expands ssh
This commit is contained in:
parent
5e57446def
commit
eb9d1e5983
|
@ -38,8 +38,195 @@ If you're interested in the maths behind key pairs, have a look at this 15min [v
|
|||
|
||||
### Generating keys
|
||||
|
||||
SSH comes with `ssh-keygen` to generate keys.
|
||||
Keys are by default stored in `~/.ssh/` and named `id_rsa` for the **private** part, and `id_rsa.pud` for the **public** part.
|
||||
**Important**, each generated key is **unique** so if you overwrite a key you made previously that old key is **gone!**.
|
||||
There is **no way** to recover that old key anymore, gone is gone.
|
||||
I highly advise you to keep backup's of your important keys, preferably in multiple locations.
|
||||
GNOME [Seahorse](https://wiki.gnome.org/Apps/Seahorse/) or [keepass2](https://keepass.info/) are good password managers you can use to store both passwords and key pairs.
|
||||
|
||||
An ssh key can be generated by running the `ssh-keygen` command.
|
||||
You'll be prompted with a dialog that will ask to name and where to save the key pair, plus whether you want a password for that key or not.
|
||||
For automated logins you should not set a password as it would defeat the purpose but you **must** realise that everyone that has access to the **private** key will be able to log in to each server the key is deployed to.
|
||||
Keeping this file safe becomes very important.
|
||||
|
||||
**Remember the bandit SSH key level?**
|
||||
|
||||
```
|
||||
➜ ~ git:(master) ✗ ssh-keygen
|
||||
Generating public/private rsa key pair.
|
||||
Enter file in which to save the key (/home/waldek/.ssh/id_rsa): my_ssh_key
|
||||
Enter passphrase (empty for no passphrase):
|
||||
Enter same passphrase again:
|
||||
Your identification has been saved in my_ssh_key.
|
||||
Your public key has been saved in my_ssh_key.pub.
|
||||
The key fingerprint is:
|
||||
SHA256:ndWgt3PjUjrdfaBMudQFJM8xCrjPKXlvg9TRYsWz2UQ waldek@helloworld
|
||||
The key's randomart image is:
|
||||
+---[RSA 2048]----+
|
||||
| .. oo=.E|
|
||||
| . o B++.|
|
||||
| .. +o+*.|
|
||||
| .. ++++..|
|
||||
| S+o+*o* |
|
||||
| o *+.X +.|
|
||||
| + oB o +|
|
||||
| . +o .|
|
||||
| . . |
|
||||
+----[SHA256]-----+
|
||||
➜ ~ git:(master) ✗
|
||||
```
|
||||
|
||||
The current default is to generate an [RSA](https://en.wikipedia.org/wiki/RSA_(cryptosystem)) key of 2048 bits which is currently considered secure.
|
||||
You can change the scheme and bit depth with the `-t` and `-b` arguments respectively.
|
||||
Have a look at the `man ssh-keygen` pages for more info.
|
||||
|
||||
### Deploying keys
|
||||
|
||||
Just generating a key is not that useful, we need to know how to **use** them.
|
||||
In order to understand that we need to have a look at how an ssh connection works.
|
||||
When you try to establish an ssh connection you can add a `-v` flag to make the output more verbose.
|
||||
You'll see output along the lines of this:
|
||||
|
||||
```
|
||||
➜ qualifying git:(master) ✗ ssh student@localhost -v
|
||||
OpenSSH_7.9p1 Debian-10+deb10u2, OpenSSL 1.1.1d 10 Sep 2019
|
||||
debug1: Reading configuration data /home/waldek/.ssh/config
|
||||
debug1: Reading configuration data /etc/ssh/ssh_config
|
||||
debug1: /etc/ssh/ssh_config line 19: Applying options for *
|
||||
debug1: Connecting to localhost [127.0.0.1] port 22.
|
||||
debug1: Connection established.
