Use SSK keys and SSH agent

Most oftenly, the SSH client is used with a pair [ user + password ] to connect to a remote machine.ne dis­tante.

However, it is possible to use keys (authentication via private/public key pair,
see here) to connect to a remote server.
Moreover, using an SSH agent, you can avoid typing passwords everytime.

Generate a key set

To generate your personal key set, use the same commands as the one to generate the PSMN internal key .

IMPORTANT STEP ADDED : define a passphrase to lock your private key.

For Windows users, relate to the PuTTY documentation.

For Linux, BSD et MacOS X, here are the main steps to follow:

Step 1 : Start generating a set of keys

In a Terminal type the following commands:

user@host:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
            <Appuyer la touche Enter>
Created directory '/home/user/.ssh'.
Enter passphrase (empty for no passphrase):

New default parameters of SSH may generate a ed25519 key type. Replace .rsa by .ed25519 in next parts of this documentation

Step 2 : Choose a good/strong passphrase

The passphrase is important, it locks your private key. A good passphrase must include at least 15 characters .

This is a bad passphrase :

toto

If the passphrase is too short or too poor, the program will answer:

Enter same passphrase again: 
passphrase too short: have 4 bytes, need > 4
Saving the key failed: /home/user/.ssh/id_rsa.

failed…

This is a good passphrase :

V0ici 1 ex3mple de passphrase c0mpl1quée, v0ire, alambiquée.

This is also an example of a good passphrase :

A bottle of "Glenfîddich Rare Collection 1937" cost 15 000 euros VAT. Minimum...

Step 3: Finish the keyset generation

Finally ssh-keygen says:

Enter same passphrase again: 
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.

A fingerprint is also generated (see below):

The key fingerprint is:
7a:ec:b2:1c:90:f5:2f:77:c5:bc:36:8b:0f:23:2e:76 user@host
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|                 |
|      .          |
|     o .     o   |
|    o   S     +  |
|     . o .   . . |
|      o + + + +  |
|     ..+o+Eo = o |
|      o+.o. ..o  |
+-----------------+

Step 4: Save your ssh key set

You can copy/paste the fingerprint verification (fingerprint + image) into a file ~/.ssh/fingerprint.

Save your private key (id_rsa), your fingerprint file (fingerprint) and your public key (id_rsa.pub), in a safe and personal place (a USB key, for example).

Load agent-ssh

Linux / BSD

There's a lot of different methods:

  • Use ssh-askpass, ssh-askpass-gnome or ksshaskpass from your favorite distribution…
  • load ssh-agent in a script:
eval `ssh-agent`
ssh-add
  • Install and use keychain (CLI tool, use Release archive).

You can use a script (in your ~/.bashrc) to start keychain, and use it in your session:

# add key(s) to agent
eval `keychain --eval --agents ssh id_rsa`
  • KDE startup script:
#! /bin/bash
# Put this in ~/.kde/Autostart/ssh-agent.sh
# or ~/.config/autostart-scripts/ssh-agent.sh
export SSH_ASKPASS=/usr/bin/ksshaskpass
/usr/bin/ssh-add ~/.ssh/id_rsa  # or any key you want

MacOS X

There's also a bunch of methods on MacOS X:

  • Install and use keychain (CLI tool, use MacOS X package).

You can use a script (in your ~/.bashrc) to start keychain, and use it in Terminal:

# add key(s) to agent
eval `keychain --eval --agents ssh id_rsa`
  • On MacOSX Keychain, you may add the option –inherit any:
# add key(s) to agent
eval `keychain --eval --agents ssh --inherit any id_rsa`
If, every time you open a new Terminal window, keychain ask for your passphrase, remove the –inherit any option
For “X export” to work, you need to activate MacOS X11 server (XQuartz), see X11 and MacOS X

Windows

On Windows, you need to use PuTTY, see this page.

Broadcast the public key

For the automatic loggin to work (ie: without password, but with passphrase ), your public key (id_rsa.pub) must be on all target servers, in the ~ /.ssh /authorized_keys file.

  • At PSMN, simply do as below (your /home is shared between all front nodes and compute nodes):
scp ~/.ssh/id_rsa.pub yourlogin@allo-psmn:~/.ssh/authorized_keys
 
  yourlogin@allo-psmn's password:
  id_rsa.pub                    100%  9KB 9.3KB/s   00:00
This erase the existing ~/.ssh/authorized_keys file. To simply add your public key to the existing~/.ssh/authorized_keys file, use the following commands:
scp ~/.ssh/id_rsa.pub yourlogin@allo-psmn:~/.ssh/id_rsa.pub
  yourlogin@allo-psmn's password:
  id_rsa.pub                    100%  9KB 9.3KB/s   00:00
ssh yourlogin@allo-psmn
  yourlogin@allo-psmn's password:
 
