Title: SSHv2 Training
SSHv2 Training
- David J. Bianco
- UNIX Systems Team
- <bianco@jlab.org>
Table of Contents
- Upgrade FAQs
  - What is changing?
  - Why is this happening?
  - How will this affect me?
  - What do I need to do?
- Working with SSHv2
  - Logging in to Other Systems
  - Copying Files Between Systems
  - Public Key Cryptography
  - Creating a Keypair
  - Changing Your Passphrase
  - Logging in With a Key
- Using the SSH Agent
  - Using the Agent Interactively
  - Integrating the Agent with the Linux GUI
- Summary
- Questions
Upgrade FAQs
What is Changing?
- All CC-managed hosts will require clients to connect with SSH protocol v2
- SSH client on CUE machines will be reconfigured with Protocol 2 as the default
- Software version will not change
- This will happen at 5:00 PM, Monday August 23rd.
- We've required Internet users to log in with SSHv2 for 2 years now
Why is this happening?
- SSH1 is an older, slower protocol with significant security problems
- SSH2 is the newest, most efficient protocol
  - Resolves all known weaknesses in SSH1 security
  - IETF standard
- SSH1 hardcodes most of its cryptography
- SSH2 negotiates cryptographic algorithms at runtime
  - Makes it easier to use internationally
How will this affect me?
- Day-to-day life probably won't change much
- Most common tasks will be unaffected
  - ssh hostname
  - ssh hostname ls /some/remote/directory
  - ssh -l user hostname
  - ssh user@hostname
  - scp /home/user/myfile hostname:/local/myfile
What do I need to do?
- Maybe nothing
- If you are using password-based login, you need do nothing
- Windows users: just upgrade to the latest PuTTY in JLAB CUE
- If you are using key-based login
  - Keys created with -t dsa in the last couple of years are already SSHv2
  - If you have older keys, you will need to create a new set
What do I need to do?
- You can start using the new settings immediately if you like
- Just add "Protocol 2" to your ~/.ssh/config file
Working With SSHv2
Logging in to Other Systems
- Log in to host using the same user ID as on the local system
  - ssh host
- Log in to host using a different user ID
  - ssh -l user host
  - ssh user@host
Copying Files to Other Systems
- Copy a file to a remote system
  - scp /home/user/file1.txt host:/tmp/file1.txt
  - scp /home/user/file2.txt host:/tmp
- Copy a file from a remote system
  - scp host:/tmp/file3.txt /home/user
  - scp host:/tmp/file4.txt .
- Copy a file between two remote systems
  - scp host1:/tmp/file5.txt host2:/tmp

jlabs2:/home/jdoe> scp ks.cfg jlabs1:/tmp
jdoe@jlabs1's password: <Type password here>
ks.cfg    100%   12KB   0.0KB/s   00:00
Public Key Cryptography
- SSH uses Public Key Cryptography to
  - Prove identity of servers to clients (so you know to whom you are connecting)
  - Prove identity of users to servers (logging you in)
- Each host and each user has a private key and a public key (a keypair)
- Public keys are intended to be distributed to others
  - CC maintains a list of public keys for central hosts
  - Users distribute their public keys to machines they'd like to log into
Public Key Cryptography
- Private keys are always secret
  - Anyone who can access your private key can log in as you!
- You should set a passphrase on your private key
  - This is like a password, but can be longer and usually isn't just one word
  - Private key is encrypted with this passphrase
  - If no one knows the passphrase, they can't access your private key
Creating a Keypair
- Use the ssh-keygen -t dsa command
- Be sure to give your key a passphrase!
  - Good passphrases are multiple words, perhaps a sentence
  - Can even use your JLab password, or something just as strong

jlabl1> ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/jdoe/.ssh/id_dsa):
Enter passphrase (empty for no passphrase): <YOUR PASSPHRASE HERE>
Enter same passphrase again: <YOUR PASSPHRASE HERE>
Your identification has been saved in /home/jdoe/.ssh/id_dsa.
Your public key has been saved in /home/jdoe/.ssh/id_dsa.pub.
The key fingerprint is:
3082ab43e911cb7ed6b18393623eeeda jdoe@jlabl1.jlab.org
Changing Your Passphrase
- Changing your passphrase is easy, though somewhat clunky
- Use ssh-keygen -p -t dsa

jlabl1> ssh-keygen -p -t dsa
Enter file in which the key is (/home/jdoe/.ssh/id_dsa):
Enter old passphrase: <YOUR OLD PASSPHRASE>
Key has comment '/home/jdoe/.ssh/id_dsa'
Enter new passphrase (empty for no passphrase): <YOUR NEW PASSPHRASE>
Enter same passphrase again: <YOUR NEW PASSPHRASE>
Your identification has been saved with the new passphrase.
Logging in With a Key
- Two steps necessary
  - Tell the client
  - Tell the server
- Tell the client
  - Lets the client know which private key to try to log in with
Logging in With a Key
- Tell the server
  - ~/.ssh/authorized_keys lists the public keys that go with the private keys the client is allowed to use to log in to your account
  - Distribute this file to any non-CUE machine you need to log into with SSH
  - Anyone with the right private key can log in as you
  - Remember to use a passphrase when you create the key!

jlabl1> cd ~/.ssh
jlabl1> cat id_dsa.pub >> authorized_keys
Logging in With a Key
- When you log in, you should now be prompted for a passphrase instead of a password

jlabl1> ssh jlabs1
Enter passphrase for key '/home/jdoe/.ssh/id_dsa': <PASSPHRASE>
(login messages)
jlabs1>
Using the SSH Agent
SSH Login Annoyances
- SSH is great, but it's annoying to have to type your password/passphrase every time you log in, run a remote command or copy some files across the network.
- SSH doesn't allow ~/.rhosts functionality for security reasons.
- Passphrase-less keys are quite insecure and not recommended practice.
- Can users log in securely without typing their password all the time?
The SSH Agent
- The agent solves these problems
  - Only available for key-based login, however
- You authenticate once to the agent at the beginning of your session
- The agent holds your SSH private keys in memory and provides them to ssh and scp commands when necessary
  - You don't have to unlock them each time
- Agent goes away when you log out so unlocked keys are never stored on disk
Preparing To Use The Agent
- First, get key-based login working
- Distribute your public key to all non-CUE hosts you need to log into
  - CUE hosts all share your home directory so the key is already there
  - scp -p ~/.ssh/authorized_keys remotehost:/home/<username>/.ssh
- Use normal SSH and make sure you're prompted for a passphrase and not a password
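As an added example (not part of the training deck), here is a small sh script that does what the "cat id_dsa.pub >> authorized_keys" step and the scp distribution step above do, but refuses to add the same key twice and sets the permissions sshd requires before it will honour the file. The function names, argument layout and the sample key in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not from the training deck: install an SSHv2 public key into
# an authorized_keys file exactly once, with permissions sshd accepts.
# Function and argument names are assumptions, not deck or OpenSSH names.

# install_authorized_key PUBKEY_FILE SSHDIR
#   PUBKEY_FILE  e.g. ~/.ssh/id_dsa.pub
#   SSHDIR       the .ssh directory of the account you want to log in to
install_authorized_key() {
    pubkey_file="$1"
    sshdir="$2"
    authkeys="$sshdir/authorized_keys"

    [ -r "$pubkey_file" ] || { echo "cannot read $pubkey_file" >&2; return 1; }
    mkdir -p "$sshdir" && touch "$authkeys" || return 1

    # SSHv2 public keys are "type base64 comment"; compare on the base64
    # material so the same key with a different comment counts as present.
    keydata=$(awk 'NR == 1 { print $2 }' "$pubkey_file")
    [ -n "$keydata" ] || { echo "no key material in $pubkey_file" >&2; return 1; }

    if awk -v k="$keydata" '$2 == k { found = 1 } END { exit !found }' "$authkeys"; then
        echo "key already present in $authkeys"
    else
        cat "$pubkey_file" >> "$authkeys"
        echo "key added to $authkeys"
    fi

    # sshd (StrictModes) ignores an authorized_keys file that other users
    # could modify, so both the directory and the file must be private.
    chmod 700 "$sshdir" && chmod 600 "$authkeys"
}

# count_key PUBKEY_FILE AUTHKEYS: how many entries carry this key's material
# (a quick way to confirm that re-running the install did not duplicate it)
count_key() {
    keydata=$(awk 'NR == 1 { print $2 }' "$1")
    grep -c -F -- "$keydata" "$2"
}
```

Run it twice against the same account and the second run reports the key as already present instead of appending a duplicate line.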
Using the Agent Interactively
- Run ssh-agent -c to start the agent
  - Will print some output that you need to type into the same shell or cut-n-paste
  - Save yourself some typing and do it the clever way
- Now other commands in the same window will be able to use the agent

jlabs2:/home/jdoe> ssh-agent -c
setenv SSH2_AUTH_SOCK /tmp/ssh-jdoe/ssh2-8765-agent;
setenv SSH2_AGENT_PID 8766;
echo Agent pid 8766;
jlabl1:/home/jdoe> eval `ssh-agent -c`
Agent pid 8766
Logging In To The Agent
- Use the ssh-add command to authenticate yourself to the agent
- After you do this, you won't need to log in with SSH or scp!

jlabl1:/home/jdoe> ssh-add
Enter passphrase for /home/jdoe/.ssh/id_dsa: <PASSPHRASE>
Identity added: /home/jdoe/.ssh/id_dsa
jlabl1:/home/jdoe> ssh-add -l
2048 6eef22a483a19839224457212ceed333 /home/jdoe/.ssh/id_dsa (DSA)
jlabl1:/home/jdoe> ssh jlabs1
(login proceeds normally without a password)
jlabs1:/home/jdoe>
Using the Agent in a GUI
- Starting the agent in a single window is OK for testing, but not useful for real work
- Why not integrate with your window environment so all windows can take advantage of it?
- This is supported under Linux
  - Also possible under Solaris/HP-UX, but not documented by the Computer Center
Linux GUI Agent Config
- Run switchdesk to create your ~/.Xclients and ~/.Xclients-default files
- Be sure to choose the window environment you're already using
  - Probably Gnome unless you know differently
Linux GUI Agent Config
- Edit your ~/.Xclients-default file
- Make it look something like the example
- gnome-session may be something else, like start-kde, depending on which windowing environment you use

# Created by Red Hat Desktop Switcher
exec ssh-agent gnome-session
Linux GUI Agent Config
- Log out and use the login dialog box to tell Linux to use your new startup files
  - Change your session type to "default"
  - If you log in at the console of several Linux machines, you may need to do this at all of them
  - Get in the habit when not at your own desktop
- Log back in again
Linux GUI Agent Config
- Check to see if your agent is running
- Make sure your environment variables were set properly

jlabl1:/home/jdoe> ps -auxww | grep -i agent
jdoe   6888  0.0  0.2  2784 1080 ?  S  10:08  0:00 ssh-agent gnome-session
jlabs2:/home/jdoe> setenv | grep SSH
SSH2_AUTH_SOCK=/tmp/ssh-jdoe/ssh2-8770-agent
SSH2_AGENT_PID=8771
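The ps and setenv checks above only show that the variables exist. As an added example (not from the deck), the sh function below verifies that they point at a socket that exists, belongs to you, is closed to other users, and has a live agent behind it, which is what you want to know before typing a passphrase into ssh-add. The function names are assumptions; the variable names are the ones the deck shows (SSH2_*) plus the OpenSSH equivalents (SSH_*).

```shell
#!/bin/sh
# Added example, not from the training deck: sanity-check the agent
# environment before trusting it with a passphrase. Function names are
# assumptions; works with the ssh2 agent (SSH2_*) and OpenSSH (SSH_*).

# check_agent SOCKET_PATH [PID]
check_agent() {
    sock="$1"
    pid="$2"

    [ -n "$sock" ] || { echo "agent socket variable is not set" >&2; return 1; }
    [ -e "$sock" ] || { echo "$sock does not exist (stale variable?)" >&2; return 1; }

    # The socket must be yours and closed to group/other: any local user who
    # can open it can use your unlocked keys for as long as the agent runs.
    owner=$(ls -ld "$sock" | awk '{ print $3 }')
    mode=$(ls -ld "$sock" | cut -c5-10)
    [ "$owner" = "$(id -un)" ] || { echo "$sock is owned by $owner, not you" >&2; return 1; }
    [ "$mode" = "------" ] || { echo "$sock is open to others (mode bits $mode)" >&2; return 1; }

    # kill -0 only tests whether the process exists; it sends no signal.
    if [ -n "$pid" ] && ! kill -0 "$pid" 2>/dev/null; then
        echo "agent pid $pid is not running" >&2
        return 1
    fi
    echo "agent ok: $sock (pid ${pid:-unknown})"
}

# check_agent_env: use whichever variable set the running agent exported
check_agent_env() {
    check_agent "${SSH2_AUTH_SOCK:-$SSH_AUTH_SOCK}" "${SSH2_AGENT_PID:-$SSH_AGENT_PID}"
}
```

A failure from check_agent_env after a GUI login usually means the session did not start through the edited ~/.Xclients-default, so the variables are either unset or left over from an earlier login.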
Linux GUI Agent Config
- Authenticate to the agent
- Try to log in somewhere

jlabl1:/home/jdoe> ssh-add
Enter passphrase for /home/jdoe/.ssh/id_dsa: <PASSPHRASE>
Identity added: /home/jdoe/.ssh/id_dsa
jlabl1:/home/jdoe> ssh-add -l
2048 6eef22a483a19839224457212ceed333 /home/jdoe/.ssh/id_dsa (DSA)
jlabl1:/home/jdoe> ssh jlabs1
(login proceeds normally without a password)
jlabs1:/home/jdoe>
Summary
Summary
- All CC managed hosts will be converting to SSH v2 at 5:00 PM on August 23rd
- Day-to-day operations won't change much
  - New client performs most common operations exactly like the old client
- Create SSHv2 keys with ssh-keygen -t dsa
- Change your key passphrase with ssh-keygen -p -t dsa
Summary
- You can avoid having to type your password/passphrase all the time by using the SSH Agent
  - Requires key-based logins
- Always use a passphrase for your private key to protect your account!
- Can be run interactively or integrated with your GUI
Questions?
- David J. Bianco
- UNIX Systems Team
- <bianco@jlab.org>