Yet Another SSH TutorialAuthor: Lee Azzarello <lee@dropio.com>Date: Mon Dec

1. Yet Another SSH Tutorial
2. Author: Lee Azzarello <lee@dropio.com>
3. Date: Mon Dec 1 18:32:21 UTC 2008
4.  
5. CHAPTER 1
6. Making it work.
7.  
8. SSH uses public key cryptography to authenticate your identity to another host.
9. This means that there are always two sides to the story. Your side, the
10. "private" side and the other side, the "public" one. Since you are vouching for
11. yourself, you must always have a private key from the host your are using to
12. initiate a connection. This is usually your laptop at work but it can be any
13. host attached to the Internet from anywhere in the world.
14.  
15. When you first sit down to a host, you have a clean slate. You cannot connect to
16. any of the other hosts in your domain's network. The first thing you must do is
17. generate a "key pair". This is done via the ssh-keygen(1) utility. This utility
18. is a bit of a swiss army knife. For now sufice to say you only need to know
19. about two specific things. 1) The key algorithm to use and 2) the length of the
20. key in bits. You will type this at your shell:
21.  
22. $ ssh-keygen -t rsa -b 2048
23. Generating public/private rsa key pair.
24. Enter file in which to save the key (/home/lee/.ssh/id_rsa):
25.  
26. Here you choose the location on your computer where your private key will be
27. stored. This is an important point of confusion. This is an arbitrary path on
28. your local disk. The path expressed by the program is merely the default
29. location. This location could easily be /tmp/foobar or
30. /home/lee/my/private/key/supersecret_ssh_private_key. So type in a custom path
31. or use the default. Next up you'll be prompted for a passphrase.
32.  
33. Enter passphrase (empty for no passphrase):
34. Enter same passphrase again:
35.  
36. Entering a passphrase is optional, though is a good idea. Imagine that you lost
37. your house keys and someone found them. If that person knew you and knew where
38. your house was located, they could easily enter your house without you knowing.
39. But imagine an awesome futuristic scenario where your house keys could only be
40. inserted into your lock if you entered a passphrase only known to you.
41. Unauthorized access to your house is now made near impossible, since that
42. someone will have to know who the keys belong to, where the house is located and
43. enter your special passphrase left at the door.
44.  
45. Now that you have a key pair, you'll see two files in the path you specified
46. above. 1) id_rsa and 2) id_rsa.pub. These are your private and public key,
47. respectively. These files are unique to you, not unique to the computer you are
48. working on. These files can be copied, just like an mp3 or text document and
49. placed on another computer. These files can even be placed on drop.io and
50. published to the world via twitter. It's your choice. I'd not recommend the
51. latter and I'd probably get very angry if you chose to do that but who am I to
52. put artificial boundaries up. I'll trust you to use your own judgement.
53.  
54. Another point of confusion is the name of these files. The name of the key pair
55. is 100% arbitrary. If you wanted to be super secret h4x0r you could name your
56. key Madonna-Like_A_Virgin-Extended_Dance_Mix.mp3, just to be confusing. Try it.
57. It'll blow your mind. Just don't try and play your private key in iTunes. That
58. could be weird.
59.  
60. So now you have a key pair that would be very difficult to break in polynomial
61. time with a super secret passphrase only known to you. Big whoop. What do you do
62. with it? First thing you do is talk to your friendly systems team (that's me)
63. about opening up access to hosts. Remember that public key cryptography goes
64. both ways. Right now your end is the only end with keys. You need to safely
65. transmit your public key to a systems admin and request you be given access to a
66. host or group of hosts. Safe transmission is near arbitrary here, since a public
67. key is just that, public. Email is fine. It doesn't really mean much and just
68. looks like a jumble of characters. For example, here's mine:
69.  
70. ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAx+q6hnNsXRFltr94gMk1N5Lm4MtmzuyCkoLs0b035Np8ISykxxmMHXi+GMUdL5utGs6ZFTRIRGwOLnW8ieVBlHpTGlgt48n/vuFx7usJh2yoilL24GjsQpetgtYlBQ8lEW6P7oTHtvugkaLHG2BlvETfM7BmPSUmk1N8JafJs0y/qqQI4IBPCeUavmurM6aUAEw+XSHQ5focN4E18ezyawZrbElVm98x/pjZL1Fnz5G7m7PKv2RP5lid6ya5wYttqQtstAUCKFvPViWb30/xYpWFmehWpepQNLCFiDENx/tCfl/Xl2XQXEftFOWW+AiInNHMqPkAfkUGdumIlhPSIw== lee@dropio-dev-x61-b
71.  
72. Useless.
73.  
74. But when that key gets added to the other end, the magic happens. Now that
75. systems knows who you are and can vouch for your identity (at least we hope this
76. is true) you can open up an interactive session to a remote host! Try it.
77.  
78. $ ssh -i /home/lee/.ssh/id_rsa username@remote.host
79. Enter passphrase for key '.ssh/id_rsa':
80. The authenticity of host 'some.host.name (some ip address)' can't be established
81. RSA key fingerprint is d3:42:64:9b:b9:2c:b9:3b:ce:64:da:05:79:b4:b3:ad.
82. Are you sure you want to continue connecting (yes/no)?
83.  
84. Oh shit, WTF does this mean? I'll bet you thought it was all clear from here.
85. Don't worry, this just means that your system isn't aware of the other system's
86. existance yet, thus it is asking you to verify that the other end is the correct
87. host you intend to connect to. This is an infrequently used feature of SSH but
88. ideally the systems admin will be able to verify the fingerprint of the host in
89. the rare case that you are so untrustworthy of your software you need human
90. verification of a host. Suffice to say you can safely type "yes" here. Remeber,
91. type the letters "y, e, s", not just the letter "y".
