Thursday 4 July 2013

How to configure ssh-agent on AIX

Technote (FAQ)

How do I protect my ssh keys from unauthorized use?

Answer

You can protect ssh keys from unauthorized use by using a passphrase and letting ssh-agent manage your keys.

1. Generate key pair with a passphrase.

If you already have keys set up with an empty passphrase, you can add a passphrase to the existing private key with ssh-keygen -p:
# ssh-keygen -p
Enter file in which the key is (/home/testuser/.ssh/id_rsa):
Key has comment '/home/testuser/.ssh/id_rsa'
Enter new passphrase (empty for no passphrase): <ENTER PASSPHRASE HERE>
Enter same passphrase again:
Your identification has been saved with the new passphrase.

No changes are necessary on the remote host, since we are using the same key pair.

If you have not yet set up your keys, you can do that with ssh-keygen as well.
# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/testuser/.ssh/id_rsa):
Enter passphrase (empty for no passphrase): <ENTER PASSPHRASE HERE>
Enter same passphrase again:
Your identification has been saved in /home/testuser/.ssh/id_rsa.
Your public key has been saved in /home/testuser/.ssh/id_rsa.pub.
The key fingerprint is:
fa:c8:4d:a3:85:40:92:b2:f4:b9:44:b6:fb:87:f1:47 testuser@testserver1
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|   .             |
|..oo.            |
|.o+oo            |
|.  =.   S        |
|  . oo o E       |
|   o  * =        |
|    .o X o       |
|     .= +        |
+-----------------+
Then add the public key to the $HOME/.ssh/authorized_keys file on the remote host.

2. Test your keys.

When you login to the remote host, you will be prompted for your passphrase but should not be prompted for a login password. If you are prompted for a password, we will need to troubleshoot the key setup before proceeding.

3. Start the ssh-agent

If you run ssh-agent with no arguments, it writes to standard output the shell commands you need to run to set the necessary environment variables:
# ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-CSje397480/agent.397480; export SSH_AUTH_SOCK;
SSH_AGENT_PID=454734; export SSH_AGENT_PID;
echo Agent pid 454734;

However, to save a few steps, you can have the shell execute those statements directly by wrapping the call in 'eval':
# eval `ssh-agent`
Agent pid 397486
# env |grep SSH_A
SSH_AUTH_SOCK=/tmp/ssh-GsJh205030/agent.205030
SSH_AGENT_PID=397486

4. Add your key to the agent

The next step is to add your key to the agent with ssh-add. If ssh-add is run with no arguments, it will add ~/.ssh/id_rsa, ~/.ssh/id_dsa and ~/.ssh/identity and prompt you for their associated passphrases.
# ssh-add
Enter passphrase for /home/testuser/.ssh/id_rsa:
Identity added: /home/testuser/.ssh/id_rsa (/home/testuser/.ssh/id_rsa)

5. Test

Now that the ssh-agent holds the decrypted key, you have "unlocked" your keys: the agent answers the authentication challenge on your behalf whenever ssh needs the key, so you are not asked for the passphrase again for the lifetime of the agent.

Try to ssh to the remote host that you added your public key to. You should get logged in without a prompt.
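One practical problem with steps 3 to 5 is that running `eval \`ssh-agent\`` in every new login starts a new agent each time and leaves the old ones running, each still holding an unlocked key. The script below is an added example, not part of the IBM technote: it saves ssh-agent's output (the same "VAR=value; export VAR;" lines shown in step 3) to a private file, and later logins re-read that file and verify the agent is still alive, owned by the user and reachable through a non-world-accessible socket before trusting it. It parses the two variables out of the file instead of sourcing it with '.' or eval, so a tampered file cannot run commands. It assumes POSIX sh/ksh (as on AIX), that ssh-agent and ssh-add are in PATH, and the file name AGENT_ENV and the function names are choices made here.

```shell
#!/bin/sh
# Added example (not from the technote): reuse one ssh-agent across logins.
# Assumes POSIX sh/ksh and ssh-agent/ssh-add in PATH; AGENT_ENV is a name
# chosen for this example.

AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent.env}"

# parse_agent_env [file]: pull SSH_AUTH_SOCK and SSH_AGENT_PID out of
# ssh-agent's stdout format and print them as NAME=VALUE, one per line.
# Extracting the two values is safer than '.'/eval on the saved file,
# which would execute whatever someone managed to write into it.
parse_agent_env() {
    awk -F'[=;]' '/^(SSH_AUTH_SOCK|SSH_AGENT_PID)=/ { print $1 "=" $2 }' "$@"
}

# agent_alive SOCK PID: succeed only if PID is running and SOCK is a
# socket owned by us with no group/other permissions. ssh-agent creates
# it mode 0600 inside a 0700 directory; anything looser is suspicious.
agent_alive() {
    sock=$1 pid=$2
    [ -n "$sock" ] && [ -n "$pid" ] || return 1
    [ -S "$sock" ] && [ -O "$sock" ] || return 1
    case $(ls -ld "$sock") in s???------*) ;; *) return 1 ;; esac
    kill -0 "$pid" 2>/dev/null
}

# agent_load: restore the agent variables from AGENT_ENV if that agent is
# still usable; fail otherwise so the caller can start a fresh one.
agent_load() {
    [ -f "$AGENT_ENV" ] && [ -O "$AGENT_ENV" ] || return 1
    SSH_AUTH_SOCK= SSH_AGENT_PID=
    for kv in $(parse_agent_env "$AGENT_ENV"); do
        case $kv in
            SSH_AUTH_SOCK=*) SSH_AUTH_SOCK=${kv#SSH_AUTH_SOCK=} ;;
            SSH_AGENT_PID=*) SSH_AGENT_PID=${kv#SSH_AGENT_PID=} ;;
        esac
    done
    agent_alive "$SSH_AUTH_SOCK" "$SSH_AGENT_PID" || return 1
    export SSH_AUTH_SOCK SSH_AGENT_PID
}

# agent_start: start a new agent and save its output with mode 0600.
agent_start() {
    ( umask 077; ssh-agent -s > "$AGENT_ENV" ) || return 1
    agent_load
}

# agent_ensure: what a .profile would call: reuse the saved agent or start one.
agent_ensure() {
    agent_load || agent_start
}

# agent_status: classify the exit status of 'ssh-add -l'
# (0 = identities loaded, 1 = agent reachable but empty, 2 = no agent).
agent_status() {
    ssh-add -l >/dev/null 2>&1
    case $? in
        0) echo keys-loaded ;;
        1) echo no-keys ;;
        *) echo no-agent ;;
    esac
}

# Usage: sh agent.sh ensure   (from .profile)   |   sh agent.sh status
case ${1:-} in
    ensure) agent_ensure && agent_status ;;
    status) agent_status ;;
esac
```

After `agent_ensure` reports no-keys, run ssh-add as in step 4; the next login will find the same agent through the saved file and report keys-loaded without prompting again. Because the file only ever holds a socket path and a pid, leaking it tells an attacker nothing they could not read from /tmp, and the ownership and permission checks in agent_alive refuse a socket that has been replaced or loosened.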
