Openssh tips and tricks¶
- Author:
Dimitry Dukhovny
Openssh is the way standards-compliant nodes communicate securely. Alternatives exist, but no one cares. This workhorse is well maintained and implements good crypto out of the box.
Note
To donate to the maintenance of these pages, do send BTC to bc1qkw0pp78kv67zrgp8xds7qrqen7mhlz0rs5p8p5
Using keys to pivot around your environment¶
Using keys is safer, smarter, and easier on your life than using passwords. That is only true if you do not mismanage your keys. Use keys in the name of both security and sloth.
Create an RSA key pair if you do not already have one.
1# This will prompt you for a passphrase. Do pick one!
2[ ! -f ~/.ssh/id_rsa ] && ssh-keygen
Fetch the host key from every remote host you are likely to encounter. I raid the /etc/hosts file and the /etc/ansible/hosts.ini files for this.
1egrep -hv '^\s*(#|\[.*\]|$)' /etc/hosts /etc/ansible/hosts | \
2 awk '{print $1}' | sort | uniq | \
3 xargs ssh-keyscan >> ~/.ssh/known_hosts
Load your new key into memory so you never get prompted for an SSH password until you log out. This will prompt you for a passphrase. Once. Then you can log into as many hosts as you want without a prompt.
1# This will prompt you for your passphrase
2eval `ssh-agent`; ssh-add ~/.ssh/id_rsa
Disseminate SSH keys¶
1remotehostlist=`egrep -hv '^\s*(#|\[.*\]|$)' \
2 /etc/hosts /etc/ansible/hosts | \
3 awk '{print $1}' | sort | uniq`
4
5for rh in ${remotehostlist}
6do
7 ssh -o preferredauthentications=password user1@${rh} \
8 "echo `cat ~/.ssh/id_rsa.pub` >> \
9 .ssh/authorized_keys; \
10 chmod 600 ~/.ssh/authorized_keys"
11done
Fetch keys from AWS Secrets¶
Create an RSA key secret called svc.ssh.key from your id_rsa file
Create an RSA key passphrase secret called svc.ssh.key.p
1read -p "Enter passphrase:" -s
2aws secretsmanager create-secret \
3 --name svc.ssh.key.p \
4 --description "encrypted service account SSH key passphrase" \
5 --secret-string "${REPLY}"
6unset REPLY
7
8aws secretsmanager create-secret \
9 --name svc.ssh.key \
10 --description "encrypted service account SSH key" \
11 --secret-string "`cat ${HOME}/.ssh/id_rsa`"
For each scripted execution, you can use…
1datestamp=`date +%s`
2[ ! -d ${HOME}/.ssh ] && mkdir -p ${HOME}/.ssh
3
4aws secretsmanager \
5 get-secret-value \
6 --secret-id "svc.ssh.key.p" \
7 --query SecretString \
8 > ${HOME}/.ssh/service.key
9
10echo 'aws secretsmanager \
11 get-secret-value \
12 --secret-id "svc.ssh.key.p" \
13 --query SecretString' \
14 > ${HOME}/.ssh/.k.sh
15
16chmod 700 ${HOME}/.ssh ${HOME}/.ssh/.k.sh
17chmod 400 ${HOME}/.ssh/service.key
18
19export DISPLAY=1
20export SSH_ASKPASS=${HOME}/.ssh/.k.sh
21eval `ssh-agent`
22ssh-add ${HOME}/.ssh/service.key <<< ${HOME}/.ssh/.k.sh
23# Perform your SSH actions after this, such as Ansible runs
24# unset your key with...
25# ssh-agent -k
Trouble: failed login with no password prompt¶
You probably have an RSA key in ~/.ssh, but your receiving host only allows one login attempt and has no authorized_keys file with your public key in it. You need to tell it to use a password because SSH prefers key logins.
For these examples, you are user1 and you want to log into serverB.
1ssh -o preferredauthentications=password user1@serverB
Let us say you want to just fix the problem once and for all by copying your public key to the remote host. Do this.
1ssh -o preferredauthentications=password user1@serverB \
2 "echo `cat ~/.ssh/id_rsa.pub` >> .ssh/authorized_keys; \
3 chmod 600 ~/.ssh/authorized_keys"
Use the trick from the keyscan example to do this on every remote host. See Disseminate SSH keys.
Trouble: logins are painfully slow¶
The most common two culprits are DNS troubles on the receiving host and GSSAPI login attempts when you are not using the GSS API. I will address the latter here. See Troubleshooting DNS for the former.
Trouble: key file is too open or has wrong permissions¶
SSH wants the private key to be protected from unauthorized users.
Assuming a key called mykey in the .ssh directory …
1chmod 700 ${HOME}/.ssh
2chmod 600 ${HOME}/.ssh/mykey
