{"id":137,"date":"2016-08-15T14:24:39","date_gmt":"2016-08-15T12:24:39","guid":{"rendered":"https:\/\/wp.tntnet.eu\/?p=137"},"modified":"2016-09-13T08:04:13","modified_gmt":"2016-09-13T06:04:13","slug":"ssh-key-exchange-between-two-linux-boxes","status":"publish","type":"post","link":"https:\/\/wp.tntnet.eu\/?p=137","title":{"rendered":"SSH key exchange between two linux systems"},"content":{"rendered":"

If you work with several different *nix hosts, you will often have to jump from one to another and you have to enter your passwords all over again. Well, there is an easy way to avoid this and at the same time to add some more security to the setup. To be honest, there is more than just one way, but right now we are going to look at the public key authentication method<\/a> to make a ssh login without password possible. We will create a pair of rsa keys as a normal user and transfer the public key to one of our boxes. At the end we will look at the difference between a normal and root user and what we need to establish a ssh login without password for root.
\nSuggestion before we start: It is possible to secure the private key with a password. This adds more security but the trade-off is that you need to enter the key password before log-on.<\/p>\n

\n

Example<\/strong>: To demonstrate how to use the above mentioned, we create a pair of keys for the user myuser<\/em> on the host0815<\/em> to establish a ssh login without a password to host host5180<\/em>. The user myuser<\/em> exists on both host systems. The standard ssh port 22<\/em> is used by default, if you want to use another port you can change it with the ‘-p<\/em>‘ switch (e.g. if the ssh daemon listens on port 2222 use: ssh \u2013p 2222 myuser@host5180<\/span>).\u00a0Remember, if you operate on a remote computer which is not easy to reach, I would recommend to always run a second<\/span> ssh connection in another terminal session.<\/p>\n

    \n
  1. In order to create the ssh keys, login to host0815<\/em> and create the ‘~\/.ssh’ directory with the command mkdir -p ~\/.ssh<\/span> and with the command chmod 700 ~\/.ssh<\/span>, we restrict the access to the directory to only your user myuser<\/em>. After this, execute the ssh-keygen<\/em> command ssh-keygen -t rsa -b 2048<\/span>. With the ‘\u2013b’<\/em> switch it is possible to specify the number of bits in the key (e.g. \u2013b 4096<\/em>). You can enter a password to secure your key or just press enter twice to leave the key \u201cunprotected\u201d. ssh can either use “RSA” (Rivest-Shamir-Adleman) or “DSA” (“Digital Signature Algorithm”) keys. RSA is often considered the recommended choice for<\/span> new keys and it is selected by default (OpenSSH 7.0 and greater disable the DSA public key algorithm<\/a>).<\/span><\/span>\n
    myuser@host0815:\/# mkdir -p ~\/.ssh\r\nmyuser@host0815:\/# chmod 700 ~\/.ssh\r\nmyuser@host0815:\/# ssh-keygen -t rsa -b 2048\r\nGenerating public\/private rsa key pair.\r\nEnter file in which to save the key (\/home\/myuser\/.ssh\/id_rsa):\r\nEnter passphrase (empty for no passphrase):\r\nEnter same passphrase again:\r\nYour identification has been saved in \/home\/myuser\/.ssh\/id_rsa.\r\nYour public key has been saved in \/home\/myuser\/.ssh\/id_rsa.pub.\r\nThe key fingerprint is:\r\nSHA256:1VTYUA+D+7s58s4lGj4nss2sSgxTkSIH5oGOiJ1QcGU myuser@host0815\r\nThe key's randomart image is:\r\n+---[RSA 2048]----+\r\n|.oooE.  ..  oB=  |\r\n|...+..o .. oo .+ |\r\n|o= ..o .. . ..  .|\r\n|+ +    . .  .    |\r\n|      o S    .   |\r\n|       +      .  |\r\n|        o   . ...|\r\n|       .  .=++++ |\r\n|        ..o+*B*o |\r\n+----[SHA256]-----+\r\n<\/pre>\n<\/li>\n
  2. Copy the newly created ssh public key to host5180<\/em>:
    \nmyuser@host0815:\/# ssh-copy-id myuser@host5180<\/span>
    \nAfter entering \u00a0the password of myuser@host5180,<\/em> the key is written to
    \n~\/.ssh\/authorized_keys<\/span><\/p>\n
    \/usr\/bin\/ssh-copy-id: INFO: Source of key(s) to be installed: \"\/home\/myuser\/.ssh\/id_rsa.pub\"\r\n\/usr\/bin\/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed\r\n\/usr\/bin\/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys\r\n\r\nNumber of key(s) added: 1<\/pre>\n
    The operation has worked if the following message is displayed: \u201cNumber of key(s) added: 1\u201d<\/em>.<\/li>\n
  3. Finally, test if everything works like expected:\n
      \n
    • Try to login with your key to host5180<\/em>.
      \nmyuser@host0815:\/# ssh myuser@host5180<\/span><\/li>\n
    • If you are prompted for a password (and you didn’t protect the key with a password) then the key exchange didn’t work out and you need to check the previous steps (1-3). If you find yourself on the command prompt of host5180<\/em> you managed to established a public key based connection.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n
      Additional hint<\/strong>: If you want to be able to login from host5180<\/em> to host0815<\/em> in the same way, you have to repeat the steps 1-3 with the two hosts exchanged of course.<\/p>\n
      Now that everything is set up, we can consider disabling the “normal” password-based authentication. This has some advantages and disadvantages.<\/span><\/span><\/p>\n
      Options:<\/p>\n
        \n
      1. Leave the normal login just like it is.\n
          \n
        • Advantage:\n
            \n
          • You can log in with both the private key and your normal password. This is especially helpful if you work on a computer without your private key e.g. from your friends PC.<\/li>\n<\/ul>\n<\/li>\n
          • Disadvantage:\n
              \n
            • From a security point of view, this adds one more possibility for the bad guys to break into your computer, if they gets hold of your private key.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n
            • Disable the password enabled login!\n
                \n
              • Advantage:\n
                  \n
                • This closes the door for brute force attacks against your users passwords.<\/li>\n<\/ul>\n<\/li>\n
                • Disadvantage:\n
                    \n
                  • You can only login from remote if you have your private key with you.<\/li>\n
                  • This obviously doesn\u2019t remove the possibility that your key gets stolen and the thief can break into your computer.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n
                    At the end<\/span> there is a trade-off between comfort and safety. For maximum safety, we turn off the<\/span> password based login and secure our private key with a strong password. Keys<\/span> without<\/span> a password are for the utmost comfort<\/span> since they<\/span> offer the possibility<\/span> to jump from<\/span> one computer<\/span> to<\/span> another <\/span>without<\/span> entering a password<\/span>.<\/span>
                    \nBut the decision<\/span> on safety or comfort has the administrator to take for the system he is responsible of.<\/span><\/p>\n
                    \n
                    SSH key exchange between two linux boxes for the root user.<\/h3>\n
                    For the root user, you will need a few more steps especially on a stock Ubuntu system, because the root user is disabled and root is not allowed to log in via ssh. Again we use the two hosts host0815<\/em> and host5180<\/em> for the example.<\/p>\n
                    Important<\/strong>: Open a second<\/span> ssh connection and keep it open until you know everything works!<\/p>\n
                      \n
                    1. Login with your normal user to host0815<\/em> and become root with the following command:
                      \nmyuser@host0815:\/# sudo su \u2013<\/span><\/li>\n
                    2. Create the ssh key pair:\n
                      root@host0815:\/# mkdir ~\/.ssh\r\nroot@host0815:\/# chmod 700 ~\/.ssh\r\nroot@host0815:\/# ssh-keygen -t rsa -b 4096<\/pre>\n<\/li>\n
                    3. Now we<\/span> copy the newly generated ssh key to host5180. <\/em>As already mentioned, there is a specialty<\/span><\/span> <\/span>for the<\/span> root user: the<\/span> password based ssh login on many linux systems<\/span> is disabled by default for root.
