Lunar and Planetary Laboratory
LPL Central Computing Systems (LCS)
The most secure method of unchallenged SSH authentication is to use RSA/DSA keys with an authentication agent. An SSH agent gives another host secure access to your private keys as if they were local, so you can ssh, sftp, or scp using your keys for authentication without typing a password. A less secure method is to use RSA/DSA keys without an agent. To do this, follow the instructions below, but enter no passphrase when prompted (just press enter/return), and skip Phase II.

Unchallenged SSH access using agents is set up in two phases:

Phase I: Use RSA and DSA keys to set up passphrase-challenged SSH access.
    1. Use ssh-keygen to create public and private keys.
    2. Populate the other from-hosts with the public and private keys (stored securely).
    3. Populate the to-hosts with the public keys.
    4. Test challenged SSH access.

Phase II: Use ssh-agent and ssh-add to set up unchallenged SSH access.
    1. Use ssh-agent to start an authentication agent.
    2. Use ssh-add to add your private keys to the agent.
    3. Launch terminal windows as child processes of the SSH agent.
    4. Test unchallenged SSH access from these windows.

Detailed Instructions

Phase I: Use RSA and DSA keys to set up passphrase-challenged SSH access.

1. Use ssh-keygen to generate keys on the host from which you wish to connect.

By default, ssh-keygen stores the generated public and private key files in $HOME/.ssh. At LPL this is an NFS file system, so the key data would cross the network in the clear if stored there. Since this data identifies you, its contents must be kept secret, so we use ssh-keygen's -f option to put the key files in /var/.ssh/yourname (local disk) instead. Contact your system admin to have this directory created, if necessary, with these commands on all of the from-hosts:

    # mkdir /var/.ssh/yourname
    # chmod 700 /var/.ssh/yourname
    # chown yourname /var/.ssh/yourname
    # chgrp yourgroup /var/.ssh/yourname

Always use a good passphrase when creating a private key.
A good passphrase is between 10 and 30 characters long and does not consist of a simple sentence, as a normal English sentence only generates one or two bits of entropy. If you wish to use unchallenged SSH without agents (less secure), enter no passphrase (just press enter/return).

    $ ssh-keygen -t rsa -f /var/.ssh/yourname/id_rsa -C "yourname@from-host"
    $ ssh-keygen -t dsa -f /var/.ssh/yourname/id_dsa -C "yourname@from-host"

Create an SSH config file so SSH knows where to find your private keys (note that the first echo overwrites any existing ~/.ssh/config):

    $ echo "IdentityFile /var/.ssh/yourname/id_rsa" > ~/.ssh/config
    $ echo "IdentityFile /var/.ssh/yourname/id_dsa" >> ~/.ssh/config

2. Populate the other from-hosts with securely stored public and private keys.

    $ cd /var/.ssh/yourname
    $ scp id_rsa you@other-from-host:/var/.ssh/yourname
    you@to-host's password:
    $ ssh you@other-from-host 'chmod 600 /var/.ssh/yourname/id_rsa'
    you@to-host's password:
    $ scp id_dsa you@other-from-host:/var/.ssh/yourname
    you@to-host's password:
    $ ssh you@other-from-host 'chmod 600 /var/.ssh/yourname/id_dsa'
    you@to-host's password:

If you have a separate (non-NFS-mounted) home directory on any of these from-hosts, you will also need to create ~/.ssh/config there, as in step 1 above.

3. Populate the to-hosts with the public keys.

Since LPL home directories are NFS-mounted, adding your public keys to one file under your home directory populates all of the LPL UNIX to-hosts that mount your home directory.

    $ touch ~/.ssh/authorized_keys; chmod 600 ~/.ssh/authorized_keys
    $ touch ~/.ssh/authorized_keys2; chmod 600 ~/.ssh/authorized_keys2
    $ cd /var/.ssh/yourname
    $ cat id_rsa.pub >> ~/.ssh/authorized_keys
    $ cat id_dsa.pub >> ~/.ssh/authorized_keys
    $ cat id_rsa.pub >> ~/.ssh/authorized_keys2
    $ cat id_dsa.pub >> ~/.ssh/authorized_keys2

4. Test passphrase-challenged access.

    $ ssh you@to-host
    Enter passphrase for DSA key 'you@to-host':

If you entered a passphrase when running ssh-keygen and you do not get the prompt for your passphrase, then something is wrong.
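Phase I depends on the key directory, the private keys and authorized_keys all having the restrictive modes shown above; a wrong mode either leaks the private key to other users of the host or makes sshd silently ignore authorized_keys. The following script is an added example, not LCS's own tooling: it checks a key directory laid out as in step 1 and an authorized_keys file as in step 3, reporting every deviation. The function names and the stat fallback are assumptions of this example; the sample inputs in the usage section are constructed.

```shell
#!/bin/sh
# Added example (not LCS tooling): verify the permissions Phase I requires.
# Assumes GNU stat (-c) or BSD stat (-f); both are tried in mode_of.

# Print the octal permission bits of a path, e.g. "700" or "600".
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_key_dir DIR: DIR must be mode 700 and owned by the caller, and every
# private key in it (files not ending in .pub) must be mode 600.
# Each violation is printed on stderr; the exit status is the violation count.
check_key_dir() {
    dir=$1
    bad=0
    if [ ! -d "$dir" ]; then
        echo "missing directory: $dir" >&2
        return 1
    fi
    if [ "$(mode_of "$dir")" != "700" ]; then
        echo "$dir: mode $(mode_of "$dir"), expected 700" >&2
        bad=$((bad + 1))
    fi
    if [ ! -O "$dir" ]; then
        echo "$dir: not owned by the current user" >&2
        bad=$((bad + 1))
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case $f in
            *.pub) continue ;;   # public halves may be world-readable
        esac
        if [ "$(mode_of "$f")" != "600" ]; then
            echo "$f: mode $(mode_of "$f"), expected 600" >&2
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# check_authorized_keys FILE: FILE must be mode 600 and every non-blank,
# non-comment line must look like a public key entry (key type followed by a
# base64 blob, optionally preceded by options). Exit status is the problem count.
check_authorized_keys() {
    file=$1
    bad=0
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 1; }
    if [ "$(mode_of "$file")" != "600" ]; then
        echo "$file: mode $(mode_of "$file"), expected 600" >&2
        bad=$((bad + 1))
    fi
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            ''|'#'*) continue ;;
        esac
        if ! printf '%s\n' "$line" | grep -Eq \
            '(^|[[:space:]])(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp[0-9]+)[[:space:]]+[A-Za-z0-9+/]+=*'
        then
            echo "$file:$n: does not look like a public key entry" >&2
            bad=$((bad + 1))
        fi
    done < "$file"
    return $bad
}

# Usage (paths as in the instructions above):
#   check_key_dir /var/.ssh/yourname && check_authorized_keys ~/.ssh/authorized_keys
```

Run it on each from-host after step 2 and on the NFS home directory after step 3; a non-zero exit status means at least one of the chmod steps above was missed.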
After completing Phase I, the login process has been changed from password-prompting to passphrase-prompting. This lets us use an SSH authentication agent to present our keys, so we can log in without any prompting.

Phase II: Use ssh-agent and ssh-add to set up unchallenged SSH access.

Ideally, we type a passphrase once when we sit down at our computer, and every session we establish then uses the authentication agent, so we do not need to type passphrases again.

1. Use ssh-agent to start an authentication agent.

    $ ssh-agent csh
or
    $ ssh-agent tcsh
or
    $ ssh-agent bash

2. Use ssh-add to add your private keys to the agent. When prompted, enter the passphrases you used in Phase I, step 1.

    $ ssh-add /var/.ssh/yourname/id_rsa
    $ ssh-add /var/.ssh/yourname/id_dsa

3. Launch terminal windows as child processes of the SSH agent. From the shell started by ssh-agent, launch terminal windows, and other windows from them:

    $ xterm &

4. Test unchallenged SSH access. From any of these xterm windows:

    $ ssh to-host

How to automate ssh-agent startup.

There are several ways to configure your account to start an ssh-agent automatically. You can have it create a subprocess that inherits the SSH_AUTH_SOCK environment variable, or you can run it as a daemon.

For example, if you are using GNOME on Red Hat, put the following line at the end of your ~/.xsession file:

    ssh-agent gnome-session

Now ssh-agent starts, creates a socket, sets the environment variables, and starts an X session. All child programs of that X session have access to the agent.

If you are a bash user, an alternative is to start ssh-agent from your ~/.profile or ~/.bash_profile. To do this, add these lines to your ~/.bash_profile:

    SSHAGENT=/usr/bin/ssh-agent
    [ -z "$SSH_AUTH_SOCK" -a -x "$SSHAGENT" ] && eval `$SSHAGENT`

This brings SSH_AUTH_SOCK and SSH_AGENT_PID into the current shell as environment variables. You still need to run ssh-add afterwards to add your keys.
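The ~/.bash_profile snippet above starts a new agent on every login where SSH_AUTH_SOCK is unset, so each fresh login leaves another agent daemon behind and its keys have to be re-added. The script below is an added example, not one of LCS's login scripts: it caches the agent's environment in a per-host file with mode 600, reuses the cached agent on the next login if its socket still exists, and provides the logout counterpart of the kill command in the next section. The AGENT_ENV_FILE name and the function names are assumptions of this example; SSHAGENT is taken from the page.

```shell
#!/bin/sh
# Added example (not LCS tooling): reuse one ssh-agent across logins.
# Assumptions: the agent's environment is cached in $AGENT_ENV_FILE
# (hypothetical name; per-host because LPL home directories are NFS-mounted
# and a socket path only exists on the host that created it); $SSHAGENT is
# the agent binary, as in the ~/.bash_profile snippet on the page.

AGENT_ENV_FILE="${AGENT_ENV_FILE:-$HOME/.ssh-agent-env.$(uname -n)}"
SSHAGENT="${SSHAGENT:-/usr/bin/ssh-agent}"

# True when SSH_AUTH_SOCK names an existing unix socket.
agent_reachable() {
    [ -n "$SSH_AUTH_SOCK" ] && [ -S "$SSH_AUTH_SOCK" ]
}

# Order of preference: the agent already in the environment (e.g. inherited
# from ssh-agent gnome-session), then the one recorded in the cache file if
# its socket is still there, then a freshly started one. The cache is written
# under umask 077 so other users on the host cannot read the socket path.
start_or_reuse_agent() {
    agent_reachable && return 0
    if [ -r "$AGENT_ENV_FILE" ]; then
        . "$AGENT_ENV_FILE" >/dev/null
        agent_reachable && return 0
    fi
    [ -x "$SSHAGENT" ] || { echo "no ssh-agent at $SSHAGENT" >&2; return 1; }
    # ssh-agent -s prints Bourne-shell assignments for SSH_AUTH_SOCK and
    # SSH_AGENT_PID; sourcing the file brings them into this shell.
    ( umask 077; "$SSHAGENT" -s > "$AGENT_ENV_FILE" ) || return 1
    . "$AGENT_ENV_FILE" >/dev/null
    agent_reachable
}

# Logout counterpart of 'kill $SSH_AGENT_PID': stop the agent and remove the
# cache so the next login does not source a stale socket path.
stop_agent() {
    if [ -n "$SSH_AGENT_PID" ]; then
        kill "$SSH_AGENT_PID" 2>/dev/null || :
    fi
    unset SSH_AUTH_SOCK SSH_AGENT_PID
    rm -f "$AGENT_ENV_FILE"
}

# Usage from ~/.bash_profile (keys still have to be added once per agent):
#   start_or_reuse_agent && ssh-add -l >/dev/null 2>&1 || ssh-add /var/.ssh/yourname/id_rsa
# and from ~/.bash_logout:
#   stop_agent
```

Because the cache file is sourced as shell code, it must stay writable only by you; the umask in start_or_reuse_agent ensures that for the file it creates, and the ssh-add -l check in the usage comment only prompts for the passphrase when the reused agent holds no keys.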
To kill the ssh-agent daemon when you log out, add the following to your ~/.logout:

    kill $SSH_AGENT_PID

How to change your passphrase.

If your passphrase (the password you type to decrypt your private key) has been guessed, or you have typed it over the network by accident, you should change it:

    $ ssh-keygen -p

ssh-keygen -p prompts for the key file, so give the full path under /var/.ssh/yourname (or pass it with -f). Note that this only re-encrypts the private key file; if the key file itself may also have been copied, generate a new key pair and remove the old public key from authorized_keys on the to-hosts.

How to indicate whether you are in SSH.

To indicate in your shell prompt whether or not you have logged in through SSH, add these lines to your .cshrc file:

    if ($?SSH_TTY || $?SSH_CLIENT || $?SSH_AUTHENTICATION_SOCKET) then
        set prompt_ssh="ssh:"
    else
        set prompt_ssh=""
    endif
    set prompt = "$prompt_ssh% "

If your prompt begins with the letters "ssh:", you are using SSH, and anything you type is protected by encryption.