Use SSK keys and SSH agent

Most oftenly, the SSH client is used with a pair [user + password] to connect to a remote machine.ne dis­tante.

However, it is possible to use keys (authentication via private/public key pair,
see here) to connect to a remote server.
Moreover, using an SSH agent, you can avoid typing passwords.

Generate a key set

To generate your personal key set, use the same commands as the one to generate the PSMN internal key .

IMPORTANT STEP ADDED : define a passphrase to lock your private key.

For Windows users, relate to the PuTTY documentation.

For Linux, BSD et MacOS X, here are the main steps to follow:

Step 1 : Start generating a set of keys

In a Terminal type the following commands:

user@host:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
            <Appuyer la touche Enter>
Created directory '/home/user/.ssh'.
Enter passphrase (empty for no passphrase):

Step 2 : Choose a good/strong passphrase

The passphrase is important, it locks your private key. A good passphrase must include at least 15 characters .

This is a bad passphrase :

toto

If the passphrase is too short or too poor, the program will answer:

Enter same passphrase again: 
passphrase too short: have 4 bytes, need > 4
Saving the key failed: /home/user/.ssh/id_rsa.

failed…

This is a good passphrase :

V0ici 1 ex3mple de passphrase c0mpl1quée, v0ire, alambiquée.

This is also an example of a good passphrase :

A bottle of "Glenfîddich Rare Collection 1937" cost 15 000 euros VAT. Minimum...

Step 3: Finish the keyset generation

Finally ssh-keygen says:

Enter same passphrase again: 
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.

A fingerprint is also generated (see below):

The key fingerprint is:
7a:ec:b2:1c:90:f5:2f:77:c5:bc:36:8b:0f:23:2e:76 user@host
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|                 |
|      .          |
|     o .     o   |
|    o   S     +  |
|     . o .   . . |
|      o + + + +  |
|     ..+o+Eo = o |
|      o+.o. ..o  |
+-----------------+

Step 4: Save your ssh key set

You can copy/paste the fingerprint verification (fingerprint + image) into a file ~ / .ssh / fingerprint .

Save your private key (id_rsa), your fingerprint file (fingerprint) and your public key (id_rsa.pub), in a safe and personal place (a USB key, for example).

Load agent-ssh

Linux / BSD

Il existe tout un tas de méthodes :

  • Utiliser les programmes ssh-askpass ou ssh-askpass-gnome de votre distribution favorite…
  • charger l'agent dans un script :
eval `ssh-agent`
ssh-add
  • Installer et utiliser keychain (outil CLI, prendre l'archive Release).

Vous pouvez utiliser un script (dans votre ~/.bashrc) pour le démarrer, et l'utiliser automatiquement dans vos terminaux :

# add key(s) to agent
eval `keychain --eval --agents ssh id_rsa`

MacOS X

Sur MacOS X, il existe aussi différentes méthodes :

  • Installer et utiliser keychain (outil CLI, prendre le package pour MacOS X).

Vous pouvez utiliser un script (dans votre ~/.bashrc) pour le démarrer, et l'utiliser automatiquement dans Terminal :

# add key(s) to agent
eval `keychain --eval --agents ssh id_rsa`
  • Si vous utilisez MacOSX Keychain, ajoutez l'option –inherit any :
# add key(s) to agent
eval `keychain --eval --agents ssh --inherit any id_rsa`
Si, à chaque ouverture de Terminal, keychain demande votre passphrase, enlevez l'option –inherit any
Pour bénéficier de “l'export X”, il faut aussi démarrer le serveur X sur le Mac, voir X11 et MacOS X

Windows

Sur Windows, il faut utiliser le logiciel PuTTY, dont l'usage est expliqué sur cette page.

Broadcast the public key

For the automatic loggin to work (ie: without password, but with passphrase ), your public key (id_rsa.pub) must be on all target servers, in the ~ /.ssh /authorized_keys file.

  • At PSMN, simply do as below (your /home is shared between all front nodes and compute nodes):
scp ~/.ssh/id_rsa.pub yourlogin@allo-psmn:~/.ssh/authorized_keys
 
  yourlogin@allo-psmn's password:
  id_rsa.pub                    100%  9KB 9.3KB/s   00:00
This erase the existing ~/.ssh/authorized_keys file. To simply add your public key to the existing~/.ssh/authorized_keys file, use the following commands:
scp ~/.ssh/id_rsa.pub yourlogin@allo-psmn:~/.ssh/id_rsa.pub
  yourlogin@allo-psmn's password:
  id_rsa.pub                    100%  9KB 9.3KB/s   00:00
ssh yourlogin@allo-psmn
  yourlogin@allo-psmn's password:
 