                      \nSo we will look at how to activate it temporarily to be able to copy our public key to host5180<\/em>.<\/span>
                      \n<\/span><\/span><\/p>\n
                        \n
                      1. Login with your normal user to host5180<\/em> and use sudo<\/em> to become root with the following command:
                        \nmyuser@host5180:\/# sudo su \u2013<\/span><\/li>\n
                      2. Activate the root user by setting a password with the command passwd<\/em>:\n
                        root@host5180:~# passwd\r\nNew password:\r\nRetype new password:\r\npasswd: password updated successfully<\/pre>\n<\/li>\n
                      3. Open the config file “\/etc\/ssh\/sshd_config” with your editor of choice and search for \u201cPermitRootLogin without-password<\/em>\u201d, comment the line out by adding ‘#’ in front of it and add “PermitRootLogin yes”<\/em> in the line below:\n
                        # PermitRootLogin prohibit-password\r\nPermitRootLogin yes<\/pre>\n
                        This will enable the root ssh login with the password we have just set up.<\/li>\n
                      4. Save the file and restart the ssh daemon. Check that your second ssh connection is still open<\/span>!<\/span>
                        \nroot@host5180:\/# systemctl restart sshd.service<\/span>
                        \nor
                        \nroot@host5180:\/# service sshd restart<\/span><\/li>\n
                      5. Now go back to host0815<\/em> and test if root can login to host5180<\/em>:
                        \n<\/em>root@host0815:\/# ssh root@host5180 date<\/span>
                        \nAfter entering the root password date and time should be displayed as a result. If this didn’t work out check the the previous steps (3.1-3.5).<\/li>\n<\/ol>\n
                        After this little excursion we can now copy the public key to host5180<\/em>:
                        \n<\/em><\/span><\/span>root@host0815:\/# ssh-copy-id root@host5180<\/span>
                        \nIn my opinion, this is the easiest\/best way to copy the public key to a host but of course there are other ways to do this, for example use a USB stick, scp, etc.<\/span><\/li>\n
                      6. Test if everything works:
                        \n<\/span><\/span><\/p>\n
                          \n
                        1. Try to login with your shiny new key to host5180<\/em>:
                          \nroot@host0815:\/# ssh root@host5180<\/span><\/li>\n
                        2. If you are prompted for a password the key exchange didn\u2019t work out and you have to re-check the previous steps (1-4).<\/li>\n<\/ol>\n<\/li>\n
                        3. Finally change the \u201cPermitRootLogin yes<\/em>\u201d back to \u201cPermitRootLogin without-password<\/em>\u201d in the config file ‘\/etc\/ssh\/sshd_config’ and restart the ssh daemon (see 3.4).<\/li>\n
                        4. Disable the root user again if you like:\n
                          myuser@host5180:\/# sudo passwd -l root<\/pre>\n<\/li>\n<\/ol>\n
                          Step 5 and 6 are not necessary but recommended.<\/em><\/p>\n
                          \n
                          Additional hint<\/strong>:<\/p>\n
                          It is possible to change single settings only for individual users, e.g.:<\/p>\n
                          DenyUsers user0815\r\nMatch User myuser\r\n    PasswordAuthentication no<\/pre>\n
                            \n
                          • Prohibits<\/span> ssh access<\/span> for the user<\/span> user<\/span>0815<\/span><\/em><\/span><\/li>\n
                          • Disables<\/span> password authentication for user myuser<\/span><\/em><\/span><\/li>\n
                          •  For all other<\/span> users<\/span>, the<\/span> password authentication<\/span> is maintained.<\/span><\/li>\n<\/ul>\n
                            \n
                             <\/p>\n","protected":false},"excerpt":{"rendered":"
                            If you work with several different *nix hosts, you will often have to jump from one to another and you have to enter your passwords all over again. Well, there is an easy way to avoid this and at the same time to add some more security to the setup. To be honest, there is […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[19],"tags":[21,24,20,22,23],"class_list":["post-137","post","type-post","status-publish","format-standard","hentry","category-ssh","tag-permitrootlogin","tag-public-key-authentication","tag-ssh","tag-ssh-copy-id","tag-ssh-keygen"],"aioseo_notices":[],"aioseo_head":"\n\t\t\n\t\n\t\n\t\n\t\n\t\n\t\t