Difference between revisions of "Talk:SSH keys"

From ArchWiki
m (Minor addition suggested to GnuPG implementation.)
(use https for links to archlinux.org)
(14 intermediate revisions by 6 users not shown)
Text in the earlier revision that is no longer present in the revision shown below:

I'm hesitant to make the edit myself, as I'm new to the whole 'wiki' thing, but I noticed that the GnuPG instructions here seem incomplete. After following them several times myself, I turned to the man pages and found the solution. See below:
-- Ryeguy146 21:19, 22 March 2011 (PDT)

GnuPG

In addition to the /etc/profile.d script described, the man pages for gnupg2 call for the following to be called for each session (edited in accordance with existing instructions):

# import the agent variables gpg-agent wrote and export them for gpg and ssh
if [ -f "${HOME}/.gnupg/gpg-agent.info" ]; then
    . "${HOME}/.gnupg/gpg-agent.info"
    export GPG_AGENT_INFO
    export SSH_AUTH_SOCK
fi

Prior to adding this to my .zshrc file, caching of the ssh key did not function without exporting the variables manually. Of course, there may be better ways to implement this, and I leave this merely as a suggestion.

Revision as of 07:16, 28 April 2013

Default RSA key size

Maybe the default 2048 bit RSA key is better?
--Vogt 01:54, 31 August 2008 (EDT)

I have just completed a tidyup; this included removing the section on connection control, as I deemed it irrelevant. If needed, it is available in the history.
-- Thelucster 13:51, 13 April 2009 (EDT)
Closing.
-- Jstjohn (talk) 22:15, 7 April 2013 (UTC)

sshd_config

Sometimes 'ssh-add' is not enough to log in without a password. It is possible that ssh is configured in such a way that only a limited group of users is allowed onto the machine. In this case - you need root access to the server! - you have to change the configuration file. Mostly you can find it at /etc/ssh/sshd_config. If the last line(s) of this file read(s) AllowUsers <username>, you will have to add a similar line with your own username. Don't forget to restart the ssh daemon: /etc/init.d/sshd restart.
-- Kobussie, 10 February 2009
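As an added example (mine, not from the post above or from OpenSSH), here is a POSIX shell function that reproduces the DenyUsers/AllowUsers part of sshd's decision, so a username can be checked against a config file before the daemon is restarted. It ignores AllowGroups, DenyGroups and Match blocks, which is a simplification of the real logic, and the sshd_config text embedded in it is constructed for the example. On the real file, sshd -t validates the syntax and sshd -T prints the effective configuration.

```sh
#!/bin/sh
# Constructed sample sshd_config for this example (not a real server's file).
SAMPLE_SSHD_CONFIG='
Port 22
PermitRootLogin no
# DenyUsers is checked before AllowUsers, so mallory is refused regardless
DenyUsers mallory
AllowUsers alice bob@192.168.1.* adm*
'

# write_sample_config PATH: materialise the constructed config on disk.
write_sample_config() {
    printf '%s\n' "$SAMPLE_SSHD_CONFIG" > "$1"
}

# sshd_user_allowed CONFIG_FILE USER
# Exit 0 if USER passes the DenyUsers/AllowUsers checks in CONFIG_FILE, 1 if not.
# Mirrors sshd's order: DenyUsers is checked first; then, if any AllowUsers
# line exists, the user must match one of its patterns. Patterns may use the
# wildcards * and ?; a user@host pattern is reduced to its user part here
# (assumption: the client host is not evaluated). AllowGroups, DenyGroups and
# Match blocks are not handled, so this is a simplification of the real logic.
# The body runs in a subshell so that disabling globbing (set -f), needed to
# stop the shell expanding adm* against the current directory, does not leak
# into the caller.
sshd_user_allowed() (
    cfg=$1
    user=$2
    set -f
    deny=''
    allow=''
    have_allow=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                 # drop trailing comments
        set -- $line                     # split into keyword and arguments
        [ $# -ge 1 ] || continue         # blank or comment-only line
        key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # keywords are case-insensitive
        shift
        case $key in
            denyusers)  deny="$deny $*" ;;
            allowusers) allow="$allow $*"; have_allow=1 ;;
        esac
    done < "$cfg"

    for pat in $deny; do
        case $user in ${pat%@*}) exit 1 ;; esac
    done
    if [ "$have_allow" -eq 0 ]; then
        exit 0                           # no AllowUsers: everyone not denied may log in
    fi
    for pat in $allow; do
        case $user in ${pat%@*}) exit 0 ;; esac
    done
    exit 1
)

# Stand-alone run: report the decision for a few users.
tmp=$(mktemp)
write_sample_config "$tmp"
for u in alice bob carol mallory admin2; do
    if sshd_user_allowed "$tmp" "$u"; then echo "$u: allowed"; else echo "$u: denied"; fi
done
rm -f "$tmp"
```

Two properties of the real directive are worth keeping in mind: DenyUsers always wins over AllowUsers, and as soon as one AllowUsers line exists every account not matched by it is locked out, which is the situation described above and why each extra account needs its own entry (a further AllowUsers line or another name on the existing one).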

Using pam_ssh module

I just want to add that one could also use the pam_ssh module, available here http://pam-ssh.sourceforge.net/ or in the AUR, to decrypt the ssh key on login and automatically start ssh-agent and add the keys. This way one would have a truly passwordless ssh session and at the same time not compromise security by using a passphraseless key.
-- Pladen, 27 March 2009

I have opened a new section on using pam_ssh to decrypt a user's ssh keys upon login. My experience with PAM in general is limited, so the content currently consists of a description of pam_ssh, some basic configuration instructions, and some of the limitations of pam_ssh which I have personally encountered.
-- Ntwk 16:37, 18 December 2011 (EST)
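As an added illustration of what such a PAM stack looks like (not from the posts above or from the pam_ssh project): the file name and the position of the lines relative to the rest of the stack are assumptions to verify against your distribution's /etc/pam.d layout and the pam_ssh README.

```text
# /etc/pam.d/login   (assumed; use the file of whatever service logs you in)
auth     required   pam_unix.so
auth     optional   pam_ssh.so try_first_pass
# ... the remaining auth/account/password lines of the stack ...
session  optional   pam_ssh.so
```

try_first_pass hands pam_ssh the password that pam_unix already collected, so it is tried as the passphrase of the keys under ~/.ssh; the session line is what starts ssh-agent and loads the keys it managed to decrypt. Keep the auth line optional rather than sufficient: with sufficient, decrypting a key would by itself authenticate the account, turning every key passphrase into a login password. The scheme only works when the key passphrase equals the login password, and the agent then holds the unlocked keys for the whole session.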

ssh-agent

The current wiki entry tells you to $ echo 'eval `ssh-agent`' >> ~/.bashrc, which will spawn a new ssh-agent every time. I think a more elegant way is to add only the export commands of ssh-agent to ~/.bashrc, so one ssh-agent can be used from every shell. This could be put in a small wrapper script:

#!/bin/sh
# ssh_agent_wrapper.sh: start one ssh-agent and record its environment in
# ~/.bashrc so every new shell (and, via eval, the current one) can reach it.

# refuse to start a second agent if one is already running
if [ -n "`ps -e | grep ssh-agent`" ]; then
        echo "ssh-agent is already running" >&2
        exit 1
fi
# get the new socket and pid (the first two lines of ssh-agent's output)
agent=`ssh-agent | head -2`
# delete the old socket, pid and comment lines from ~/.bashrc
sed -i -e "/SSH_\(AUTH_SOCK\|AGENT_PID\)/d" ~/.bashrc
# insert the new socket and pid for new shells
echo "# auto generated SSH_AUTH_SOCK and SSH_AGENT_PID" >> ~/.bashrc
echo "$agent" >> ~/.bashrc
# print them as well, for evaluation in the current shell
echo "$agent"

$ eval `./ssh_agent_wrapper.sh`

this would make ssh-agent available on the current and all new shells.

Be sure you have added the key to your /etc/ssh/ssh_config:

IdentityFile path/to/key

-- Cameris, 14 July 2009
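An added alternative (my example, not Cameris's script and not from the wiki article) that keeps one agent per login without rewriting ~/.bashrc each time: the agent's environment is saved to a file, and liveness is decided by asking the agent rather than by grepping ps, which also matches other users' agents. The file path ~/.ssh/agent.env and the 4-hour key lifetime are assumptions chosen for the example.

```sh
#!/bin/sh
# Reuse one ssh-agent across all shells by persisting its environment to a
# file. Source this from ~/.bashrc and call ensure_agent (see the comment at
# the bottom).

# Assumed location for the saved agent environment.
AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent.env}"

# agent_alive: exit 0 if the agent named by $SSH_AUTH_SOCK answers.
# ssh-add -l exits 0 (keys loaded) or 1 (no keys) when it reaches the agent
# and 2 when it cannot connect, so only 2 means the agent is gone.
agent_alive() {
    [ -S "${SSH_AUTH_SOCK:-}" ] || return 1
    ssh-add -l >/dev/null 2>&1
    [ $? -ne 2 ]
}

# load_agent_env FILE: import SSH_AUTH_SOCK/SSH_AGENT_PID from a file written
# in ssh-agent's own "VAR=value; export VAR;" format. Exit 1 if unreadable.
load_agent_env() {
    [ -r "$1" ] || return 1
    . "$1"
    export SSH_AUTH_SOCK SSH_AGENT_PID
}

# start_agent: launch a fresh agent whose keys expire after 4 hours (-t) and
# save its environment with mode 0600 so other local users cannot read it.
# The "echo Agent pid" line of ssh-agent's output is dropped from the file.
start_agent() {
    (umask 077
     mkdir -p "$(dirname "$AGENT_ENV")"
     ssh-agent -s -t 4h | grep -v '^echo' > "$AGENT_ENV")
    load_agent_env "$AGENT_ENV"
}

# ensure_agent: attach to the saved agent if it is still alive, else start one.
ensure_agent() {
    load_agent_env "$AGENT_ENV" 2>/dev/null || true
    agent_alive || start_agent
}

# Usage from ~/.bashrc (assumed path for this file):
#   . ~/.ssh/agent.sh && ensure_agent
# then run `ssh-add ~/.ssh/id_ed25519` once; later shells reuse the agent.
```

The -t lifetime is the security knob here: an agent that is never restarted is a standing unlocked credential for as long as the login lasts, and a bounded lifetime forces a fresh passphrase prompt instead. Stale environment files are harmless, since agent_alive treats a socket path nobody listens on as dead and a new agent is started.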

Alternative to manual key installation

We might want to mention that there's a script called 'ssh-copy-id', which comes with OpenSSH, that installs your public key in a remote machine's authorized_keys. There are a few caveats with it (it changes permissions of the user home directory, which should be a no-op in most situations; see the man page of ssh-copy-id -- and it also tells the user to make sure the script hasn't added extra keys, which might be a bit confusing for some).
-- Hexanol, 14 June 2010

The article currently gives a description of how to use ssh-copy-id as well as providing instructions on how to manually copy your private key to the remote server. I can't find any mention of ssh-copy-id altering file or directory permissions on the remote server. On the contrary, the ssh-copy-id man page dated 14 November 1999 currently included in the OpenSSH man page states that it "does not modify the permissions of any pre-existing files or directories."
-- Ntwk 11:22, 21 December 2011 (EST)
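As an added example (mine, not the ssh-copy-id script and not from the posts above), this is the manual equivalent of what the "install a key" step has to get right: append the public key only if it is not already present, create ~/.ssh and authorized_keys with the 0700/0600 modes sshd's StrictModes checks, and leave existing content alone. The count_keys helper is the "make sure no extra keys were added" check the ssh-copy-id documentation asks for. The key lines used in the stand-alone run are constructed and are not real key material.

```sh
#!/bin/sh
# install_pubkey PUBKEY_FILE AUTHORIZED_KEYS
# Append the single public key in PUBKEY_FILE to AUTHORIZED_KEYS (give the
# full path of ~/.ssh/authorized_keys) unless an identical line is already
# present. Creates the directory and file with the permissions sshd's
# StrictModes expects (0700 directory, 0600 file) and leaves existing keys
# untouched. Exit 0 on success, 2 if PUBKEY_FILE is unreadable or does not
# hold exactly one key line (a file with several keys is refused rather than
# silently installing all of them).
install_pubkey() {
    pub=$1
    auth=$2
    [ -r "$pub" ] || return 2
    n=$(grep -c . "$pub" || true)        # non-empty lines in the key file
    [ "$n" -eq 1 ] || return 2
    key=$(cat "$pub")
    dir=$(dirname "$auth")
    (umask 077; mkdir -p "$dir"; touch "$auth")
    chmod 700 "$dir"
    chmod 600 "$auth"
    if grep -qxF -- "$key" "$auth"; then
        return 0                          # already installed; nothing appended
    fi
    printf '%s\n' "$key" >> "$auth"
}

# count_keys AUTHORIZED_KEYS: number of key lines currently installed.
count_keys() {
    grep -c . "$1" || true
}

# Stand-alone run with a constructed key in a scratch directory.
d=$(mktemp -d)
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyAlice0000000000000 alice@laptop\n' > "$d/alice.pub"
install_pubkey "$d/alice.pub" "$d/home/.ssh/authorized_keys"
install_pubkey "$d/alice.pub" "$d/home/.ssh/authorized_keys"   # idempotent
echo "keys installed: $(count_keys "$d/home/.ssh/authorized_keys")"   # 1, not 2
rm -rf "$d"
```

Over a network, ssh-copy-id -i ~/.ssh/id_ed25519.pub user@host performs the same steps through an ssh session; either way only the public key travels, the private key stays on the client. If a login still fails afterwards, world- or group-writable ~/.ssh or authorized_keys on the server is the first thing to check, since StrictModes (on by default) rejects keys from such files.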

cache time

In the description of gpg-agent.conf, it says that the example would cache the keys for 3 hours. If that's correct, gpg-agent seems to be using a rather odd unit of time. I tried to check in the man page for gpg-agent but couldn't find the options documented. Is the figure really correct? Or should it be 18000?
-- cfr (talk) 21:15, 13 September 2012 (UTC)

PuTTY

Those who connect from Windows often use PuTTY to hook up over ssh; as of April 2013, PuTTY does not support ECDSA. I forget that periodically and waste time creating such a key; assuming I'm not alone there, I added it under the encryption method.
-- Nitmd April 7, 2013

That's a good note to add. I revised the wording of it and made it stand out more by using a template. Also, please remember to sign your posts by typing four tildes (~~~~).
-- Jstjohn (talk) 22:09, 7 April 2013 (UTC)