Difference between revisions of "Comp:ssh"

From Theochem
(Using ssh)
 
Line 30: Line 30:
  
 
== Using a passphrase and an ssh-agent for security and ease ==
 
== Using a passphrase and an ssh-agent for security and ease ==
 +
Your keys are kept in the .ssh directory in the files, e.g,
 +
 +
  % ls -l ~/.ssh
 +
  -rw------- 1 gerritg gerritg  1766 May 19  2020 id_rsa
 +
  -rw-r----- 1 gerritg gerritg  395 May 19  2020 id_rsa.pub
 +
 +
The public key <tt>id_rsa.pub</tt> is added to the <tt>authorized_keys</tt> file in the <tt>.ssh</tt> directory on the remote server. Above we used the <tt>ssh-copy-id</tt> command to do that. Before we protect the keys, first remove the keys we just made. On the local computer:
 +
 +
  cd ~/.ssh
 +
  rm id_rsa id_rsa.pub
 +
 +
and on the remote server (e.g. <tt>lilo7</tt>):
 +
 +
  cd ~/.ssh
 +
  rm authorized_keys
 +
 +
If you have more than one key in <tt>authorized_keys</tt> use an editor to remove keys.
 +
 +
Now, on your local computer re-generate the keys
 +
 +
  ssh-keygen
 +
 +
Accept the default file <tt>.ssh/id_rsa</tt> with <tt>Enter</tt>, and then enter a passphrase.
 +
 +
Now copy your public key again to <tt>lilo7</tt> with the <tt>ssh-copy-id</tt> command, and try <tt>ssh</tt> to <tt>lilo7</tt>.
 +
Instead of your password, you will now have to enter your passphrase. Even if you passphrase is the same as your password, this is more secure, because your passphrase will never leave you computer. However, you will now have to re-enter your passphrase every time you logon.
 +
 +
The next step is to use an <tt>ssh-agent</tt> to remember your passphrase until you logout, so you don't have to enter it too often.
 +
 +
== Using and ssh-agent ==
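Review bot: The added "rm authorized_keys" step on the remote server deletes every authorised key in that file, not only the one created earlier, and the caveat about files holding more than one key comes only after the command. Put the caveat before the command, or tell the reader to delete just the line for the old key. Deleting id_rsa and regenerating it can also be avoided, since "ssh-keygen -p" sets a passphrase on an existing private key in place. The added text also has typos to fix: "e.g,", "you passphrase" and "you computer".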

Revision as of 09:32, 27 January 2021

With the Linux ssh command you can log on to another server. You can configure ssh so that you do not have to enter your password every time.

First make sure ssh is working

From your local Linux computer, log in to the remote server, e.g., lilo7.science.ru.nl:

 ssh username@lilo7.science.ru.nl

where you will have to replace username with your own username. If your username on the remote server is the same as on your local computer you can drop it:

 ssh lilo7.science.ru.nl

You will be asked to enter your password. The first time you give this command you will be asked to trust that you are connecting to the right server. Later you will get a warning if lilo7.science.ru.nl is not the same server anymore, e.g., when your connection is being hacked or, more likely, when a mistake was made during a software upgrade on lilo7.

Login without password

First generate keys on your local computer:

 ssh-keygen

Accept all the defaults by pressing Enter (up to three times).

Now copy the local key to the remote server, e.g., to lilo7.science.ru.nl:

 ssh-copy-id username@lilo7.science.ru.nl

You will have to enter your password, but the next time you log on with ssh you will not be asked for your password again.

Warning: if someone can break into your local computer, they will now also have access to lilo7.science.ru.nl

A more secure solution is to protect your private key with a passphrase:

Using a passphrase and an ssh-agent for security and ease

Your keys are kept in files in the .ssh directory, e.g.,

 % ls -l ~/.ssh
 -rw------- 1 gerritg gerritg  1766 May 19  2020 id_rsa
 -rw-r----- 1 gerritg gerritg   395 May 19  2020 id_rsa.pub

The public key id_rsa.pub is added to the authorized_keys file in the .ssh directory on the remote server. Above we used the ssh-copy-id command to do that. Before we protect the keys, first remove the keys we just made. On the local computer:

 cd ~/.ssh
 rm id_rsa id_rsa.pub

and on the remote server (e.g. lilo7):

 cd ~/.ssh
 rm authorized_keys

If you have more than one key in authorized_keys, use an editor to remove keys.
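As an alternative to editing authorized_keys by hand, the following added example (not part of the original page) removes only the entry that matches one public key and leaves the other keys in place. The function name remove_authorized_key is hypothetical, and it assumes a copy of the old id_rsa.pub is still available on the server, so it has to be run before that file is deleted.

```shell
#!/bin/sh
# Added example: remove one public key from authorized_keys, keep the rest.
# remove_authorized_key is a hypothetical helper, not an OpenSSH command.
# Usage: remove_authorized_key old_id_rsa.pub ~/.ssh/authorized_keys
# Returns 0 if the key was removed, 1 if it was not listed, 2 on bad input.
remove_authorized_key() {
    pub=$1      # public key file to revoke (copy of the old id_rsa.pub)
    auth=$2     # authorized_keys file on the server
    [ -r "$pub" ] && [ -f "$auth" ] || return 2

    # A public key line is "type base64-blob [comment]"; the blob is the key.
    blob=$(awk 'NF >= 2 { print $2; exit }' "$pub")
    [ -n "$blob" ] || return 2

    # mktemp creates the file readable and writable by the owner only.
    tmp=$(mktemp "$auth.XXXXXX") || return 2

    # authorized_keys lines may begin with options (from="...", command="..."),
    # so compare every field with the blob instead of assuming field 2.
    awk -v blob="$blob" '
        { for (i = 1; i <= NF; i++) if ($i == blob) next; print }
    ' "$auth" > "$tmp"

    if cmp -s "$auth" "$tmp"; then
        rm -f "$tmp"
        return 1                    # key not present, file left untouched
    fi

    cp -p "$auth" "$auth.bak"       # keep the previous list as a backup
    chmod 600 "$tmp"                # authorized_keys stays private to the owner
    mv "$tmp" "$auth"
}
```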

Now, on your local computer, re-generate the keys:

 ssh-keygen

Accept the default file .ssh/id_rsa with Enter, and then enter a passphrase.

Now copy your public key again to lilo7 with the ssh-copy-id command, and try ssh to lilo7. Instead of your password, you will now have to enter your passphrase. Even if your passphrase is the same as your password, this is more secure, because your passphrase will never leave your computer. However, you will now have to re-enter your passphrase every time you log on.

The next step is to use an ssh-agent to remember your passphrase until you log out, so you don't have to enter it too often.

Using an ssh-agent