ssh key generation and management.

Using ssh keys to log in to machines without having to know the password on the remote machine is convenient and also provides some additional security, because the password is never exposed. However, the security of the feature is only guaranteed by careful generation and protection of a good private key. You should always make sure that

The version of ssh installed on centrally managed machines (lxplus or SUE) at CERN is configured to accept your Kerberos/AFS token for authentication, so you will not usually need an ssh key to log in from one such CERN machine to another from an AFS account. More information about ssh at CERN is available from the CERN Computer Security Team at http://security.web.cern.ch/security/ssh/. Logging in to a non-AFS account (such as root) or to a machine without AFS installed can be achieved by configuring the target account to accept your ssh key. A simple recipe for doing this is given in the steps below.

You must also remember that SSH is only secure if it is not combined with some other insecure protocol such as telnet. You must use SSH end-to-end.

Choose a good password

Before you start you should choose a good password. You will be asked for this when you generate your key-pair. You MUST protect your private key by a good password. Advice on selecting a good password is available from CERN Computer Security Team at http://security.web.cern.ch/security/passwords/. It is also good practice to change the password periodically (this can be done with the ssh-keygen command).

Generate a good private key

For Linux/Unix, the OpenSSH package provides the ssh-keygen command to generate key pairs. Using the command

ssh-keygen -t rsa1

generates an RSA key. The default key length (which determines how hard the key is to 'crack') is 1024 bits; this is sufficient for most normal uses, and shorter key lengths should not be used. Longer key lengths can slow things down. The ssh-keygen command generates a key pair as shown in the example session below:

[lxplus038] ~ > ssh-keygen -t rsa1
Generating public/private rsa1 key pair.
Enter file in which to save the key (/afs/cern.ch/user/i/ineilson/.ssh/identity):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /afs/cern.ch/user/i/ineilson/.ssh/identity.
Your public key has been saved in /afs/cern.ch/user/i/ineilson/.ssh/identity.pub.
The key fingerprint is:
b0:4b:5b:1d:e7:fb:3e:82:f1:93:6b:9a:f3:cb:24:7f ineilson@lxplus038

Store the private key safely

Using the default locations, the file ~/.ssh/id_rsa contains your private key and ~/.ssh/id_rsa.pub contains your public key (for the rsa1 key type generated above, the files are ~/.ssh/identity and ~/.ssh/identity.pub, as the example session shows). The ssh-keygen command used above creates these files with the correct permissions, so that your private key is readable only by you. If you need to reset the permissions on these files, use the commands:

chmod 700 ~/.ssh
chmod go-rwx ~/.ssh/*

If you are using AFS at CERN it is also a good idea to store your private key in your private directory and link to it.

mkdir ~/private/ssh
mv ~/.ssh/identity ~/private/ssh
ln -s ~/private/ssh/identity ~/.ssh/identity

Enable your private key on a remote host

To enable your login on the remote host, you or the target machine's system administrator must append your public key (identity.pub) to the file authorized_keys in the ~/.ssh directory of the target user on the remote machine.
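As an added example (not part of the original page), a small POSIX sh script that performs this step: it creates the target ~/.ssh with the permissions recommended above, appends identity.pub to authorized_keys only if that exact key is not already present, and refuses a file that does not contain a single key line. The function names and the sample key are constructed for the example.

```sh
#!/bin/sh
# Added example, not from the original page: append a public key to a target
# account's ~/.ssh/authorized_keys as the section above describes, creating
# ~/.ssh with the permissions recommended earlier and skipping keys that are
# already present. Function names and the sample key below are constructed.

# Return 0 if PATH has exactly the octal MODE (e.g. has_mode ~/.ssh 700).
has_mode() {
    [ -n "$(find "$1" -prune -perm "$2" 2>/dev/null)" ]
}

# install_authorized_key PUBKEY_FILE TARGET_HOME
install_authorized_key() {
    pubkey_file=$1 target_home=$2
    sshdir="$target_home/.ssh"
    authfile="$sshdir/authorized_keys"

    # identity.pub must hold exactly one key line; refuse anything else so a
    # private key or a whole known_hosts file is never appended by mistake.
    if [ "$(grep -c '' "$pubkey_file")" -ne 1 ]; then
        echo "$pubkey_file: expected exactly one public-key line" >&2
        return 1
    fi
    pubkey=$(cat "$pubkey_file")

    # ~/.ssh readable and writable by the owner only (chmod 700, as above).
    mkdir -p "$sshdir" && chmod 700 "$sshdir"

    # Append only if this exact line is not already in authorized_keys.
    if [ -f "$authfile" ] && grep -qxF -e "$pubkey" "$authfile"; then
        echo "already present: $authfile"
    else
        printf '%s\n' "$pubkey" >> "$authfile"
        echo "appended to $authfile"
    fi
    chmod 600 "$authfile"
}

# Number of times the key in PUBKEY_FILE occurs in AUTHFILE.
count_key() {
    grep -cxF -e "$(cat "$1")" "$2"
}

# Demo on a throw-away home directory with a constructed (not real) public key.
demo_home=$(mktemp -d)
printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCexampleNotARealKey= ineilson@lxplus038' \
    > "$demo_home/identity.pub"
install_authorized_key "$demo_home/identity.pub" "$demo_home"   # appended
install_authorized_key "$demo_home/identity.pub" "$demo_home"   # already present
```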

Do I have to type the password every time I use ssh to connect?

No. You can use the commands ssh-agent and ssh-add to unlock your private key just once per session. See man ssh-agent for more details.

ssh-agent /bin/bash
ssh-add
Enter passphrase for ineilson@lxplus038:
Identity added: /afs/cern.ch/user/i/ineilson/.ssh/identity (ineilson@lxplus038)

What about DSA keys and Protocols 1 and 2?

SSH is a flexible and secure remote connection tool. The recipes given above cover only one of several combinations of key types and underlying connection protocols. The manual pages for SSH fully describe the other options and there can be much debate about which combination of options is most appropriate to use in any particular circumstance. However, the description above is the most appropriate for compatibility with software in use at CERN. See the CERN Computer Security Team's SSH homepage for more details.

Can I use SSH from Windows?

The PuTTY package, available for installation from CERN through the "Add or Remove Programs" icon on the Windows Control Panel, provides flexible and convenient functionality for SSH from Windows. Full documentation is included with the program, but the same rules always apply: use a good password and keep the private key safe.

Ian Neilson
September 17, 2004