Below are the differences between two revisions of the page.
en:documentation:tutorials:ssh:clef_agent_ssh [2018/05/28 14:50] – cpetit | en:documentation:tutorials:ssh:clef_agent_ssh [2023/12/12 12:59] (current version) – deleted by ltaulell | ||
---|---|---|---|
Line 1: | Line 1: | ||
- | ====== Use SSH keys and SSH agent ====== | ||
- | |||
- | Most often, the SSH client is used with a pair '' | ||
- | |||
- | However, it is possible to use keys | ||
- | (authentication via private/ | ||
- | to connect to a remote server. \\ Moreover, using an SSH agent, you can avoid typing passwords. | ||
- | |||
- | ===== Generate a set of keys ===== | ||
- | |||
- | To generate your personal key set, use the same commands as the ones used to generate the [[en: | ||
- | |||
- | <note important> | ||
- | |||
- | For Windows users, [[documentation: | ||
- | |||
- | For Linux, BSD and MacOS X, here are the main steps to follow: | ||
- | |||
- | ==== Step 1: Start generating a set of keys ==== | ||
- | |||
- | In a '' | ||
- | |||
- | <code bash> | ||
- | user@host: | ||
- | Generating public/ | ||
- | Enter file in which to save the key (/ | ||
- | <Press the Enter key> | ||
- | Created directory '/ | ||
- | Enter passphrase (empty for no passphrase): | ||
- | </ | ||
- | |||
- | ==== Step 2: Choose a good/strong passphrase ==== | ||
- | |||
- | The passphrase is important: it locks your private key. A good passphrase must have **at least 15 characters**. | ||
- | |||
- | This is a **bad passphrase**: | ||
- | < | ||
- | toto | ||
- | </ | ||
- | |||
- | If the passphrase is too short or too weak, the program will answer: | ||
- | <code bash> | ||
- | Enter same passphrase again: | ||
- | passphrase too short: have 4 bytes, need > 4 | ||
- | Saving the key failed: / | ||
- | </ | ||
- | |||
- | **failed...** | ||
- | |||
- | This is a **good passphrase**: | ||
- | < | ||
- | V0ici 1 ex3mple de passphrase c0mpl1quée, | ||
- | </ | ||
- | |||
- | This is also an example of a **good passphrase**: | ||
- | < | ||
- | A bottle of " | ||
- | </ | ||
- | |||
- | ==== Step 3: Finish the keyset generation ==== | ||
- | |||
- | Finally '' | ||
- | <code bash> | ||
- | Enter same passphrase again: | ||
- | Your identification has been saved in / | ||
- | Your public key has been saved in / | ||
- | </ | ||
- | |||
- | A fingerprint is also generated (see below): | ||
- | |||
- | <code bash> | ||
- | The key fingerprint is: | ||
- | 7a: | ||
- | The key's randomart image is: | ||
- | +--[ RSA 2048]----+ | ||
- | | | | ||
- | | | | ||
- | | . | | ||
- | | o . | ||
- | | o | ||
- | | . o . . . | | ||
- | | o + + + + | | ||
- | | | ||
- | | o+.o. ..o | | ||
- | +-----------------+ | ||
- | </ | ||
- | |||
- | ==== Step 4: Save your ssh key set ==== | ||
- | |||
- | You can copy/paste the fingerprint verification (fingerprint + image) into a file '' | ||
- | |||
- | **Save** your private key ('' | ||
- | ===== Load ssh-agent ===== | ||
- | |||
- | ==== Linux / BSD ==== | ||
- | |||
- | There are many methods: | ||
- | |||
- | * Use the programs '' | ||
- | * load the | ||
- | |||
- | <code bash> | ||
- | eval `ssh-agent` | ||
- | ssh-add | ||
- | </ | ||
- | |||
- | * Install and use [[http:// | ||
- | |||
- | You can use a script (in your '' | ||
- | <code bash> | ||
- | # add key(s) to agent | ||
- | eval `keychain --eval --agents ssh id_rsa` | ||
- | </ | ||
- | |||
- | ==== MacOS X ==== | ||
- | |||
- | On MacOS X, there are also several methods: | ||
- | |||
- | * Install and use [[http:// | ||
- | |||
- | You can use a script (in your '' | ||
- | <code bash> | ||
- | # add key(s) to agent | ||
- | eval `keychain --eval --agents ssh id_rsa` | ||
- | </ | ||
- | |||
- | * If you use the MacOSX Keychain, add the | ||
- | <code bash> | ||
- | # add key(s) to agent | ||
- | eval `keychain --eval --agents ssh --inherit any id_rsa` | ||
- | </ | ||
- | |||
- | <note important> | ||
- | |||
- | * Install and use [[http:// | ||
- | |||
- | |||
- | <note tip>To benefit from " | ||
- | |||
- | |||
- | |||
- | ==== Windows ==== | ||
- | |||
- | On Windows, you must use the PuTTY software, whose | ||
- | |||
- | ===== Broadcast the public key ===== | ||
- | |||
- | For the automatic login to work (//i.e.//: without a password, **but with a passphrase**), your public key (id_rsa.pub) must be on all target servers, in the '' | ||
- | |||
- | * At PSMN, simply do as below (your ''/ | ||
- | |||
- | <code bash> | ||
- | scp ~/ | ||
- | |||
- | yourlogin@allo-psmn' | ||
- | id_rsa.pub | ||
- | </ | ||
- | |||
- | <note important> | ||
- | |||
- | <code bash> | ||
- | scp ~/ | ||
- | yourlogin@allo-psmn' | ||
- | id_rsa.pub | ||
- | </ | ||
- | |||
- | <code bash> | ||
- | ssh yourlogin@allo-psmn | ||
- | yourlogin@allo-psmn' | ||
- | |||
- | > cat .ssh/ | ||
- | > exit | ||
- | </ | ||
- | |||
- | If you have successfully loaded your ssh-agent, you can now log in to '' | ||
- | |||
- | <code bash> | ||
- | user@host: | ||
- | </ | ||
- | (yourlogin corresponds to your login at PSMN) | ||
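As an added example (not code from the PSMN wiki), the copy step above done in plain sh with the checks a practitioner wants: the key is appended only if it is not already present, and the directory and file get the permissions sshd requires before it will read them. Function and file names are mine, and a local path stands in for the remote account.

```shell
#!/bin/sh
# Added example, not from the wiki page: install a public key into an
# authorized_keys file without duplicates and with sshd-compatible
# permissions (directory 700, file 600).
# Assumes POSIX sh and a key line of the form "<type> <base64> [comment]".

# install_pubkey PUBKEY_FILE AUTHORIZED_KEYS
# Returns 0 if the key was appended, 2 if it was already present, 1 on error.
install_pubkey() {
    pubkey_file=$1
    auth_file=$2
    [ -r "$pubkey_file" ] || return 1
    # Take the first key line only; refuse files that contain no key.
    key_line=$(grep -m1 -E '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp[0-9]+) ' "$pubkey_file") || return 1
    # Identity is type + key material; the trailing comment is ignored.
    key_id=$(printf '%s\n' "$key_line" | awk '{print $1, $2}')
    ssh_dir=$(dirname "$auth_file")
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    [ -f "$auth_file" ] || : > "$auth_file"
    chmod 600 "$auth_file" || return 1
    # Already present (possibly with another comment)? Then do nothing.
    if awk -v id="$key_id" '($1 " " $2) == id {found=1} END {exit !found}' "$auth_file"; then
        return 2
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
}

# count_keys AUTHORIZED_KEYS: number of key lines (blank/comment lines ignored)
count_keys() {
    grep -c -E '^(ssh-|ecdsa-)' "$1"
}
```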
- | |||
- | ===== Examples and use cases ===== | ||
- | |||
- | ==== Linux and BSD configuration example ==== | ||
- | |||
- | You can automate the connection steps by using the SSH config file on your workstation. Here is an example: | ||
- | |||
- | * '' | ||
- | |||
- | <code bash config> | ||
- | Host * | ||
- | ServerAliveInterval 60 | ||
- | ForwardX11Timeout 1d | ||
- | TCPKeepAlive yes | ||
- | ForwardAgent yes | ||
- | ForwardX11 yes # for Linux | ||
- | # ForwardX11Trusted yes # for MacOSX | ||
- | Compression yes | ||
- | StrictHostKeyChecking no | ||
- | HashKnownHosts no | ||
- | |||
- | ### | ||
- | # internal gateway | ||
- | Host allo-psmn | ||
- | User <login PSMN> | ||
- | HostName allo-psmn.psmn.ens-lyon.fr | ||
- | |||
- | # connection to x5650comp1 from within ENS network | ||
- | Host comp1 | ||
- | User <login PSMN> | ||
- | Hostname x5650comp1 | ||
- | ProxyCommand ssh <login PSMN> | ||
- | |||
- | # connection to e5-2670comp2 from within ENS network | ||
- | Host comp2 | ||
- | User <login PSMN> | ||
- | Hostname e5-2670comp2 | ||
- | ProxyCommand ssh <login PSMN> | ||
- | |||
- | ### | ||
- | # external gateway | ||
- | Host allo-externe | ||
- | User <login PSMN> | ||
- | ProxyCommand ssh <login PSMN> | ||
- | # User <login ENS> | ||
- | # ProxyCommand ssh <login ENS> | ||
- | |||
- | # connection to x5650comp1 from outside ENS network | ||
- | Host comp1-ext | ||
- | User <login PSMN> | ||
- | HostName x5650comp1 | ||
- | ProxyCommand ssh <login PSMN> | ||
- | |||
- | # connection to e5-2670comp2 from outside ENS network | ||
- | Host comp2-ext | ||
- | User <login PSMN> | ||
- | Hostname e5-2670comp2 | ||
- | ProxyCommand ssh <login PSMN> | ||
- | |||
- | </ | ||
- | |||
- | You need to replace ''< | ||
- | |||
- | The list of connection servers to the PSMN is available | ||
- | |||
- | This example file already implements hops. For more explanations, | ||
- | |||
- | ==== MacOS X configuration example ==== | ||
- | |||
- | On MacOS X, you need to use the '' | ||
- | |||
- | * '' | ||
- | |||
- | <code bash config> | ||
- | Host * | ||
- | ServerAliveInterval 60 | ||
- | ForwardX11Timeout 1d | ||
- | TCPKeepAlive yes | ||
- | ForwardAgent yes | ||
- | # ForwardX11 yes # for Linux | ||
- | ForwardX11Trusted yes # for MacOSX | ||
- | Compression yes | ||
- | StrictHostKeyChecking no | ||
- | HashKnownHosts no | ||
- | |||
- | ### | ||
- | # internal gateway | ||
- | Host allo-psmn | ||
- | User <login PSMN> | ||
- | HostName allo-psmn.psmn.ens-lyon.fr | ||
- | |||
- | # connection to x5650comp1 from inside ENS network | ||
- | Host comp1 | ||
- | User <login PSMN> | ||
- | Hostname x5650comp1 | ||
- | ProxyCommand ssh <login PSMN> | ||
- | |||
- | # connection to e5-2670comp2 from inside ENS network | ||
- | Host comp2 | ||
- | User <login PSMN> | ||
- | Hostname e5-2670comp2 | ||
- | ProxyCommand ssh <login PSMN> | ||
- | |||
- | ### | ||
- | # external gateway | ||
- | Host allo-externe | ||
- | User <login PSMN> | ||
- | #HostName allo-psmn | ||
- | ProxyCommand ssh <login PSMN> | ||
- | |||
- | # connection to x5650comp1 from outside ENS network | ||
- | Host comp1-ext | ||
- | User <login PSMN> | ||
- | HostName x5650comp1 | ||
- | ProxyCommand ssh <login PSMN> | ||
- | |||
- | # connection to e5-2670comp2 from outside ENS network | ||
- | Host comp2-ext | ||
- | User <login PSMN> | ||
- | Hostname e5-2670comp2 | ||
- | ProxyCommand ssh <login PSMN> | ||
- | |||
- | </ | ||
- | |||
- | You need to replace ''< | ||
- | |||
- | The list of connection servers to the PSMN is available | ||
- | |||
- | This example file already implements hops. For more explanations, | ||
- | |||
- | |||
- | ==== export X for MacOS X ==== | ||
- | |||
- | |||
- | To be able to use " | ||
- | ==== Hops and multihops ==== | ||
- | |||
- | For more explanation on hops and their automation, [[en: |