Difference between revisions of "SSH keys (Italiano)"

From ArchWiki
Revision as of 18:09, 9 July 2010


This article or section needs to be translated.

What are SSH keys?

By using SSH keys (a public and a private key, to be precise), you can easily connect to one server or to several servers without having to enter your password for each system.

Note: it is possible to set up keys without a passphrase, but this is unwise, since anyone who gets hold of the key could use it. This guide describes how to configure a system so that passphrases are remembered securely.

Generating SSH keys

If OpenSSH is not already installed on the system, install it now with:

# pacman -S openssh

The keys can then be generated by running the ssh-keygen command as a user:

$ ssh-keygen -b 1024 -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/mith/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/mith/.ssh/id_dsa.
Your public key has been saved in /home/mith/.ssh/id_dsa.pub.
The key fingerprint is:
x6:68:xx:93:98:8x:87:95:7x:2x:4x:x9:81:xx:56:94 mith@middleearth

You will be prompted for a location (which you should leave as the default); the passphrase, however, is the important part! This guide leaves out the rules for a good passphrase and assumes you already know them.

So what did we just do? We generated a 1024-bit (-b 1024) public/private DSA (-t dsa) key pair with the ssh-keygen command.

If you want to create an RSA key pair instead of DSA, use -t rsa (do not specify the key length with "-b": the default length for RSA is 2048 bits, which is sufficient).

Copying the keys to the remote server

Now that the keys have been generated, they need to be copied to the remote server. By default OpenSSH expects the public key to be appended to ~/.ssh/authorized_keys.

$ scp ~/.ssh/id_dsa.pub mith@metawire.org:

This copies the public key (id_dsa.pub) to the remote server via scp (note the : at the end of the server address). The file ends up in the home directory, but you can specify another path if you like.

Next, on the remote server, you need to create the ~/.ssh directory if it does not exist and append the key to the authorized_keys file:

$ ssh mith@metawire.org
mith@metawire.org's password:
$ mkdir ~/.ssh
$ cat ~/id_dsa.pub >> ~/.ssh/authorized_keys
$ rm ~/id_dsa.pub
$ chmod 600 ~/.ssh/authorized_keys

The last two commands remove the public key from the server (it is no longer needed) and set the correct permissions on the authorized_keys file.

If you now disconnect from the server and try to reconnect, you should be asked for the key's passphrase:

$ ssh mith@metawire.org
Enter passphrase for key '/home/mith/.ssh/id_dsa':

If you cannot log in with the key, double-check the permissions on the authorized_keys file.

Also check the permissions on the ~/.ssh directory, which must not be writable by "group" or "other". Run the following command to remove "group" and "other" write permissions from the ~/.ssh directory:

$ chmod go-w ~/.ssh
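A small POSIX shell check for the two permission problems described above (an added example, not from the ArchWiki page; check_ssh_perms and mode_of are hypothetical helper names, and it assumes GNU or BSD stat):

```shell
#!/bin/sh
# Hypothetical helpers (not part of OpenSSH) that verify the permissions
# this page asks for on ~/.ssh and ~/.ssh/authorized_keys.

mode_of() {
    # Octal permission bits of a path, e.g. 700 or 644 (GNU stat, then BSD stat).
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_ssh_perms DIR: prints one line per problem found; returns 0 when
# everything is fine, 1 otherwise.
check_ssh_perms() {
    dir="$1"
    rc=0
    if [ ! -d "$dir" ]; then
        echo "missing directory: $dir"
        return 1
    fi
    # The directory must not be writable by group or other (chmod go-w ~/.ssh).
    # 022 (octal) masks the group and other write bits.
    if [ $(( 0$(mode_of "$dir") & 022 )) -ne 0 ]; then
        echo "$dir is writable by group or other; run: chmod go-w $dir"
        rc=1
    fi
    keys="$dir/authorized_keys"
    if [ ! -f "$keys" ]; then
        echo "missing file: $keys"
        return 1
    fi
    # The key file should be 600: no access at all for group or other (077 mask).
    if [ $(( 0$(mode_of "$keys") & 077 )) -ne 0 ]; then
        echo "$keys is accessible by group or other; run: chmod 600 $keys"
        rc=1
    fi
    return $rc
}

# Usage: check_ssh_perms "$HOME/.ssh"
```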

Remember key passphrases

Now you can log in to your servers by using a key instead of a password, but how is this any easier, as you still need to enter the key passphrase? The answer is to use an SSH agent, a program which remembers the passphrases of your keys! There are a number of different tools available, so have a read through and choose the one which seems best for you.

ssh-agent

ssh-agent is the default agent included with OpenSSH.

$ ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-vEGjCM2147/agent.2147; export SSH_AUTH_SOCK;
SSH_AGENT_PID=2148; export SSH_AGENT_PID;
echo Agent pid 2148;

When you run ssh-agent it prints the environment variables it would use, but does not set them in your current shell. To make use of these variables, run the command through the eval command:

$ eval `ssh-agent`
Agent pid 2157

You can add this to your .bashrc so that it will be run whenever you create a new shell:

$ echo 'eval `ssh-agent`' >> ~/.bashrc

Note the quoting: the outer quotes are single quotes, whereas the inner ones are backticks (`)!

Now that the ssh-agent is running, we need to tell it that we have a private key and where that is.

$ ssh-add ~/.ssh/id_dsa
Enter passphrase for /home/user/.ssh/id_dsa:
Identity added: /home/user/.ssh/id_dsa (/home/user/.ssh/id_dsa)

We were asked for our passphrase, entered it, that's all. Now you can login to your remote server without having to enter your password while your private key is password-protected. Sweet isn't it?

The only downside is that a new instance of ssh-agent needs to be created for every new console (shell) you open, which means you have to run ssh-add again in each console. There is a workaround for this with a program, or rather a script, called keychain, which is covered in the next section.

Using GnuPG Agent

The GnuPG agent, distributed with the gnupg2 package, has OpenSSH agent emulation. If you use GPG you might consider using its agent to take care of all of your keys. Otherwise you might like the PIN entry dialog it provides and its passphrase management, which is different from keychain.

To start using GPG agent for your SSH keys you should first start the gpg-agent with the --enable-ssh-support option. You can do this from your ~/.xinitrc or shell profile file to start it with your session. Sample code for starting gpg-agent:

 # Start the GnuPG agent and enable OpenSSH agent emulation
 gnupginf="${HOME}/.gnupg/gpg-agent.info"
 
 if ( pgrep -u "${USER}" gpg-agent ); then
     eval `cat $gnupginf`
     eval `cut -d= -f1 $gnupginf | xargs echo export`
 else
     eval `gpg-agent --enable-ssh-support --daemon`
 fi

Once gpg-agent is running you can use ssh-add to approve keys, just like you did with plain ssh-agent. The list of approved keys is stored in the ~/.gnupg/sshcontrol file. Once your key is approved you will get a PIN entry dialog every time your passphrase is needed. You can control passphrase caching in the ~/.gnupg/gpg-agent.conf file. The following example would have gpg-agent cache your keys for 3 hours:

 # Cache settings
 default-cache-ttl 10800
 default-cache-ttl-ssh 10800

Other useful settings for this file include the PIN entry program (GTK, QT or ncurses version), keyboard grabbing and so on...:

 # Environment file
 write-env-file /home/username/.gnupg/gpg-agent.info
 
 # Keyboard control
 #no-grab
   
 # PIN entry program
 #pinentry-program /usr/bin/pinentry-curses
 #pinentry-program /usr/bin/pinentry-qt4
 pinentry-program /usr/bin/pinentry-gtk-2

Using keychain

Keychain manages one or more specified private keys. When initialized it will ask for the passphrase for the private key(s) and store it. That way your private key is password protected but you won't have to enter your password over and over again.

Install keychain from the extra repo:

# pacman -S keychain

Add to Template:Filename or Template:Filename the following:

eval `keychain --eval --nogui -Q -q id_rsa`

Or

/usr/bin/keychain -Q -q --nogui ~/.ssh/id_dsa
[[ -f $HOME/.keychain/$HOSTNAME-sh ]] && source $HOME/.keychain/$HOSTNAME-sh
Tip: for greater security, replace -Q with --clear, although this is less convenient.

If necessary, replace Template:Filename with Template:Filename. For those using a non-Bash compatible shell, see Template:Filename or Template:Filename for details on other shells.

Close your shell and open it again. Keychain should come up and, if it is your first run, it will ask you for the passphrase of the specified private key.

Using ssh-agent and x11-ssh-askpass

You need to start the ssh-agent every time you start a new X session. The ssh-agent will be closed when the X session ends.

Install x11-ssh-askpass, which will ask for your passphrase every time you open a new X session:

# pacman -S x11-ssh-askpass

Add the following at the beginning of your ~/.xsession:

eval `/usr/bin/ssh-agent`
SSH_ASKPASS=/usr/lib/openssh/x11-ssh-askpass ssh-add < /dev/null
# then end the file with, for example, "exec dwm"

GNOME Keyring

If you use the GNOME desktop, the GNOME Keyring tool can be used as an SSH agent. Setup is simple; first install it:

# pacman -S gnome-keyring

Next you need to add your SSH keys, and enter the passphrase.

$ ssh-add ~/.ssh/id_dsa
Enter passphrase for /home/mith/.ssh/id_dsa:

Now when you connect to a server, the key will be found and a dialog will popup asking you for the passphrase. It has an option to automatically unlock the key when you login. If you check this you won't need to enter your passphrase again!

PuTTY

The above procedure is a bit complicated when using PuTTY on Windows since PuTTY can't directly use keys generated by ssh-keygen. The private key needs to be converted using PuTTYgen which you can find here. The procedure is then as follows:

  1. Generate a 1024-bit RSA key pair with ssh-keygen on your Linux computer (you can log in with your usual username/password using PuTTY)
  2. Add the public key to the ~/.ssh/authorized_keys file
  3. Move the private key to the Windows machine
  4. Load the private key with PuTTYgen and click Save private key. This will convert the key so that PuTTY can use it.
  5. Start PuTTY, go to SSH->Auth and find the private key. Then simply connect to your Linux machine. You will be prompted for your username and passphrase (if you chose to enter one when you generated the keys).

Note that reversing the procedure, that is, generating the key pair with PuTTYgen and converting the public key with ssh-keygen, will NOT work.

Useful Links / Information