Ssh: Difference between revisions

From LWP-Wiki
Latest revision as of 13:59, 15 April 2015

Summary

There are two requirements for remote access via ssh.

  1. the public part of your ssh key is stored in ~/.ssh/authorized_keys
  2. the file /etc/security/access.conf contains a line for your username
    + : p123456 : ALL

How to add yourself to /etc/security/access.conf

If the command id tells you that you are a member of the localadmin group then you can edit the file with your favorite text editor. Otherwise you need to contact us at mailto:lwp@rug.nl.

How to get and manage your ssh keys

You can generate an ssh key pair with the command:

$ ssh-keygen

See the manual for more options. Make sure to passphrase protect your private key. The command will tell you where it created the keys. Now copy the public part of the key into your ~/.ssh/authorized_keys file. Assuming you chose to run ssh-keygen -t dsa and accepted the defaults, do:

$ cat ~/.ssh/id_dsa.pub >> ~/.ssh/authorized_keys
$ chmod 600 ~/.ssh/authorized_keys

Now all that is left to do is to use a thumbdrive, encrypted email or some other method to get the private key (~/.ssh/id_dsa) onto your other computer. If the other computer uses Linux or OS X then store the file in ~/.ssh/ and it will be picked up automatically when you use the ssh command to connect. If you use Windows and PuTTY for ssh you can import the key through the PuTTYgen key manager. Note that you can also generate the key pair on your other computer and import the public part of the key into your LWP. It is then safe to use unencrypted e-mail.


FAQ

  • I still get asked for a password?
    Yes. This happens after a reboot of your LWP when you have not logged in at least once since. It can also happen if you have not used your computer for a week. Just try again and you will see that this time it will let you in using your ssh key only.
  • So how does this work?
    When you log in you get a Kerberos ticket which gives you access to a number of services (like reading your home directory) without prompting you for a password every time. The Kerberos ticket is valid for one day initially, but will be extended automatically for up to one week. It will also reinitialize when you type your password (e.g. to unlock your screen). If you reboot your computer or purposefully destroy your Kerberos ticket, you no longer have access to your home directory, and so the ssh command cannot find your public key in the authorized_keys file. It will ask for a password, but unfortunately it will not try to look again for the public key, so access will be denied. However, if you try again (any time in the next week) things will work.
  • Can I get access from anywhere?
    Yes, but you yourself can restrict access further by changing the value ALL in /etc/security/access.conf, e.g. to the IP address of your home computer.
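As an added example (not from the LWP wiki) covering the two requirements in the Summary, the authorized_keys steps above and the last FAQ answer: a small POSIX sh checker, run against constructed sample files, that reports which /etc/security/access.conf rule pam_access would apply to a user (the first matching line wins, so your + line must come before any "- : ALL : ALL" line) and whether a public key is listed in authorized_keys with mode 600. The user name p123456 is the page's placeholder, the key blob is made up, and an ed25519 key type stands in for the page's DSA because recent OpenSSH releases have dropped DSA key support.

```shell
#!/bin/sh
# Added example, not part of the LWP wiki: check the two requirements for
# ssh access against constructed sample files (the user name p123456 and
# the key material below are made up).
set -eu

# access_rule FILE USER: print "<perm> <origins>" of the first access.conf
# rule whose user list contains USER or ALL. pam_access stops at the first
# match, so a "- : ALL : ALL" line placed before your "+" line would win.
# (Group names in parentheses and EXCEPT clauses are not interpreted here.)
access_rule() {
    awk -F: -v user="$2" '
        /^[[:space:]]*(#|$)/ { next }
        {
            perm = $1;    gsub(/[[:space:]]/, "", perm)
            users = $2;   gsub(/^[[:space:]]+|[[:space:]]+$/, "", users)
            origins = $3; gsub(/^[[:space:]]+|[[:space:]]+$/, "", origins)
            n = split(users, u, /[[:space:]]+/)
            for (i = 1; i <= n; i++)
                if (u[i] == user || u[i] == "ALL") { print perm, origins; exit }
        }' "$1"
}

# key_ok AUTHORIZED_KEYS PUBKEY_FILE: succeed only if the key blob (second
# field of the .pub file) is listed and the file is mode 600 as the wiki
# instructs; with its default StrictModes sshd ignores an authorized_keys
# file that other users can write to.
key_ok() {
    blob=$(awk '{ print $2 }' "$2")
    grep -qF -- "$blob" "$1" || return 1
    [ -n "$(find "$1" -prune -perm 600)" ]
}

# Constructed sample files in a scratch directory.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/access.conf" <<'EOF'
# permission : users : origins   (first matching line wins)
+ : root : LOCAL
+ : p123456 : 192.0.2.10
- : ALL : ALL
EOF
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyBlobForDemo000000000000000000000 p123456@lwp\n' > "$tmp/id.pub"
cat "$tmp/id.pub" >> "$tmp/authorized_keys"
chmod 600 "$tmp/authorized_keys"

access_rule "$tmp/access.conf" p123456   # -> "+ 192.0.2.10" (home IP only)
access_rule "$tmp/access.conf" p999999   # -> "- ALL" (denied by the catch-all)
key_ok "$tmp/authorized_keys" "$tmp/id.pub" && echo "key listed, mode 600"
```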