SSH Key Authentication
Sonny J Zambrana
University of Pennsylvania
ISC-SEO
November 2008

Agenda
• Overview of SSH Keys
• Pros/Cons of using SSH Keys
• How to Create and Use Keys
• Authentication Details
• Security
• Troubleshooting
• Online Documentation
• Open Discussion
Overview
What is SSH key authentication:
• SSH is a protocol for secure remote logins and file copying.
• Key authentication lets you prove your identity to a remote host using a cryptographic key instead of a login password. SSH keys are more secure than passwords because the private key is never transmitted over the network, whereas a password is (albeit encrypted).
• An SSH key is actually a matched pair of keys stored in two files. The private (secret) key remains on the client machine; the public key is copied to the remote (server) machine. When a connection is established, the SSH client and server perform a negotiation based on the private and public key, and if they match (in the cryptographic sense), your identity is proven and the connection succeeds.

Pros/Cons
Pros:
- Secure, passwordless authentication
- Users no longer need to know credentials
- Scripts no longer require a password file
- Reduces the risk of remote exploits due to weak credentials
Cons:
- Unwanted access to other remote accounts
- Difficult to maintain multiple keys
- If compromised, the key needs to be replaced in several locations

Creating SSH Keys
Definition:
• An RSA key pair must be generated on the client system. The public portion of this key pair will reside on the servers being connected to, while the private portion must remain in a secure local area of the client system. The key pair is generated with the ssh-keygen utility.
Steps:
• The user must generate a key pair.
• The user (or an administrator) must place the public key on the appropriate server.
Creating SSH Keys Cont. Create a 2048 bit RSA key on client:
Creating SSH Keys Cont. Create/Modify the public key on server:
Using SSH Keys Test Authentication:
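The three steps on the slides above (generate the key pair on the client, install the public key on the server, test the login) as an added shell example; this is not code from the original presentation. It assumes OpenSSH's ssh-keygen and ssh on the client. The server-side step is written against a directory path rather than a remote host so it can be exercised locally, and it appends to authorized_keys rather than overwriting it, which is the rule the Authentication Details slide insists on. The public-key line in the usage comment is a constructed placeholder, not real key material.

```shell
#!/bin/sh
# Added example (not from the original slides). Assumes OpenSSH tools on the client.
set -u

# Client step: create a 2048-bit RSA key pair in $1 (default ~/.ssh/id_rsa).
# Pass a passphrase as $2; if omitted, ssh-keygen prompts for one interactively.
generate_keypair() {
    keyfile=${1:-"$HOME/.ssh/id_rsa"}
    keydir=$(dirname "$keyfile")
    mkdir -p "$keydir" && chmod 700 "$keydir"
    if [ -f "$keyfile" ]; then
        echo "refusing to overwrite existing key $keyfile" >&2
        return 1
    fi
    comment="$(whoami)@$(hostname)"
    if [ -n "${2:-}" ]; then
        ssh-keygen -q -t rsa -b 2048 -f "$keyfile" -N "$2" -C "$comment"
    else
        ssh-keygen -q -t rsa -b 2048 -f "$keyfile" -C "$comment"
    fi
    chmod 600 "$keyfile"
    echo "public key to install on the server: $keyfile.pub"
}

# Server step: append the single public-key line in $1 to $2/authorized_keys
# (default ~/.ssh). The file is created with 600 permissions if missing, never
# truncated, and the line is skipped if that key is already present so that
# repeated installs do not pile up duplicate entries.
install_pubkey() {
    pubfile=$1
    sshdir=${2:-"$HOME/.ssh"}
    auth="$sshdir/authorized_keys"
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    touch "$auth" && chmod 600 "$auth"
    # An OpenSSH public key line is: <type> <base64 key material> [comment];
    # the key material is what identifies the key, so match on that field.
    blob=$(awk '{print $2}' "$pubfile")
    if [ -z "$blob" ]; then
        echo "no key material found in $pubfile" >&2
        return 1
    fi
    if grep -qF -- "$blob" "$auth"; then
        return 0   # already installed; nothing to do
    fi
    # Command substitution strips trailing newlines, so exactly one is appended.
    printf '%s\n' "$(cat "$pubfile")" >> "$auth"
}

# Count installed keys (blank lines and '#' comments ignored).
count_keys() {
    grep -cvE '^[[:space:]]*(#|$)' "$1" || true
}

# Test step: a non-interactive login that must succeed by key alone. BatchMode
# disables password prompts, so a still-broken setup fails here instead of
# silently falling back to a password. Use the server's FQDN, as the next slide advises.
test_key_auth() {
    ssh -o BatchMode=yes -o PasswordAuthentication=no -i "${2:-$HOME/.ssh/id_rsa}" "$1" true
}

# Usage (constructed names, run on the client):
#   generate_keypair "$HOME/.ssh/id_rsa"
#   scp "$HOME/.ssh/id_rsa.pub" user@depot.isc-seo.upenn.edu:/tmp/id_rsa.pub
#   then on the server: install_pubkey /tmp/id_rsa.pub "$HOME/.ssh"
#   back on the client: test_key_auth user@depot.isc-seo.upenn.edu
```

The `install_pubkey` function is the one to reuse: running it twice for the same key leaves one entry, and a file with no key material is rejected without touching authorized_keys.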
Authentication Details
Things to know about key authentication:
• Uses a cryptographic key instead of a login password. More secure, since the keys are never passed over the network.
• Concatenate … Do not overwrite ~/.ssh/authorized_keys on the server.
• Servers that you connect to must already be in ~/.ssh/known_hosts on the client before any batch job runs.
• Use FQDNs instead of short host names when connecting from the client. The system considers depot, depot.isc-seo and depot.isc-seo.upenn.edu to be three different hosts.
• Developers are responsible for creating keys on test systems. SEO is responsible for creating keys on the equivalent production systems.

Security
• Always use 2048-bit RSA. This is the strongest, fastest and most reliable method that the industry offers.
• DSA can be used instead, but it is slower than RSA. It is only required when sending encrypted files out of the country and will only be used for those special cases.
• Be responsible: do not share the private key with anyone or any other account, no exceptions!
• If the client account is compromised, the client needs to complete the following tasks:
  - Generate a new key pair.
  - Remove references to the old key pair on the client and on every server it connects to.
  - Distribute the new public key to every server it connects to.

Troubleshooting
Things to know:
• If you are still being prompted for a password, verify that the steps have been completed successfully.
• Verify that the permissions of the ~/.ssh directory are 700 (rwx------) on both the client and the server.
• Verify that the home directory is writable only by the user and not by the group/world.
• Verify that the account has not been locked due to too many failed login attempts.
• In some cases the account may have remote login disabled.
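The permission checks from the Troubleshooting slide, as an added shell function that is not part of the original presentation. Given a home directory it reports every deviation the slide lists (group/world-writable home, ~/.ssh not 700, and additionally authorized_keys or the private key readable by others, since sshd and ssh reject those too). It assumes a POSIX shell with ls and cut, and takes the home directory as an argument so it can be run against any account; the locked-account and remote-login-disabled cases are administrative checks and are not covered here.

```shell
#!/bin/sh
# Added example (not from the original slides). POSIX sh; relies on ls -l output.
set -u

# Symbolic mode of a path, e.g. drwx------ (ACL/extended-attribute markers trimmed).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# check_ssh_perms HOME_DIR
# Prints one line per problem found and returns 0 only when nothing is wrong.
check_ssh_perms() {
    home=$1
    problems=0

    # Home directory: must not be writable by group (6th char) or world (9th char),
    # otherwise sshd with StrictModes (the default) ignores authorized_keys.
    m=$(mode_of "$home")
    case "$m" in
        ?????w*) echo "home $home is group writable ($m)"; problems=$((problems+1)) ;;
    esac
    case "$m" in
        ????????w?) echo "home $home is world writable ($m)"; problems=$((problems+1)) ;;
    esac

    # ~/.ssh: must exist and be exactly 700.
    sshdir="$home/.ssh"
    if [ ! -d "$sshdir" ]; then
        echo "$sshdir does not exist"; problems=$((problems+1))
    else
        m=$(mode_of "$sshdir")
        if [ "$m" != "drwx------" ]; then
            echo "$sshdir is $m, expected drwx------"; problems=$((problems+1))
        fi
        # authorized_keys (server) and the private key (client) must not be
        # group/world readable; absent files are simply skipped.
        for f in "$sshdir/authorized_keys" "$sshdir/id_rsa"; do
            [ -f "$f" ] || continue
            m=$(mode_of "$f")
            case "$m" in
                -rw-------|-r--------) ;;
                *) echo "$f is $m, expected -rw-------"; problems=$((problems+1)) ;;
            esac
        done
    fi

    [ "$problems" -eq 0 ]
}

# Usage: check_ssh_perms "$HOME"   (run on the client and again on the server)
```

Run it on both ends of the connection: the home-directory and ~/.ssh checks apply to the server account holding authorized_keys as much as to the client account holding the private key.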
Documentation
Presentation:
• https://www.mr.isc-seo.upenn.edu/Pages/Documentation.aspx
FAQ:
• https://www.mr.isc-seo.upenn.edu/Pages/Documentation.aspx
Help Distribution List:
• ssh_help@admsystems.upenn.edu
Man Pages:
• Type ‘man ssh-keygen’ on any AIX/Linux server

Q & A
Open Discussion
ssh_help@admsystems.upenn.edu