Uzbekistan, Bukhara, Bukhara Institute of High Technologies, 2013
Basic network access: clients
Creating and distributing keys
You create keys with the program ssh-keygen. Here's an example of generating all three keys:
$ ssh-keygen -t rsa1
Generating public/private rsa1 key pair.
Enter file in which to save the key (/home/grog/.ssh/identity): (ENTER pressed)
Enter passphrase (empty for no passphrase): (no echo)
Enter same passphrase again: (no echo)
Your identification has been saved in /home/grog/.ssh/identity.
Your public key has been saved in /home/grog/.ssh/identity.pub.
The key fingerprint is:
02:20:1d:50:78:c5:7c:56:7b:1d:e3:54:02:2c:99:76 grog@bumble.example.org
$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/grog/.ssh/id_rsa): (ENTER pressed)
Enter passphrase (empty for no passphrase): (no echo)
Enter same passphrase again: (no echo)
Your identification has been saved in /home/grog/.ssh/id_rsa.
Your public key has been saved in /home/grog/.ssh/id_rsa.pub.
The key fingerprint is:
95:d5:01:ca:90:04:7d:84:f6:00:32:7a:ea:a6:57:2d grog@bumble.example.org
$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/grog/.ssh/id_dsa): (ENTER pressed)
Enter passphrase (empty for no passphrase): (no echo)
Enter same passphrase again: (no echo)
Your identification has been saved in /home/grog/.ssh/id_dsa.
Your public key has been saved in /home/grog/.ssh/id_dsa.pub.
The key fingerprint is:
53:53:af:22:87:07:10:e4:5a:2c:21:31:ec:29:1c:5f grog@bumble.example.org
Before you can use these keys, you need to get the public keys onto the remote site, into the file ~/.ssh/authorized_keys. Older versions of ssh used a second file, ~/.ssh/authorized_keys2, for protocol Version 2, but modern versions store all the keys in the one file ~/.ssh/authorized_keys. There are a number of ways to get the keys into this file. If you already have access to the machine (via password-based authentication, for example), you can put them there yourself. Typically, though, you'll have to get somebody else involved. To make it easier, the public keys are in ASCII, so you can send them by mail. The three public keys generated above look like this:
10243511012428427427480334544982386682254123065784505204062211656732932064601995 56751223553035331118710873315456577313425763305854786629592671460454493321979564 51897683927631476817528590966739503979593649232357835172621038275643667609041147 5643317216 92291413130012157442638303275673247163400686283060339457790686649 grog@bumble.example.org
ssh-dss AAflAB3NzaC1kc3MaflACEAIltWeRXnqD9HqpLn5kugPSWHicJiu1r0I9dHg8F5m2EpmupyR YSmDzscAcsxifo50+1yXk3Vf4P1+EDsAwkyqFlujuMVeKoTYcOi1yrnLDWIDiAeIzt1BQ6ON^XqxwWKC q1eo1tXxOrTxw84VboHUuq4XFdt+yPJs8QdxLhj+jAAAAFQC1JL+tU19+UR+c45JGom6ae29d7wAAAIA vNgdN6rTitMjDCglN7Rq3/8WgI1kzh20XURbCe1n2yYsFifcImKb0sUYD2qsB5++gogzsse2IxyIECRC uyCOOFXIQ7WqkvjTp/T+fuwGPIlho8eeNDRKKABUhHjkuApnoYLIC1O5uyciJ+dIbGaRtGFJr0da7Klk jOLkiv3sR1gAAAIAwgKfWsRSQJyRZTkKGIHxn3EWTVSicnIRYza+HTaMuMFHMTkNMZBjhei6EoCFpV9B 1QB9MlIZgf6WXM2DlmtdUbpm7KFA669/LZT2LvxbtGP/B++7s0PMs0AgKrKgUxnhVweufMZlPvPPPOz4 QS1ZZ5kYhN+lu0S8yuioXYNlDtA== grog@bumble.example.org
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA1/W3oa1ZEs58KRWMzsrZWMXzPfwoqQ+Z59p6SJlzhevs XG1PAVWra2wcRz1utKFBjkDpJfEe+09L7h8VAx1aYCHji50tKI8F8YT8PuWGH+UqF/37Wl292SsXsb8g 80yyymSfxgOM/HegvOuHQu46MfaPj9ddfcgY06z3ufcmXts= grog@bumble.example.org
In the original, each key is on a single line.
Obviously you don't want anybody messing with your authorized keys file, so ssh requires that the file belongs to you and is writable only by you. The file typically contains multiple keys; to add a new one, just append it to the end of the file. For example, if you receive a new key and store it in the file newkey, copy it like this:
$ cat newkey >> ~/.ssh/authorized_keys
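The append step above, done with the checks that a bare cat skips, as an added example that is not the book's own code. It takes only lines shaped like a key (so a mail signature or a blank line never lands in the file), skips a key that is already present, and leaves the directory and file readable and writable by you alone, which is what sshd insists on. It goes beyond the page in also accepting ssh-ed25519, a newer key type; the function names and the 32-character minimum for the base64 part are my own choices.

```shell
# Added example, not the book's own code: append a public key you have been
# sent to ~/.ssh/authorized_keys with the checks that "cat newkey >> ..."
# skips.

# valid_pubkey_line LINE -> 0 if LINE has the shape of an OpenSSH public key
valid_pubkey_line() {
    # Protocol 2 keys: "<type> <base64> [comment]" (the base64 part of a real
    # key is far longer than 32 characters); protocol 1 RSA1 keys:
    # "<bits> <exponent> <modulus> [comment]".  Anything else is rejected.
    printf '%s\n' "$1" | grep -Eq \
        -e '^(ssh-rsa|ssh-dss|ssh-ed25519) [A-Za-z0-9+/]{32,}=*( [^[:space:]].*)?$' \
        -e '^[0-9]+ [0-9]+ [0-9]+( [^[:space:]].*)?$'
}

# install_pubkey KEYFILE AUTHKEYS -> appends every valid, not yet present key
# line from KEYFILE to AUTHKEYS (creating it if necessary) and prints how
# many were added.  Returns 1 if KEYFILE held no valid key at all.
install_pubkey() {
    keyfile=$1
    authkeys=$2
    valid=0
    added=0
    # sshd ignores the file unless it and its directory are yours alone
    mkdir -p "$(dirname "$authkeys")"
    chmod 700 "$(dirname "$authkeys")"
    touch "$authkeys"
    chmod 600 "$authkeys"
    while IFS= read -r line || [ -n "$line" ]; do
        valid_pubkey_line "$line" || continue
        valid=$((valid + 1))
        # -F -x: the whole line must match literally, so an existing key is skipped
        if ! grep -Fxq -- "$line" "$authkeys"; then
            printf '%s\n' "$line" >> "$authkeys"
            added=$((added + 1))
        fi
    done < "$keyfile"
    echo "$added"
    [ "$valid" -gt 0 ]
}
```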
Authenticating automatically
Having to supply the passphrase can become a nuisance and even a serious problem. If you want to run ssh from scripts, it may not even be possible to supply the passphrase. ssh has another feature available here: it has an authentication agent that keeps track of the keys.
The authentication agent is called ssh-agent, and you add keys with ssh-add. Due to the manner in which it is started, ssh-agent needs to be the ancestor of the shell you are running, and of the ssh-add command. Otherwise you see error messages like this:
$ ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-cwT9aBbV/agent.42902; export SSH_AUTH_SOCK;
SSH_AGENT_PID=42903; export SSH_AGENT_PID;
echo Agent pid 42903;
$ ssh-add
Could not open a connection to your authentication agent.
To solve this problem, execute the agent in your current environment with eval, then run ssh-add:
$ eval `ssh-agent`
$ ssh-add
Enter passphrase for /home/grog/.ssh/id_rsa: (enter the passphrase)
Identity added: /home/grog/.ssh/id_rsa (/home/grog/.ssh/id_rsa)
Identity added: /home/grog/.ssh/id_dsa (/home/grog/.ssh/id_dsa)
Identity added: /home/grog/.ssh/identity (grog@zaphod.example.org)
You can use ssh-add's -l flag to list which keys the authentication agent currently knows about:
$ ssh-add -l
1024 02:20:1d:50:78:c5:7c:56:7b:1d:e3:54:02:2c:99:76 grog@zaphod.example.org (RSA1)
1024 95:d5:01:ca:90:04:7d:84:f6:00:32:7a:ea:a6:57:2d /home/grog/.ssh/id_rsa (RSA)
1024 53:53:af:22:87:07:10:e4:5a:2c:21:31:ec:29:1c:5f /home/grog/.ssh/id_dsa (DSA)
If you're using a Bourne-style shell such as bash, you can automate a lot of this by putting the following commands in your .bashrc or .profile file:
if tty >/dev/null; then
    # interactive shell: can we already reach an authentication agent?
    ssh-add -l > /dev/null 2>&1
    if [ $? -ne 0 ]; then
        # no agent reachable from this shell: start one in this shell's environment
        eval `ssh-agent`
    fi
fi
This first uses the tty command to check whether this is an interactive shell, then checks whether you already have an authentication agent. If you don't, it starts one. Don't start a new authentication agent if you already have one: you'd lose any keys that the agent already knows. This script doesn't add keys, because that requires your intervention and would be annoying if you had to do it every time you start a shell.
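The same idea as the .bashrc snippet above, carried further, as an added example that is not the book's code. It uses the exit status of OpenSSH's ssh-add -l (0 keys listed, 1 agent reachable but empty, 2 no agent reachable) to start an agent only when none can be reached, and saves the agent's environment in a file so that later shells and xterms, which are not descendants of the agent, can pick it up; the file name ~/.ssh/agent.env and the function names are my own choices.

```shell
# Added example, not the book's own snippet: a .profile fragment that reuses
# an ssh-agent instead of starting a fresh one in every shell.  It relies on
# OpenSSH's ssh-add -l exit status: 0 keys listed, 1 agent reachable but
# empty, 2 no agent reachable.  The book's snippet starts an agent on any
# non-zero status; this one starts one only on 2, and saves the agent's
# environment in $AGENT_ENV (an assumed file name) so that later shells,
# which are not descendants of the agent, can find it.

AGENT_ENV=${AGENT_ENV:-$HOME/.ssh/agent.env}

# agent_status -> prints "keys", "empty" or "none" from the ssh-add -l status
agent_status() {
    ssh-add -l >/dev/null 2>&1 && rc=0 || rc=$?
    case $rc in
        0) echo keys ;;
        1) echo empty ;;
        *) echo none ;;
    esac
}

# ensure_agent -> leaves SSH_AUTH_SOCK pointing at a live agent, starting one
# only if neither the inherited environment nor $AGENT_ENV reaches one.
# Prints "inherited", "reused" or "started" so the caller can tell what happened.
ensure_agent() {
    if [ "$(agent_status)" != none ]; then
        echo inherited
        return 0
    fi
    if [ -r "$AGENT_ENV" ]; then
        . "$AGENT_ENV" >/dev/null      # ssh-agent's own "VAR=...; export VAR;" lines
        if [ "$(agent_status)" != none ]; then
            echo reused
            return 0
        fi
    fi
    # Nothing usable anywhere (or the saved agent has died): start one and
    # record its environment.  umask 077: anyone who can read this file can
    # use every key the agent holds.
    (umask 077; mkdir -p "$(dirname "$AGENT_ENV")"; ssh-agent > "$AGENT_ENV")
    . "$AGENT_ENV" >/dev/null
    echo started
}

# As in the book's snippet, only bother in interactive shells.
if tty >/dev/null 2>&1; then
    ensure_agent >/dev/null
fi
```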
Setting up X to use ssh
If you work with X, you have the opportunity to start a large number of concurrent ssh sessions. It would be annoying to have to add the keys for each session, so there's an alternative method: start X with an ssh-agent, and it will pass the information on to any xterms that it starts. Add the following commands to your .xinitrc:
eval `ssh-agent`
ssh-add < /dev/null
When you run ssh-add in this manner, with its input coming from /dev/null instead of a terminal, it runs a program to prompt for the passphrase. By default it's /usr/X11R6/bin/ssh-askpass, but you can change it by setting the SSH_ASKPASS environment variable. /usr/X11R6/bin/ssh-askpass opens a window and prompts for a passphrase. From then on, anything started under the X session will automatically inherit the keys.