wiki:SystemAdministration/Security/OpenSSH

Version 5 (modified by Sander Maijers, 9 years ago)

Fix, elaborate root login

Generating an OpenSSH key pair

Guidelines

  • Algorithm: ed25519 or RSA with 4096 bits
  • Supply a passphrase for your private key
  • Use a unique private/public key pair per server

Generating a new ssh private/public key pair

Issue the following command in '~/.ssh':

# using ed25519:
ssh-keygen -t ed25519 -C "<email>" -f <username>@<hostname>

# using rsa 4096 bits:
ssh-keygen -t rsa -b 4096 -C "<email>" -f <username>@<hostname>

where:

  • <email> is your email address; it is included in the key as a comment and allows the administrators to contact you in case of questions
  • <username> is your username on the server
  • <hostname> is the fully qualified hostname of the server

Example

To generate a key pair for user 'wilelb' with the email address 'willem@clarin.eu' on the 'clarinvm.ics.muni.cz' server, the following command would be used:

ssh-keygen -t ed25519 -C "willem@clarin.eu" -f wilelb@clarinvm.ics.muni.cz

This will create two new files, the private and public (.pub) key, in your current working directory:

-rw-------  1 wilelb  staff    464 Jul  7 12:38 wilelb@clarinvm.ics.muni.cz
-rw-r--r--  1 wilelb  staff     98 Jul  7 12:38 wilelb@clarinvm.ics.muni.cz.pub

OSX

If ed25519 is not available on OSX, install openssh via homebrew (reference).

Configuring an OpenSSH client and server for secure root login

Suppose you want to be able to log in to host B from host A, both as your own user and as the superuser. You need the latter in case you want to use e.g. rsync from B to A as superuser to read otherwise inaccessible files on B's filesystem. You want to use key pairs with passphrase-protected private keys and no password authentication. The only places where passwords play any role are your OS account and sudo. You want the barrier to logging in as root to be at least as strong as logging in as your user and then running sudo su.

Generate two key pairs, with base file names root@B and yourusername@B.

Edit your OpenSSH client configuration on A to point to the file paths of these keys, for instance in ~/.ssh/config:

Match originalhost B
    HostName B.Bdomain.Btld
Match originalhost B user root
    IdentityFile "%d/.ssh/keypairs/root@B"
    ProxyCommand ssh yourusername@B -W %h:%p
Match originalhost B user yourusername
    IdentityFile "%d/.ssh/keypairs/yourusername@B"

Make sure you can log in to B as your user and that you are allowed to perform sudo -e. Also make sure that the OpenSSH server configuration is otherwise secure, for instance by forbidding any authentication method other than PubkeyAuthentication. Now edit the OpenSSH server configuration, /etc/ssh/sshd_config, and put the following at the end of the file:

PermitRootLogin no

Match Address {WAN-IP-B}
    PermitRootLogin without-password

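Replace {WAN-IP-B} with the WAN IP address of B (as in, the IP address that A uses to refer to B). Because of the ProxyCommand in the client configuration, the root connection reaches the OpenSSH server from B itself, so this Match block permits root login only for connections that originate from that address. In OpenSSH 7.0 and later the value without-password is a deprecated alias of prohibit-password. Restart the OpenSSH daemon.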
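An added example (not part of the original wiki page): a shell function that audits an sshd_config file against the policy above. It also shows why the snippet belongs at the end of the file: every line after a Match line is part of that block. The function name audit_sshd_config and the address 192.0.2.10 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit an sshd_config file against the policy described above.
# Assumptions: Include files are not followed and quoted values are not parsed.
audit_sshd_config() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }              # skip comments and blank lines
    {
        line = $0; sub(/^[ \t]+/, "", line)
        split(line, f, /[ \t=]+/)                  # "Key value" or "Key=value"
        key = tolower(f[1]); val = tolower(f[2])
        if (key == "match") { in_match = 1; crit = line; next }
        if (!in_match) {                           # global section: first value wins
            if (!(key in global)) global[key] = val
        } else if (key == "permitrootlogin" && val != "no" &&
                   val != "without-password" && val != "prohibit-password") {
            print "FAIL: [" crit "] permits root login with: " val; bad++
        } else if (key == "passwordauthentication" && val != "no") {
            print "FAIL: [" crit "] re-enables password authentication"; bad++
        } else if (key == "passwordauthentication") {
            scoped_pw = crit                       # "no", but only inside this Match block
        }
    }
    END {
        if (global["permitrootlogin"] != "no") {
            print "FAIL: global PermitRootLogin is not \"no\""; bad++
        }
        if (global["passwordauthentication"] != "no") {
            print "FAIL: PasswordAuthentication is not \"no\" in the global section"; bad++
            if (scoped_pw != "")
                print "NOTE: it is set only inside [" scoped_pw "]; move it above the first Match line"
        }
        exit (bad > 0)
    }' "$1"
}

# Constructed sample: the snippet from this page with one line appended after
# the Match block, where it silently becomes part of that block.
sample=$(mktemp)
cat > "$sample" <<'EOF'
PermitRootLogin no

Match Address 192.0.2.10
    PermitRootLogin without-password
PasswordAuthentication no
EOF
audit_sshd_config "$sample" || echo "sshd_config does not meet the policy"
rm -f "$sample"
```

On the server itself, sshd -t checks the syntax of the edited file before you restart the daemon.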

You now have the following setup:

https://trac.clarin.eu/attachment/wiki/ssh_key/OpenSSH%20root%20config.png

Logging in

Using this setup is rather simple: ssh yourusername@B or ssh root@B

When authenticating as root, you will be asked for both the passphrase of the private key you associated with yourusername and that of the private key for root.

rsync root@B:/etc/hostname /tmp/hostname

Final remarks

Only use the root private key when it's absolutely necessary.

This way you concentrate your activity within the easier-to-audit sudo framework, and you reduce your susceptibility to compromise of the passphrase for root@B by means of keylogging on A.

$ brew update
$ brew tap homebrew/dupes
$ brew install homebrew/dupes/openssh
