Re: ssh keys from two behind-the-firewall boxes?
On 1 Feb 2003, Jean-Marc V. Liotier wrote:

> # On the local host :
> ssh-keygen -t dsa -f id_dsa
> # When prompted for a password, just press 'enter'.
> scp id_dsa.pub [EMAIL PROTECTED]:~/

I would strongly recommend using a good pass phrase and ssh-agent. If someone gets your passwordless private key then they can have access to all the machines you connect to (that have your public key). It's like having a plain text file on your local machine with the username and password of all the machines you connect to.

> # On the remote host :
> test -d ~/.ssh || mkdir ~/.ssh
> chmod 700 ~/.ssh
> cd ~/.ssh
> touch authorized_keys2
> cat ~/id_dsa.pub >> authorized_keys2
> chmod 640 authorized_keys2
> rm -f ~/id_dsa.pub

You also need to check which sshd server is running on the remote. This caused me a bit of pain one day: if the remote machine is using an SSH Communications (ssh.com) server, you need to convert your public keys with ssh-keygen

    $ ssh-keygen -e -f id_dsa.pub > id_dsa.pub.secsh

then scp that to ~/.ssh2/ on the remote machine and then add that key's file name to the ~/.ssh2/authorization file:

    key id_dsa.pub.secsh

There was an article in Sys Admin magazine not too long ago about how to set up more secure password-less logins for use with cron and other automated tasks, although I can't remember the tool right now. Anyone?

-- 
Bill Moseley
[EMAIL PROTECTED]

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: ssh keys from two behind-the-firewall boxes?
will trillich said:

> at what point are the passphrases required? if passwordless login/scp is the objective, where are the passphrases used?

ssh-agent is designed to prompt you for your passphrase, then it stores it in memory, and automatically 'inputs' it when you connect. That is until you logout or reboot or something. I have never used ssh-agent myself. for my personal account I use SSH w/passphrase and just input it every time. I use passphrase-less keys for mostly non-interactive stuff.

running w/o a passphrase is still probably the most common way to perform automated tasks, that is, stuff from cron etc. if the system is properly secured the chance of a key getting compromised is not that great. on my more secure systems I lock them down to key logins only, so even if they have my root password or account password they have no opportunity to input them.

nate
Re: ssh keys from two behind-the-firewall boxes?
On Sat, Feb 01, 2003 at 12:57:08PM -0800, nate wrote:
> will trillich said:
> > at what point are the passphrases required? if passwordless login/scp is the objective, where are the passphrases used?
>
> ssh-agent is designed to prompt you for your passphrase, then it stores it in memory, and automatically 'inputs' it when you connect. That is until you logout or reboot or something. I have never used ssh-agent myself. for my personal account I use SSH w/passphrase and just input it every time. I use passphrase-less keys for mostly non interactive stuff.

afaik ssh-agent stores the key in memory, not the passphrase (you never give ssh-agent the passphrase, that's from ssh-add). ssh-agent outputs some environment variables that can be inherited by child processes, and then you load in your key with ssh-add or ssh-askpass. all the child processes that get spawned from the process that launched ssh-agent inherit certain env variables that let them know how to communicate with the agent, which then provides the key-based authentication for connections. this process can further be forwarded onto another machine, and the real beauty of it is that on the remote machine nothing is stored other than a socket to talk back to the agent on the home machine.

for example, this is in my .xsession, and lets me ssh without a password even though i have a passphrase on my key in any child process of my xsession (xterms, etc.):

    eval `ssh-agent`
    # no tty here, so ssh-add falls back to ssh-askpass for the passphrase
    ssh-add .ssh/id_dsa < /dev/null

> running w/o a passphrase is still probably the most common way to perform automated tasks. that is, stuff from cron etc.

true. you can however limit what commands can be executed from authorizing with a specific key. it'd be neat to see some way someone could spawn off cron using ssh-agent, but it'd make boot-up require someone be at the console.

> if the system is properly secured the chance of a key getting compromised is not that great.

that's no attitude to take towards security.

> on my more secure systems I lock them down to key logins only, so even if they have my root password or account password they have no opportunity to input them.

right, but if they're storing a passphraseless key on another machine to which someone else has root, that someone else now has access to your machine too. if that's your root key...

sean
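Sean's point about limiting which commands a key may run, together with the chmod steps in the recipe quoted earlier in this thread, as an added example that is not from anyone in the thread: a small POSIX sh script that turns an id_dsa.pub line into a restricted authorized_keys entry for a cron key and checks that ~/.ssh has the permissions the recipe sets. The sample public key, the backup command path and the from= address are constructed placeholders (208.33.90.85 is the firewall address from the diagram in the original question).

```shell
#!/bin/sh
# Added example, not from this thread. Helpers for a passphraseless cron key:
# restrict what the key may do on the remote side, and check that ~/.ssh was
# set up the way the recipe in this thread describes.

# Constructed sample line in id_dsa.pub format; NOT a real key.
SAMPLE_PUBKEY='ssh-dss AAAAB3NzaC1kc3MAAACBEXAMPLEKEYMATERIALONLY= cron@workstation'

# restrict_key PUBKEY_LINE COMMAND [FROM_PATTERN]
# Emit an authorized_keys line that lets this key run only COMMAND, with no
# pty and no forwarding, and optionally only from hosts matching FROM_PATTERN.
restrict_key() {
    opts="command=\"$2\",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding"
    if [ -n "${3:-}" ]; then
        opts="from=\"$3\",$opts"
    fi
    printf '%s %s\n' "$opts" "$1"
}

# perm_bits PATH -> the nine rwx characters from ls -l, e.g. rwx------
perm_bits() {
    ls -ld "$1" | cut -c2-10
}

# check_ssh_dir DIR
# Prints "ok" when DIR is mode 700 and DIR/authorized_keys exists and is
# neither group- nor world-writable (sshd rejects such files when StrictModes
# is on); otherwise prints the first problem found and returns 1.
check_ssh_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
    case "$(perm_bits "$dir")" in
        ???------) ;;
        *) echo "$dir is not mode 700"; return 1 ;;
    esac
    ak=$dir/authorized_keys
    [ -f "$ak" ] || { echo "missing file: $ak"; return 1; }
    case "$(perm_bits "$ak")" in
        ????-??-?) ;;                 # group write is char 5, other write is char 8
        *) echo "$ak is group- or world-writable"; return 1 ;;
    esac
    echo ok
}

# Demo: the line to append to ~/.ssh/authorized_keys on the remote box so the
# cron key can only pull a backup, and only when arriving via the firewall.
restrict_key "$SAMPLE_PUBKEY" /usr/local/bin/backup-pull 208.33.90.85
```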
Re: ssh keys from two behind-the-firewall boxes?
sean finney said:

> right, but if they're storing a passphraseless key on another machine to which someone else has root, that someone else now has access to your machine too. if that's your root key...

yes that's a good point, forgot about that. I can't remember the last time I had access to another system and didn't have root on it so I guess it just didn't pop into my head. And of course I don't store my personal keys even on servers where another trusted person has access (e.g. my former company's servers, though I stored them on my desktop, to which nobody but I had root to and even then they were not passphrase-less, yeah I'm paranoid :) ).

nate
ssh keys from two behind-the-firewall boxes?
this is probably item #2 of the really-obvious-faq that i'm not yet aware of, so i'll go ahead and ask because i haven't taken the opportunity to look like a goober in, oh, about half a day, now...

doing the ssh-keygen thing works like a charm; you copy your private keys to the remote box and then just slap it into your ~/.ssh/authorized_keys file and poof, no more passwords! so now you can run ssh-driven scripts without having to worry about the username/password interruption.

it's ip-based, isn't it?

    workstation        workstation        workstation
    192.168.1.2        192.168.1.100      192.168.1.201
    key xyzpdq         key 1234567        key x0x0x0x0
         |                  |                  |
         +------------------+------------------+
                            |
                       192.168.1.5
                        firewall
                       208.33.90.85
                            |
                          {web}
                            |
                       11.22.33.44
                        remote box

but the remote just sees all the 192.168.1.* boxes as 208.33.90.85, right? where's the doc on getting ALL the 192.168.1.* boxes to ssh password-free to the remote machine? (or, when it challenges, the challenge only reaches the firewall, something like that. hmm?)

so far, my experience has been that i can ssh password-free only from the 'on-the-public-link' firewall.

-- 
I use Debian/GNU Linux version 3.0;
Linux server 2.4.20-k6 #1 Mon Jan 13 23:49:14 EST 2003 i586 unknown

DEBIAN NEWBIE TIP #65 from der.hans [EMAIL PROTECTED]:
Wondering about which KEYBOARD SHORTCUTS ARE UNDERSTOOD BY BASH? Enter this at your bash shell prompt: bind -p | less and see how much of that you can interpret :). For more info about all of this stuff, do man bash then search for emacs and readline (to search a manpage, press / and then the pattern to look for).

Also see http://newbieDoc.sourceForge.net/ ...
Re: ssh keys from two behind-the-firewall boxes?
will trillich said:

> it's ip-based, isn't it?

in my experience it is key based. though I think with ssh2 you have a more extensive set of options available to you to restrict access further, perhaps to the IP level. but if you just have the keys themselves in ~/.ssh/authorized_keys it should be allowed in, doesn't matter what the IP is. Though I still use SSH v1 RSA keys for my stuff, haven't gotten around to migrating to SSH v2 yet.

nate
Re: ssh keys from two behind-the-firewall boxes?
Hi,

On Fri, Jan 31, 2003 at 06:08:31PM -0600, will trillich wrote:
> this is probably item #2 of the really-obvious-faq that i'm not yet aware of, so i'll go ahead and ask because i haven't taken the opportunity to look like a goober in, oh, about half a day, now...
>
> doing the ssh-keygen thing works like a charm; you copy your private keys to the remote box and then just slap it into your

NO! You copy the public key to the remote machine. You keep the private key on the local machine in front of you securely :-) This way, even if this key is stolen, all the thief can do is send you an e-mail and invite you to log into their machine without a key word.

> ~/.ssh/authorized_keys file and poof, no more passwords! so now you can run ssh-driven scripts without having to worry about the username/password interruption.
>
> it's ip-based, isn't it?

SSH checks the IP as a part of prudence but its core authentication process is not IP based.

>     workstation        workstation        workstation
>     192.168.1.2        192.168.1.100      192.168.1.201
>     key xyzpdq         key 1234567        key x0x0x0x0
>          |                  |                  |
>          +------------------+------------------+
>                             |
>                        192.168.1.5
>                         firewall
>                        208.33.90.85
>                             |
>                           {web}
>                             |
>                        11.22.33.44
>                         remote box
>
> but the remote just sees all the 192.168.1.* boxes as 208.33.90.85, right? where's the doc on getting ALL the 192.168.1.* boxes to ssh password-free to the remote machine? (or, when it challenges, the challenge only reaches the firewall, something like that. hmm?)
>
> so far, my experience has been that i can ssh password-free only from the 'on-the-public-link' firewall.
>
> -- 
> I use Debian/GNU Linux version 3.0;
> Linux server 2.4.20-k6 #1 Mon Jan 13 23:49:14 EST 2003 i586 unknown

-- 
Osamu Aoki [EMAIL PROTECTED] Cupertino CA USA, GPG-key: A8061F32
Debian Reference: post-installation user's guide for non-developers
http://qref.sf.net and http://people.debian.org/~osamu
Our Priorities are Our Users and Free Software --- Social Contract
Re: ssh keys from two behind-the-firewall boxes?
On Fri, Jan 31, 2003 at 06:08:31PM -0600, will trillich wrote:
> this is probably item #2 of the really-obvious-faq that i'm not yet aware of, so i'll go ahead and ask because i haven't taken the opportunity to look like a goober in, oh, about half a day, now...
>
> doing the ssh-keygen thing works like a charm; you copy your private keys to the remote box and then just slap it into your ~/.ssh/authorized_keys file and poof, no more passwords! so now you can run ssh-driven scripts without having to worry about the username/password interruption.

Does anyone have a FAQ on how to set this all up?
Re: ssh keys from two behind-the-firewall boxes?
Matthew Daubenspeck said:

> Does anyone have a FAQ on how to set this all up?

i have a real quick basic thing with SSH v1 on my mrtg page:
http://howto.aphroland.de/HOWTO/MRTG/IPFWCountersWithMRTG

SSH v2 is not *too* much different. though it's been a while since I tried it with DSA authentication, last time I tried it, it was a real bitch to get working (this was about a year ago)

nate
Re: ssh keys from two behind-the-firewall boxes?
On Sat, 2003-02-01 at 01:55, Matthew Daubenspeck wrote:
> On Fri, Jan 31, 2003 at 06:08:31PM -0600, will trillich wrote:
> > doing the ssh-keygen thing works like a charm; you copy your private keys to the remote box and then just slap it into your ~/.ssh/authorized_keys file and poof, no more passwords! so now you can run ssh-driven scripts without having to worry about the username/password interruption.
>
> Does anyone have a FAQ on how to set this all up?

Below is what worked for me. I think that it may vary according to the version of the SSH protocol that you want to use, but it works like that on a stock Debian unstable.

    # On the local host :
    ssh-keygen -t dsa -f id_dsa
    # When prompted for a password, just press 'enter'.
    scp id_dsa.pub [EMAIL PROTECTED]:~/

    # On the remote host :
    test -d ~/.ssh || mkdir ~/.ssh
    chmod 700 ~/.ssh
    cd ~/.ssh
    touch authorized_keys2
    cat ~/id_dsa.pub >> authorized_keys2
    chmod 640 authorized_keys2
    rm -f ~/id_dsa.pub

That's it, you are set with passwordless SSH. Taking advantage of ssh-agent to avoid using passwordless keys would be the next evolutionary step, but I'm not there yet and I am already very happy to be able to script scp, rsync and unison sessions, and to be able to login everywhere without repetitive keyboard entry.
Re: ssh keys from two behind-the-firewall boxes?
On Fri, Jan 31, 2003 at 05:39:22PM -0800, nate wrote:
> SSH v2 is not *too* much different. though it's been a while since I tried it with DSA authentication, last time I tried it, it was a real bitch to get working (this was about a year ago)

erm, iirc it's the same thing, only if you're using an older version of sshd you need to put the public key in ~/.ssh/authorized_keys2 instead. here's a really simple example:

    oil[~]20:58:57$ ssh-keygen -t dsa
    Generating public/private dsa key pair.
    Enter file in which to save the key (/home/finney/.ssh/id_dsa):
    Created directory '/home/finney/.ssh'.
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /home/finney/.ssh/id_dsa.
    Your public key has been saved in /home/finney/.ssh/id_dsa.pub.
    The key fingerprint is:
    e1:a2:6a:bc:e3:c9:b8:19:57:bc:a7:6c:b6:82:87:ac [EMAIL PROTECTED]
    oil[~]20:59:34$ cat .ssh/id_dsa.pub >> .ssh/authorized_keys2
    oil[~]21:00:18$ ssh oil    # == look ma, no passwd!
    Kickstart-installed Red Hat Linux Thu Jan 16 10:36:39 EST 2003
    # ^===(disclaimer: not my machine) :)
    oil[~]21:00:26$ logout
    Connection to oil closed.
    oil[~]21:00:27$

however, the above example uses a passphraseless key, which isn't the best wrt security (same goes if you're using sshv1 rsa keys too). what's better is to use ssh-agent and a passphrase on your key.

sean
Re: ssh keys from two behind-the-firewall boxes?
On Sat, Feb 01, 2003 at 02:57:01AM +0100, Jean-Marc V. Liotier wrote:
> On Sat, 2003-02-01 at 01:55, Matthew Daubenspeck wrote:
> > Does anyone have a FAQ on how to set this all up?
>
> Below is what worked for me. I think that it may vary according to the version of the SSH protocol that you want to use, but it works like that on a stock Debian unstable.
>
>     # On the local host :
>     ssh-keygen -t dsa -f id_dsa
>     # When prompted for a password, just press 'enter'.
>     scp id_dsa.pub [EMAIL PROTECTED]:~/
>
>     # On the remote host :
>     test -d ~/.ssh || mkdir ~/.ssh
>     chmod 700 ~/.ssh
>     cd ~/.ssh
>     touch authorized_keys2
>     cat ~/id_dsa.pub >> authorized_keys2
>     chmod 640 authorized_keys2
>     rm -f ~/id_dsa.pub

authorized_keys2 is for backward compatibility. You can simply use authorized_keys. The ssh-copy-id script shipped with ssh automates this process, except for the initial ssh-keygen stage.

Cheers,

-- 
Colin Watson [[EMAIL PROTECTED]]