The (Practically) Ultimate OpenSSH/Keychain Howto

Best of ENP: With OpenSSH you can ensure that the bits flowing over your network are wrapped in strong encryption. With Keychain, you can make managing OpenSSH's public/private key crypto a little less of a hassle. Our practically ultimate howto shows you how.

By Carla Schroder | Posted Sep 18, 2007
Print ArticleEmail Article
  • Share on Facebook
  • Share on Twitter
  • Share on LinkedIn

All right, so maybe this isn't quite the ultimate. But this howto will show you the fundamental ways to use OpenSSH; how to generate public/private key pairs and strong passphrases, and how to use the wonderful Keychain utility to automate your SSH logins. This is exceptionally handy when you log in and out frequently, and don't want to keep entering your passphrase.

Installing OpenSSH

Keychain is a great little utility. Enter your SSH passphrases at boot, then keychain automatically authenticates all of your SSH sessions until the next reboot.

OpenSSH runs on any Linux or Unix variant, and even Windows via Cygwin. Users who don’t want to mess with a complete Cygwin installation can use SSHWindows, which is is a streamlined SSH server for Windows based on OpenSSH and Cygwin. Windows users who need only a client need look no farther than PuTTY.

Fetch OpenSSH from your usual package repositories, or get the sources from OpenSSH.

Starting And Stopping The SSH Daemon

On Red Hat-ish systems:

# /etc/init.d/sshd start
# /etc/init.d/sshd stop

On Debian-ish systems:

# /etc/init.d/ssh start
# /etc/init.d/ssh stop

All systems that you wish to connect to must have the SSH daemon running and port 22 open. First you must connect and download the remote host's host key. You may then connect to any account that you have a password for. This example shows a LAN connection to a different user account:

carla@stinkpad:~$ ssh -l ftp_admin ftpserver
The authenticity of host 'ftpserver (192.168.1.15)' can't be established.
RSA key fingerprint is a7:c6:70:3e:00:77:73:ed:90:b1:9a:bc:e7:d5:ba:32.
Are you sure you want to continue connecting (yes/no)?

Type yes, then:

Warning: Permanently added 'ftpserver 192.168.1.15' (RSA) to the list of known hosts.
ftp_admin@ftpserver's password:
Linux ftpserver 2.4.21 #1 Sun Dec 3 11:03:21 PDT 2004 i686 GNU/Linux
Libranet GNU/Linux
Last login: Sat Dec 2 10:17:45 from :0.0
ftp_admin@ftpserver:~$

Take a good look at your shell prompt. You are now logged into the remote host ftpserver, and can run commands just as though you were physically sitting at the machine. Your copy of ftpserver's public host key is stored in your local ~/.ssh/known_hosts.

Generating A Host Key

Your OpenSSH installation should have generated a set of RSA and DSA host keys. (It does not matter which one you use; both are cryptographically strong.) These are stored in /etc/ssh/. If it didn't, or if you just want to change them, do this:

# ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key

ssh-keygen will generate both a private key and public key, which will have a .pub extension. It is important to invent a strong passphrase. You'll be using this passphrase a lot, so it must be reasonable for you to type. Don't mess yourself up trying to remember it, unless you know you can- write down your logins on paper and keep the paper safe. I use a little notebook that I carry with me, and keep a duplicate in a locked file cabinet. A good passphrase avoids dictionary words- try substituting numbers for letters, like "h3ll0, th1s is mai l33t p4ssphr4se."

The above example used the default key name. You may name your keys anything you like, which can be useful when you're creating administrative accounts for servers, like ftp_server_key. If you do use different names, be sure to list them in /etc/ssh/sshd_config:

# HostKeys for protocol version 2
HostKey /etc/ssh/ftp_server_key

Don't be changing your host keys casually, because when you do all of the established clients that try to connect will get large scary warnings like this:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!

They can still download the new key. But you should always warn your users when you are going to change a host key.

A "man in the middle" attack means that someone manages to intercept the key exchange and insert their own key. It's a pretty small risk, but cautious persons arrange other methods to transfer keys: sneakernet (define) , or over an established SSH session. You may manually copy host keys, as they are in plain text. But they must be modified slightly. Suppose that /etc/ssh/ftp_server_key.pub looks like this:

ssh-rsa
AAAAB3NzaC1yc2EAAAABIwAAAIEAwo+75MsrsXNANKy6U7J2FM0T
MaQypEVlkNCVVXbX1nc3U3YnQLxmpwqYdVggGqrqS5IMhGJV5HaUt8PQnZ03K
KOU65d3Y/MuX5mrhcI+YtQZN0QudOXOx7RQMAHLluspO6BWARZdHO4FXcn7P3
T6IvURZ3fF5fgymVDwosCr0Pc= root@ftpserver

It needs to be modified to look like this in your ~/.ssh/known_hosts:

ftpserver.domain.net, 192.168.1.15 ssh-rsa
AAAAB3NzaC1yc2EAAAABIwAAAIEAwo+75MsrsXNANKy6U7J2FM
0TMaQypEVlkNCVVXbX1nc3U3YnQLxmpwqYdVggGqrqS5IMhGJV5HaUt8PQnZ03
KKOU65d3Y/MuX5mrhcI+YtQZN0QudOXOx7RQMAHLluspO6BWARZdHO4FXcn
7P3T6IvURZ3fF5fgymVDwosCr0Pc=

Starting at the AAAAB these must be single, unbroken lines.

All users with an account on ftpserver can now do secure remote logins.

Public-Key Authentication

If you are managing a lot of different servers, you'll have a lot of different logins to keep track of. Give yourself a single login for multiple hosts by using public-key authentication. This also has the advantage of protecting your system logins. First generate a new public-private key pair, and store it in your home directory:

$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/ftp_admin/.ssh/id_rsa):
....

Now copy your new public key (id_rsa.pub) to all of the remote user accounts you'll be logging into, into their ~/.ssh/authorized_keys files. When you log in you'll be asked for your SSH passphrase instead of the account login:

carla@stinkpad:~$ ssh -l ftp_admin ftpserver.domain.net
Enter passphrase for key '/home/ftp_admin/.ssh/id_rsa':
...

Use one key for many servers, use many different keys- whatever suits you.

Using Keychain For Automated Logins

Keychain is a great little utility. Enter your SSH passphrases at boot, then keychain automatically authenticates all of your SSH sessions until the next reboot. (Obviously you must pay some attention to the physical security of your workstation.) Keychain also lets you schedule SSH transfers from cron. Don't use null passphrases! That permits anyone who thieves your private keys to easily masquerade as you.

First install ssh-agent. Then install keychain, and edit your local ~/.bash_profile to name your private key or keys:

keychain id_dsa
    . ~/.keychain/$HOSTNAME-sh

If you have more than one private key, list them separated by spaces:

keychain id_dsa fun_key mon_key

Be sure to include the leading dot on the second line; this tells Bash to reference the named file.

And there you have your fundamental SSH operations. SSH can do many more useful tasks, such as secure tunneling of almost any protocol: X11, POP, FTP; secure file copying, and port forwarding. See Resources to learn more.

Resources

Comment and Contribute
(Maximum characters: 1200). You have
characters left.
Get the Latest Scoop with Enterprise Networking Planet Newsletter