> cat .ssh/id_rsa.pub >> .ssh/authorized_keys
> exit

If you have successfully loaded your ssh-agent, you can now login to allo-psmn without providing your password:

user@host:~$ ssh yourlogin@allo-psmn.ens-lyon.fr

(yourlogin correspond to your login at PSMN)

Examples and use cases

Linux and BSD configuration example

You can automate the connection steps by using the SSH config file on your workstation. Here is an example:

  • ~/.ssh/config for Linux or BSD
config
Host *
  ServerAliveInterval 60
  ForwardX11Timeout 1d
  TCPKeepAlive yes
  ForwardAgent yes
  ForwardX11 yes         # pour Linux
#  ForwardX11Trusted yes # pour MacOSX
  Compression yes
  StrictHostKeyChecking no
  HashKnownHosts no
 
###
# internal gateway
Host allo-psmn
  User <login PSMN>
  HostName allo-psmn.psmn.ens-lyon.fr
 
# connection to x5650comp1 from within ENS network
Host comp1
  User <login PSMN>
  Hostname x5650comp1
  ProxyCommand ssh <login PSMN>@allo-psmn netcat -w1 %h %p
 
# connection to e5-2670comp2 from within ENS netwoek
Host comp2
  User <login PSMN>
  Hostname e5-2670comp2
  ProxyCommand ssh <login PSMN>@allo-psmn netcat -w1 %h %p
 
###
# external gateway
Host allo-externe
  User <login PSMN>
  ProxyCommand ssh <login PSMN>@ssh.psmn.ens-lyon.fr tcpconnect allo-psmn %p
#  User <login ENS>
#  ProxyCommand ssh <login ENS>@ssh.ens-lyon.fr tcpconnect allo-psmn %p
 
# connection to x5650comp1 from outside ENS network
Host comp1-ext
  User <login PSMN>
  HostName x5650comp1
  ProxyCommand ssh <login PSMN>@allo-externe netcat -w1 %h %p
 
# connection to e5-2670comp2 from outside ENS network
Host comp2-ext
  User <login PSMN>
  Hostname e5-2670comp2
  ProxyCommand ssh <login PSMN>@allo-externe netcat -w1 %h %p

You need to replace <login PSMN> by your own PSMN login, and <login ENS> by your ENS login. netcat -w1 can be replaced by tcpconnect.

The list of connection servers to the PSMN is available here.

This example file already implement hops. For more explanations, see the documentation on hops and how to automate them available here.

MacOS X configuration example

On MacOS X, you need to use the -Y option instead of the -X (or ForwardX11Trusted yes instead of ForwardX11 yes in your ~/.ssh/config file). Here is an example:

  • ~/.ssh/config for MacOS X
config
Host *
  ServerAliveInterval 60
  ForwardX11Timeout 1d
  TCPKeepAlive yes
  ForwardAgent yes
#  ForwardX11 yes       # for Linux
  ForwardX11Trusted yes # for MacOSX
  Compression yes
  StrictHostKeyChecking no
  HashKnownHosts no
 
###
# internal gateway
Host allo-psmn
  User <login PSMN>
  HostName allo-psmn.psmn.ens-lyon.fr
 
# connection to x5650comp1 from inside ENS network
Host comp1
  User <login PSMN>
  Hostname x5650comp1
  ProxyCommand ssh <login PSMN>@allo-psmn netcat -w1 %h %p
 
# connection to e5-2670comp2 from inside ENS network
Host comp2
  User <login PSMN>
  Hostname e5-2670comp2
  ProxyCommand ssh <login PSMN>@allo-psmn netcat -w1 %h %p
 
###
# external gateway
Host allo-externe
  User <login PSMN>
  #HostName allo-psmn
  ProxyCommand ssh <login PSMN>@ssh.psmn.ens-lyon.fr tcpconnect allo-psmn %p
 
# connection to x5650comp1 from outside ENS network
Host comp1-ext
  User <login PSMN>
  HostName x5650comp1
  ProxyCommand ssh <login PSMN>@allo-externe netcat -w1 %h %p
 
# connection to e5-2670comp2 from outside ENS network
Host comp2-ext
  User <login PSMN>
  Hostname e5-2670comp2
  ProxyCommand ssh <login PSMN>@allo-externe netcat -w1 %h %p

You need to replace <login PSMN> by your own PSMN login, and <login ENS> by your ENS login. netcat -w1 can be replaced by tcpconnect.

The list of connection servers to the PSMN is available here.

This example file already implement hops. For more explanations, see the documentation on hops and how to automate them available here.

export X for MacOS X

To be able to use “export X” on a Mac, you have to start the X11 software (in Applications/Utilities, like Terminal) before initiating an SSH connection.

Hops and multihops

For more explanation on hops and their automation, see this page.

en/documentation/tutorials/ssh/clef_agent_ssh.txt · Dernière modification: 2018/05/28 16:51 par cpetit