{"id":1493,"date":"2017-08-17T13:19:36","date_gmt":"2017-08-17T18:19:36","guid":{"rendered":"http:\/\/lisa.rushworth.us\/?p=1493"},"modified":"2018-03-13T15:51:19","modified_gmt":"2018-03-13T20:51:19","slug":"linux-authentication-over-key-exchange","status":"publish","type":"post","link":"https:\/\/www.rushworth.us\/lisa\/?p=1493","title":{"rendered":"Linux Authentication Over Key Exchange"},"content":{"rendered":"<p>On Linux, you can log in without typing a password by using SSH public key authentication (this post calls it a key exchange; it is not the same thing as the key exchange step of the SSH protocol, which negotiates the session encryption). That is essential for non-interactive processes that run commands on remote hosts, and it is also nice for getting onto hosts when you get paged at 2AM to look into an issue.\u00a0The first thing you need is a key pair. You can use the OpenSSH installation on any Linux box to generate one:<\/p>\n<p>ssh-keygen -t rsa -b 2048<\/p>\n<p>You\u2019ll get an id_rsa and id_rsa.pub in ~\/.ssh. Your private key (keep it somewhere safe, and never copy it onto a server) is in id_rsa; your public key is in id_rsa.pub. 2048 bits is the smallest RSA size worth using; on OpenSSH 6.5 or later, a 4096-bit RSA key or an Ed25519 key is a better default.<\/p>\n<p><strong><em>Alternately<\/em> <\/strong>you can run puttygen.exe (<a href=\"http:\/\/www.chiark.greenend.org.uk\/~sgtatham\/putty\/download.html\">www.chiark.greenend.org.uk\/~sgtatham\/putty\/download.html<\/a>) for a GUI key generator.\u00a0Click the \u201cGenerate\u201d button and then move the mouse around over the blank area of the PuTTYgen window \u2013 your mouse movements are used as entropy for the key.<\/p>\n<p><a href=\"http:\/\/lisa.rushworth.us\/wp-content\/uploads\/2017\/08\/1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-1494 size-medium\" src=\"http:\/\/lisa.rushworth.us\/wp-content\/uploads\/2017\/08\/1-300x296.png\" alt=\"\" width=\"300\" height=\"296\" srcset=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2017\/08\/1-300x296.png 300w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2017\/08\/1.png 721w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>Once the key is generated, click \u201cSave public key\u201d and store it somewhere safe. 
Click \u201cSave private key\u201d and store the .ppk file somewhere safe. Then copy the one-line public key from the \u201cPublic key for pasting into OpenSSH authorized_keys file\u201d box at the top of the window. You don\u2019t <em>have<\/em> to \u2013 the saved public key file is in the multi-line RFC 4716 format, which ssh-keygen can import with its -i option \u2013 but copying the line from the box saves time. Simply deleting the newlines from the saved file is not enough: that format also carries BEGIN\/END markers and a Comment header, and it lacks the leading key type that authorized_keys requires.<\/p>\n<p><a href=\"http:\/\/lisa.rushworth.us\/wp-content\/uploads\/2017\/08\/2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-1495\" src=\"http:\/\/lisa.rushworth.us\/wp-content\/uploads\/2017\/08\/2.png\" alt=\"\" width=\"720\" height=\"712\" srcset=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2017\/08\/2.png 720w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2017\/08\/2-300x297.png 300w\" sizes=\"auto, (max-width: 720px) 100vw, 720px\" \/><\/a><\/p>\n<p>Either way, you now have a key pair: a one-line public key (key type, base64 blob, optional comment) that goes onto servers, and a private key file (OpenSSH\u2019s PEM-style format from ssh-keygen, PuTTY\u2019s .ppk format from PuTTYgen) that stays on the machine you connect from.<\/p>\n<p>** Key recovery isn\u2019t a big deal \u2013 if you lose the private key, you generate a new key pair and install the new public key again. That is time consuming if your public key is all over the place, but it isn\u2019t a data loss kind of thing.<\/p>\n<p>*** Anyone who gets your private key can log in as you on every host where you installed its public key, with no password prompt. Protect the file, and add a passphrase to the key: the passphrase encrypts the private key at rest, and an agent (ssh-agent on Linux, Pageant with PuTTY) lets you type it once per session instead of on every connection. A stolen passphrase-protected key still has to be treated as compromised, but the passphrase buys you time to replace it.<\/p>\n<p>Go to whatever box you want to log into using the key exchange. ** I have a key exchange set up from my Windows boxes (laptop, terminal server) to myid@jumphost. I then have a different key used from myid@jumphost to all of our other boxes. This allows me to change my laptop key (i.e. the one more likely to get lost) out more frequently without having to get a new public key on dozens of hosts.<\/p>\n<p>Once you are on the box you want, as the ID you want (you can set up key authentication for any id whose password you know \u2013 so you can log in as serviceaccount@hostname or otherserviceaccount@otherhostname and do this, or you can be logged in as yourid@hostname). 
Run \u201ccd ~\/.ssh\u201d. If it says no such file or directory, the directory has to be created with mode 700 (owner only). One way to get that: run \u201cssh localhost\u201d, answer yes when it asks whether to store the server\u2019s host key (that creates ~\/.ssh with the proper permissions), then Ctrl-c out of the password prompt and cd ~\/.ssh again. Now determine whether there is an authorized_keys, an authorized_keys2, or both. sshd reads whatever files the AuthorizedKeysFile directive in \/etc\/ssh\/sshd_config names; the OpenSSH default lists both .ssh\/authorized_keys and .ssh\/authorized_keys2 (the second is a leftover from the SSH protocol 2 transition), but some distributions ship a config that names only one of them, so authorized_keys is the one to use unless that line says otherwise. Vim the one you find \u2013 if there aren\u2019t any, \u201cvi authorized_keys\u201d \u2013 go into edit mode and paste in the public key line we copied earlier, one key per line. Save the file and make sure it is mode 600 and owned by the account: with StrictModes on (the default), sshd ignores an authorized_keys file, a ~\/.ssh directory or a home directory that is writable by group or other, and logs \u201cAuthentication refused: bad ownership or modes\u201d in the auth log. If PuTTY reports \u201cServer refused our key\u201d, check that log first; if the server really does read only the other file name, \u201cmv authorized_keys authorized_keys2\u201d (or \u201cmv authorized_keys2 authorized_keys\u201d if you started with keys2).<\/p>\n<p>In PuTTY, load your configuration for whatever host we just pasted the public key into. Under Connection -&gt; Data, find the \u201cAuto-login username\u201d field. Put in whatever ID you used when you added the public key (my use case is me, e0082643 \u2026 but if you were using ldapAdmin@hostname, you would put ldapAdmin in here).<\/p>\n<p><a href=\"http:\/\/lisa.rushworth.us\/wp-content\/uploads\/2017\/08\/3.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-1496\" src=\"http:\/\/lisa.rushworth.us\/wp-content\/uploads\/2017\/08\/3.png\" alt=\"\" width=\"686\" height=\"674\" srcset=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2017\/08\/3.png 686w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2017\/08\/3-300x295.png 300w\" sizes=\"auto, (max-width: 686px) 100vw, 686px\" \/><\/a><\/p>\n<p>Then under Connection -&gt; SSH -&gt; Auth, find the \u201cPrivate key file for authentication\u201d field and put in the location of your .ppk private key. 
Go back to the Session section and save the configuration changes.<\/p>\n<p><a href=\"http:\/\/lisa.rushworth.us\/wp-content\/uploads\/2017\/08\/4.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-1497\" src=\"http:\/\/lisa.rushworth.us\/wp-content\/uploads\/2017\/08\/4.png\" alt=\"\" width=\"659\" height=\"663\" srcset=\"https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2017\/08\/4.png 659w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2017\/08\/4-150x150.png 150w, https:\/\/www.rushworth.us\/lisa\/wp-content\/uploads\/2017\/08\/4-298x300.png 298w\" sizes=\"auto, (max-width: 659px) 100vw, 659px\" \/><\/a><\/p>\n<p>Now connect &amp; you shouldn\u2019t need to supply a password (or you only need to supply your key passphrase, if you set one and aren\u2019t running Pageant).<\/p>\n<p>** The OpenSSH client automatically tries the default private keys in ~\/.ssh\/ (id_rsa, id_ecdsa and id_ed25519; id_dsa too on old releases, but DSA keys are disabled by default since OpenSSH 7.0) when you attempt to authenticate to other hosts. If the destination id@host has your public key in its ~\/.ssh\/authorized_keys (or ~\/.ssh\/authorized_keys2), then you\u2019ll get the same key based authentication from Linux to Linux with no client configuration at all. Caveat: on the source Linux host, your private key cannot be group or other readable. Run \u201cchmod go-rw ~\/.ssh\/id_rsa\u201d (mode 600) to ensure it is sufficiently private; otherwise ssh prints an UNPROTECTED PRIVATE KEY FILE warning, ignores the key, and falls back to a password prompt.<\/p>\n<p>** Once you have key authentication in place, it is fairly easy to rotate your key. Create a new one but do not yet replace your old one (ssh-keygen\u2019s -f option lets you pick the file name). You can make a shell script that updates\u00a0<em>all<\/em> remote hosts with your new public key &#8211; per host, run:<\/p>\n<p>ssh user@remoteHost \"echo \\\"`cat ~\/.ssh\/new_id_rsa.pub`\\\" &gt;&gt; ~\/.ssh\/authorized_keys\"<\/p>\n<p>The backticks run on your machine, so the new public key is substituted into the command before ssh sends it, and the escaped double quotes keep the remote shell from word-splitting it. (The ssh-copy-id tool that ships with OpenSSH does the same job and also creates ~\/.ssh with the right permissions if it is missing.) Once the new public key has been pushed out, test it using \u201cssh -i ~\/.ssh\/new_id_rsa -o IdentitiesOnly=yes user@remoteHost\u201d and verify the key authentication works; IdentitiesOnly matters because without it ssh also offers your old id_rsa, and a broken new key would go unnoticed. Once confirmed, remove the old public key\u2019s line from each remote authorized_keys \u2013 otherwise the retired key still grants access everywhere it was installed, which defeats the point of rotating \u2013 and then rename your old id_rsa and id_rsa.pub files to something else. 
Then rename your new_id_rsa to id_rsa and new_id_rsa.pub to id_rsa.pub<\/p>\n","protected":false},"excerpt":{"rendered":"<p>On Linux, you can log in without logging in (essential for non-interactive processes that run commands on remote hosts, but also nice accessing hosts when you get paged at 2AM to look into an issue).\u00a0The first thing you need is a key. You can use the openssh installation on a server to generate the key: &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[30],"tags":[295,296,294],"class_list":["post-1493","post","type-post","status-publish","format-standard","hentry","category-system-administration","tag-authentication","tag-key-exchange","tag-linux"],"_links":{"self":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/1493","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1493"}],"version-history":[{"count":4,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/1493\/revisions"}],"predecessor-version":[{"id":2974,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/1493\/revisions\/2974"}],"wp:attachment":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1493"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1493"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\
/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1493"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
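The authorized_keys handling and the key rotation described in the post above, written out as a POSIX shell script. This is an added example, not code from the original post: the host name, file paths and the two public key strings are constructed placeholders (not real keys), and the remote functions assume the public key comment contains no single quotes.

```shell
#!/bin/sh
# Added example, not from the original post. Does what the post's manual steps
# do to an authorized_keys file (create ~/.ssh, add a public key line, later
# retire it) with the ownership and mode rules sshd's StrictModes enforces,
# and drives a key rotation against a remote host the same way. Host names,
# paths and key material below are assumptions / constructed placeholders.

# Install one public key line into authorized_keys FILE, idempotently.
# Parent directory ends up 700 and the file 600, because sshd (StrictModes
# yes, the default) silently ignores a key file that is group/world writable.
authorize_key() {
    file=$1
    key_line=$2
    dir=$(dirname "$file")
    [ -d "$dir" ] || mkdir -p -m 700 "$dir"
    chmod 700 "$dir"
    [ -f "$file" ] || : > "$file"
    chmod 600 "$file"
    # -x: whole-line match, -F: the base64 blob is not a regular expression
    grep -qxF -- "$key_line" "$file" && return 0
    printf '%s\n' "$key_line" >> "$file"
}

# Remove every exact copy of a public key line from FILE. Goes through a temp
# file in the same directory so a failed write never leaves the file empty.
revoke_key() {
    file=$1
    key_line=$2
    tmp=$(mktemp "$file.XXXXXX")
    grep -vxF -- "$key_line" "$file" > "$tmp" || true   # grep exits 1 when nothing is left
    chmod 600 "$tmp"
    mv -f -- "$tmp" "$file"
}

# Does FILE grant access to this exact key line? (exit 0 = yes)
key_authorized() {
    grep -qxF -- "$2" "$1"
}

# Number of key lines in FILE; blank lines and # comments do not count.
key_count() {
    grep -c -v -e '^[[:space:]]*$' -e '^#' "$1" || true
}

# Is FILE mode exactly 600? (exit 0 = yes). find -perm without +/- is an exact match.
is_mode_600() {
    [ -n "$(find "$1" -prune -perm 600)" ]
}

# Rotate on a remote host: push NEW via the OLD key, prove the new key works
# on its own, then revoke OLD. Needs ssh and a network; not exercised locally.
# IdentitiesOnly stops ssh from silently falling back to the old key, which
# would make a broken new key look like a success.
rotate_remote() {
    host=$1
    old_priv=$2
    new_priv=$3
    old_pub=$(cat "$old_priv.pub")
    new_pub=$(cat "$new_priv.pub")
    ssh -i "$old_priv" -o IdentitiesOnly=yes "$host" \
        "grep -qxF '$new_pub' ~/.ssh/authorized_keys || printf '%s\n' '$new_pub' >> ~/.ssh/authorized_keys"
    if ! ssh -i "$new_priv" -o IdentitiesOnly=yes -o BatchMode=yes "$host" true; then
        echo "new key rejected by $host; old key left in place" >&2
        return 1
    fi
    ssh -i "$new_priv" -o IdentitiesOnly=yes "$host" \
        "grep -vxF '$old_pub' ~/.ssh/authorized_keys > ~/.ssh/authorized_keys.new; cat ~/.ssh/authorized_keys.new > ~/.ssh/authorized_keys; rm -f ~/.ssh/authorized_keys.new"
}

# The same rotation walked through on a scratch directory with placeholder
# keys. Prints the key counts after each stage: old only, both, new only.
rotate_locally() {
    scratch=$(mktemp -d)
    auth="$scratch/.ssh/authorized_keys"
    old='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCPLACEHOLDEROLDKEY0000000000= laptop-2016'
    new='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERNEWKEY000000000 laptop-2017'
    authorize_key "$auth" "$old"
    c1=$(key_count "$auth")
    authorize_key "$auth" "$new"
    authorize_key "$auth" "$new"        # re-running must not duplicate the line
    c2=$(key_count "$auth")
    key_authorized "$auth" "$new" && revoke_key "$auth" "$old"
    c3=$(key_count "$auth")
    rm -rf -- "$scratch"
    echo "$c1 $c2 $c3"
}
```

Run it with `. ./rotate.sh; rotate_locally` to see the three stages (1 2 1), or `rotate_remote user@host ~/.ssh/id_rsa ~/.ssh/new_id_rsa` against a real host once the new key pair exists; the old key is only revoked after the new one has authenticated by itself.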