Monday, May 19, 2014

Authentication without password using OpenSSH Key, certificates .pem and .pub

Experimenting with Amazon AWS virtual server instances, I found out, that using a pre-generated file - key or certificate known both to server and client, the client does not have to connect to server using password. It is easy, when connecting to server using ssh command line with -i parameter (identity file), pass a link to .pem file stored on you local computer, for example:

$ ssh -i ~/ec2.pem ubuntu@12.34.56.78

Ec2.pem is a file containing public certificate, ubuntu is username and then add @your.public.ip.address or hostname. PEM file is not hard to get, for example Amazon AWS EC2 Console will let you generate this file.

Server with SSH access and password - enable authentication without using password

I have recently paid for a server in German hosting company Hetzner, they provided me with login information: my public IP address, username: root and password: pre-generated password. It is a standard procedure, now how to make this work without using password, using just a .pem file?
  1. First step is to generate Key Pair and PEM file.
  2. Next step is to upload certificate to your remote server in command line using SSH, first time with password.
  3. Last step, testing connection client to server without using a password.

1) How to generate a Key Pair for authentication without password

$ ssh-keygen -t rsa -b 2048 -v

Enter this command to generate 2,048 bit RSA key using verbose (questions asked during) mode, and a public .pem X.509 certificate.

Generating public/private rsa key pair.
Enter file in which to save the key (/home/anonymouse/.ssh/id_rsa): hetzner
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in hetzner.
Your public key has been saved in hetzner.pub.
The key fingerprint is:
bb:c6:9c:ee:6b:c0:67:58:b2:bb:4b:44:72:d3:cc:a5 localhost@localhost
The key's randomart image is:

You will be asked for a file name, I inserted a name of the hosting provider hetzner, it will generate a hetzner.pub file and the hetzner file without file extension, rename it to hetzner.pem, files are created in the current directory you have open in terminal window. You will be asked to enter passphrase, it is for securing the certificate on your local machine, I ignored this option by pressing enter, as it is voluntary option and I feel confident about my local computer security.

2) Uploading the generated certificate from client computer to server

This is done so server can recognize client, the both have access to these certificates and compare them. To upload certificate on the server, we need to establish a secure connection and this time, if everything goes well, it may be the last time using the password.

$ ssh-copy-id -i ~/hetzner.pub root@12.34.56.78

root@12.34.56.78's password: 
Now try logging into the machine, with "ssh 'root@12.34.56.78'", and check in: ~/.ssh/authorized_keys to make sure we haven't added extra keys that you weren't expecting, you may still want to use a password. 

So to check, id you have successfully uploaded your key to the server, login to the server:

$ sudo nano ~/.ssh/authorized_keys or $ sudo cat ~/.ssh/authorized_keys, you should see a file with a one or more lines of random characters, these are the uploaded or generated keys known to this machine.

Mine ~/.ssh/authorized_keys looks like this, i cut off few hundred of characters from right of both lines:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAX ...
ssh-rsa AQCqFd4B798zz9Lu+a3jGjhVXBRx ...

Each line is a ssh-rsa key, you may want to check that you accidentally did not upload anything unwanted, but first of all, one of the lines should contain the exactly same content, as the hetzner.pub (your .pub file, that was uploaded), you may open .pub file in any text editor on you local machine to make sure,

3) Test the connection

$ sudo ssh -i ~/hetzner.pem root@12.34.56.78

Should connect you without using a password, notice, that I am not using .pub but .pem now, that is a file hetzner, that we have renamed in step 1 to hetzner.pem. You may have to confirm the Key Pair with "yes" on the first login. Both files were generated in step 1 using $ ssh-keygen -t rsa -b 2048 -v command, but one is generated bwithout suffix.

On client side

If you do not wish to supply the key path every time on client computer when connecting to remote server, one must tell OpenSSH where to look for private key, by default it looks in ~/.ssh/id_rsa and other folders, use ssh with -v parameter, verbose mode will print what it does step by step on screen. Usually this file should contain something like

-----BEGIN RSA PRIVATE KEY-----
fjksdfjsdlfjksdlfjlsdjfsdl0GrdNS326iv4CcJHASJ2EMpXnIaUpBtc5U2SY14yq8/4gfRLHLdbwzzx/O
PEjlPv1BX4OJlxSWtKPaQsb5QsgwJseoNmBl1djTSY3haZS9P89MsNKiqlv1XtwbcMYOQRVydFdn
.....
.....
......
NHfo3MomYtSoawyBFfsdfsdfasdfasdfasdfasJKJFLSJLDJKSJDVXG58e2Vn7vmY4DYHDDkBd3Y=
-----END RSA PRIVATE KEY-----
You may have this file with .pem suffix. Pem is your private key, unlike .pub - the public key, private key stays always only on you computer, newer give up your private key. Content of  ~/.ssh/id_rsa can be replaced with .pem file, it works fine, no conversion is needed.

Two or more private keys

If you have more servers and you wish to connect using multiple private keys, create ~/.ssh/config file, that contain following lines:
Host server1 server1.company.com
Hostname 12.34.56.78
User ubuntu
IdentityFile /media/11361B1123123634/server1.pem

Host server2 server2.company.com
Hostname server2.company.com
User root
IdentityFile /media/11361B1123123634/server2.pem

Host myPC myPC.local
Hostname 192.168.0.106
User mike
IdentityFile /home/mike/.ssh/id_rsa
This file is recognized by ssh by default, it must be named config full path: ~/.ssh/config and if you wish to use sudo (for example later in cron with rsync), this file must be also accessible as /root/.ssh/config. In above file /media/11361B1123123634/ is my encrypted USB drive, so the upper two connections works only if the drive is mounted. In Host, first name is short name that can be used with ssh command, for example:
$ ssh server1
This should now connect you to server1.company.com without typing a password, this way also rsync and other command that use ssh may be used to work with other servers without supplying typed or visible passwords every time they communicate.

Troubleshooting

Agent admitted failure to sign using the key

If you do some changes in permissions, change file location, you may need to run this on the client machine to get rid of the Agent admitted failure to sign using the key. error message.

# eval "$(ssh-agent)"
# ssh-add

Permissions on clients ~/.ssh should be dr-xr-x---

# chmod 550 .ssh

Troubles with key path, rsync prompting for password when should not

If using rsync with sudo, it looks for key file in /root/.ssh/config not in /home/user/.ssh/config, so be sure to copy or link this file to correct location, otherwise ssh and scp will be working fine while rsync will prompt for password.

0 comments: