Experimenting with Amazon AWS virtual server instances, I found
out, that using a pre-generated file - key or certificate known both to
server and client, the client does not have to connect to server using
password. It is easy, when connecting to server using ssh command line
with -i parameter (identity file), pass a link to .pem file stored on
you local computer, for example:
$ ssh -i ~/ec2.pem ubuntu@12.34.56.78
Ec2.pem is a file containing public certificate, ubuntu is username
and then add @your.public.ip.address or hostname. PEM file is not hard
to get, for example Amazon AWS EC2 Console will let you generate this
file.
Server with SSH access and password - enable authentication without using password
I have recently paid for a server in German hosting company
Hetzner, they provided me with login information: my public IP address,
username: root and password: pre-generated password. It is a standard
procedure, now how to make this work without using password, using just a
.pem file?
- First step is to generate Key Pair and PEM file.
- Next step is to upload certificate to your remote server in command line using SSH, first time with password.
- Last step, testing connection client to server without using a password.
1) How to generate a Key Pair for authentication without password
$ ssh-keygen -t rsa -b 2048 -v
Enter this command to generate 2,048 bit RSA key using verbose
(questions asked during) mode, and a public .pem X.509 certificate.
Generating public/private rsa key pair.
Enter file in which to save the key (/home/anonymouse/.ssh/id_rsa):
hetznerEnter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in hetzner.
Your public key has been saved in hetzner.pub.
The key fingerprint is:
bb:c6:9c:ee:6b:c0:67:58:b2:bb:4b:44:72:d3:cc:a5 localhost@localhost
The key's randomart image is:
You will be asked for a file name, I inserted a name of the hosting
provider hetzner, it will generate a hetzner.pub file and the hetzner
file without file extension, rename it to hetzner.pem, files are created
in the current directory you have open in terminal window. You will be
asked to enter passphrase, it is for securing the certificate on your
local machine, I ignored this option by pressing enter, as it is
voluntary option and I feel confident about my local computer security.
2) Uploading the generated certificate from client computer to server
This is done so
server can recognize client, the both have access to these certificates
and compare them. To upload certificate on the server, we need to
establish a secure connection and this time, if everything goes well, it
may be the last time using the password.
$ ssh-copy-id -i ~/hetzner.pub root@
12.34.56.78
root@12.34.56.78's password:
Now try logging into the machine, with "ssh 'root@12.34.56.78'", and check in:
~/.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting, you may still want to use a password.
So to check, id you have successfully uploaded your key to the server, login to the server:
$ sudo nano ~/.ssh/authorized_keys
or $ sudo cat
~/.ssh/authorized_keys
,
you should see a file with a one or more lines of random characters,
these are the uploaded or generated keys known to this machine.
Mine
~/.ssh/authorized_keys
looks like this, i cut off few hundred of characters from right of both lines:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAX ...
ssh-rsa
AQCqFd4B798zz9Lu+a3jGjhVXBRx ...
Each line is a ssh-rsa key, you may want to check that you
accidentally did not upload anything unwanted, but first of all, one of
the lines should contain the exactly same content, as the hetzner.pub
(your .pub file, that was uploaded), you may open .pub file in any text
editor on you local machine to make sure,
3) Test the connection
$ sudo ssh -i ~/hetzner.pem root@12.34.56.78
On client side
If you do not wish to supply the key path every time on client computer when connecting to remote server, one must tell OpenSSH where to look for private key, by default it looks in ~/.ssh/id_rsa and other folders, use ssh with -v parameter, verbose mode will print what it does step by step on screen. Usually this file should contain something like-----BEGIN RSA PRIVATE KEY-----
fjksdfjsdlfjksdlfjlsdjfsdl0GrdNS326iv4CcJHASJ2EMpXnIaUpBtc5U2SY14yq8/4gfRLHLdbwzzx/O
PEjlPv1BX4OJlxSWtKPaQsb5QsgwJseoNmBl1djTSY3haZS9P89MsNKiqlv1XtwbcMYOQRVydFdn
.....
.....
......
NHfo3MomYtSoawyBFfsdfsdfasdfasdfasdfasJKJFLSJLDJKSJDVXG58e2Vn7vmY4DYHDDkBd3Y=
-----END RSA PRIVATE KEY-----
You may have this file with .pem suffix. Pem is your private key, unlike .pub - the public key, private key stays always only on you computer, newer give up your private key. Content of ~/.ssh/id_rsa can be replaced with .pem file, it works fine, no conversion is needed.
Two or more private keys
If you have more servers and you wish to connect using multiple private keys, create ~/.ssh/config file, that contain following lines:Host server1 server1.company.com
Hostname 12.34.56.78
User ubuntu
IdentityFile /media/11361B1123123634/server1.pem
Host server2 server2.company.com
Hostname server2.company.com
User root
IdentityFile /media/11361B1123123634/server2.pem
Host myPC myPC.local
Hostname 192.168.0.106
User mike
IdentityFile /home/mike/.ssh/id_rsa
$ ssh server1
Troubleshooting
Agent admitted failure to sign using the key
If you do some changes in permissions, change file location, you may need to run this on the client machine to get rid of the Agent admitted failure to sign using the key. error message.
# eval "$(ssh-agent)"
# ssh-add
Permissions on clients ~/.ssh should be dr-xr-x---
# chmod 550 .ssh
0 comments:
Post a Comment