SSH keys (Русский)

From ArchWiki
Revision as of 14:16, 8 March 2007 by Cheer (talk | contribs) (page started)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Tango-preferences-desktop-locale.pngThis article or section needs to be translated.Tango-preferences-desktop-locale.png

Notes: please use the first argument of the template to provide more detailed indications. (Discuss in Talk:SSH keys (Русский)#)

Использование SSH ключей для подключения к серверу

Зачем использовать эти ключи?

Использование ssh ключей, a public and a private key to be precise, is an easy way to connect to a server/a whole bunch of servers, using the same password OR using no password at all. You should prefer the password/ssh-agent combination!

Первый шаг - генерирование ключей

mith@middleearth||[[~]]:~ > ssh-keygen -b 2048 -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/mith/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/mith/.ssh/id_dsa.
Your public key has been saved in /home/mith/.ssh/id_dsa.pub.
The key fingerprint is:
x6:68:xx:93:98:8x:87:95:7x:2x:4x:x9:81:xx:56:94 mith@middleearth
mith@middleearth||[[~]]:~ >


Что было сделано? Была сгенерирована пара ключей public/private dsa (-t dsa) длиной 2048 bit (-b 2048) с помощью команды ssh-keygen. Вы также можете создать rsa ключ (-t rsa). Вы можете изменять параметр длины битов (по умолчанию она равна 1024).
Если вам не нравится имя ключа по умолчанию, вы можете указать имя, используя параметр -f name.
В процессе вам было предложено выбрать место сохранения для ключей. Был избран стандартный путь. Потом вас спросят о фразе-пароле.
Есть два пути, которые вы можете выбрать:
a) короткий, но небезопасный путь: не использовать фразу-пароль, иметь лёгкий доступ до удалённого сервера, бояться кражи ключа
b) более длинный, менее удобный, но безопасный путь: использовать фразу-пароль, использовать ssh-agent и чувствовать себя в безопасности.

шаг 2: копирование ключа на удалённый сервер {одинаково для A и B}

mith@middleearth||[[~]]:~ > scp .ssh/id_dsa.pub mith@metawire.org:


Скопируйте public ключ (id_dsa.pub) на ваш удалённый сервер с помощью scp (обратите внимание на : (двоеточие) в конце адреса сервера. Таким образом файл окажется в домашнем каталоге на сервере, но вы можете указать другой путь, если хотите.

step 3 - login to the remote computer and put your key into the right place {SAME for path A and B}

mith@middleearth||[[~]]:~ > ssh metawire.org
mith@metawire.org's password:
-bash-2.05b$ mkdir .ssh/
-bash-2.05b$ cat id_dsa.pub >> .ssh/authorized_keys
-bash-2.05b$ rm id_dsa.pub
-bash-2.05b$ chmod 700 .ssh
-bash-2.05b$ chmod 600 .ssh/authorized_keys


We connect to our remote server and use cat to add the content of id_dsa.pub to authorized_keys which is in the hidden directory .ssh. NOTE: In case you get an error because the .ssh directory doesn't exist you should simply create it (mkdir .ssh).
Now we remove the public key (rm id_dsa.pub) and set the correct permissions for .ssh and authorized_keys.
Log out and re-login. Depending on the path you chose, you will/won't be asked for a passphrase. Path a ends here...

...path b continues...

Now what makes this path almost as easy as a no-passphrase key? The magic word is ssh-agent.. What it does is basically asking you once every session for the passphrase of your private key and every time you would have to type it in, ssh-agent does it for you. ssh-agent is included in the openssh package so no trouble there...

mith@middleearth||[[~]]:~ > ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-vEGjCM2147/agent.2147; export SSH_AUTH_SOCK;
SSH_AGENT_PID=2148; export SSH_AGENT_PID;
echo Agent pid 2148;


When you run ssh-agent it will print out what environment variables it would use... Well to make ssh-agent use these variables run

mith@middleearth||[[~]]:~ > eval `ssh-agent`
Agent pid 2157

The process id will vary for you of course. Adding eval `ssh-agent` to your .bashrc is an option so it's started every time you create a new shell.
Now that the ssh-agent is running, we need to tell it that we have a private key and where that is.

mith@middleearth||[[~]]:~ > ssh-add .ssh/id_dsa
Enter passphrase for .ssh/id_dsa:
Identity added: .ssh/id_dsa (.ssh/id_dsa)


We were asked for our passphrase, entered it, that's all. Now you can login to your remote server without having to enter your password while your private key is password-protected. Sweet isn't it? The only downside is that a new instance of ssh-agent needs to be created for every new console (shell) you open, that means you have to run ssh-add every time again on each console. There is a workaround to that with a program or rather a script called keychain which will be covered in the next part {...work in progress}.

Using keychain

Keychain manages one or more specified private keys. Once started it will ask your for the passphrase for that/each private key and stores it. That way your private key is password protected but you won't have to enter your password over and over again.

Get the package and install it.
Edit your ~/.bashrc and add the following lines:

/usr/bin/keychain ~/.ssh/id_dsa
[[ -f $HOME/.keychain/$HOSTNAME-sh ]] && source $HOME/.keychain/$HOSTNAME-sh

I am aware that not everyone is using bash. Run keychain --help and it will tell you how to set it up for other shells.
Close your shell and open it again. Keychain should come up and if it's your first run it will ask your for the passphrase of the specified private key.

Полезные ссылки и дополнительная информация