|
||||
debug1: identity file /home/waldek/.ssh/id_rsa type 0
|
||||
debug1: identity file /home/waldek/.ssh/id_rsa-cert type -1
|
||||
debug1: identity file /home/waldek/.ssh/id_dsa type -1
|
||||
debug1: identity file /home/waldek/.ssh/id_dsa-cert type -1
|
||||
debug1: identity file /home/waldek/.ssh/id_ecdsa type -1
|
||||
debug1: identity file /home/waldek/.ssh/id_ecdsa-cert type -1
|
||||
debug1: identity file /home/waldek/.ssh/id_ed25519 type -1
|
||||
debug1: identity file /home/waldek/.ssh/id_ed25519-cert type -1
|
||||
debug1: identity file /home/waldek/.ssh/id_xmss type -1
|
||||
debug1: identity file /home/waldek/.ssh/id_xmss-cert type -1
|
||||
debug1: Local version string SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2
|
||||
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.9p1 Debian-10+deb10u2
|
||||
debug1: match: OpenSSH_7.9p1 Debian-10+deb10u2 pat OpenSSH* compat 0x04000000
|
||||
debug1: Authenticating to localhost:22 as 'student'
|
||||
debug1: SSH2_MSG_KEXINIT sent
|
||||
debug1: SSH2_MSG_KEXINIT received
|
||||
debug1: kex: algorithm: curve25519-sha256
|
||||
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
|
||||
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
|
||||
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
|
||||
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
|
||||
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:iALTEcfl6AjvOnT0TWBNrp/PsuWem/ZiP+uGRVEeFaE
|
||||
debug1: Host 'localhost' is known and matches the ECDSA host key.
|
||||
debug1: Found key in /home/waldek/.ssh/known_hosts:1
|
||||
debug1: rekey after 134217728 blocks
|
||||
debug1: SSH2_MSG_NEWKEYS sent
|
||||
debug1: expecting SSH2_MSG_NEWKEYS
|
||||
debug1: SSH2_MSG_NEWKEYS received
|
||||
debug1: rekey after 134217728 blocks
|
||||
debug1: Will attempt key: /home/waldek/.ssh/id_rsa RSA SHA256:tOuvE+Qq1B/eXyGcyIfs0MVXaaSI/GNYjLqO3D+Tz+k
|
||||
debug1: Will attempt key: /home/waldek/.ssh/id_dsa
|
||||
debug1: Will attempt key: /home/waldek/.ssh/id_ecdsa
|
||||
debug1: Will attempt key: /home/waldek/.ssh/id_ed25519
|
||||
debug1: Will attempt key: /home/waldek/.ssh/id_xmss
|
||||
debug1: SSH2_MSG_EXT_INFO received
|
||||
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
|
||||
debug1: SSH2_MSG_SERVICE_ACCEPT received
|
||||
debug1: Authentications that can continue: publickey,password
|
||||
debug1: Next authentication method: publickey
|
||||
debug1: Offering public key: /home/waldek/.ssh/id_rsa RSA SHA256:tOuvE+Qq1B/eXyGcyIfs0MVXaaSI/GNYjLqO3D+Tz+k
|
||||
debug1: Authentications that can continue: publickey,password
|
||||
debug1: Trying private key: /home/waldek/.ssh/id_dsa
|
||||
debug1: Trying private key: /home/waldek/.ssh/id_ecdsa
|
||||
debug1: Trying private key: /home/waldek/.ssh/id_ed25519
|
||||
debug1: Trying private key: /home/waldek/.ssh/id_xmss
|
||||
debug1: Next authentication method: password
|
||||
student@localhost's password:
|
||||
```
|
||||
|
||||
The connection will try any form of authentication allowed by the server in order of most secure to least secure.
|
||||
Publickeys are considered more secure than passwords so it will try that first.
|
||||
You can see this at the following line `debug1: Will attempt key: /home/waldek/.ssh/id_rsa RSA SHA256:tOuvE+Qq1B/eXyGcyIfs0MVXaaSI/GNYjLqO3D+Tz+k`.
|
||||
The `student` account does not have the matching public key as an authorized key so the client tries a password login next `debug1: Next authentication method: password`.
|
||||
|
||||
On the server side the sshd process will look for a matching **public** key in the users home directory.
|
||||
By default it will try every line in the `~/.ssh/authorized_keys` file for authentication.
|
||||
If a match is found, you'll be granted access, if not it will try an other authentication method until every method allowed by the server is exhausted and you'll be denied access.
|
||||
The verbose output of a successful login with a key pair can be seen below.
|
||||
|
||||
```
|
||||
➜ ~ git:(master) ✗ ssh student@localhost -v
|
||||
OpenSSH_7.9p1 Debian-10+deb10u2, OpenSSL 1.1.1d 10 Sep 2019
|
||||
debug1: Reading configuration data /home/waldek/.ssh/config
|
||||
debug1: Reading configuration data /etc/ssh/ssh_config
|
||||
debug1: /etc/ssh/ssh_config line 19: Applying options for *
|
||||
debug1: Connecting to localhost [127.0.0.1] port 22.
|
||||
debug1: Connection established.
