SSH key exchange - security

I have 2 servers with which I work: first one is application server and another one is archival server.
I access both of these servers using F-Secure SSH Client using the same user id and public-private key pair for authentication. It means that private key is stored on the Windows machine and public key is stored on both servers.
Now I need to access archival server from application server. To do that I have to do a key exchange first.
What is a standard aproach in this case? Do I just copy my private key from Windows to the application server? Would it compromise security? Or I need to generate a new key pare?
I appretiate your help!
P.S. I am relatively new to Unix administration, so don't be very hard on me :)

The standard approach is:
Generate on each machine/user a new private/public key pair
Use authorized keys file in .ssh and add every public key
Copy this authorized keys file to every remote host
Sidenote: The authorized key file as well as the key pairs are user#machine related
Sidenote2: Usually ppl block root completely from this process. Root should be neither accessible via pw auth nor with key auth.

#fyr's answer is correct, however you don't need to manually add or copy anything. You can do it with ssh-copy-id.
Assuming that the SSH server on your new machine is already running, from your old machine (which already has an SSH key pair, if not run ssh-keygen), run
ssh-copy-id -i ~/.ssh/mykey user#host
where the -i parameter denotes the location of your public key. The ssh-copy-id tool will add the .pub extension if necessary, so it won't be trying to send your private key.
A real-world example of this, let's say to exchange keys with a Raspberry Pi, would be:
ssh-copy-id -i ~/.ssh/id_rsa pi#192.168.1.11
This will ask for your password, but just once. If the key exchange is successful, you'll be able to ssh into it without needing a password.

Related

SSH : Copy files without password when using public key authentication.

We have 2 Debian servers, one for testing and one for live. I have some scripts which should be executed to transfer data from live to test. For both the servers we use PublicKeyAuthentication where our id_rsa.pub's contents are added to authorized_keys on test server.
Even after doing this, everytime I initiate a transfer from one server to another, I am being asked for password.
I also tried calling ssh-copy-id, but that didn't help and all I got was a duplicate entry in authorized_keys.
Lastly when I try sshpass, I get the following message, and i cannot enter the password as its just a message.
sshpass -v -p 'PASS' ssh root#our_server
SSHPASS searching for password prompt using match "assword"
SSHPASS read: Enter passphrase for key '/root/.ssh/id_rsa':
Any ideas? Thanks.
From the output of sshpass, it seams that it is asking for the password of the key, not the password for the server:
Enter passphrase for key '/root/.ssh/id_rsa'
Protecting your SSH-keys with a password is a good practice, but you can not fully automate things that way, as you discovered. Depending on your situation, you can do either of the following:
Use an SSH-agent. This is a daemon that will ask your password once, and keep the private key cached until you remove it. This still has the benefit that your SSH-key is stored password-protected on disk, but you can use it as a password-less key.
This has the added benefit that you can forward SSH-agent over SSH: if you SSH from your machine to server A, and then further on to server B, this last connection can use the key stored on your machine (instead of having to copy your key to server A).
Remove the password from the key entirely (you can use ssh-keygen to change the password to be blank)
How do you execute data transfer? Is it scp? Check your system usernames, make sure public keys are installed to authorized_keys file for correct user.

hide / compile ssh key so it can't be used outside a public script

Does anybody have an idea how can I use an ssh private key in a script to scp some files from a server using a private key to connect but make sure the key can't be extracted to be used for something else?
The servers are already deployed and new users or new keys can't be generated.
I have the root key. The script/ app should just grab a few files from a folder without exposing the key to the user.
I think you have your ideas about public/private keys backwards.
If I give you my public key, then my private key allows me to access your computer. This effectively solves your problem, as you should never share your private key, and you'll append public keys to ~/.ssh/authorized_keys file on the server you want to access.
It sounds like you already have the private key to access the server, so no need to encrypt, as you use that to access the server not the other way around.
Use it scp -i ...
Hopefully helpful, here's a tutorial on setting up keys:
https://www.digitalocean.com/community/tutorials/how-to-set-up-ssh-keys--2

