If you have read my brief posting Intrepid upgrade done, I mentioned I would shortly be implementing SSH keys for my systems. This is a simple HOWTO to cover the steps I used. In my case I’m implementing this on only a small home network, so please adjust as needed. I will be setting up a key for my primary user account plus an additional passphrase-less key used for automation purposes. This second key will act as a service account, restricted to running only a few particular applications and/or scripts.
- Run ssh-keygen -t rsa. I specified a simple passphrase for general-purpose logins. We will be adding the second phrase-less key later.
(adechiaro@desktop:pts/6)-(4/0 @ 17k)-(09:22 PM) ~$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/adechiaro/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_rsa.
Your public key has been saved in id_rsa.pub.
The key fingerprint is:
5d:34:f1:de:ad:be:ef:65:34:36:a4:0d:75:d6:3c:47 adechiaro@desktop
The key's randomart image is:
+--[ RSA 2048]----+
...
+-----------------+
(adechiaro@desktop:pts/6)-(4/0 @ 17k)-(9:22 PM) ~$ cat .ssh/id_rsa.pub
ssh-rsa <key> adechiaro@desktop
- On any machine you want to be able to connect to with this key, log in and append the contents of your public key (id_rsa.pub) to the authorized_keys file. These both live in your $HOME/.ssh/ directory. There are various ways to do this: you could copy the file over with scp and cat/append it, you could remote in to the host and cut & paste the data, or if you had a large infrastructure you could use ssh-copy-id or a similar custom script. It’s up to you; something like what is below should work in the general case. Note that <key> stands for your public key in base64 encoded format.
desktop:~$ scp .ssh/id_rsa.pub adechiaro@server:~
id_service.pub                                100%  399     0.4KB/s   00:00
desktop:~$ ssh adechiaro@server
server:~$ cat id_rsa.pub >> ~/.ssh/authorized_keys
- Now for an example of making the key more secure, you can add additional options to the authorized_keys file. These come before the “ssh-rsa <key>” part of the entry (prefix the line with them):
- from="host1,host2,10.0.0.1" – This prevents the key from authenticating except from the hosts listed here, by canonical name or IP.
- command="/usr/local/bin/myscript.sh",no-pty – Runs the given command upon login instead of whatever the client asked for. You will want to combine this with no-pty, which prevents tty allocation (shell login), so you can securely execute a remote command without granting direct login access (we will be doing this for our service account). Note that options are comma-separated with no spaces between them; sshd treats the first unquoted space as the end of the option list.
- There are many more options – read the sshd manpage under the AUTHORIZED_KEYS FILE FORMAT section for the full list.
- Create the second public key saved with a different name. Leave this with an empty passphrase as will be used for automation.
ssh-keygen -f id_service
- You will need to either write a simple script or use an existing one to link with this key. This will be run every time the account is logged into, regardless of what command may be passed on the SSH command line (the command line arguments will be read by the script but not necessarily executed). Here is a simple generic one I threw together for general purpose use (download or view in wiki). I do not make any promises this is completely bugfree/secure nor am I liable for any consequences! If you use mine, you will want to configure the COMMANDS variable within the script. These are the specific commands which the service account will be permitted to run. A command specified on the SSH command line which does not match any entry in COMMANDS will not be run. Also, make sure the file is chmod 500 after you are done configuring it; it’s basically a homebrew sudoers file, so it is vital that no other users can read or modify the contents.
- Copy your second key to the other machines as in step 2. You will want to prefix this new entry with ‘command="/usr/local/bin/service.sh",no-pty’, adjusting the path and script name as needed. You may also want to specify ‘no-port-forwarding,no-X11-forwarding’ as additional security measures.
- Done!
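The following is an added example, not the post's own service.sh (which is not reproduced on this page). It pulls the steps above together in POSIX sh: a forced-command wrapper that only runs a request matching the COMMANDS allowlist exactly, a helper that emits the restricted authorized_keys entry with the options from the list above (no spaces between options), and an installer that appends that entry without duplicating it. sshd passes the client's requested command line in SSH_ORIGINAL_COMMAND; the script path /usr/local/bin/service.sh, the allowlist entries and the sample key line are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not the post's own service.sh.  sshd runs this script
# instead of whatever the client asked for and hands the client's request
# over in SSH_ORIGINAL_COMMAND.  The request runs only if it matches an
# allowlist entry exactly (whole command line, not just the program name),
# so a request like "/bin/hostname; id" is rejected as a whole string.

# Allowlist of complete command lines, one per line (constructed for the
# example; edit to taste).  Exact match means arguments must be listed too.
COMMANDS='/usr/bin/whoami
/bin/hostname
/usr/bin/uptime'

# is_allowed REQUEST -> exit 0 if REQUEST is exactly one of the COMMANDS.
is_allowed() {
    req=$1
    old_ifs=$IFS
    IFS='
'                                  # split on newlines so entries may contain spaces
    for entry in $COMMANDS; do
        if [ "$req" = "$entry" ]; then IFS=$old_ifs; return 0; fi
    done
    IFS=$old_ifs
    return 1
}

# decide REQUEST -> prints "empty", "denied" or "allowed" without running
# anything, so the policy can be exercised outside of sshd.
decide() {
    if [ -z "$1" ]; then
        echo empty
    elif is_allowed "$1"; then
        echo allowed
    else
        echo denied
    fi
}

# authorized_keys_entry PUBKEY_LINE [FROM] -> the restricted line to append.
# Options are comma-separated with NO spaces: sshd treats the first unquoted
# space as the end of the option list.  Script path is an assumption.
authorized_keys_entry() {
    opts='command="/usr/local/bin/service.sh",no-pty,no-port-forwarding,no-X11-forwarding'
    if [ -n "${2:-}" ]; then
        opts="from=\"$2\",$opts"
    fi
    echo "$opts $1"
}

# install_entry AUTHFILE ENTRY -> append ENTRY to AUTHFILE unless that exact
# line is already there, and tighten permissions (sshd's StrictModes refuses
# a group- or world-writable authorized_keys file).  Prints what it did.
install_entry() {
    authfile=$1; entry=$2
    mkdir -p "$(dirname "$authfile")"
    chmod 700 "$(dirname "$authfile")"
    touch "$authfile"; chmod 600 "$authfile"
    if grep -qxF -- "$entry" "$authfile"; then
        echo "already present"; return 0
    fi
    printf '%s\n' "$entry" >> "$authfile"
    echo "added"
}

# run_service: what sshd actually invokes.  Logs the verdict to syslog so a
# denied request from the automation host is visible to the operator.
run_service() {
    req=${SSH_ORIGINAL_COMMAND:-}
    client=${SSH_CLIENT:-unknown}; client=${client%% *}   # client IP only
    case $(decide "$req") in
        allowed)
            logger -t service.sh "allow $client: $req" 2>/dev/null || :
            echo "Executing command: \"$req\""
            exec $req                  # word-split on purpose; entry is trusted
            ;;
        denied)
            logger -t service.sh "DENY $client: $req" 2>/dev/null || :
            echo "service.sh: command not permitted" >&2
            return 1
            ;;
        *)
            echo "service.sh: interactive login not permitted" >&2
            return 2
            ;;
    esac
}

# Only dispatch when running under sshd (which sets SSH_CONNECTION); running
# or sourcing the file by hand just defines the functions above.
if [ -n "${SSH_CONNECTION:-}" ]; then
    run_service
    exit $?
fi
```

Installed as /usr/local/bin/service.sh (mode 500, as the post says) and referenced from the command= option, the wrapper makes the allowlist the only thing the service key can run; the logger calls give you a syslog line per accepted or refused request, which is the simplest way to notice the key being used from somewhere it should not be.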
Now to run, simply connect via ssh. It will default to your id_rsa key:
desktop:~$ ssh adechiaro@server
Enter passphrase for key '/home/adechiaro/.ssh/id_rsa':
server:~$
If you want to use your service account in a script, call it in the following manner:
desktop:~$ ssh adechiaro@server -i ~/.ssh/id_service /usr/bin/whoami
Executing command: "/usr/bin/whoami"
adechiaro
desktop:~$ ssh adechiaro@server -i ~/.ssh/id_service /bin/hostname
Executing command: "/bin/hostname"
server
desktop:~$
We need to specify the full path to the key in this case. Replace whoami or hostname with whatever script/app you want to run; assuming you configured the service.sh script correctly, it should run just fine without prompting you for a passphrase. Please feel free to leave any questions and/or comments.