SSH Notes
SSH, Security, Sysadmin
Paired SSH keys provide a secure way of linking two computers - e.g. a remote server and a local development machine.
Local
You need a locally generated public-private key pair. If you already have this on your local machine, skip this step - you can use the existing public key.
ssh-keygen -t rsa
For normal usage, you should add a passphrase to the SSH key. If the machine is a laptop, choose a strong passphrase and keep it in an encrypted password manager such as KeePass.
For automated processes (like backup scripts that need an SSH connection), you can't use a passphrase. You can however restrict what this kind of key is allowed to do - for example, you can restrict the commands that can be run over the connection by editing the ~/.ssh/authorized_keys file on the remote machine.
Copy the public key to the server. If using a service like GitHub or Bitbucket, you can paste the contents of the key in the appropriate window.
ssh-copy-id
To copy to a self-managed server, you can use ssh-copy-id:
ssh-copy-id is a script that uses ssh to log into a remote machine (presumably using a login password, so password authentication should be enabled, unless you’ve done some clever use of multiple identities)
It also changes the permissions of the remote user’s home, ~/.ssh, and ~/.ssh/authorized_keys to remove group writability (which would otherwise prevent you from logging in, if the remote sshd has StrictModes set in its configuration).
http://manpages.ubuntu.com/manpages/lucid/man1/ssh-copy-id.1.html
ssh-copy-id daviduser@123.45.56.78
If you’re accessing SSH over a non-standard port:
ssh-copy-id -p 1234 daviduser@123.45.56.78
Locked Down Password Connection
Passing the public key to the remote server requires a one-time password authenticated connection. If you have password authentication turned off, you’ll need to temporarily enable it to allow the key transfer. Once you’ve done this, check the connection works and then disable password authentication again.
Turning off password authentication forces all connections to be made via SSH key pairs. This is very secure, since the private key cannot realistically be guessed or brute-forced - the remaining risk is someone getting hold of the machine holding your private key.
To temporarily enable password authentication:
# Open the SSH daemon config file for editing
sudo nano /etc/ssh/sshd_config
# Amend the PasswordAuthentication line so it reads:
PasswordAuthentication yes
Reload SSH:
sudo reload ssh
Change the setting back when you’re finished and don’t forget to reload SSH.
Emergency
If you lose a machine that is connected via SSH key-pair to a server, remove the relevant key from the ~/.ssh/authorized_keys file of the remote server.
Be prepared: keep a note of all servers connected via SSH key-pair, and keep a note of the local machine hostname to allow easy searching in the authorized_keys file in the case of multiple entries, e.g.:
Main Laptop: hostname: David-Gazelle
SSH Keys Connected:
- Personal Github account
- Company Bitbucket account
- Server, plato
- Server, archimedes
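Two of the authorized_keys tasks above, restricting an unattended key to a single command and revoking every key from a lost machine, as an added POSIX sh example that is not part of the original post. The key strings and hostnames are constructed placeholders; matching is done on the comment field that ssh-keygen writes as user@hostname.

```shell
#!/bin/sh
# Added example (not from the original post). Manages entries in a server's
# ~/.ssh/authorized_keys. All key material below is a constructed placeholder.

# Build an authorized_keys line for a passphrase-less automation key: it may only
# run one fixed command and gets no PTY or forwarding. $1 = command, $2 = public key line.
restrict_key() {
    printf 'command="%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' "$1" "$2"
}

# List entries in authorized_keys ($1) whose comment field mentions hostname $2.
# The comment is the last field, so this also works for lines with key options.
find_key_by_host() {
    awk -v host="$2" 'index($NF, host) > 0' "$1"
}

# Emergency revoke: keep a backup, drop every entry whose comment mentions the lost
# machine's hostname ($2) from authorized_keys ($1), and print how many were removed.
revoke_host() {
    cp "$1" "$1.bak"
    before=$(wc -l < "$1.bak")
    awk -v host="$2" 'index($NF, host) == 0' "$1.bak" > "$1"
    after=$(wc -l < "$1")
    echo $((before - after))
}

# Constructed sample authorized_keys written to path $1 (placeholder keys, not real ones).
sample_authorized_keys() {
    cat > "$1" <<'EOF'
ssh-rsa AAAAB3PLACEHOLDER1 david@David-Gazelle
ssh-rsa AAAAB3PLACEHOLDER2 david@office-desktop
ssh-rsa AAAAB3PLACEHOLDER3 backup@David-Gazelle
EOF
}
```

Run revoke_host against a copy first; the .bak file it leaves behind is your way back if the hostname match was wider than intended.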