Difference between revisions of "Passphrase for ssh-keys"

From Notes_Wiki
m
m
 
(2 intermediate revisions by the same user not shown)
Line 1: Line 1:
<yambe:breadcrumb>OpenSSH server configuration|OpenSSH</yambe:breadcrumb>
[[Main Page|Home]] > [[CentOS]] > [[CentOS 6.x]] > [[OpenSSH server configuration]] > [[Passphrase for ssh-keys]]
=Passphrase for ssh-keys=


When our public key, private key etc. can be used to access some sensitive information that it makes sense to protect our keys with some passphrase. If you already have keys without passphrase then you can set passphrase for them using
When our public key, private key etc. can be used to access some sensitive information that it makes sense to protect our keys with some passphrase. If you already have keys without passphrase then you can set passphrase for them using
Line 21: Line 20:
command and enter passphrase only once. Now shell would remember the passphrase and you can ssh to various servers with keys protected by passphrase without requiring to enter passphrase for each login. ssh-agent started in this manner automatically closes whenever shell exits, so we do not have to worry about security problems because of added keys once we have exited shell.
command and enter passphrase only once. Now shell would remember the passphrase and you can ssh to various servers with keys protected by passphrase without requiring to enter passphrase for each login. ssh-agent started in this manner automatically closes whenever shell exits, so we do not have to worry about security problems because of added keys once we have exited shell.


To execute ssh-agent automatically on remote machines during SSH use:
<pre>
    eval `ssh-agent -s`
</pre>
in ~/.bashrc.  This was learned from http://stackoverflow.com/questions/17846529/could-not-open-a-connection-to-your-authentication-agent




Line 44: Line 48:
</pre>
</pre>


==Extracting public key in .pub ssh format from .pem files==
If SSH identity file is in PEM format (such as ones provided by AWS) then public key can be exported from pem to pub format using:
<pre>
ssh-keygen -y -f amazon-saurabh.pem > amazon-saurabh.pub
</pre>




<yambe:breadcrumb>OpenSSH server configuration|OpenSSH</yambe:breadcrumb>
[[Main Page|Home]] > [[CentOS]] > [[CentOS 6.x]] > [[OpenSSH server configuration]] > [[Passphrase for ssh-keys]]

Latest revision as of 09:47, 14 July 2022

Home > CentOS > CentOS 6.x > OpenSSH server configuration > Passphrase for ssh-keys

When our public key, private key etc. can be used to access some sensitive information that it makes sense to protect our keys with some passphrase. If you already have keys without passphrase then you can set passphrase for them using

   ssh-keygen -p

The same command can be used to change passphrase for existing keys.


Using agent for authentication

Now when one uses key based authentication he/she is asked for passphrase for key based authentication to work. If we are going to use key based authentication a lot then this asking of passphrase so many times can be irritating. To solve that problem replace current shell with ssh-agent using:

   exec $(which ssh-agent) $SHELL

then use

   ssh-add

command and enter passphrase only once. Now shell would remember the passphrase and you can ssh to various servers with keys protected by passphrase without requiring to enter passphrase for each login. ssh-agent started in this manner automatically closes whenever shell exits, so we do not have to worry about security problems because of added keys once we have exited shell.

To execute ssh-agent automatically on remote machines during SSH use:

    eval `ssh-agent -s`

in ~/.bashrc. This was learned from http://stackoverflow.com/questions/17846529/could-not-open-a-connection-to-your-authentication-agent


Using Agent Forwarding for convenient ssh from remote machines

Consider situation where Client C1 has key based access to servers S1 and S2. Now if client tries to connect to S1 using SSH the agent can authorized the client and connection would get established without needing any password. But now if client tries to SSH to S2 from S1 then client would be forced to enter password as the clients key located on C1 is not automatically used by S1. To use C1's key while C1 is connected to S1, one can use 'ForwardAgent' option such as:

ssh -X root@<S1> -o 'ForwardAgent=yes'

This assumes two things:

Now if client tries to SSH to S2 then the keys located on clients machine can be used for authentication with the help of a local agent. More information on this can be read from http://www.unixwiz.net/techtips/ssh-agent-forwarding.html


Obtaining fingerprint of existing keys

To obtain fingerprint of existing keys use:

ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub


Home > CentOS > CentOS 6.x > OpenSSH server configuration > Passphrase for ssh-keys