intrusion and how to use SSH Keys and SSH-Agent

Great excuse to write about how to use SSH keys securely by password-protecting the keyfile: on Sunday 11th of November 2012 an intrusion was suffered on two machines that contained third party software (packages, ports) within the cluster. For details about this read this Incident Report. As far as I can guess from the report and the news, it appears the intruder gained access to the affected systems by means of a developer's SSH key that was not protected by a passphrase.


SSH keys + passphrase are a great way to enhance the security of remotely logging into your machines via SSH by utilizing two-factor authentication (something you have + something you know).

Requirements and assumptions

  • 2 SSH-capable machines (FreeBSD in this case)
  • full admin privileges (to keep it simple)

Preparing the target server

Run cat /etc/ssh/sshd_config and make sure your target's sshd_config contains the following settings. On my system these were commented-out defaults, so I did not have to do anything. (RSAAuthentication only concerns the legacy SSH protocol 1 and is deprecated and ignored by current OpenSSH releases; PubkeyAuthentication is the setting that matters.)

 RSAAuthentication yes
 PubkeyAuthentication yes
 AuthorizedKeysFile .ssh/authorized_keys

Now on your source machine (say your laptop):

Generate your SSH keys by issuing the command ssh-keygen. A plain ssh-keygen run will generate an RSA key with 2048 bits, which is believed to be more than sufficient. I use the “-b 4096” option to have my keys created with 4096 bits, just because I can. Make sure you pick a nice and long (as long as you can) passphrase, as that is the point of this whole exercise.

 devbox# ssh-keygen -b 4096
 Generating public/private rsa key pair.
 Enter file in which to save the key (/root/.ssh/id_rsa):
 Enter passphrase (empty for no passphrase): *******************
 Enter same passphrase again: *******************
 Your identification has been saved in /root/.ssh/id_rsa.
 Your public key has been saved in /root/.ssh/
 The key fingerprint is:
 7c:e6:e1:26:05:77:95:6e:d6:d7:3f:4a:f5:b2:d7:f9 root@devbox
 The key's randomart image is:
 +--[ RSA 4096]----+
 |  ..             |
 |  ..             |
 | . .       ..  ..|
 | .    o .     +.+|
 |  S = o.        +|
 | * .         ...o|
 | .   + .      .o+|
 |  o          ...o|
 |               .E|
 +-----------------+
 devbox#

After the above, your keys have been created and placed into whatever directory you picked, the default being ~/.ssh.

 devbox# ls -l .ssh
 total 8
 -rw-------  1 root  wheel  3326 Nov 19 14:06 id_rsa
 -rw-r--r--  1 root  wheel   745 Nov 19 14:06
 devbox#

Notice you have id_rsa denoting your private key, and a second file denoting your public key. The private key is what you have to keep secret, while the public key is what you can send to your friends, use as your e-mail signature, or more commonly place onto your server so you can use it to authenticate yourself for login.

Now we need to copy our public key to our target server, and since we are not using Linux we cannot use ssh-copy-id:

 # This command appends the contents of your public key to the target's authorized_keys file
 cat ~/.ssh/ | ssh -v user@targetserver 'cat - >> ~/.ssh/authorized_keys'
 # If the above command fails, it could be that you have to login to your target server first and create the ~/.ssh directory.
 # Make sure that the target's .ssh directory is chmod 700 and owned by the target user

Now that you have copied your public key, try this command from the source machine and enter your passphrase when prompted:

 # ssh should try your key by default
 ssh -v user@targetserver
 # in case it does not
 ssh -vi ~/.ssh/ user@targetserver

If you are greeted by your server's shell prompt, congratulations. You have just logged in using a keyfile protected by a passphrase. If you need to do this many times a day, then entering the long passphrase will get rather boring. Of course you could set up the keys without entering a passphrase, but I hope it's obvious by now that that would not be a good idea – if you ever lose control of your private key, the finder can use it to log in without a password. Pretty much what I think happened in the referenced incident, and pretty much what I think happens in a lot of incidents involving unauthorized SSH access.
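The incident boils down to one question a defender can ask of every key file on a workstation: does it have a passphrase or not? The script below is an added example (not from the original post) that answers it from the key file's own headers, so it needs no ssh-keygen: the legacy PEM files ssh-keygen wrote at the time carry a Proc-Type: 4,ENCRYPTED line when protected, and the newer openssh-key-v1 format records cipher and KDF names of "none" when unprotected, which makes its base64 payload start with a fixed, recognisable prefix. The sample files it creates are constructed header fragments, not real keys, and id_rsa.pub is assumed here as the ssh-keygen default name for the public half.

```shell
#!/bin/sh
# Added example: report which SSH private key files lack a passphrase.
# Works from the files' own headers, so it needs no ssh-keygen.

# Prints: protected | unprotected | not-a-private-key
key_protection() {
    file=$1
    header=$(head -n 1 "$file" 2>/dev/null)
    case $header in
        "-----BEGIN OPENSSH PRIVATE KEY-----")
            # openssh-key-v1: the payload begins with the magic "openssh-key-v1\0",
            # then the cipher name and the KDF name as length-prefixed strings.
            # An unprotected key stores "none" for both, so its base64 starts
            # with a fixed prefix; any other cipher/KDF means a passphrase was set.
            payload=$(sed -n '2p' "$file")
            case $payload in
                b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQ*) echo unprotected ;;
                b3BlbnNzaC1rZXktdjEAAAAA*)                   echo protected ;;
                *)                                            echo not-a-private-key ;;
            esac ;;
        "-----BEGIN RSA PRIVATE KEY-----"|"-----BEGIN DSA PRIVATE KEY-----"|"-----BEGIN EC PRIVATE KEY-----")
            # Legacy PEM (what ssh-keygen wrote in 2012): a passphrase-protected
            # key carries a "Proc-Type: 4,ENCRYPTED" header line; an unprotected
            # one goes straight to the base64 body.
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$file"; then
                echo protected
            else
                echo unprotected
            fi ;;
        "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo protected ;;    # PKCS#8, encrypted
        "-----BEGIN PRIVATE KEY-----")           echo unprotected ;;  # PKCS#8, plain
        *) echo not-a-private-key ;;
    esac
}

# Walk a directory (e.g. ~/.ssh), list unprotected keys, return 1 if any found.
audit_ssh_dir() {
    found=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if [ "$(key_protection "$f")" = unprotected ]; then
            echo "UNPROTECTED: $f"
            found=1
        fi
    done
    return $found
}

# Constructed sample files: header plus opening bytes only, NOT real keys.
# id_rsa.pub is the ssh-keygen default name for the public half (assumption).
make_samples() {
    d=$1
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
        'b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZWQy' \
        '-----END OPENSSH PRIVATE KEY-----' > "$d/id_ed25519_nopass"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
        'b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABDvXGZ4' \
        '-----END OPENSSH PRIVATE KEY-----' > "$d/id_ed25519_pass"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF' '' \
        'MIIJKQIBAAKCAgEA...' '-----END RSA PRIVATE KEY-----' > "$d/id_rsa_pass"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIJKQIBAAKCAgEA...' \
        '-----END RSA PRIVATE KEY-----' > "$d/id_rsa_nopass"
    printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB... root@devbox' > "$d/id_rsa.pub"
}

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
make_samples "$SAMPLE_DIR"
audit_ssh_dir "$SAMPLE_DIR" || echo "one or more keys have no passphrase"
```

To audit a real workstation, call audit_ssh_dir "$HOME/.ssh" instead of the sample directory; the public key file and anything that is not a private key are reported as not-a-private-key and skipped.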

Setting up SSH-Agent

If you still want to log in without entering the passphrase each time, ssh-agent to the rescue. It asks you for your passphrase once at the beginning of each session (say you rebooted your laptop), and not again after that. Start ssh-agent from your console on your source machine:

 devbox# ssh-agent
 setenv SSH_AUTH_SOCK /tmp/ssh-wGCWm0EqgEWx/agent.1003;
 setenv SSH_AGENT_PID 1004;
 echo Agent pid 1004;
 devbox#

Now that the agent is started, use ssh-add to add your private key. Note that the setenv lines ssh-agent prints only take effect if your shell actually evaluates them (eval `ssh-agent` in csh, or eval "$(ssh-agent -s)" in sh); otherwise ssh-add cannot find the agent.

 devbox# ssh-add .ssh/id_rsa
 Enter passphrase for .ssh/id_rsa:
 Identity added: .ssh/id_rsa (.ssh/id_rsa)
 devbox#

Now try to log in to your target machine, and if everything went right, you will not be prompted for your passphrase! The one thing you will want to take care of is not to leave your shell unattended.
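Putting the agent steps together, here is an added helper script (not from the original post) for an sh-style shell; it assumes OpenSSH's ssh-agent and ssh-add. It starts an agent only when none is reachable, applies the environment ssh-agent prints to the current shell via eval (a bare ssh-agent run, as in the transcript earlier, prints the variables for a csh-style shell but does not set them), and loads the key with a lifetime so that an unattended terminal does not keep the unlocked key usable indefinitely. The ssh-add -l exit codes it relies on (0 keys loaded, 1 agent reachable but empty, 2 no agent) are documented OpenSSH behaviour.

```shell
#!/bin/sh
# Added example: ssh-agent session helper for sh/bash. Assumes OpenSSH's
# ssh-agent and ssh-add. Source it, then call load_key.

# Map the documented ssh-add -l exit status to a word:
#   0 = agent reachable and holding keys, 1 = agent reachable but empty,
#   2 = no agent could be contacted (SSH_AUTH_SOCK unset or stale).
agent_state() {
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo loaded ;;
        1) echo empty ;;
        *) echo unreachable ;;
    esac
}

# Start an agent only if none is reachable. ssh-agent -s prints sh-style
# assignments for SSH_AUTH_SOCK and SSH_AGENT_PID; eval applies them to
# THIS shell. Running ssh-agent without eval prints them but leaves the
# variables unset, and ssh-add then fails to find the agent.
ensure_agent() {
    [ "$(agent_state)" != unreachable ] && return 0
    eval "$(ssh-agent -s)" >/dev/null
    [ "$(agent_state)" != unreachable ]
}

# Add a key with a lifetime (default 1h). When it expires the agent forgets
# the decrypted key, which limits what an unattended shell can do; ssh-add
# still prompts for the passphrase, nothing is stored on disk.
load_key() {
    key=${1:-$HOME/.ssh/id_rsa}
    lifetime=${2:-1h}
    ensure_agent || return 1
    ssh-add -t "$lifetime" "$key"
}

# Kill the agent started by ensure_agent (uses SSH_AGENT_PID set by eval).
stop_agent() {
    [ -n "$SSH_AGENT_PID" ] || return 1
    ssh-agent -k >/dev/null
}

# Interactive usage:  . ./agent.sh && load_key ~/.ssh/id_rsa 4h
```

Because the functions must modify the calling shell's environment, source the file rather than executing it; a lifetime of a few hours plus stop_agent at the end of the day keeps the "do not leave your shell unattended" exposure bounded.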