92.  
93. That's it. You're in!
94.  
95. CHAPTER 2
96. Making it easier.
97.  
98. So you have keys, you know how everything fits together and you have a trusted
99. account on a remote host. But there are some annoyances with working this way.
100. First off, pointing ssh to the private key and typing in the passphrase each
101. time you connect to a host is annoying and makes your fingers hurt. Enter
102. ssh-agent(1) and the corresponding ssh-add(1) utility. Most real operating
103. systems have ssh-agent running by default. This includes MacOS X and Linux with
104. a Gnome desktop. For non-real operating systems like Microsoft Windows, you'll
105. have to use a proprietary ssh client or Cygwin. Both of these options are
106. beyond the scope of this tutorial. Let's make sure ssh-agent is running.
107.  
108. $ ssh-add -l
109. The agent has no identities.
110.  
111. Great. The agent is running and it has informed you that it is not aware of any
112. identities. In this case an identity is an ssh private key. Remember, your
113. private key is unique to you, and thus can be considered a unique "identity".
114. Also keep in mind the definition of "you" can change but that's for later. Let's
115. add your identity to your agent.
116.  
117. $ ssh-add ~/.ssh/id_rsa
118. Enter passphrase for .ssh/id_rsa:
119. Identity added: .ssh/id_rsa (.ssh/id_rsa)
120.  
121. Now you can ask the agent about it's friends (identities) again.
122.  
123. $ ssh-add -l
124. 2048 29:71:1f:9b:e1:e5:5a:73:0f:79:00:cc:93:43:53:58 .ssh/id_rsa (RSA)
125.  
126. Excellent. Our little agent robot is working nicely on our behalf. No more
127. typing in stupid passwords or pointing to private keys every time. The agent
128. remembered what you whispered in it's ear and it has a much more direct route to
129. the other end than you do. You can trust it to do it's job. Now let's connect to
130. our remote host:
131.  
132. $ ssh username@remote.host
133. remote_shell$
134.  
135. Yea! Connected safely and simply.
136.  
137. But what happens if you have multiple hosts and different keys to access each
138. one? Systems dudes commonly group different levels of access to different keys.
139. For example, one key can be allowed to commit to the source code repository and
140. another allowed to deploy that code to the staging environment. Each is mutually
141. exclusive. One does not allow the actions of the other. No problem. Our robot
142. agent has a good memory. You just have to tell it about the other keys. Let's
143. add the staging deployment key to the agent.
144.  
145. $ ssh-add ~/deploy/stage_deploy_key
146. Identity added: /home/lee/deploy/stage_deploy_key (/home/lee/deploy/stage_deploy_key)
147. $ ssh-add -l
148. 2048 29:71:1f:9b:e1:e5:3a:73:1f:79:00:cc:93:43:53:58 .ssh/id_rsa (RSA)
149. 4068 7d:bf:e8:6c:d1:db:ea:a6:c3:61:4a:22:25:81:93:f4 /home/lee/deploy/stage_deploy_key (RSA)
150.  
151. Awesome. Now the agent knows about both identities and you can perform both
152. actions. Go ahead and commit some code to the repository and deploy to staging
153. (don't actually do this unless the other developers are aware of your actions).
154.  
155. Finally, how do you keep track of what keys can allow access to what actions?
156. Remember that the private key file names are arbitrary. What if you change the
157. name of stage_deploy_key to bananas_and_wooly_mamoths? The latter is far less
158. descriptive of what actions the key is allowed to perform. How do you know it's
159. even the same key? The answer is that long number that the agent tells you about
160. when you ask it to show you identities. That's the "key fingerprint" and is
161. unique to a key pair. We can come back to ssh-keygen(1) to get some information
162. out of our keys. Try this.
163.  
164. $ ssh-keygen -l -f /home/lee/deploy/bananas_and_wooly_mamoths.pub
165. 4068 7d:bf:e8:6c:d1:db:ea:a6:c3:61:4a:22:25:81:93:f4 /home/lee/deploy/bananas_and_wooly_mamoths.pub (RSA)
166.  
167. Notice you're pointing to the public key file in this case. This is why it's a
168. good idea to keep both public and private keys in the same place, though our
169. final little trick is to regenerate a public key from a private one. Just in
170. case you lost it. Cause that happens.
171.  
172. $ ssh-keygen -y -f bananas_and_wooly_mamoths
173. ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAx+q6hnNsXRFltr94bMk1N7Lm4MtmzuyCkoLs0b035Np8ISykxxmMHXi+GMUdL5utGs6ZFTRIRGwOLnW8ieVBlHpTGlgt48n+vuFx7usJh2yoilL24GjsQpetgtYlBQ8lEW6P7oTHtvugkaLHG2BlvETfM7BmPSUmk1N8JafJs0y/qqQI4IBPCeUavmurM6aUAEw+XSHQ5focN4E18ezyawZrbElVm98x/pjZL1Fnz5G7m7PKv2RP5lid6ya5wYttqQtstAUCKFvPViWb30/xYpWFmehWpepQNLCFiDENx/tCfl/Xl2XQXEftFOWW+AiInNHMqPkAfkUGdumIlhPSIw==
174.  
175. Notice the hostname at the end of the jumble of characters is absent this time.
176. That's because that part of the public key is also arbitrary. It's just a
177. textual identifier to help you remember what host generated the key, though it
178. cannot be trusted to be accurate.
179.  
180. So in conclusion, we now know how to generate a key pair, how to request access
181. to a remote host, how to connect to that host, how to use the agent to hold
182. identities and how to get information about our keys using ssh-keygen. I hope
183. this clears up the client side of doing fun stuff with ssh. I'll have a third
184. chapter on the server side sometime soon.