SSHv2 Training - PowerPoint PPT Presentation

1
SSHv2 Training
  • David J. Bianco
  • UNIX Systems Team
  • <bianco@jlab.org>

2
Table of Contents
  • Upgrade FAQs
  • What is changing?
  • Why is this happening?
  • How will this affect me?
  • What do I need to do?

3
Table of Contents
  • Working with SSHv2
  • Logging in to Other Systems
  • Copying Files Between Systems
  • Public Key Cryptography
  • Creating a Keypair
  • Changing Your Passphrase
  • Logging in With a Key

4
Table of Contents
  • Using the SSH Agent
  • Using the Agent Interactively
  • Integrating the Agent with the Linux GUI
  • Summary Questions

5
Upgrade FAQs
6
What is Changing?
  • All CC-managed hosts will require clients to
    connect with SSH protocol v2
  • SSH client on CUE machines will be reconfigured
    with Protocol 2 as the default
  • Software version will not change
  • This will happen at 5:00 PM, Monday August 23rd.
  • We've required Internet users to login with SSHv2
    for 2 years now

7
Why is this happening?
  • SSH1 is an older, slower protocol with significant
    security problems
  • SSH2 is the newest, most efficient protocol
  • Resolves all known weaknesses in SSH1 security
  • IETF standard
  • SSH1 hardcodes most of its cryptography
  • SSH2 negotiates cryptographic algorithms at
    runtime
  • Makes it easier to use internationally

8
How will this affect me?
  • Day-to-day life probably won't change much
  • Most common tasks will be unaffected
  • ssh hostname
  • ssh hostname ls /some/remote/directory
  • ssh -l user hostname
  • ssh user@hostname
  • scp /home/user/myfile hostname:/local/myfile

9
What do I need to do?
  • Maybe nothing
  • If you are using password-based login, you need
    not do anything
  • Windows users: just upgrade to the latest PuTTY
    in JLAB CUE
  • If you are using key-based login
  • Keys created with '-t dsa' in the last couple of
    years are already SSHv2
  • If you have older keys, you will need to create a
    new set

10
What do I need to do?
  • You can start using the new settings immediately
    if you like
  • Just add Protocol 2 to your ~/.ssh/config file
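As an added example (not part of the original deck), here is a small shell function that puts the Protocol 2 line into an OpenSSH-style client config and can be re-run without adding the line twice. It assumes OpenSSH's config syntax, in which the first matching directive wins, so the line is placed before any Host block rather than appended; the config path is a parameter so it can be tried on a scratch file first. The function names are mine.

```shell
# Added example, not from the JLab deck: pin "Protocol 2" in a client config.
# Usage: ensure_protocol2 [config-file]   (defaults to ~/.ssh/config)
ensure_protocol2() {
    cfg="${1:-$HOME/.ssh/config}"
    dir=$(dirname "$cfg")
    mkdir -p "$dir" && chmod 700 "$dir"
    # Already pinned? Match the directive at line start, any case, any spacing.
    if [ -f "$cfg" ] && grep -Eiq '^[[:space:]]*Protocol[[:space:]]+2[[:space:]]*$' "$cfg"; then
        return 0
    fi
    # ssh applies the FIRST value it sees for an option, and anything written
    # after a "Host" line belongs to that Host block only. Prepending therefore
    # makes "Protocol 2" global and overrides any later "Protocol 2,1".
    tmp="$cfg.tmp.$$"
    {
        printf 'Protocol 2\n'
        if [ -f "$cfg" ]; then cat "$cfg"; fi
    } > "$tmp" && mv "$tmp" "$cfg"
    chmod 600 "$cfg"
}

# Report the effective Protocol setting of a config file: the first directive
# found wins, so print that one, or "default" if the file sets none.
effective_protocol() {
    line=$(grep -Ei '^[[:space:]]*Protocol[[:space:]]+' "$1" 2>/dev/null | head -n1)
    if [ -z "$line" ]; then
        echo default
        return 0
    fi
    set -- $line
    echo "$2"
}
```

Run ensure_protocol2 once on a copy of your config, then check effective_protocol on it before letting it touch the real ~/.ssh/config.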

11
Working With SSHv2
12
Logging in to Other Systems
  • Login to host using the same user ID as on the
    local system
  • ssh host
  • Login to host using a different user ID
  • ssh -l user host
  • ssh user@host

13
Copying Files to Other Systems
  • Copy a file to a remote system
  • scp /home/user/file1.txt host:/tmp/file1.txt
  • scp /home/user/file2.txt host:/tmp
  • Copy a file from a remote system
  • scp host:/tmp/file3.txt /home/user
  • scp host:/tmp/file4.txt .
  • Copy a file between two remote systems
  • scp host1:/tmp/file5.txt host2:/tmp

jlabs2:/home/jdoe> scp ks.cfg jlabs1:/tmp
jdoe@jlabs1's password: <Type password here>
ks.cfg    100%   12KB   0.0KB/s   00:00
14
Public Key Cryptography
  • SSH uses Public Key Cryptography to
  • Prove identity of servers to clients (so you know
    to whom you are connecting)
  • Prove identity of users to servers (logging you
    in)
  • Each host and each user has a private key and a
    public key (a keypair)
  • Public keys are intended to be distributed to
    others
  • CC maintains a list of public keys for central
    hosts
  • Users distribute their public keys to machines
    they'd like to log into

15
Public Key Cryptography
  • Private keys are always secret
  • Anyone who can access your private key can log in
    as you!
  • You should set a passphrase on your private key
  • This is like a password, but can be longer and
    usually isn't just one word
  • Private key is encrypted with this passphrase
  • If no one knows the passphrase, they can't access
    your private key

16
Creating a Keypair
  • Use the ssh-keygen -t dsa command
  • Be sure to give your key a passphrase!
  • Good passphrases are multiple words, perhaps a
    sentence
  • Can even use your JLab password, or something
    just as strong

jlabl1> ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/jdoe/.ssh/id_dsa):
Enter passphrase (empty for no passphrase): <YOUR PASSPHRASE HERE>
Enter same passphrase again: <YOUR PASSPHRASE HERE>
Your identification has been saved in /home/jdoe/.ssh/id_dsa.
Your public key has been saved in /home/jdoe/.ssh/id_dsa.pub.
The key fingerprint is:
30:82:ab:43:e9:11:cb:7e:d6:b1:83:93:62:3e:ee:da jdoe@jlabl1.jlab.org
17
Changing Your Passphrase
  • Changing your passphrase is easy, though somewhat
    clunky
  • Use ssh-keygen -p -t dsa

jlabl1> ssh-keygen -p -t dsa
Enter file in which the key is (/home/jdoe/.ssh/id_dsa):
Enter old passphrase: <YOUR OLD PASSPHRASE>
Key has comment '/home/jdoe/.ssh/id_dsa'
Enter new passphrase (empty for no passphrase): <YOUR NEW PASSPHRASE>
Enter same passphrase again: <YOUR NEW PASSPHRASE>
Your identification has been saved with the new passphrase.
18
Logging in With a Key
  • Two steps necessary
  • Tell the client
  • Tell the server
  • Tell the client
  • Lets the client know which private key to try to
    log in with

19
Logging in With a Key
  • Tell the server
  • ~/.ssh/authorized_keys lists the public keys that
    go with the private keys the client is allowed to
    use to log in to your account
  • Distribute this file to any non-CUE machine you
    need to log into with SSH
  • Anyone with the right private key can log in as
    you
  • Remember to use a passphrase when you create the
    key!

jlabl1> cd ~/.ssh
jlabl1> cat id_dsa.pub >> authorized_keys
20
Logging in With a Key
  • When you log in, you should now be prompted for a
    passphrase instead of a password

jlabl1> ssh jlabs1
Enter passphrase for key '/home/jdoe/.ssh/id_dsa': <PASSPHRASE>
login messages
jlabs1>
21
Using the SSH Agent
22
SSH Login Annoyances
  • SSH is great, but it's annoying to have to type
    your password/passphrase every time you log in,
    run a remote command or copy some files across
    the network.
  • SSH doesn't allow ~/.rhosts functionality for
    security reasons.
  • Passphrase-less keys are quite insecure and not
    recommended practice.
  • Can users log in securely without typing their
    password all the time?

23
The SSH Agent
  • The agent solves these problems
  • Only available for key-based login, however
  • You authenticate once to the agent at the
    beginning of your session
  • The agent holds your SSH private keys in memory
    and provides them to ssh and scp commands when
    necessary
  • You don't have to unlock them each time
  • Agent goes away when you log out so unlocked keys
    are never stored on disk

24
Preparing To Use The Agent
  • First, get key-based login working
  • Distribute your public key to all non-CUE hosts
    you need to log into
  • CUE hosts all share your home directory so the
    key is already there
  • scp -p ~/.ssh/authorized_keys
    remotehost:/home/<username>/.ssh
  • Use normal SSH and make sure you're prompted for
    a passphrase and not a password

25
Using the Agent Interactively
  • Run ssh-agent -c to start the agent
  • Will print some output that you need to type into
    the same shell or cut-n-paste
  • Save yourself some typing and do it the clever
    way
  • Now other commands in the same window will be
    able to use the agent

jlabs2:/home/jdoe> ssh-agent -c
setenv SSH2_AUTH_SOCK /tmp/ssh-jdoe/ssh2-8765-agent;
setenv SSH2_AGENT_PID 8766;
echo Agent pid 8766;
jlabl1:/home/jdoe> eval `ssh-agent -c`
Agent pid 8766
26
Logging In To The Agent
  • Use the ssh-add command to authenticate
    yourself to the agent
  • After you do this, ssh and scp won't ask you for
    your passphrase again during this session!

jlabl1:/home/jdoe> ssh-add
Enter passphrase for /home/jdoe/.ssh/id_dsa: <PASSPHRASE>
Identity added: /home/jdoe/.ssh/id_dsa
jlabl1:/home/jdoe> ssh-add -l
2048 6e:ef:22:a4:83:a1:98:39:22:44:57:21:2c:ee:d3:33 /home/jdoe/.ssh/id_dsa (DSA)
jlabl1:/home/jdoe> ssh jlabs1
login proceeds normally without a password
jlabs1:/home/jdoe>
27
Using the Agent in a GUI
  • Starting the agent in a single window is OK for
    testing, but not useful for real work
  • Why not integrate with your window environment so
    all windows can take advantage of it?
  • This is supported under Linux
  • Also possible under Solaris/HP-UX, but not
    documented by the Computer Center

28
Linux GUI Agent Config
  • Run switchdesk to create your ~/.Xclients and
    ~/.Xclients-default files
  • Be sure to choose the window environment you're
    already using
  • Probably Gnome unless you know differently

29
Linux GUI Agent Config
  • Edit your ~/.Xclients-default file
  • Make it look something like the example
  • gnome-session may be something else, like
    start-kde depending on which windowing
    environment you use

# Created by Red Hat Desktop Switcher
exec ssh-agent gnome-session
30
Linux GUI Agent Config
  • Log out and use the login dialog box to tell
    Linux to use your new startup files
  • Change your session type to default
  • If you log in at the console of several Linux
    machines, you may need to do this at all of them
  • Get in the habit when not at your own desktop
  • Log back in again

31
Linux GUI Agent Config
  • Check to see if your agent is running
  • Make sure your environment variables were set
    properly

jlabl1:/home/jdoe> ps -auxww | grep -i agent
jdoe   6888  0.0  0.2  2784 1080 ?  S  10:08  0:00 ssh-agent gnome-session
jlabs2:/home/jdoe> setenv | grep SSH
SSH2_AUTH_SOCK=/tmp/ssh-jdoe/ssh2-8770-agent
SSH2_AGENT_PID=8771
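As an added example (not from the deck), the two checks on this slide scripted: is the agent process alive, and is the socket named in the environment really a socket rather than a stale path left over from an earlier session? It uses the SSH2_AUTH_SOCK/SSH2_AGENT_PID names shown above and falls back to the SSH_AUTH_SOCK/SSH_AGENT_PID names that OpenSSH's ssh-agent sets; both can be overridden by arguments. The function names are mine.

```shell
# Added example, not from the JLab deck: verify the agent is reachable.

# Is the agent process alive? "kill -0" sends no signal; it only tests the pid.
agent_pid_alive() {
    pid="$1"
    case "$pid" in ''|*[!0-9]*) return 1 ;; esac
    kill -0 "$pid" 2>/dev/null
}

# Is the auth socket path set and a real UNIX socket (not a leftover file)?
agent_sock_ok() {
    sock="$1"
    [ -n "$sock" ] && [ -S "$sock" ]
}

# Both checks together. Prints a diagnosis per check; returns 0 only when
# both pass. Arguments override the environment: agent_ok [socket] [pid]
agent_ok() {
    sock="${1:-${SSH2_AUTH_SOCK:-$SSH_AUTH_SOCK}}"
    pid="${2:-${SSH2_AGENT_PID:-$SSH_AGENT_PID}}"
    ok=0
    if agent_sock_ok "$sock"; then
        echo "agent socket ok: $sock"
    else
        echo "no usable agent socket (got: '${sock:-unset}')"
        ok=1
    fi
    if agent_pid_alive "$pid"; then
        echo "agent pid $pid is alive"
    else
        echo "no live agent pid (got: '${pid:-unset}')"
        ok=1
    fi
    return $ok
}
```

A failing socket check with a live pid usually means the variables in this window came from an older agent; a failing pid check with a present socket means the agent died and left its socket behind. Either way, re-run eval `ssh-agent -c` in that window, or fix the session startup files, before running ssh-add.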
32
Linux GUI Agent Config
  • Authenticate to the agent
  • Try to log in somewhere

jlabl1:/home/jdoe> ssh-add
Enter passphrase for /home/jdoe/.ssh/id_dsa: <PASSPHRASE>
Identity added: /home/jdoe/.ssh/id_dsa
jlabl1:/home/jdoe> ssh-add -l
2048 6e:ef:22:a4:83:a1:98:39:22:44:57:21:2c:ee:d3:33 /home/jdoe/.ssh/id_dsa (DSA)
jlabl1:/home/jdoe> ssh jlabs1
login proceeds normally without a password
jlabs1:/home/jdoe>
33
Summary
34
Summary
  • All CC-managed hosts will be converting to SSH v2
    at 5:00 PM on August 23rd
  • Day-to-day operations won't change much
  • New client performs most common operations
    exactly like the old client
  • Create SSHv2 keys with ssh-keygen -t dsa
  • Change your key passphrase with ssh-keygen -p -t
    dsa

35
Summary
  • You can avoid having to type your
    password/passphrase all the time by using the SSH
    Agent
  • Requires key-based logins
  • Always use a passphrase for your private key to
    protect your account!
  • Can be run interactively or integrated with your
    GUI

36
Questions?
  • David J. Bianco
  • UNIX Systems Team
  • <bianco@jlab.org>