Differences

Below are the differences between two revisions of the page.

Old revision: en:documentation:tutorials:ssh:clef_agent_ssh [2020/05/07 15:51] – [MacOS X] ltaulell
Current revision: en:documentation:tutorials:ssh:clef_agent_ssh [2023/12/12 12:59] (current version) – deleted ltaulell

The page was deleted in the current revision; the content of the old revision follows.

====== Use SSH keys and SSH agent ======

Most often, the SSH client is used with a ''[user + password]'' pair to connect to a remote machine.

However, it is possible to use keys
(authentication via a private/public key pair, \\ see [[https://en.wikipedia.org/wiki/Public-key_cryptography|here]])
to connect to a remote server. \\ Moreover, using an SSH agent, you can avoid typing passwords every time.

===== Generate a key set =====

To generate your personal key set, use the same commands as those used to generate the [[en:documentation:tutorials:ssh:first_connection|PSMN internal key]].

<note important>**IMPORTANT STEP ADDED**: define a passphrase to lock your private key.</note>

For Windows users, [[documentation:tutorials:ssh:putty|refer to the PuTTY documentation]].

For Linux, BSD and MacOS X, here are the main steps to follow:

==== Step 1: Start generating a set of keys ====

In a ''Terminal'' type the following commands:

<code bash>
user@host:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
            <Press the Enter key>
Created directory '/home/user/.ssh'.
Enter passphrase (empty for no passphrase):
</code>

<WRAP center round info 60%>
Newer SSH defaults may generate an ''ed25519'' key type instead of RSA. In that case, replace ''id_rsa'' with ''id_ed25519'' (and ''id_rsa.pub'' with ''id_ed25519.pub'') in the rest of this documentation.
</WRAP>
==== Step 2: Choose a good/strong passphrase ====

The passphrase is important: it locks your private key. A good passphrase must include **at least 15 characters**.

This is a **bad passphrase**:
<code>
toto
</code>

If the passphrase is too short or too weak, the program will answer:
<code bash>
Enter same passphrase again: 
passphrase too short: have 4 bytes, need > 4
Saving the key failed: /home/user/.ssh/id_rsa.
</code>

**failed...**

This is a **good passphrase**:
<code>
V0ici 1 ex3mple de passphrase c0mpl1quée, v0ire, alambiquée.
</code>

This is also an example of a **good passphrase**:
<code>
A bottle of "Glenfîddich Rare Collection 1937" cost 15 000 euros VAT. Minimum...
</code>

==== Step 3: Finish the keyset generation ====

Finally ''ssh-keygen'' says:
<code bash>
Enter same passphrase again: 
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
</code>

A fingerprint is also generated (see below):

<code bash>
The key fingerprint is:
7a:ec:b2:1c:90:f5:2f:77:c5:bc:36:8b:0f:23:2e:76 user@host
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|                 |
|      .          |
|     o .         |
|    o            |
|     . o .   . . |
|      o + + + +  |
|     ..+o+Eo = o |
|      o+.o. ..o  |
+-----------------+
</code>

==== Step 4: Save your ssh key set ====

You can copy/paste the fingerprint verification (fingerprint + image) into a file ''~/.ssh/fingerprint''.

**Save** your private key (''id_rsa''), your fingerprint file (''fingerprint'') and your public key (''id_rsa.pub'') in a safe and personal place (a USB key, for example).
===== Load the SSH agent =====

==== Linux / BSD ====

There are several methods:

  * Use ''ssh-askpass'', ''ssh-askpass-gnome'' or ''ksshaskpass'' from your favorite distribution...
  * Load ''ssh-agent'' from a script:

<code bash>
# start an agent for this shell, then add your key (asks for the passphrase once)
eval "$(ssh-agent -s)"
ssh-add
</code>

  * Install and use [[http://www.funtoo.org/wiki/Keychain|keychain]] (CLI tool, use the Release archive).

You can use a script (in your ''~/.bashrc'') to start keychain and use it in your session:

<code bash>
# add key(s) to agent
eval "$(keychain --eval --agents ssh id_rsa)"
</code>

==== MacOS X ====

There is also a range of methods on MacOS X:

  * Install and use [[http://www.funtoo.org/wiki/Keychain|keychain]] (CLI tool, use the MacOS X package).

You can use a script (in your ''~/.bashrc'') to start it and use it automatically in Terminal:
<code bash>
# add key(s) to agent
eval "$(keychain --eval --agents ssh id_rsa)"
</code>

  * If you use the MacOS X Keychain, add the ''--inherit any'' option:
<code bash>
# add key(s) to agent, inheriting an already running agent if there is one
eval "$(keychain --eval --agents ssh --inherit any id_rsa)"
</code>

<note important>If keychain asks for your passphrase every time you open a Terminal, remove the ''--inherit any'' option.</note>

  * Install and use [[http://sshkeychain.sourceforge.net/|SSHKeyChain]] (graphical tool)

<note tip>To use "X export" (X11 forwarding), you also have to start the X server on the Mac, see [[documentation:tutorials:ssh:clef_agent_ssh#export_x_pour_macos_x|X11 and MacOS X]]</note>

==== Windows ====

On Windows, use the PuTTY software; its usage is explained [[documentation:tutorials:ssh:putty|on this page]].

===== Broadcast the public key =====

For the automatic login to work (//ie//: without password, **but with passphrase**), your public key (''id_rsa.pub'') must be present on all target servers, in the ''~/.ssh/authorized_keys'' file.

  * At PSMN, simply do as below (your ''/home'' is shared between all front nodes and compute nodes):

<code bash>
scp ~/.ssh/id_rsa.pub yourlogin@allo-psmn:~/.ssh/authorized_keys

  yourlogin@allo-psmn's password:
  id_rsa.pub                    100%  9KB 9.3KB/s  00:00
</code>

<note important>This **erases** the existing ''~/.ssh/authorized_keys'' file. To simply **add** your public key to the existing ''~/.ssh/authorized_keys'' file, use the following commands:</note>

<code bash>
scp ~/.ssh/id_rsa.pub yourlogin@allo-psmn:~/.ssh/id_rsa.pub
  yourlogin@allo-psmn's password:
  id_rsa.pub                    100%  9KB 9.3KB/s  00:00
</code>

<code bash>
ssh yourlogin@allo-psmn
  yourlogin@allo-psmn's password:

> cat .ssh/id_rsa.pub >> .ssh/authorized_keys
> exit
</code>
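As an added example (not part of the PSMN documentation), the POSIX shell function below does the same append as the ''cat >> .ssh/authorized_keys'' step above, but refuses files that do not hold exactly one key, skips a key that is already present, and sets the permissions sshd's ''StrictModes'' requires before it trusts the file. The key line it is run on is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# add_authorized_key PUBKEY_FILE AUTHORIZED_KEYS
# Appends the single public key in PUBKEY_FILE to AUTHORIZED_KEYS, but:
#  - refuses files that are not exactly one "type blob [comment]" line
#    (a multi-line file would silently authorize other keys as well),
#  - skips the key if its blob is already present (comment ignored),
#  - sets the .ssh directory to 700 and authorized_keys to 600, which
#    sshd's StrictModes requires before it will read the file.
# Returns 0 when the key was added or was already present, 2 when refused.
add_authorized_key() {
  pub=$1
  auth=$2
  lines=$(awk 'END { print NR }' "$pub")
  if [ "$lines" -ne 1 ]; then
    echo "refusing $pub: expected 1 key line, found $lines" >&2
    return 2
  fi
  ktype=$(awk '{ print $1 }' "$pub")
  kblob=$(awk '{ print $2 }' "$pub")
  case $ktype in
    ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
    *) echo "refusing $pub: unknown key type '$ktype'" >&2; return 2 ;;
  esac
  if [ -z "$kblob" ]; then
    echo "refusing $pub: missing key blob" >&2
    return 2
  fi
  dir=$(dirname "$auth")
  mkdir -p "$dir" && chmod 700 "$dir"
  touch "$auth" && chmod 600 "$auth"
  # Already present? Match the blob in any field so that lines starting
  # with options (e.g. from="...") are recognised too.
  if awk -v b="$kblob" '{ for (i = 1; i <= NF; i++) if ($i == b) f = 1 } END { exit !f }' "$auth"; then
    echo "already present in $auth"
    return 0
  fi
  cat "$pub" >> "$auth"   # >> appends; scp onto the same path would overwrite
  echo "added $ktype key to $auth"
}

# Constructed demo input (placeholder blob, not a usable key).
DEMO_DIR=$(mktemp -d)
DEMO_PUB="$DEMO_DIR/id_ed25519.pub"
DEMO_AUTH="$DEMO_DIR/.ssh/authorized_keys"
echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderBlobNotARealKey0000000000 user@host" > "$DEMO_PUB"
add_authorized_key "$DEMO_PUB" "$DEMO_AUTH"   # first call appends the key
add_authorized_key "$DEMO_PUB" "$DEMO_AUTH"   # second call finds it already present
```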

If you have successfully loaded your ssh-agent, you can now log in to ''allo-psmn'' without providing your password:

<code bash>
user@host:~$ ssh yourlogin@allo-psmn.ens-lyon.fr
</code>
(''yourlogin'' corresponds to your login at PSMN)

===== Examples and use cases =====

==== Linux and BSD configuration example ====

You can automate the connection steps by using the SSH config file on your workstation. Here is an example:

  * ''~/.ssh/config'' **for Linux or BSD**

<code bash config>
Host *
  ServerAliveInterval 60
  ForwardX11Timeout 1d
  TCPKeepAlive yes
  ForwardAgent yes
  # for Linux:
  ForwardX11 yes
  # for MacOSX, use this instead:
  # ForwardX11Trusted yes
  Compression yes
  StrictHostKeyChecking no
  HashKnownHosts no

###
# internal gateway
Host allo-psmn
  User <login PSMN>
  HostName allo-psmn.psmn.ens-lyon.fr

# connection to x5650comp1 from within ENS network
Host comp1
  User <login PSMN>
  Hostname x5650comp1
  ProxyCommand ssh <login PSMN>@allo-psmn netcat -w1 %h %p

# connection to e5-2670comp2 from within ENS network
Host comp2
  User <login PSMN>
  Hostname e5-2670comp2
  ProxyCommand ssh <login PSMN>@allo-psmn netcat -w1 %h %p

###
# external gateway
Host allo-externe
  User <login PSMN>
  ProxyCommand ssh <login PSMN>@ssh.psmn.ens-lyon.fr tcpconnect allo-psmn %p
#  User <login ENS>
#  ProxyCommand ssh <login ENS>@ssh.ens-lyon.fr tcpconnect allo-psmn %p

# connection to x5650comp1 from outside ENS network
Host comp1-ext
  User <login PSMN>
  HostName x5650comp1
  ProxyCommand ssh <login PSMN>@allo-externe netcat -w1 %h %p

# connection to e5-2670comp2 from outside ENS network
Host comp2-ext
  User <login PSMN>
  Hostname e5-2670comp2
  ProxyCommand ssh <login PSMN>@allo-externe netcat -w1 %h %p

</code>

You need to replace ''<login PSMN>'' with your own PSMN login, and ''<login ENS>'' with your ENS login. ''netcat -w1'' can be replaced by ''tcpconnect''.

The list of connection servers to the PSMN is available [[documentation:clusters:services#serveurs_de_compilation|here]].

This example file already implements hops. For more explanations, see the documentation on hops and how to automate them, [[en:documentation:tutorials:ssh:multihop_ssh|available here]].

==== MacOS X configuration example ====

On MacOS X, you need to use the ''-Y'' option instead of ''-X'' (or ''ForwardX11Trusted yes'' instead of ''ForwardX11 yes'' in your ''~/.ssh/config'' file). Here is an example:

  * ''~/.ssh/config'' **for MacOS X**

<code bash config>
Host *
  ServerAliveInterval 60
  ForwardX11Timeout 1d
  TCPKeepAlive yes
  ForwardAgent yes
  # for Linux, use this instead:
  # ForwardX11 yes
  # for MacOSX:
  ForwardX11Trusted yes
  Compression yes
  StrictHostKeyChecking no
  HashKnownHosts no

###
# internal gateway
Host allo-psmn
  User <login PSMN>
  HostName allo-psmn.psmn.ens-lyon.fr

# connection to x5650comp1 from inside ENS network
Host comp1
  User <login PSMN>
  Hostname x5650comp1
  ProxyCommand ssh <login PSMN>@allo-psmn netcat -w1 %h %p

# connection to e5-2670comp2 from inside ENS network
Host comp2
  User <login PSMN>
  Hostname e5-2670comp2
  ProxyCommand ssh <login PSMN>@allo-psmn netcat -w1 %h %p

###
# external gateway
Host allo-externe
  User <login PSMN>
  #HostName allo-psmn
  ProxyCommand ssh <login PSMN>@ssh.psmn.ens-lyon.fr tcpconnect allo-psmn %p

# connection to x5650comp1 from outside ENS network
Host comp1-ext
  User <login PSMN>
  HostName x5650comp1
  ProxyCommand ssh <login PSMN>@allo-externe netcat -w1 %h %p

# connection to e5-2670comp2 from outside ENS network
Host comp2-ext
  User <login PSMN>
  Hostname e5-2670comp2
  ProxyCommand ssh <login PSMN>@allo-externe netcat -w1 %h %p

</code>

You need to replace ''<login PSMN>'' with your own PSMN login, and ''<login ENS>'' with your ENS login. ''netcat -w1'' can be replaced by ''tcpconnect''.

The list of connection servers to the PSMN is available [[documentation:clusters:services#serveurs_de_compilation|here]].

This example file already implements hops. For more explanations, see the documentation on hops and how to automate them, [[en:documentation:tutorials:ssh:multihop_ssh|available here]].
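Both configuration examples above put ''StrictHostKeyChecking no'', ''ForwardAgent yes'' and (on MacOS X) ''ForwardX11Trusted yes'' in the ''Host *'' block, so they apply to every server you ever connect to, not only the PSMN gateways. As an added example (not from the PSMN documentation), this POSIX shell/awk audit flags such wildcard settings so they can be moved into the per-host blocks that need them; the config it checks is a constructed copy of the wildcard block from the MacOS X example plus one named host.

```shell
#!/bin/sh
# audit_ssh_config FILE
# Prints one WEAK line per option that, inside a wildcard "Host *" block,
# disables host-key verification or exposes the agent / X display to every
# server. Options under a named Host block are left to that host's entry.
# Exits 0 when nothing is flagged, 1 otherwise.
audit_ssh_config() {
  awk '
    /^[[:space:]]*(#|$)/ { next }                         # comments and blank lines
    tolower($1) == "host" { wildcard = ($2 == "*"); next }  # track which block we are in
    wildcard {
      opt = tolower($1); val = tolower($2)
      if (opt == "stricthostkeychecking" && val == "no") {
        print "WEAK line " NR ": StrictHostKeyChecking no under Host * -> new or changed host keys are accepted silently; use ask (the default) or accept-new"; n++
      }
      if (opt == "forwardagent" && val == "yes") {
        print "WEAK line " NR ": ForwardAgent yes under Host * -> every server can use your agent keys; enable it only under trusted hosts"; n++
      }
      if (opt == "forwardx11trusted" && val == "yes") {
        print "WEAK line " NR ": ForwardX11Trusted yes under Host * -> remote X clients get full access to your display; prefer ForwardX11 per host"; n++
      }
    }
    END { exit (n > 0) }
  ' "$1"
}

# Constructed sample: the wildcard block from the MacOS X example plus one named host.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
Host *
  ServerAliveInterval 60
  ForwardAgent yes
  # for MacOSX:
  ForwardX11Trusted yes
  StrictHostKeyChecking no

Host allo-psmn
  User <login PSMN>
  HostName allo-psmn.psmn.ens-lyon.fr
  StrictHostKeyChecking no
EOF
audit_ssh_config "$SAMPLE_CFG" || true   # prints three WEAK lines for the Host * block
```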

==== export X for MacOS X ====

To be able to use "export X" (X11 forwarding) on a Mac, you have to start the X11 software (in Applications/Utilities, like Terminal) before initiating an SSH connection.

==== Hops and multihops ====

For more explanation on hops and their automation, [[en:documentation:tutorials:ssh:multihop_ssh|see this page]].

en/documentation/tutorials/ssh/clef_agent_ssh.1588866687.txt.gz · Last modified: 2020/08/25 15:58 (external edit)