SSH

From Wildsong
Revision as of 05:20, 26 February 2011 by Brian Wilson (talk | contribs)
Jump to navigationJump to search

More information on ssh can be found at http://www.openssh.org/

Why use SSH

It's secure

The entire session is encrypted. This means you can work in a cafe over wifi and not worry about anyone snooping. Note that you DO have to use a computer with ssh installed on it and have a copy of your private key on it.

Lots of tools use it

Any tool that supports ssh or sftp can talk to the server.

For example, on Ubuntu (and other Linux computers that use Nautilus file manager) you click "Places"->"Connect to Server..." and you can open a file manager window and drag and drop files between your computer and my server.

Various other tools like Adobe Dreamweaver and ActiveState Komodo have support built in to allow opening, editing and saving files on the server.

Of course command line works too (sftp, scp, ssh, rsync).

On Windows some people like Filezilla to transfer files. For a command shell on Windows I use putty.

Why use SSH key pairs?

We never have to exchange any secrets: I don't need to give you a password. We don't have to send secrets through email. I will never know what your password is since there isn't one. Only a passphrase to protect your private key.

When you connect to my server, all data transmitted over the networks is encrypted. This means you can safely work in any public places or use wireless connections without worrying who is sneaking a look at your traffic.

\* Strictly speaking you don't need to use a passphrase, but if you put the key pair on a portable computer it protects us both if the computer is lost or stolen. No passphrase means you don't have to type your passphrase to connect to my server.


Use case 1. You want access to a server that I manage

Linux and possibly Mac users

  • If you already have an ssh key pair then you only need send me your public key.
  • If you don't or you want to use a different pair, generate a pair.

The ssh files live in your home directory in the hidden folder called .ssh (That's a dot followed by ssh)

If you don't have a folder called .ssh then you don't have keys either. Here are all the commands to create a new pair.

  1. move to your home directory

cd

  1. create the folder

mkdir .ssh

  1. protect the folder

chmod 700 .ssh

  1. generate keys, use a passphrase you can remember
  2. this will overwrite existing keys, you might not want to do that!

ssh-keygen

This will create id_rsa and id_rsa.pub in .ssh by default, you can specify a zillion things other on the command line such as a different name for the files like maybe 'id_rsa_hupi'

How to generate a key pair

Linux

  1. Run the command "ssh-keygen"
  2. Accept the defaults. Enter a passphrase that you can remember.
  3. Send me the file "~/.ssh/id_rsa.pub"

Windows

You could install Cygwin and just follow the Linux instructions, but I am assuming that you use Windows because you don't like command lines.

Macintosh

The next time I sit at a Mac I will fill in this section.

How to use SFTP connections

On Linux and Mac systems, you can use traditional command line programs including ssh, scp and rsync.

On Gnome based Linux systems such as Ubuntu,

On Windows, for command line sessions you can use putty.

Use case 2. Granting me access to your server

  1. You have to run an sshd server on your machine.
  2. I generate a key pair in RSA format, creating a passphrase-encrypted private key and a public key.
  3. I send you my public key.
  4. You add my key to the accounts that you want to allow me to have access to. For example, you can create a personal account for me with the username "bwilson" and add the file in /home/bwilson/.ssh/authorized_keys and optionally also put a copy in /root/.ssh/authorized_keys to give me root level access.

Then I can use an ssh client to connect. I enter my passphrase and the client uses the decrypted private key to authenticate with your system. If the private and public keys match, your system grants me access.

As long as I don't share my passphrase with anyone, even if I lose my laptop, no one can use my private key to access your machine.

If you want to revoke access, you remove or disable access to my public key(s).

You don't have to give me any password information on your machine, so you don't have to change the root password when we are done working together.

This is what an RSA public key looks like

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAsfKX946JbxemrYTT55dTk9Bg98tLeH3PAi5/cpQkWdntATz4ISIvqOltXkKrssj3dlK57M5u86RA05mzIOLPel9o52WCiYUdGiCnAOJa7fS9+XBU2rtrsgl0NBttVbC/m1qH1Ff6WKcGEwjlwxZvQAMk6pdSLDf9A4bns1qpS+jdD4nBOsVjx9cF6MD+1dHd/JqpNfllXDLeFsNNBivQ8ansAMiOj4WwXyU+XgbaZGngl1LYuwc1Lk+5N8Z4wq+33ERokvKOvNl8dAe4/n0oZqMF7LU+rHqIpUiusDRryFF+O2ogb+yTCwz0TYxNwg0tkTFFZN4xqc5hjhFgWrCuOvPQ== [email protected]

Key file installation notes

The file(s) "authorized_keys" are text files containing public keys. You can add new keys from the command line or using a text editor. The ownership and permissions should be set to be owned by the user account and readable only by that user. The typical commands:

# cd /home/username/.ssh                     move to user's directory
# cat /tmp/id_rsa.pub >> authorized_keys     append key to file
# chown username authorized_keys             fix ownership
# chmod 600 authorized_keys                  fix permissions