Confused regarding ssh keys on linux

I have few doubts regarding using private/public key on linux.
Suppose i have two linux boxes A and B.
I want to use password less logins to B from any computer.
so on A i did this
ssh-gen -t rsa and it made two files
id_rsa and id_rsa.pub
Then i copied id_rsa.pub to B ~/.ssh/A_id_rsa.pub and then
cat A_id_rsa.pub >> authorized_keys
Now i have these questions
Suppose i have another computer C where i also want to have passwordless login but i want to use key phrase to protect the private key. so can i generate another key using ssh-gen -t rsa with different name and use that or i have to delete the previous key
The other thing is for password less logins do need to do anything with keys from B to A or its always from A to B
So the private key will always stay on host computer only? i have seen that AWS gives the private key for login. then why is that. Beuase for putting A public key to B someone needs to access B. which is not possible for first time. so does it mean we can login with either public key or private key
Yes, you can generate a key pair on C and do the same that you did for A:
cat C_id_rsa.pub >> authorized_keys
The keys will only allow logins from A to B.
Yes the private key will stay on the host computer. I believe AWS automatically puts the public key on computer B while it creates the virtual box.
In a quick line or two:
The keys somewhat work like (very roughly): you need the public key to decrypt what is encrypted by private key and vice-versa. To be more precise, http://en.wikipedia.org/wiki/Public-key_cryptography has way better information to start with.
So to answer the questions: The private key is not normally tied to a computer. You could copy the private key from, say A to C and could login by using it from C.
You could generate multiple keys on a single host, one key-pair for each set of hosts. Similarly, you could generate keys from multiple hosts, each host publishing it's key to the target computer's (B in this example) 'authorized_keys' file.
Ideally, the private key should be as secret as possible. While the SSH or key-management would not force having the key on one computer, it should be limited to a single system as a best practice. Having said that, as far I know there is really nothing that prevents copying the private key around, say for backup or migration to a new system. In other words, the private key file is like the password, it could be literally used from any system to login.

ssh with keys and without passphrase

I want to copy directories with scp from server A to a remote server B. As i want to do this with a script I generated a private and a public key for the server, which work fine with winScp.
but when i try to copy with shell/skript
scp -i <DIR>/key.ppk $tmpDirA/*.war $username#$server:$TmpDirB
Im getting asked for the passphrase
Enter passphrase for key '<DIR>/key.ppk'
even the passphrase was left empty when generating the keys.
both server(openSuse) have openSsh, protocol 2. and the keys are rsa-keys
This keys are not generated with the server A. Does it matter?
I cant see what point im missing. So thanks for any help.
Are you trying to use a PUTTY private key? Openssh does not support putty private key files, but PUTTYgen can export to a format openssh understands.
Are you sure ssh chooses the right key when copying?
Create a config file in ~/.ssh and define different hosts there, this ensures that ssh chooses the correct key.
Linux man page

Passwords and svn

Hi I am accessing a repository through a URL of type svn+ssh://
Reading the following quote from SVN and SSH from Adobe I am a little confused
"Before you configure Subversion or Dreamweaver for SVN+SSH, create an RSA key pair and configure the public key on the server. This public/private key pair is used to authenticate with the server, instead of storing and passing your password in plain text."
So if I just acces a repository by svn+ssh:// pe. from command line, my password is send in clear text ? I thought part of ssh was to encrypt the password, no ?
Maybe I was unclear, I have not generated any keypairs so use my password every time, does that change anything or is the quote written in confusing way ? Thank you.
Part of ssh is to encrypt everything, not just your password. So, your password would not be going over the wire in plain text.
SSH never sends passwords in plain text. However, non-SSH protocols such as svn:// may send the password in plain text. Adobe is recommending that users use SSH. Adobe also recommends that if SSH is used, then RSA key pairs are also used. Key pairs are easier because you don't have to keep typing your password for every operation (when used with an SSH agent).
There is no password at all in this case. All authentication happens based on key pair. One key is on your client machine, another one lies on the server. All traffic is also encrypted.

Resources