DevOps

More SSH

Michael L. Collard, Ph.D.

Department of Computer Science, The University of Akron

Public & Private Keys

  • public key
      • In file: id_ed25519.pub
      • Feel free to share; you can even publicly post it
  • private key
      • In file: id_ed25519
      • Do not share; keep the file readable only by you (mode 600, or ssh refuses to use it)
  • Extract the public key from the private key (e.g., if the .pub file is lost):
      • ssh-keygen -y -f ~/.ssh/id_ed25519

Using SSH Keys Instead of Passwords

  • Allow multiple developers to log in as the same user on the same system without sharing a single password: each developer's public key is one line in that account's ~/.ssh/authorized_keys
  • Revoke a developer's access just by removing their public key from authorized_keys; nobody else has to change a password
  • Make it easier for a single developer to log in to many accounts without managing many different passwords

SSH

  • ssh - secure shell
  • scp - secure copy
  • sftp - SSH file transfer protocol (a file-transfer subsystem that runs inside SSH, not FTP tunneled over it)

SSH Usage

  • login
      • ssh <username>@66.228.46.28
  • run a command remotely
      • ssh <username>@66.228.46.28 <command>

man Pages

  • Installed on Unix systems alongside the command they document
  • Best source for what is available on that particular server: options differ between OpenSSH releases and vendors, and the man page describes the version actually installed
  • Usage:
      • man ssh
      • man -k ssh (keyword search; lists every page that mentions ssh)
      • man ssh_config
  • Uses a pager (more or less) to view
      • Arrow keys to move, / to search, q to quit

SSH Configuration

  • .ssh directory (must be private: mode 700)
  • .ssh/config (mode 600; ssh refuses a config file that other users can write)
  • Essential keywords:
      • Host (the alias you type on the command line)
      • HostName (the real host name or address)
      • User
  • Shared-session keywords (one authenticated connection reused by later ssh, scp, and git invocations):
      • ControlMaster
      • ControlPath
      • ControlPersist

SSH Keys and GitHub

  • HTTPS URL (does not use SSH keys)
      • git clone https://github.com/mlcollard/DemoGitHubSSHKeys.git
  • Git (SSH) URL
      • git clone git@github.com:mlcollard/DemoGitHubSSHKeys.git
  • Must add your public key (the .pub file) to GitHub
  • Testing:
      • ssh -T git@github.com
      • -T skips the pseudo-terminal request; GitHub does not give you a shell, it just reports which account the key authenticated as

Problem

  • Local public and private key: very useful for GitHub, local->GitHub
  • On a remote system, e.g., the devops server
      • Want to use Git (SSH) URLs
      • Path: local->devops->GitHub
      • Does not work: GitHub sees a connection from devops, and devops has no key that GitHub knows
  • Possible solution:
      • Generate a new key on the remote system and set that up with GitHub, e.g., devops->GitHub
      • However, a private key is now on a remote system you don't control (anyone with root there can copy it)

Solution

  • The SSH config option:
      • ForwardAgent yes
  • Lets the remote system use your local keys through your local ssh-agent; the private key never leaves your machine, only signing requests travel back over the connection
      • local->devops->GitHub
  • Caveat: anyone who can bypass file permissions on devops (root) can use your forwarded agent while you are connected, though not copy the keys; enable it per host (Host devops), not under Host *
  • Note: While setting this up, turn ControlMaster off and remove any saved shared connection (temporarily), so a new connection is opened with the new settings instead of reusing an existing master
  • Note: Before changing anything on a remote system involving SSH, open a separate session and stay logged in, in case something goes wrong
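The following is an added example, not part of these slides or the course's own files; it serves the SSH Configuration slide and the ForwardAgent solution above in one config. It builds an ~/.ssh/config with a Host/HostName/User alias, connection sharing, and agent forwarding limited to one trusted host. devops.example.com, the user alice, the sockets directory and the 10m persistence are assumed placeholders.

```shell
#!/bin/sh
# Added example, not part of the slides: build an ~/.ssh/config covering the
# Host/HostName/User alias, ControlMaster/ControlPath/ControlPersist sharing,
# and agent forwarding for a single trusted host.
# devops.example.com, alice and the sockets directory are assumed placeholders.

# write_ssh_config DIR: write DIR/config with the permissions ssh requires; prints its path.
# ssh_config takes the FIRST value it finds for each keyword, so the specific
# Host block must come before the "Host *" defaults or the defaults win.
write_ssh_config() {
    dir=$1
    mkdir -p "$dir/sockets"
    chmod 700 "$dir" "$dir/sockets"        # ssh insists on a private .ssh directory
    cat > "$dir/config" <<'EOF'
# Global: keep the macOS-only keyword below from aborting a non-Apple ssh
IgnoreUnknown UseKeychain

# Alias: "ssh devops" expands to the real host name and user
Host devops
    HostName devops.example.com
    User alice
    # Only this host may reach the local agent; root on devops can use the
    # forwarded keys while you are connected, but cannot copy them
    ForwardAgent yes
    # Do not reuse an existing shared connection while testing forwarding
    ControlMaster no

# Defaults for every other host (agent forwarding stays off)
Host *
    ForwardAgent no
    UseKeychain yes
    AddKeysToAgent yes
    ControlMaster auto
    ControlPath ~/.ssh/sockets/%r@%h-%p
    ControlPersist 10m
EOF
    chmod 600 "$dir/config"                # ssh refuses a config other users can write
    printf '%s\n' "$dir/config"
}

# forward_agent_hosts CONFIG: print the Host aliases that turn agent forwarding on
forward_agent_hosts() {
    awk 'tolower($1) == "host" { host = $2 }
         tolower($1) == "forwardagent" && tolower($2) == "yes" { print host }' "$1"
}

# effective_config CONFIG ALIAS: what ssh actually resolves for ALIAS (needs ssh installed)
effective_config() {
    ssh -F "$1" -G "$2" | grep -E '^(hostname|user|forwardagent|controlmaster) '
}

# Demo: write the file into a scratch directory (ControlPath assumes the real ~/.ssh)
cfg=$(write_ssh_config "$(mktemp -d)")
echo "agent forwarding enabled for: $(forward_agent_hosts "$cfg")"
if command -v ssh >/dev/null 2>&1; then
    effective_config "$cfg" devops || true
fi
```

To adopt it, copy the heredoc contents into ~/.ssh/config and check the result with ssh -G devops, which prints the options ssh will really use for that alias after all Host blocks are applied.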

Passphrase

  • What if someone stole your private key?
  • The passphrase is the SSH password equivalent: the private key file is stored encrypted, and the passphrase decrypts it
  • Only applies to the private key
  • Can be changed on a private key without affecting the public key (the key pair stays the same; only the file encryption changes):
      • ssh-keygen -p -f ~/.ssh/id_ed25519

Problem

  • Have to provide the passphrase every time the key is used
  • Solution: ssh-agent holds the decrypted key in memory and signs on your behalf
  • Startup:
      • eval $(ssh-agent)
  • List keys (public halves of the loaded keys):
      • ssh-add -L
  • Delete all keys:
      • ssh-add -D
  • Add key (asks for the passphrase once):
      • ssh-add ~/.ssh/id_ed25519
  • Note: With forwarding, the private key and the agent stay on the local machine, so the passphrase is entered and checked locally; the remote system only talks to the forwarded agent socket
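The following is an added example, not part of these slides; it exercises the Public & Private Keys, Passphrase and ssh-agent slides in one run. It generates an ed25519 pair in a scratch directory, re-derives the public key from the private key with ssh-keygen -y, adds and then changes the passphrase with ssh-keygen -p, and loads the key into a throwaway agent. The key name id_ed25519_demo and the passphrases are made-up placeholders.

```shell
#!/bin/sh
# Added example, not part of the slides: generate an ed25519 pair, recover
# the public key from the private key, add and change the passphrase, and
# load the key into a throwaway ssh-agent. Key name and passphrases are
# made-up placeholders.

# make_key DIR NAME: new ed25519 pair with no passphrase yet; prints the private key path
make_key() {
    key="$1/$2"
    ssh-keygen -q -t ed25519 -N '' -C "$2@example" -f "$key"
    printf '%s\n' "$key"
}

# pubkey_matches KEY: prints 1 if KEY.pub equals the public key derived from KEY
pubkey_matches() {
    # ssh-keygen -y recomputes the public key; drop the comment field before comparing
    derived=$(ssh-keygen -y -f "$1" | cut -d' ' -f1-2)
    stored=$(cut -d' ' -f1-2 < "$1.pub")
    if [ "$derived" = "$stored" ]; then echo 1; else echo 0; fi
}

# set_passphrase KEY OLD NEW: re-encrypt the private key file; KEY.pub is untouched
set_passphrase() {
    ssh-keygen -q -p -P "$2" -N "$3" -f "$1"
}

# is_encrypted KEY: prints 1 if the private key cannot be opened with an empty passphrase
is_encrypted() {
    if ssh-keygen -y -P '' -f "$1" >/dev/null 2>&1; then echo 0; else echo 1; fi
}

# fingerprint KEY: SHA256 fingerprint of KEY.pub, the value GitHub shows beside an uploaded key
fingerprint() {
    ssh-keygen -l -E sha256 -f "$1.pub" | awk '{ print $2 }'
}

# agent_keys KEY PASS: start a private agent, add KEY using PASS, print how many
# ed25519 keys the agent holds, then stop the agent
agent_keys() {
    eval "$(ssh-agent -s)" >/dev/null
    # ssh-add reads the passphrase from an askpass program when stdin is not a tty
    askpass=$(mktemp)
    printf '#!/bin/sh\necho "%s"\n' "$2" > "$askpass"
    chmod 700 "$askpass"
    DISPLAY=:0 SSH_ASKPASS="$askpass" SSH_ASKPASS_REQUIRE=force \
        ssh-add "$1" </dev/null >/dev/null 2>&1
    n=$(ssh-add -L | grep -c '^ssh-ed25519 ' || true)
    ssh-agent -k >/dev/null
    rm -f "$askpass"
    echo "$n"
}

# Demo (only where the OpenSSH client tools are installed)
if command -v ssh-keygen >/dev/null 2>&1; then
    dir=$(mktemp -d)
    key=$(make_key "$dir" id_ed25519_demo)
    echo "public key matches private key: $(pubkey_matches "$key")"
    set_passphrase "$key" '' 'correct horse'                 # add a passphrase
    set_passphrase "$key" 'correct horse' 'battery staple'   # change it; KEY.pub unchanged
    echo "encrypted: $(is_encrypted "$key")  fingerprint: $(fingerprint "$key")"
    if command -v ssh-agent >/dev/null 2>&1; then
        echo "ed25519 keys held by agent: $(agent_keys "$key" 'battery staple')"
    fi
    rm -rf "$dir"
fi
```

The askpass script exists only so the demo can run without a terminal; interactively, ssh-add simply prompts. Because agent_keys starts and kills its own agent, it never touches the agent of the shell it runs in.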

Local Key Management

  • Often ties into the OS key management
  • E.g., Keychain on macOS:
      • UseKeychain yes
      • AddKeysToAgent yes
  • UseKeychain is described in the man page on macOS, but not in the man page on the devops server; a non-Apple ssh aborts on it with "Bad configuration option" unless the config also says IgnoreUnknown UseKeychain
  • Since other OSs have multiple key management tools, those have to be figured out individually

Points to Remember

  • Key access is more flexible and safer than password access
  • Keep your private keys in as few places as possible (forward the agent rather than copying keys)
  • Use a passphrase
  • Set up keys for GitHub