batch and require the ability to SSH without entering a password. When creating a key for use with [[SLURM]], follow the above instructions for creating keys without passwords.
 
After creating this key pair please make sure you follow the [[SSH/Keys#Copy_the_public_key | copy the public key]] instructions above to <code>localhost</code>. This will ensure that your key will be usable on all the cluster nodes since they have a shared home directory.
 
==SSH Agents==
While it is very useful to protect your SSH key pair with a pass-phrase it can very time consuming to re-type the pass-phrase over and over. SSH provides a agent that runs in the background and allow you add a key(s) to it with a time limit that they will be unlocked for.


<pre>
<pre>
bash-4.2$ ssh-agent bash
ssh-agent bash
bash-4.2$ ssh-add -t 1800
ssh-add -t $TIME
Enter passphrase for /home/derek/.ssh/id_rsa:
Identity added: /home/derek/.ssh/id_rsa (/home/derek/.ssh/id_rsa)
Lifetime set to 1800 seconds
</pre>
</pre>


You will be prompted for your passphrase and, when entered correctly, you will be able to ssh without entering a password.  You can check what keys are load when you are running inside a ssh-agent by using the command <code>ssh-add -l</code>.
The time specified by <code>-t</code> is specified in seconds.


Example:
(The following would start a bash shell with passwordless SSH active for 30 minutes.)
<pre>
<pre>
ssh-agent bash
ssh-add -t 1800
</pre>
You will be prompted for your passphrase and, when entered correctly, you will be able to SSH without entering a password. You can check what keys are load when you are running inside a ssh-agent by using the command <code>ssh-add -l</code>.
Example: <pre>
bash-4.2$ ssh-add -l
bash-4.2$ ssh-add -l
2048 ee:83:10:c8:2f:2c:17:5e:ef:80:42:7e:ff:75:9e:53 /home/derek/.ssh/id_rsa (RSA)
2048 ee:83:10:c8:2f:2c:17:5e:ef:80:42:7e:ff:75:9e:53 /home/username/.ssh/id_rsa (RSA)
</pre>
</pre>
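Review bot: In the new Windows paragraph under "Copy the public key" the path reads `C:\Users\username>\AppData\Local\lxss\`; the opening `<` of the placeholder was dropped (the old text had `C:\Users\<username>\appdata\local\lxss\`), so restore `<username>`. The rewritten SSH Agents example also drops the `Lifetime set to 1800 seconds` output line, which was the only visible confirmation that the `-t` limit took effect; consider keeping it.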

Latest revision as of 19:04, 3 June 2024

SSH can utilize public key encryption to authenticate and authorize users. This can be considered more secure especially if you secure your private key with a pass-phrase. The keys themselves are not susceptible to brute force attacks like normal passwords over SSH are.

Overview

Prerequisites
  1. If using batch clusters (e.g. SLURM) please read Batch clusters prior to creating a new key.
  2. Determine your OS (and if Windows, what you will be using to create the key)
    • Windows
      • Git Bash: follow instructions for Linux/MacOS/Bash and Git Bash (for Windows)
      • PuTTY: follow instructions for Windows (and PuTTY subsections)
      • TTSSH2: follow instructions for Windows (and TTSSH2 subsections)
      • Windows Subsystem for Linux (WSL): follow instructions for 'Linux/MacOS/Bash and Git Bash (for Windows)'
    • Linux: follow instructions for 'Linux/MacOS/Bash and Git Bash (for Windows)'
    • MacOS: follow instructions for 'Linux/MacOS/Bash and Git Bash (for Windows)'
Steps
  1. Create and store the key pair
  2. Copy the public key
  3. If Windows, Adding Keys to SSH Clients (Windows Only)

Note: UMIACS still requires multi-factor authentication if you are connecting from the public internet for security reasons. If you first connect to our VPN, you should then be able to use the keys as normal.

Additional Considerations
  1. The SSH Agents section is not a required component of creating and using an SSH key, but can be very useful if you choose to create a password to protect your SSH key, but find yourself needing to enter that password many times in a session. SSH Agents allow you to temporarily use your SSH key without a password for a set period of time. Please see the SSH Agents section for more information.

Create and store the key pair

The first step is to generate a key pair, which creates two files filled with long strings of characters: a public key file that you may distribute to any machine you want to use it on, and a private key file that needs to be kept secure. Allowing anyone to read the private key compromises the security of the key and could allow someone to access any resources secured by it without your consent. There are a number of different key types, but RSA is the most compatible.

Windows

Git Bash
See Linux/MacOS/Bash and Git Bash (for Windows)
PuTTY
  1. Click on the start menu and search for PuTTYgen. Open the application
  2. Verify that you are attempting to create an "SSH2 RSA" key by clicking on the appropriate box
  3. Click generate and follow the instructions for generating your keys
  4. Add passphrase if wanted and save both the public and private keys
TTSSH2
  1. Open the application
  2. Cancel the first box
  3. Go to setup on the menu bar and go to SSH KeyGenerator
  4. Click generate and follow the instructions for generating your key
  5. Add passphrase if wanted and save both the public and private keys

Linux/MacOS/Bash and Git Bash (for Windows)

Create a new key with a password

You can run the command ssh-keygen -t rsa to generate the new public and private key. It will prompt you for a file in which to save the private key; the public key is stored in the same directory under the same name with the .pub extension appended. Pressing enter at the passphrase step twice will create a key without a pass-phrase.

Note: If you change the file in which to save the key, please ensure that it still starts with 'id', such as 'id_umiacs_rsa'.

Example:

-bash-4.2$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_rsa):
Created directory '/home/username/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/username/.ssh/id_rsa.
Your public key has been saved in /home/username/.ssh/id_rsa.pub.
The key fingerprint is:
32:bf:db:74:1b:7e:d7:c6:4b:b5:6f:a8:82:55:3f:bf username@localhost.localdomain
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|                 |
|                 |
|            .    |
|      o S  . .  .|
|       +  .   o o|
|        .o. o  B.|
|        .+.o o+ O|
|        o...+o E+|
+-----------------+

Create a new key without a password

You can simplify the example above by telling ssh-keygen up front that you do not want a pass-phrase: run the command ssh-keygen -t rsa -N "".

Note: If you change the file in which to save the key, please ensure that it still starts with 'id', such as 'id_umiacs_rsa'.

Example:

-bash-4.2$ ssh-keygen -t rsa -N ""
Generating public/private rsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_rsa):
Created directory '/home/username/.ssh'.
Your identification has been saved in /home/username/.ssh/id_rsa.
Your public key has been saved in /home/username/.ssh/id_rsa.pub.
The key fingerprint is:
ff:7a:99:28:fc:63:d6:10:44:4c:2e:68:76:44:76:7a username@localhost.localdomain
The key's randomart image is:
+--[ RSA 2048]----+
|       .+++      |
|       + +o      |
|      + +.E      |
|     o . o.      |
|        S  .     |
|         ..      |
|       .  .+ o   |
|        o =.=    |
|         =o+.    |
+-----------------+

Modify permissions

Modify the permissions of your .ssh directory as well as the private key file that you just created with chmod.

chmod 700 ~/.ssh 
chmod 600 ~/.ssh/id_rsa

If you named your file something other than id_rsa, change id_rsa to the name of the file.

Copy the public key

Once you have generated a key pair you will want to add it to one or more computers to allow you to access them.

Windows

For Windows hosts you can use WinSCP to copy the public key file onto a remote host. The root file system for the Bash Subsystem for Windows is located under C:\Users\<username>\AppData\Local\lxss\

Linux/MacOS/Bash and Git Bash (for Windows)

This can be done with the ssh-copy-id command, which will prompt you the first time for your current password (NOT your pass-phrase). You can replace localhost with any other hostname you want to copy the key to. You can also specify an alternate user or identity file if you need to; please run man ssh-copy-id within your terminal for more information. This command not only copies your key but also secures the file so that no one can tamper with it and add additional authorized keys to the file on the remote host.

Example:

-bash-4.2$ ssh-copy-id localhost
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
username@localhost's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'localhost'"
and check to make sure that only the key(s) you wanted were added.
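
The following is an added example, not part of the original UMIACS page: a shell function that audits the permissions set in "Modify permissions" and the authorized_keys protection described for ssh-copy-id. The function names audit_ssh_dir and mode_of are hypothetical, and the check assumes private keys follow the page's rule that the file name starts with 'id'.

```shell
#!/usr/bin/env bash
# Added example: audit the permissions this page sets with chmod.
# Assumption: private keys are named id* as the page requires.

# Print the octal permission bits of a path
# (GNU stat first, BSD/macOS stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# audit_ssh_dir [DIR]
# Prints one "FIX: <command>" line per problem found and
# returns the number of problems (0 means everything is in order).
audit_ssh_dir() {
    local dir problems f mode
    dir="${1:-$HOME/.ssh}"
    problems=0

    if [ ! -d "$dir" ]; then
        echo "MISSING: $dir"
        return 1
    fi

    # The directory must carry no group/other bits (the page sets 700).
    mode="$(mode_of "$dir")"
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "FIX: chmod 700 $dir (currently $mode)"
        problems=$((problems + 1))
    fi

    # Private keys: every id* file that is not a .pub file must be
    # unreadable by group and others (the page sets 600).
    for f in "$dir"/id*; do
        [ -f "$f" ] || continue
        case "$f" in *.pub) continue ;; esac
        mode="$(mode_of "$f")"
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "FIX: chmod 600 $f (currently $mode)"
            problems=$((problems + 1))
        fi
    done

    # authorized_keys must not be writable by group (020) or others (002),
    # otherwise someone else could append their own key.
    f="$dir/authorized_keys"
    if [ -f "$f" ]; then
        mode="$(mode_of "$f")"
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "FIX: chmod go-w $f (currently $mode)"
            problems=$((problems + 1))
        fi
    fi

    return "$problems"
}
```

Source the file and run audit_ssh_dir with no argument to check ~/.ssh on the client, or run it on the remote host after ssh-copy-id to check authorized_keys there.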

Adding Keys to SSH Clients (Windows Only)

PuTTY
  1. Open PuTTY and enter the fully qualified domain name (FQDN) for the host you wish to connect to.
  2. Go to the Connections tab on the side panel and click on the data subsection.
  3. Under data enter your default user into the first box. (Auto-login Username)
  4. Go to the SSH section of the side panel and then go to the Auth Section.
  5. Under Auth click on the browse and navigate to the saved private key.
  6. Go back to session on the side panel and save your settings by typing in a name in saved sessions and pressing the save button.
TTSSH2
  1. Open the application.
  2. Cancel the first box.
  3. Go to setup on the menu bar and go to SSH Authentication.
  4. Enter your username, click on the option labeled "Use RSA ... key to log in", then use the private key button located next to this line to navigate to your private key file, and click Ok.

Batch clusters

Our SLURM clusters process jobs in batch and require the ability to SSH without entering a password. When creating a key for use with SLURM, follow the above instructions for creating keys without passwords.

After creating this key pair, please make sure you follow the "Copy the public key" instructions above, copying the key to localhost. This will ensure that your key will be usable on all the cluster nodes, since they have a shared home directory.

SSH Agents

While it is very useful to protect your SSH key pair with a pass-phrase, it can be very time-consuming to re-type the pass-phrase over and over. SSH provides an agent that runs in the background and allows you to add one or more keys to it, with a time limit for how long they will stay unlocked.

ssh-agent bash
ssh-add -t $TIME

The time specified by -t is specified in seconds.

Example: (The following would start a bash shell with passwordless SSH active for 30 minutes.)

ssh-agent bash
ssh-add -t 1800

You will be prompted for your passphrase and, when entered correctly, you will be able to SSH without entering a password. You can check which keys are loaded when you are running inside an ssh-agent by using the command ssh-add -l.

Example:

bash-4.2$ ssh-add -l
2048 ee:83:10:c8:2f:2c:17:5e:ef:80:42:7e:ff:75:9e:53 /home/username/.ssh/id_rsa (RSA)