One Unified Global Perspective
Communications with a Global Perspective

2007 May 26 - Sat

SSH Server to Server Connections

I wrote an earlier article on how to make it easy to connect to Linux servers with ssh and to copy files.

I need to start doing more version control of my projects. In the past, I used CVS. I'm now converting over to Subversion. I wanted to be able to securely connect to my Subversion servers for updates. Subversion ties nicely into SSH to provide this capability. In order to streamline this connectivity, I need to streamline my ssh connectivity. This article records what I learned about SSH to facilitate this. It has a focus on Linux and Cygwin-based operations.

The first step is to run

ssh-keygen -t rsa

This creates a 2048-bit RSA key useful for signing and for encryption. The public key is placed in ~/.ssh/id_rsa.pub, with the private key in a file called ~/.ssh/id_rsa. The private key should be protected with a suitably complicated passphrase. A private key can be created without a passphrase; security experts frown upon this option, though it does have its advantages.

It is helpful to rename the public key file to a name that reflects your username and/or current computer. This key can then be copied to other machines and appended to a corresponding ~/.ssh/authorized_keys file. To append the key, you can use

cat id_rsa.pub >> ~/.ssh/authorized_keys

In the authorized_keys file on the destination host, you can prefix a key with a command in order to prevent actions or to automate certain actions. Here are some example ssh key commands.
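As an added example (not from the original article), the script below builds the kind of option-prefixed authorized_keys entry described above and lists entries that still allow a full login. It assumes the key is used only for Subversion over ssh, so the forced command is svnserve -t; the function names, the key blob and user@laptop are constructed for illustration.

```shell
#!/bin/sh
# Added example. The key blob and user@laptop are constructed placeholders.

# Options that switch off everything a single-purpose key does not need.
LOCKDOWN='no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty'

# restrict_key FORCED_COMMAND PUBKEY_LINE
# Prints PUBKEY_LINE prefixed so sshd runs only FORCED_COMMAND for that key.
restrict_key() {
    case $1 in *\"*) echo 'command must not contain "' >&2; return 1 ;; esac
    case $2 in
        ssh-*\ *|ecdsa-*\ *) ;;
        *) echo 'expected a bare public key line' >&2; return 1 ;;
    esac
    printf 'command="%s",%s %s\n' "$1" "$LOCKDOWN" "$2"
}

# install_key ENTRY FILE  (FILE is assumed to sit in the account's .ssh directory)
# Appends ENTRY to FILE using owner-only modes, which sshd StrictModes accepts.
install_key() {
    mkdir -p "$(dirname "$2")" && chmod 700 "$(dirname "$2")" || return 1
    printf '%s\n' "$1" >> "$2" && chmod 600 "$2"
}

# unrestricted_keys FILE
# Prints the line numbers of entries with no forced command (full login keys).
unrestricted_keys() {
    awk '/^[ \t]*(#|$)/ { next }
         !/^([A-Za-z0-9-]+(="[^"]*")?,)*command="/ { print NR }' "$1"
}

# Demo in a scratch directory: one bare key, one key locked to svnserve.
demo() {
    tmp=$(mktemp -d) || return 1
    key='ssh-rsa AAAAB3NzaC1yc2EAAAAconstructed user@laptop'
    install_key "$key" "$tmp/.ssh/authorized_keys"
    install_key "$(restrict_key 'svnserve -t' "$key")" "$tmp/.ssh/authorized_keys"
    cat "$tmp/.ssh/authorized_keys"
    echo "unrestricted entries at line(s): $(unrestricted_keys "$tmp/.ssh/authorized_keys")"
    rm -rf "$tmp"
}
demo
```

The audit treats an entry as restricted only when its option list contains command="..."; an entry limited by from= alone is still reported, because it grants a shell.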

You can then ssh to the destination host. Upon connection, you'll be asked for your passphrase in order to open the local private key file.

Instead of having to provide the passphrase each time you open a new ssh connection, you can use the ssh-agent program. Here is an example way to start it: 'ssh-agent bash'. The application becomes memory resident and starts a new shell with a couple of needed ssh environment variables. The application 'ssh-add' is used to add your private key to ssh-agent. Use 'ssh-add -l' to check which keys have been added. When you exit the shell, ssh-agent exits also, and closes out the use of the private keys. A quick one-liner to start the agent and add the key (add an alias for this to your ~/.bashrc file):

ssh-agent sh -c 'ssh-add < /dev/null && bash' 

Some authors recommend changing PermitRootLogin in /etc/ssh/sshd_config to 'no' in order to prevent root logins. To prevent dictionary attacks, I like to set PasswordAuthentication to 'no'. For X11 sessions, X11Forwarding will need to be set to 'yes'.

I found an article that was useful for explaining the difference between RSA and DSA. ssh-keygen typically defaults to RSA, which is a good thing. Security Focus has additional background on SSH Host Key Protection. Secure Shell: Part 1 is more of what I wrote about, but from a Solaris perspective.


Blog Content ©2008
Ray Burkholder
All Rights Reserved