Difference between revisions of "Talk:SSH keys"

From ArchWiki
(cache time: new section)
m (/etc/ssh/sshd_config -- quick help for ssh-copy-id: remove closed discussion)
 
(53 intermediate revisions by 15 users not shown)
Old revision text (left column of the diff; the text added in the new revision is shown under "Latest revision" below):

Maybe the default 2048 bit rsa key is better? [[User:Vogt|Vogt]] 01:54, 31 August 2008 (EDT)

I have just completed a tidyup, this including removing the section on connection control as I deemed it irrelevant. If needed, it is available in [http://wiki.archlinux.org/index.php?title=Using_SSH_Keys&oldid=66756#SSH_connection_control the history]. [[User:Thelucster|Thelucster]] 13:51, 13 April 2009 (EDT)

I'm hesitant to make the edit myself, as I'm new to the whole 'wiki' thing, but I noticed that the Gnupg instructions here seem incomplete. After following them several times myself, I turned to the man pages and found the solution. Edit: Nevermind. My problem was something different, and the current /etc/profile.d script handles the proper exports. [[User:Ryeguy146|Ryeguy146]] 21:19, 22 March 2011 (PDT)

== sshd_config ==

Sometimes the 'ssh-add' is not enough to log in without a password. It is possible that ssh is configured in such a way that only a limited group of users is allowed to the machine.

In this case - you need root access to the server! - you have to change the configuration file. Mostly you can find it as /etc/ssh/sshd_config.

If the last line(s) of this file read(s): 'AllowUsers  <username>', you will have to add a similar line with your own username. Don't forget to restart the ssh daemon: '/etc/init.d/sshd restart'.

== Using pam_ssh module ==

I just want to add that one could also use the pam_ssh module, available here

http://pam-ssh.sourceforge.net/

or in the AUR to decrypt the ssh key on login and automatically start ssh-agent and add the keys.

This way one would have a truly passwordless ssh session and in the same way not compromise security by using a passphraseless key.

:I have opened a new section on using pam_ssh to decrypt a user's ssh keys upon login. My experience with PAM in general is limited, so the content currently consists of a description of pam_ssh, some basic configuration instructions, and some of the limitations of pam_ssh which I have personally encountered. [[User:Ntwk|Ntwk]] 16:37, 18 December 2011 (EST)
  
== ssh-agent ==

The current wiki entries tell to "$ echo 'eval `ssh-agent`' >> ~/.bashrc" which will every time spawn a new ssh-agent.
I think a more elegant way is only to add the export commands of ssh-agent to the .bashrc, so one ssh-agent can be used from every shell. This could be put in a small wrapper script:

 #!/bin/sh
 
 # check if ssh-agent is already running
 if pgrep -x ssh-agent >/dev/null; then
         echo "ssh-agent is already running" >&2
         exit 1
 fi
 
 # get new sock and pid: the first two lines of ssh-agent's sh-style output
 agent=$(ssh-agent -s | head -2)
 
 # delete old sock, pid and comment
 sed -i -e '/SSH_\(AUTH_SOCK\|AGENT_PID\)/d' ~/.bashrc
 
 # insert new sock and pid for new shells
 echo "# auto generated SSH_AUTH_SOCK and SSH_AGENT_PID" >> ~/.bashrc
 echo "$agent" >> ~/.bashrc
 
 # for evaluation in the current shell
 echo "$agent"

 $ eval "$(./ssh_agent_wrapper.sh)"

this would make ssh-agent available on the current and all new shells.

Be sure you have added the key to your /etc/ssh/ssh_config:

 IdentityFile path/to/key
 
  
== Alternative to manual key installation ==

We might want to mention that there's a script called 'ssh-copy-id' which comes with OpenSSH that installs your public key in a remote machine's authorized_keys. There are a few caveats with it (it changes permissions of the user home directory, which should be a no-op in most situations; see the man page of ssh-copy-id -- and it also tells the user to make sure the script hasn't added extra keys, which might be a bit confusing for some).

: The article currently gives a description of how to use {{ic|ssh-copy-id}} as well as providing instructions on how to manually copy your private key to the remote server. I can't find any mention of {{ic|ssh-copy-id}} altering file or directory permissions on the remote server. On the contrary, the {{ic|ssh-copy-id}} man page dated 14 November 1999 currently included in the OpenSSH man page states that it "does not modify the permissions of any pre-existing files or directories." — [[User:Ntwk|Ntwk]] 11:22, 21 December 2011 (EST)
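The "make sure the script hasn't added extra keys" caveat discussed above can be turned into a check. The following is an added example, not ArchWiki or OpenSSH code: it appends a public key to an authorized_keys file only if the key is not already there and then verifies the file gained exactly the expected number of keys. It works on a local path (on a real remote the same commands would run through ssh); the function names and sample keys are constructed, and lines with option prefixes before the key type are not handled.

```shell
#!/bin/sh
# Idempotent authorized_keys install with an explicit "exactly one key was
# added" verification. Added illustration; not ArchWiki or OpenSSH code.

# A key is identified by its type and base64 blob; the trailing comment is
# ignored, so the same key with a different comment is not added twice.
key_id() {
    printf '%s\n' "$1" | awk '{ print $1, $2 }'
}

key_present() {  # $1 = authorized_keys path, $2 = public key line
    id=$(key_id "$2")
    [ -r "$1" ] && awk '{ print $1, $2 }' "$1" | grep -qxF "$id"
}

count_keys() {  # counts non-empty, non-comment lines; 0 if no file
    [ -r "$1" ] || { echo 0; return; }
    grep -cvE '^[[:space:]]*(#|$)' "$1" || true
}

# Append the key with owner-only permissions (what sshd's StrictModes
# expects) and return 0 only if the file gained exactly the expected key.
install_key() {  # $1 = authorized_keys path, $2 = public key line
    before=$(count_keys "$1")
    if key_present "$1" "$2"; then
        expected=$before                      # nothing to do
    else
        ( umask 077
          mkdir -p "$(dirname "$1")"
          printf '%s\n' "$2" >> "$1" )
        chmod 600 "$1"
        expected=$((before + 1))
    fi
    after=$(count_keys "$1")
    [ "$after" -eq "$expected" ]
}
```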
 
 
 
== cache time ==

In the description of gpg-agent.conf, it says that the example would cache the keys for 3 hours. If that's correct, gpg-agent seems to be using a rather odd unit of time. I tried to check in the man page for gpg-agent but couldn't find the options documented. Is the figure really correct? Or should it be 18000? --[[User:Margali|cfr]] ([[User talk:Margali|talk]]) 21:15, 13 September 2012 (UTC)
 

Latest revision as of 16:29, 11 April 2017

== kwallet5 ==

there should be a note about kwallet5 not supporting PGP, for now

--- [[User:Lesto|Lesto]] ([[User talk:Lesto|talk]]) 23:50, 15 March 2015 (UTC)

:Are you sure it is the case? Can you provide some source, a bug report or something? For now we have [[SSH keys#Store SSH keys with Kwallet]] linking to [[KDE_Wallet#Using_the_KDE_Wallet_to_store_ssh_keys]] which only has a vague, unsourced "May have a bug" accuracy template. [[User:Neitsab|Neitsab]] ([[User talk:Neitsab|talk]]) 11:21, 21 October 2015 (UTC)

== pam_tally ==

With two-factor authentication ([https://wiki.archlinux.org/index.php/SSH_keys#Two-factor_authentication_and_public_keys crypto keys **and** password]), I achieve that pam_tally increments by 2 the user errors every time I login. So surely there is an error in the suggested configuration--[[User:Xan|Xan]] ([[User talk:Xan|talk]]) 12:00, 30 June 2015 (UTC)

== SSH public key passphrase ==

I think that we should add `ssh -p -k ~/.ssh/id_ed25519.pub` to the page, I saw a nice example from https://blog.0xbadc0de.be/archives/300. [[User:Pickfire|Pickfire]] ([[User talk:Pickfire|talk]]) 10:09, 13 April 2016 (UTC)

== Starting ssh-agent as a wrapper ==

In this section, there is a note which says that you "can" add eval $(ssh-agent) to your .xinitrc.

When using ssh-agent as a wrapper to startx, I have noticed that if I have both -- the alias as well as the eval statement in .xinitrc, it spawns 2 ssh-agent processes. I believe this is a leftover note from earlier when we didn't have the section titled "ssh-agent".

Can someone confirm and I will remove that note from the "ssh-agent as a wrapper" section, because the way it stands today seems to indicate that you need to do both -- the alias to startx as well as add the eval statement to xinitrc in order for it to work when that is not the case.

[[User:Inxsible|Inxsible]] ([[User talk:Inxsible|talk]]) 00:46, 4 January 2017 (UTC)

:I'm pretty sure the note was intended [https://wiki.archlinux.org/index.php?title=SSH_keys&diff=461444&oldid=460060 like this]. -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 20:12, 4 January 2017 (UTC)
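Both the wrapper script in the old "ssh-agent" discussion above and the double-agent problem raised in this thread come down to the same question: is there already a usable agent before another is started? The following is an added example, not code from ArchWiki or the SSH keys article: it keeps the agent's export lines in a separate file instead of rewriting ~/.bashrc, and probes the recorded agent through ssh-add's exit status before spawning a new one. The file location, the function names and the reliance on ssh-add's documented exit codes (0 keys loaded, 1 reachable but empty, 2 unreachable) are assumptions of this example.

```shell
#!/bin/sh
# Share one ssh-agent between all shells: the agent's two export lines are
# kept in a file that every shell sources, and a new agent is started only
# when the recorded one no longer answers. Added illustration; not ArchWiki
# code. The file location below is an assumption.
AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent.env}"

# Keep only the SSH_AUTH_SOCK / SSH_AGENT_PID export lines from the output
# of `ssh-agent -s` (drops the "echo Agent pid" line, which would otherwise
# print on every shell start).
agent_exports() {
    printf '%s\n' "$1" | grep -E '^SSH_(AUTH_SOCK|AGENT_PID)='
}

# ssh-add -l exits 0 with keys loaded, 1 for a reachable but empty agent,
# and 2 when the agent cannot be contacted; only 2 calls for a new agent.
agent_alive() {
    [ -S "${SSH_AUTH_SOCK:-}" ] || return 1
    command -v ssh-add >/dev/null 2>&1 || return 1
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    [ "$rc" -ne 2 ]
}

# Load the saved environment, if any, and report whether it still works.
reuse_agent() {
    [ -r "$AGENT_ENV" ] || return 1
    . "$AGENT_ENV"
    agent_alive
}

# Start a fresh agent and record its environment with owner-only access.
start_agent() {
    ( umask 077
      mkdir -p "$(dirname "$AGENT_ENV")"
      agent_exports "$(ssh-agent -s)" > "$AGENT_ENV" )
    . "$AGENT_ENV"
}

# Source this file from ~/.bashrc and call ensure_agent; when doing so, do
# not also wrap startx in ssh-agent, or a second agent is spawned (the
# double-agent behaviour described in this thread).
ensure_agent() {
    reuse_agent || start_agent
}
```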