Difference between revisions of "Passphrase for ssh-keys"
m |
m |
||
Line 35: | Line 35: | ||
Now if client tries to SSH to S2 then the keys located on clients machine can be used for authentication with the help of a local agent. More information on this can be read from http://www.unixwiz.net/techtips/ssh-agent-forwarding.html | Now if client tries to SSH to S2 then the keys located on clients machine can be used for authentication with the help of a local agent. More information on this can be read from http://www.unixwiz.net/techtips/ssh-agent-forwarding.html | ||
==Obtaining fingerprint of existing keys== | |||
To obtain fingerprint of existing keys use: | |||
<pre> | |||
ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub | |||
</pre> | |||
==Extracting public key in .pub ssh format from .pem files== | |||
If SSH identity file is in PEM format (such as ones provided by AWS) then public key can be exported from pem to pub format using: | |||
<pre> | |||
ssh-keygen -y -f amazon-saurabh.pem > amazon-saurabh.pub | |||
</pre> | |||
<yambe:breadcrumb>OpenSSH server configuration|OpenSSH</yambe:breadcrumb> | <yambe:breadcrumb>OpenSSH server configuration|OpenSSH</yambe:breadcrumb> |
Revision as of 07:06, 8 November 2013
<yambe:breadcrumb>OpenSSH server configuration|OpenSSH</yambe:breadcrumb>
Passphrase for ssh-keys
When our public key, private key etc. can be used to access some sensitive information that it makes sense to protect our keys with some passphrase. If you already have keys without passphrase then you can set passphrase for them using
ssh-keygen -p
The same command can be used to change passphrase for existing keys.
Using agent for authentication
Now when one uses key based authentication he/she is asked for passphrase for key based authentication to work. If we are going to use key based authentication a lot then this asking of passphrase so many times can be irritating. To solve that problem replace current shell with ssh-agent using:
exec $(which ssh-agent) $SHELL
then use
ssh-add
command and enter passphrase only once. Now shell would remember the passphrase and you can ssh to various servers with keys protected by passphrase without requiring to enter passphrase for each login. ssh-agent started in this manner automatically closes whenever shell exits, so we do not have to worry about security problems because of added keys once we have exited shell.
Using Agent Forwarding for convenient ssh from remote machines
Consider situation where Client C1 has key based access to servers S1 and S2. Now if client tries to connect to S1 using SSH the agent can authorized the client and connection would get established without needing any password. But now if client tries to SSH to S2 from S1 then client would be forced to enter password as the clients key located on C1 is not automatically used by S1. To use C1's key while C1 is connected to S1, one can use 'ForwardAgent' option such as:
ssh -X root@<S1> -o 'ForwardAgent=yes'
This assumes two things:
- authorized_keys file on S1 does not restricts agent-forwarding. See Configuring authorized_keys file for public key based access
- connection to S1 is established using agent after using 'exec $(which ssh-agent) $SHELL' and 'ssh-add' and not directly.
Now if client tries to SSH to S2 then the keys located on clients machine can be used for authentication with the help of a local agent. More information on this can be read from http://www.unixwiz.net/techtips/ssh-agent-forwarding.html
Obtaining fingerprint of existing keys
To obtain fingerprint of existing keys use:
ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
Extracting public key in .pub ssh format from .pem files
If SSH identity file is in PEM format (such as ones provided by AWS) then public key can be exported from pem to pub format using:
ssh-keygen -y -f amazon-saurabh.pem > amazon-saurabh.pub
<yambe:breadcrumb>OpenSSH server configuration|OpenSSH</yambe:breadcrumb>