SSHKeys - CustodesTechnologia/System GitHub Wiki

Bolter and Chainsword

Setup for SSH-keys to Access Site

Access to the test server hardware requires the use of SSH keys.

There shall not be password login access. A small band of Black Templar are standing by for the off-chance plain text passwords are enabled by mistake.

The Goal

Configure your local PuTTY environment to have awareness of the key-files needed to access the system via SSH. Plus, to configure the server-side account you're using with the data you generate.

Run PuttyGen

On your local PC, run puttygen.exe (this is not PuTTY itself, but the complementary tool for generating keys). Download puttygen.exe from the same place you got PuTTY. I'd recommend going to the source of all PuTTY: https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html

Find puttygen for your platform.

Execute puttygen

Generate Key

Click the button "Generate"

Wiggling the mouse in the blank area creates entropy, which speeds up the generation of the keys.

Enter Passphrase

After the keys are generated, enter a passphrase. Make the passphrase as easy to remember and difficult to guess as possible. Longer is better.

But frankly, this is optional. If an attacker gets your private key file, they would be able to get into your (our) system. The passphrase protects the key to a degree. How likely is it that you will have the private key stolen? If not zero, then put a passphrase on the key.

If you keep your private key in such a way that the risk of it being stolen is infinitely small, then don't bother with a passphrase on the key.

Having said all of that, in this day and age, more protection is cheaper than wishing you had it after the key is stolen. This is analogous to why people buy insurance.

Since the key we're talking about opens the server that many users depend on, you have to realize that without the protection of a passphrase you're putting the site we all support and work with at risk.

/off-soap-box

Save Keys

Copy public key to a file

Select all of the text in the box labeled "Public key for pasting into OpenSSH authorized_keys file" (near the top of the window) by dragging the cursor. Right-click over the selection and choose Copy. Finally, click the "Save private key" button to save the private key to a file (Figure 3). This is the first file you are saving. You can literally just use Notepad: copy from the text window, paste into Notepad, and save it.

Save the Private key (use the button to save it)

Save the Public key (use the button to save it)

STORE THESE KEYS ON YOUR COMPUTER.

Send the Admin the Public Key you copied

Send the admin the Public Key you copied (not the Public Key file you saved via the button; send the little tiny public key that was in the window). You can safely email it to the admin. It's the public key. You can tell the whole world about your public key if you wanted to. It can hurt nothing. It's a public key.

But, do not ever send anyone the Private Key file.

Keep it private on your local PC.

If you're the Admin, a short detour

If you're not the admin skip over this step.

Note: if you are the admin, then what you need to do is make the user account for them on the server:

# adduser --disabled-password --ingroup GROUP  USER

Where GROUP is the group name you want the user USER to be in.

Then, as root do this:

# su USER
$ cd ~USER
$ ssh-keygen

This establishes the .ssh directory for you to add the public key the user generated and sent to you.

Remember -- don't ask them for the public-key FILE that PuTTYGen makes. You want the small public key that was copied from the window when they ran PuTTYGen. No one should send you ANY key-file saved by the PuTTYGen. They only send you the tiny public key that they copied and pasted off the window of PuTTYGen!!

As the admin (you've already switched user to USER), edit the file ~/.ssh/authorized_keys. Make sure you're in the home directory of USER and you are editing the file as USER.

Append to the file the tiny public key the user sent you.

Save the file.

Make sure the permissions of the file and the ~/.ssh directory are correct. sshd refuses keys from a directory or file that others can write to.

They should look like this (for USER of joe and GROUP of janitor):

joe@host:~$ ls -la ~/.ssh
total 20
drwx------ 2 joe janitor 4096 Jun 18 19:47 .
drwxr-xr-x 5 joe janitor 4096 Jun 18 19:49 ..
-rw------- 1 joe janitor  158 Jun 18 19:42 authorized_keys
-rw------- 1 joe janitor 1679 Jun 18 19:47 id_rsa
-rw-r--r-- 1 joe janitor  395 Jun 18 19:47 id_rsa.pub
joe@host:~$

To ensure the permissions are right:

joe@host:~$ chmod 700 ~/.ssh
joe@host:~$ chmod 600 ~/.ssh/authorized_keys ~/.ssh/id_rsa
joe@host:~$ chmod 644 ~/.ssh/id_rsa.pub
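The admin steps above (after adduser) as a script, written here as an added example and not part of the wiki. It assumes the target home directory, USER and GROUP are passed as arguments, it is run as root on the server, and the key text is the single line copied from the PuTTYgen window; it refuses the two files users send by mistake (the .ppk and the "Save public key" file) before touching authorized_keys.

```shell
#!/bin/sh
# Added example, not from the wiki: the admin-side steps after adduser as a script.
# Assumed: run as root on the server; HOME_DIR/USER/GROUP given as arguments; the key
# text is the single line copied from the PuTTYgen window (OpenSSH authorized_keys form).

# Succeed only if $1 is one OpenSSH public-key line. Rejects the two things users
# send by mistake: the .ppk private key and the "Save public key" file (SSH2 format).
is_openssh_pubkey_line() {
    key="$1"
    nl="$(printf '\nx')"; nl="${nl%x}"   # literal newline for the case pattern
    case "$key" in
        *"$nl"*) return 1 ;;                             # more than one line: a file, not the window text
        "PuTTY-User-Key-File-"*) return 1 ;;             # the private key (.ppk) was sent
        "---- BEGIN SSH2 PUBLIC KEY ----"*) return 1 ;;  # the "Save public key" file was sent
    esac
    # key type, base64 blob, optional comment
    printf '%s\n' "$key" |
        grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
}

# Append a validated key to HOME_DIR/.ssh/authorized_keys with the permissions shown
# in the listing above (directory 700, authorized_keys 600), owned by USER:GROUP.
install_authorized_key() {
    home_dir="$1"; user="$2"; group="$3"; key="$4"
    if ! is_openssh_pubkey_line "$key"; then
        echo "refusing: not a one-line OpenSSH public key (did they send a PuTTYgen file?)" >&2
        return 1
    fi
    mkdir -p "$home_dir/.ssh"
    printf '%s\n' "$key" >> "$home_dir/.ssh/authorized_keys"
    chmod 700 "$home_dir/.ssh"
    chmod 600 "$home_dir/.ssh/authorized_keys"
    if [ "$(id -u)" -eq 0 ]; then             # chown needs root; skipped in a non-root dry run
        chown -R "$user:$group" "$home_dir/.ssh"
    fi
    return 0
}

# Usage (as root, after adduser): sh add_key.sh /home/joe joe janitor "$(cat key_from_mail.txt)"
if [ $# -eq 4 ]; then
    install_authorized_key "$1" "$2" "$3" "$4"
fi
```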

For the USER, Continue the steps below.

Let the Admin know...

After the admin has copied the data for you into your shell account, the next steps are what you do with PuTTY. You're done with puttygen.

Configure your PuTTY

Start PuTTY. Define a new session as follows:

Under the "Host name (or IP address)" field put the IP address the admin gave you.

Click the radio button for "SSH" connection.

For the PORT NUMBER, use the port number the admin gave you.

Under the configuration: Connection > Data, for the field "Auto-Login Username" use the username the admin gave you.

Under the configuration: Connection > SSH > Auth, find the field "Private key file for authentication" and use the Browse button to locate the PRIVATE key file you saved before.

IMPORTANT: Select the configuration menu "Session"

You should now see your general session configuration (SSH radio button selected, port number set, IP address of remote host set).

Give the session a name in the "Saved Sessions" field.
Type in the name. Then, press "Save".

Do not Connect to the system BEFORE Saving the Session.

(You only have to save it once. If you connect before saving, then close the session, you'll lose the settings you just worked hard to configure. You won't have to re-create key files, but you'll have to reconfigure the session again with PuTTY)

Again: This is important. You must press save only when in the general "Session" menu of the configuration. PuTTY just works this way. Save.

Test

In the future, to connect to the server with that session configuration, select it from the list, press Load, then Connect.

It should prompt you for the passphrase you created for the key and then upon success log you into the server.