|
||||
debug1: identity file /home/waldek/.ssh/id_rsa type 0
|
||||
debug1: identity file /home/waldek/.ssh/id_rsa-cert type -1
|
||||
debug1: identity file /home/waldek/.ssh/id_dsa type -1
|
||||
debug1: identity file /home/waldek/.ssh/id_dsa-cert type -1
|
||||
debug1: identity file /home/waldek/.ssh/id_ecdsa type -1
|
||||
debug1: identity file /home/waldek/.ssh/id_ecdsa-cert type -1
|
||||
debug1: identity file /home/waldek/.ssh/id_ed25519 type -1
|
||||
debug1: identity file /home/waldek/.ssh/id_ed25519-cert type -1
|
||||
debug1: identity file /home/waldek/.ssh/id_xmss type -1
|
||||
debug1: identity file /home/waldek/.ssh/id_xmss-cert type -1
|
||||
debug1: Local version string SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2
|
||||
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.9p1 Debian-10+deb10u2
|
||||
debug1: match: OpenSSH_7.9p1 Debian-10+deb10u2 pat OpenSSH* compat 0x04000000
|
||||
debug1: Authenticating to localhost:22 as 'student'
|
||||
debug1: SSH2_MSG_KEXINIT sent
|
||||
debug1: SSH2_MSG_KEXINIT received
|
||||
debug1: kex: algorithm: curve25519-sha256
|
||||
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
|
||||
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
|
||||
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
|
||||
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
|
||||
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:iALTEcfl6AjvOnT0TWBNrp/PsuWem/ZiP+uGRVEeFaE
|
||||
debug1: Host 'localhost' is known and matches the ECDSA host key.
|
||||
debug1: Found key in /home/waldek/.ssh/known_hosts:1
|
||||
debug1: rekey after 134217728 blocks
|
||||
debug1: SSH2_MSG_NEWKEYS sent
|
||||
debug1: expecting SSH2_MSG_NEWKEYS
|
||||
debug1: SSH2_MSG_NEWKEYS received
|
||||
debug1: rekey after 134217728 blocks
|
||||
debug1: Will attempt key: /home/waldek/.ssh/id_rsa RSA SHA256:tOuvE+Qq1B/eXyGcyIfs0MVXaaSI/GNYjLqO3D+Tz+k
|
||||
debug1: Will attempt key: /home/waldek/.ssh/id_dsa
|
||||
debug1: Will attempt key: /home/waldek/.ssh/id_ecdsa
|
||||
debug1: Will attempt key: /home/waldek/.ssh/id_ed25519
|
||||
debug1: Will attempt key: /home/waldek/.ssh/id_xmss
|
||||
debug1: SSH2_MSG_EXT_INFO received
|
||||
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521>
|
||||
debug1: SSH2_MSG_SERVICE_ACCEPT received
|
||||
debug1: Authentications that can continue: publickey,password
|
||||
debug1: Next authentication method: publickey
|
||||
debug1: Offering public key: /home/waldek/.ssh/id_rsa RSA SHA256:tOuvE+Qq1B/eXyGcyIfs0MVXaaSI/GNYjLqO3D+Tz+k
|
||||
debug1: Server accepts key: /home/waldek/.ssh/id_rsa RSA SHA256:tOuvE+Qq1B/eXyGcyIfs0MVXaaSI/GNYjLqO3D+Tz+k
|
||||
debug1: Authentication succeeded (publickey).
|
||||
Authenticated to localhost ([127.0.0.1]:22).
|
||||
debug1: channel 0: new [client-session]
|
||||
debug1: Requesting no-more-sessions@openssh.com
|
||||
debug1: Entering interactive session.
|
||||
debug1: pledge: network
|
||||
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
|
||||
debug1: Remote: /home/student/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
|
||||
debug1: Remote: /home/student/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
|
||||
debug1: Sending environment.
|
||||
debug1: Sending env LC_CTYPE = en_GB.UTF-8
|
||||
debug1: Sending env LANG = en_GB.UTF-8
|
||||
Linux helloworld 4.19.0-17-amd64 #1 SMP Debian 4.19.194-1 (2021-06-10) x86_64
|
||||
|
||||
The programs included with the Debian GNU/Linux system are free software;
|
||||
the exact distribution terms for each program are described in the
|
||||
individual files in /usr/share/doc/*/copyright.
|
||||
|
||||
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
|
||||
permitted by applicable law.
|
||||
student@helloworld:~$
|
||||
```
|
||||
|
||||
## Standard usage
|
||||
|
||||
## Tweaking the sshd configuration file
|
||||
|
@ -69,6 +256,8 @@ Protocol
|
|||
|
||||
## SFTP
|
||||
|
||||
## Autossh
|
||||
|
||||
## SSHFS
|
||||
|
||||
## SSHuttle
|
||||
|
|
Loading…
Reference in New Issue