> cat .ssh/id_rsa.pub >> .ssh/authorized_keys
> exit

If you have successfully loaded your ssh-agent, you can now login to allo-psmn without providing your password:

user@host:~$ ssh yourlogin@allo-psmn.ens-lyon.fr

(yourlogin correspond to your login at PSMN)

Examples and use cases

Linux and BSD configuration example

You can automate the connection steps by using the SSH config file on your workstation. Here is an example:

  • ~/.ssh/config for Linux or BSD
config
Host *
  ServerAliveInterval 60
  ForwardX11Timeout 1d
  TCPKeepAlive yes
  ForwardAgent yes
  ForwardX11 yes         # pour Linux
#  ForwardX11Trusted yes # pour MacOSX
  Compression yes
  StrictHostKeyChecking no
  HashKnownHosts no
 
###
# internal gateway
Host allo-psmn
  User <login PSMN>
  HostName allo-psmn.psmn.ens-lyon.fr
 
# connection to x5650comp1 from within ENS network
Host comp1
  User <login PSMN>
  Hostname x5650comp1
  ProxyCommand ssh <login PSMN>@allo-psmn netcat -w1 %h %p
 
# connection to e5-2670comp2 from within ENS netwoek
Host comp2
  User <login PSMN>
  Hostname e5-2670comp2
  ProxyCommand ssh <login PSMN>@allo-psmn netcat -w1 %h %p
 
###
# external gateway
Host allo-externe
  User <login PSMN>
  ProxyCommand ssh <login PSMN>@ssh.psmn.ens-lyon.fr tcpconnect allo-psmn %p
#  User <login ENS>
#  ProxyCommand ssh <login ENS>@ssh.ens-lyon.fr tcpconnect allo-psmn %p
 
# connection to x5650comp1 from outside ENS network
Host comp1-ext
  User <login PSMN>
  HostName x5650comp1
  ProxyCommand ssh <login PSMN>@allo-externe netcat -w1 %h %p
 
# connection to e5-2670comp2 from outside ENS network
Host comp2-ext
  User <login PSMN>
  Hostname e5-2670comp2
  ProxyCommand ssh <login PSMN>@allo-externe netcat -w1 %h %p

You need to replace <login PSMN> by your own PSMN login, and <login ENS> by your ENS login. netcat -w1 can be replaced by tcpconnect.

The list of connection servers to the PSMN is available here.

This example file already implement hops. For more explanations, see the documentation on hops and how to automate them available here.

MacOS X configuration example

On MacOS X, you need to use the -Y option instead of the -X (or ForwardX11Trusted yes instead of ForwardX11 yes in your ~/.ssh/config file). Here is an example:

  • ~/.ssh/config for MacOS X
config
Host *
  ServerAliveInterval 60
  ForwardX11Timeout 1d
  TCPKeepAlive yes
  ForwardAgent yes
#  ForwardX11 yes       # for Linux
  ForwardX11Trusted yes # for MacOSX
  Compression yes
  StrictHostKeyChecking no
  HashKnownHosts no
 
###
# internal gateway
Host allo-psmn
  User <login PSMN>
  HostName allo-psmn.psmn.ens-lyon.fr
 
# connection to x5650comp1 from inside ENS network
Host comp1
  User <login PSMN>
  Hostname x5650comp1
  ProxyCommand ssh <login PSMN>@allo-psmn netcat -w1 %h %p
 
# connection to e5-2670comp2 from inside ENS network
Host comp2
  User <login PSMN>
  Hostname e5-2670comp2
  ProxyCommand ssh <login PSMN>@allo-psmn netcat -w1 %h %p
 
###
# external gateway
Host allo-externe
  User <login PSMN>
  #HostName allo-psmn
  ProxyCommand ssh <login PSMN>@ssh.psmn.ens-lyon.fr tcpconnect allo-psmn %p
 
# connection to x5650comp1 from outside ENS network
Host comp1-ext
  User <login PSMN>
  HostName x5650comp1
  ProxyCommand ssh <login PSMN>@allo-externe netcat -w1 %h %p
 
# connection to e5-2670comp2 from outside ENS network
Host comp2-ext
  User <login PSMN>
  Hostname e5-2670comp2
  ProxyCommand ssh <login PSMN>@allo-externe netcat -w1 %h %p

You need to replace <login PSMN> by your own PSMN login, and <login ENS> by your ENS login. netcat -w1 can be replaced by tcpconnect.

The list of connection servers to the PSMN is available here.

This example file already implement hops. For more explanations, see the documentation on hops and how to automate them available here.

export X for MacOS X

To be able to use “export X” on a Mac, you have to start the X11 software (in Applications/Utilities, like Terminal) before initiating an SSH connection.

Hops and multihops

For more explanation on hops and their automation, see this page.

en/documentation/tutorials/ssh/clef_agent_ssh.txt · Dernière modification: 2020/05/13 15:55 par fleroux