Changes between Version 5 and Version 6 of SystemAdministration/Security/OpenSSH

Timestamp:

07/21/15 12:54:21 (9 years ago)

Author:

Sander Maijers

Comment:

--

SystemAdministration/Security/OpenSSH

@@ -8 +8 @@
 == Generating a new ssh private/public key pair ==
 
+
 Issue the following command in '~/.ssh':
 {{{
-# using ed25519:
-ssh-keygen -t ed25519 -C "<email>" -f <username>@<hostname>
+ssh-keygen -t ed25519 -C "<description>" -f <username>@<host_shorthand>
+}}}
 
-#using rsa 4096 bits:
-ssh-keygen -t rsa -b 4096 -C  "<email>" -f <username>@<hostname>
+Ed25519 is advised as it is fast, small and particularly secure (has all paraneters set to known secure values by default). If you must use something else, use RSA:
+{{{
+ssh-keygen -t rsa -o -b 2048 -C  "<description>" -f <username>@<host_shorthand>
 }}}
 where:
- * <email> is your email address, this will be included as a comment and allows the administrators to contact you in case of questions.
- * <username> is your username on the server
- * <hostname> is the fully qualified hostname of the server
+ * <description> describes: your identity (suggested: your common Unix username), the date the key was generated and if possible more details.
+ * <username> is your OS username on the host the key pair is used to log in to.
+ * <hostname> is the shorthand in `~/.ssh/config` or, if absent, the canonical FQDN of the host the key pair is used to log in to.
 
-== Example ==
+For example: 
+{{{
+ssh-keygen -t ed25519 -C 'sanmai 21-7-2015' -n sanmai -f ~/.ssh/sanmai@clarinvm
 
-In order to generate a key pair for user 'wilelb' with the email adress 'willem@clarin.eu' on the 'clarinvm.ics.muni.cz' server, the following command would be used:
-{{{
+ssh-keygen -t ed25519 -C 'sanmai -> root 21-7-2015' -n root -f ~/.ssh/root@clarinvm
+
 ssh-keygen -t ed25519 -C "willem@clarin.eu" -f wilelb@clarinvm.ics.muni.cz
 }}}
 
-This will create two new files, the private and public (.pub) key, in your current working directory:
+This will create two new files, the private and public (same file name, with postfix `.pub`) key at the specified paths:
 {{{
 -rw-------  1 wilelb  staff    464 Jul  7 12:38 wilelb@clarinvm.ics.muni.cz
@@ -34 +38 @@
 }}}
 
-== OSX ==
+== Mac OS X ==
 
-If ed25519 is not available on OSX, install `openssh` via homebrew ([http://epocsquadron.com/a-comprehensive-ssh-key-primer/ reference]). 
+If Ed25519 is not available on your computer, install `openssh` via homebrew ([http://epocsquadron.com/a-comprehensive-ssh-key-primer/ reference]). 
+
+{{{
+$ brew update
+$ brew tap homebrew/dupes
+$ brew install homebrew/dupes/openssh
+}}}
 
 = Configuring an OpenSSH client and server for secure root login =
@@ -42 +52 @@
 Suppose you want to be able to log in to host B from host A, both as your user and as the superuser. The latter you need in case you want to use e.g. `rsync` from B to A as superuser to read otherwise inaccessible files on B's filesystem. You want to use key pairs with passphrase-protected private keys and no password authentication. The only exception where passwords are at play at all, is for your OS account and `sudo`. You want the barrier to log in as root to be at least as strong as logging in as your user and then performing `sudo su`.
 
-Generate two key pairs, with base file names `root@B` and `yourusername@B`. 
-
-Edit your OpenSSH client configuration on A to point to the file paths of these keys, for instance:
+* Generate two key pairs, with base file names `root@B` and `yourusername@B`. 
+* Make sure the contents of the public keys you generated have been appended to respectively `B:/root/.ssh/authorized_keys` and `B:/home/yourusername/.ssh/authorized_keys`.
+* Edit your OpenSSH client configuration on A to point to the file paths of these keys, for instance:
 `~/.ssh/config`:
 {{{
@@ -56 +66 @@
 }}}
 
-Make sure you can log in to B as your user and that you are allowed to perform `sudo -e`. Also make sure that the OpenSSH server configuration is otherwise secure, f.i. forbidding any authentication method other than `PubKeyAuthentication`.
-Now edit the OpenSSH server configuration and put at the end of the file:
+* Make sure you can log in to B as your user and that you are allowed to perform `sudo -e`. Also make sure that the OpenSSH server configuration is otherwise secure, f.i. forbidding any authentication method other than `PubKeyAuthentication`.
+* Now edit the OpenSSH server configuration and put at the end of the file:
 `/etc/ssh/sshd_config`:
 {{{
@@ -66 +76 @@
 }}}
 
-Replace {WAN-IP-B} with the WAN IP address of B (as in, the IP address that A uses to refer to B). Restart the OpenSSH daemon.
+* Replace `{WAN-IP-B}` with the WAN IP address of B (as in, the IP address that A uses to refer to B). 
+* Restart the OpenSSH daemon.
 
 You now have the following setup: 
 
-[[Image(https://trac.clarin.eu/attachment/wiki/ssh_key/OpenSSH%20root%20config.png)]]
+[[Image(OpenSSH root config.svg)]]
 
 == Logging in ==
 Using this setup is rather simple:
 `ssh yourusername@B`
-or
+vs.
 `ssh root@B`
 
 When authenticating as root, you will be asked both the passphrase of the private key you associated with yourusername as well as that or the private key for root.
-
+You can verify that `rsync` etc. work as well, without `sudo`:
 `rsync root@B:/etc/hostname /tmp/hostname`
 
@@ -85 +96 @@
 '''Only use the root private key when it's absolutely necessary.'''
 
-This way you concentrate your activity within the easier to audit sudo framework, and you will reduce your susceptibility to compromise of the passphrase for root@B by means of keylogging on A.
-
-{{{
-$ brew update
-$ brew tap homebrew/dupes
-$ brew install homebrew/dupes/openssh
-}}}
+This way you concentrate your activity within the easier to audit `sudo` framework, and you will reduce your susceptibility to a compromise of the passphrase for root@B due to keylogging on A.