Better SSH key management.

SSH is good, but too many KEYS!

Once the number of servers you have to manage reaches 5 or more, SSH keys become a mess. Do I need to generate a new key pair for every machine? I don't want to upload key pairs to every server, and rotating them takes ages. Keys scattered across servers are also a security risk.

Overhaul, here are some ideas.

We need a big change. Here are the goals I wish to achieve.

  • Only ONE key and that's enough! 

  • No key pairs on each server due to security concerns.

  • Able to ssh back and forth between servers, no password required.

  • Able to access GitHub/GitLab repositories with the same SSH key.

  • WinSCP can access servers without a password.

  • I will also cover the setup for Synology DSM, OpenWRT (dropbear).

What do we need?

                 Windows                Linux
Key Generation   ssh-keygen, puttygen   ssh-keygen
PPK format       puttygen               -
Agent            ssh-agent, pageant     ssh-agent
Client           Putty, WinSCP          ssh, scp
For Linux, these usually come with the distribution.

For Windows clients, please install Git for Windows and download puttygen and pageant here. Please uninstall the Windows 10 OpenSSH client, since it is not compatible with Git for Windows and causes confusion.

What's an ssh agent?

An agent? As scary as it sounds, an ssh-agent acts like a single key authentication center. Every time an SSH server needs a key to authenticate a client, the server will speak with the center. (I may be wrong, but never mind.)
This saves me from carrying keys with me all the time, e.g. storing dozens of keys on a server.

THREE steps left

1. Generate a new keypair, and protect it with a password.

id_ed25519 is the private key.

id_ed25519.ppk is the private key used by Putty/WinSCP (if you use Windows).

id_ed25519.pub is the public key.

Generate using ssh-keygen

This will generate id_ed25519 and id_ed25519.pub.

Linux

$ ssh-keygen -t ed25519

Windows

Open a command line and run 'ssh-keygen -t ed25519'.

Use puttygen to convert the private key for Putty/WinSCP: id_ed25519.ppk.

Generate using puttygen

You may use puttygen too. Follow the instructions here, here and here.

2. Distribute the public key.

Add the content of the public key (id_ed25519.pub) to ~/.ssh/authorized_keys on each server. With sshd's default StrictModes setting the file is ignored if it or ~/.ssh is writable by anyone but the owner, so keep them at mode 600 and 700.

3. Run an agent on the client machine

  • Windows

    • Putty/WinSCP

Run pageant.exe; you will find it in the tray icon area.

Add the .ppk private key to it.

https://kerneltalks.com/howto/how-to-forward-ssh-key-in-putty/

    • Git (Git Bash)

Open Git Bash

$ eval $(ssh-agent -s) 

https://killtheradio.net/how-tos/ssh-agent-on-cygwin/

  • Linux

Add the following command to ~/.profile or ~/.bash_profile.

eval $(ssh-agent -s)

This will start a ssh-agent in an interactive login shell.
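The one-liner above starts a fresh agent for every login shell and leaves the old ones running. The script below (an added example, not from the original post) reuses an agent that is already reachable, falls back to one cached in ~/.ssh/agent.env, and starts a new one only when neither answers; it assumes the key from step 1 is ~/.ssh/id_ed25519 and that ssh-add, ssh-keygen and awk are on the PATH.

```shell
#!/bin/sh
# Idempotent ssh-agent startup for ~/.profile or ~/.bash_profile.
# Assumed paths (not from the post): key and cached agent environment.
KEY="${HOME}/.ssh/id_ed25519"
AGENT_ENV="${HOME}/.ssh/agent.env"

# agent_usable SOCK: succeed only if SOCK is a live agent socket we can reach.
agent_usable() {
  [ -n "$1" ] && [ -S "$1" ] || return 1
  # ssh-add -l exits 2 when no agent answers; 0 (keys) or 1 (no keys) means reachable.
  rc=0
  SSH_AUTH_SOCK="$1" ssh-add -l >/dev/null 2>&1 || rc=$?
  [ "$rc" -ne 2 ]
}

# key_loaded SOCK KEY: succeed if the agent behind SOCK already holds KEY,
# compared by the SHA256 fingerprint of KEY.pub.
key_loaded() {
  [ -r "$2.pub" ] || return 1
  fp=$(ssh-keygen -lf "$2.pub" | awk '{print $2}') || return 1
  SSH_AUTH_SOCK="$1" ssh-add -l 2>/dev/null | grep -qF "$fp"
}

# ensure_agent: reuse the inherited agent, then the cached one, else start one.
ensure_agent() {
  if ! agent_usable "$SSH_AUTH_SOCK"; then
    [ -r "$AGENT_ENV" ] && . "$AGENT_ENV" >/dev/null
    if ! agent_usable "$SSH_AUTH_SOCK"; then
      umask 077                      # the env file names our agent socket; keep it private
      ssh-agent -s > "$AGENT_ENV" || return 1
      . "$AGENT_ENV" >/dev/null
    fi
  fi
  export SSH_AUTH_SOCK SSH_AGENT_PID
  # Load the key once; ssh-add prompts for the passphrase chosen in step 1.
  key_loaded "$SSH_AUTH_SOCK" "$KEY" || ssh-add "$KEY"
}

# Usage from ~/.profile:  . ~/.ssh/agent.sh && ensure_agent
```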

Try ssh to a server, then to another one, then to another one...I know, you get it.

Multi-hop

You may use ssh like before and it will handle the authentication for you.


client$ ssh -A srv1.domain.org

srv1$ ssh -A srv2.domain.org

srv2$ 


The '-A' flag enables forwarding of the authentication agent connection. The private key never leaves the client, but while the forwarded session is open anyone with root on srv1 can use your agent to authenticate as you, so forward only to hosts you trust.




Reference

ssh/sshd man pages

https://blog.aaronlenoir.com/2018/05/06/ssh-into-synology-nas-with-ssh-key/

https://openwrt.org/docs/guide-user/security/dropbear.public-key.auth

https://www.ct-networks.io/community/tutorials/setting-up-dropbear-public-key-authentication.html

https://unix.stackexchange.com/questions/120949/ssh-agent-forwarding-multiple-hop

https://superuser.com/questions/878943/how-to-use-putty-for-forwarding-keys

https://kerneltalks.com/howto/how-to-forward-ssh-key-in-putty/

https://www.ssh.com/ssh/keygen/
