Difference between revisions of "Talk:SSH keys"

From ArchWiki
m (Minor addition suggested to GnuPG implementation.)
(cache time: new section)
(5 intermediate revisions by 3 users not shown)
== GnuPG == (present only in the earlier revision)

In addition to the /etc/profile.d script described, the man pages for gnupg2 call for the following to be called for each session (edited in accordance with existing instructions):

 if [ -f "${HOME}/.gnupg/gpg-agent.info" ]; then
     . "${HOME}/.gnupg/gpg-agent.info"
     export GPG_AGENT_INFO
     export SSH_AUTH_SOCK
 fi

Prior to adding this to my .zshrc file, caching of the ssh key did not function without exporting the variables manually. Of course, there may be better ways to implement this, and I leave this merely as a suggestion.

Revision as of 21:15, 13 September 2012

Maybe the default 2048-bit RSA key is better? Vogt 01:54, 31 August 2008 (EDT)

I have just completed a tidyup; this included removing the section on connection control, as I deemed it irrelevant. If needed, it is available in the history. Thelucster 13:51, 13 April 2009 (EDT)

I'm hesitant to make the edit myself, as I'm new to the whole 'wiki' thing, but I noticed that the Gnupg instructions here seem incomplete. After following them several times myself, I turned to the man pages and found the solution. Edit: Never mind. My problem was something different, and the current /etc/profile.d script handles the proper exports. Ryeguy146 21:19, 22 March 2011 (PDT)

sshd_config

Sometimes 'ssh-add' is not enough to log in without a password. It is possible that ssh is configured in such a way that only a limited group of users is allowed on the machine. In this case (you need root access to the server!) you have to change the configuration file. Mostly you can find it as /etc/ssh/sshd_config. If the last line(s) of this file read(s) 'AllowUsers <username>', you will have to add a similar line with your own username. Don't forget to restart the ssh daemon: '/etc/init.d/sshd restart'.
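The AllowUsers gate described in the post, as an added Python example (not part of the wiki thread): it reads an sshd_config fragment and reports whether a given user, optionally connecting from a given host, is admitted by the AllowUsers patterns. It models only AllowUsers in the global section with OpenSSH's '*' and '?' wildcards; DenyUsers, the group directives and Match blocks are left out by assumption, and the config text is constructed.

```python
import fnmatch


def parse_allow_users(config_text):
    """Collect AllowUsers patterns from the global section (stops at the first Match block)."""
    patterns = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comment lines and surrounding space
        parts = line.split(None, 1)
        if not parts:
            continue
        keyword = parts[0].lower()  # sshd_config keywords are case-insensitive
        if keyword == "match":
            break  # conditional blocks are out of scope for this example
        if keyword == "allowusers" and len(parts) == 2:
            patterns.extend(parts[1].split())  # several AllowUsers directives accumulate
    return patterns


def _pattern_matches(pattern, user, host):
    """OpenSSH-style pattern: 'user' or 'user@host', with '*' and '?' wildcards."""
    if "@" in pattern:
        user_pat, host_pat = pattern.split("@", 1)
        return fnmatch.fnmatchcase(user, user_pat) and fnmatch.fnmatchcase(host, host_pat)
    return fnmatch.fnmatchcase(user, pattern)


def login_allowed(config_text, user, host=""):
    """With no AllowUsers present everyone passes this check; otherwise a pattern must match."""
    patterns = parse_allow_users(config_text)
    return not patterns or any(_pattern_matches(p, user, host) for p in patterns)


# Constructed sshd_config fragment for this example (not from a real host).
SAMPLE_SSHD_CONFIG = """\
Port 22
PasswordAuthentication no
# bob is admitted only from the 10.0.0.0/24 range
AllowUsers alice bob@10.0.0.*
AllowUsers deploy@bastion.example
Match User deploy
    AllowUsers deploy@*
"""

if __name__ == "__main__":
    for who, frm in [("alice", "198.51.100.9"), ("bob", "10.0.0.7"), ("bob", "203.0.113.4"), ("carol", "")]:
        verdict = "allowed" if login_allowed(SAMPLE_SSHD_CONFIG, who, frm) else "denied"
        print(who, frm or "-", verdict)
```

After editing the real file, `sshd -t` validates the syntax before the daemon is restarted.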

Using pam_ssh module

I just want to add that one could also use the pam_ssh module, available here http://pam-ssh.sourceforge.net/ or in the AUR, to decrypt the ssh key on login and automatically start ssh-agent and add the keys. This way one would have a truly passwordless ssh session and in the same way not compromise security by using a passphraseless key.

I have opened a new section on using pam_ssh to decrypt a user's ssh keys upon login. My experience with PAM in general is limited, so the content currently consists of a description of pam_ssh, some basic configuration instructions, and some of the limitations of pam_ssh which I have personally encountered. — Ntwk 16:37, 18 December 2011 (EST)

ssh-agent

The current wiki entry tells you to "$ echo 'eval `ssh-agent`' >> ~/.bashrc", which will spawn a new ssh-agent every time. I think a more elegant way is to add only the export commands of ssh-agent to the .bashrc, so one ssh-agent can be used from every shell. This could be put in a small wrapper script:

#!/bin/sh
# check if ssh-agent is already running
if ps -e | grep -q '[s]sh-agent'; then
        echo "ssh-agent is already running" >&2
        exit 1
fi
# get new sock and pid (the first two lines of ssh-agent's output)
agent=$(ssh-agent | head -2)
# delete old sock, pid and comment (the comment line mentions both variables)
sed -i -e "/SSH_\(AUTH_SOCK\|AGENT_PID\)/d" ~/.bashrc
# insert new sock and pid for new shells
echo "# auto generated SSH_AUTH_SOCK and SSH_AGENT_PID" >> ~/.bashrc
echo "$agent" >> ~/.bashrc
# for evaluation in the current shell
echo "$agent"

$ eval `./ssh_agent_wrapper.sh`

This would make ssh-agent available in the current and all new shells.

Be sure you have added the key to your /etc/ssh/ssh_config:

IdentityFile path/to/key

Alternative to manual key installation

We might want to mention that there's a script called 'ssh-copy-id' which comes with OpenSSH that installs your public key in a remote machine's authorized_keys. There are a few caveats with it (it changes permissions of the user home directory, which should be a no-op in most situations; see the man page of ssh-copy-id -- and it also tells the user to make sure the script hasn't added extra keys, which might be a bit confusing for some).

The article currently gives a description of how to use ssh-copy-id as well as providing instructions on how to manually copy your private key to the remote server. I can't find any mention of ssh-copy-id altering file or directory permissions on the remote server. On the contrary, the ssh-copy-id man page dated 14 November 1999 currently included in the OpenSSH man page states that it "does not modify the permissions of any pre-existing files or directories." — Ntwk 11:22, 21 December 2011 (EST)
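Manual key installation as the two posts above discuss it, written out as an added Python example (not the wiki's code and not OpenSSH's ssh-copy-id): it checks that the line really is a public key (rejecting pasted private-key material and a blob whose embedded type does not match the declared one), appends it to authorized_keys only when the same key is not already there, and never changes the mode of a pre-existing file. The all-zero ed25519 key, the temporary path and the 0600 mode for a newly created file are constructed assumptions; option-prefixed lines (from=..., command=...) are not handled.

```python
import base64
import os
import re
import struct
import tempfile

# "<type> <base64 blob> [comment]"; option-prefixed lines are deliberately not matched.
KEY_LINE = re.compile(r"^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(?:256|384|521))\s+([A-Za-z0-9+/=]+)(?:\s+\S.*)?$")


def parse_public_key(line):
    """Return (keytype, base64 blob) for a valid OpenSSH public-key line, else raise ValueError."""
    line = line.strip()
    if "PRIVATE KEY" in line:
        raise ValueError("private key material; install only the .pub file")
    m = KEY_LINE.match(line)
    if not m:
        raise ValueError("not an OpenSSH public-key line")
    keytype, b64 = m.group(1), m.group(2)
    blob = base64.b64decode(b64, validate=True)
    n = struct.unpack(">I", blob[:4])[0]  # wire format starts with the length-prefixed type string
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("blob does not match declared key type")
    return keytype, b64


def install_key(pubkey_line, path):
    """Append the key to authorized_keys unless already present; True if it was added."""
    key = parse_public_key(pubkey_line)
    created = not os.path.exists(path)
    existing = "" if created else open(path).read()
    for old in existing.splitlines():
        try:
            if parse_public_key(old) == key:
                return False  # same type and blob (comment may differ): already installed
        except ValueError:
            continue  # comments, blank or option-prefixed lines are left untouched
    with open(path, "a") as f:
        if existing and not existing.endswith("\n"):
            f.write("\n")  # do not glue onto a last line that lacks its newline
        f.write(pubkey_line.strip() + "\n")
    if created:
        os.chmod(path, 0o600)  # only a file this function created gets its mode set
    return True


# Constructed ed25519 key: valid wire layout, all-zero key bytes (not a real key).
_BLOB = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)
SAMPLE_PUB = "ssh-ed25519 " + base64.b64encode(_BLOB).decode() + " alice@example"


def demo():
    """Install the sample key twice into a fresh file: (added, added_again, copies, mode)."""
    path = os.path.join(tempfile.mkdtemp(), "authorized_keys")
    first, second = install_key(SAMPLE_PUB, path), install_key(SAMPLE_PUB, path)
    copies = open(path).read().count("ssh-ed25519")
    return first, second, copies, os.stat(path).st_mode & 0o777
```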

cache time

In the description of gpg-agent.conf, it says that the example would cache the keys for 3 hours. If that's correct, gpg-agent seems to be using a rather odd unit of time. I tried to check in the man page for gpg-agent but couldn't find the options documented. Is the figure really correct? Or should it be 18000? --cfr (talk) 21:15, 13 September 2012 (UTC)