What is Key paring:
Normally we used to login to the respective linux system with their username and credentials.Consider if we have around 50 systems,we can't able to login with username and password every login,this will be somewhat boring.In order to make it simple we go for key paring.How we can do key paring:
- Generate a key in your local machine from the respective user and copy the key to the dest server by using below command
ssh-copy-id user@server _ip_address or hostname
- After the public key is transferred to the server, you can now go and disable password logon via SSH.Next, logon to the server and open the configuration file for SSH. To do that, run the commands below.
- Then make sure these lines are uncomment and value are set as shown below.
PubkeyAuthentication yes
AuthorizedKeyFile .ssh/authorized_keys
PasswordAuthentication no
AuthorizedKeyFile .ssh/authorized_keys
PasswordAuthentication no
- Restart the ssh server once your are done
/etc/init.d/ssh restart
What is Keychain:
keychain is a special bash script designed to make key-based authentication incredibly convenient and flexible. It offers various security benefits over passphrase-free keys.
keychain is a manager for ssh-agent, typically run from your local ~/.bash_profile.By Default,If you run longer scripts like DB snapshot may your ssh login will get broke off.
But with the help of keychain we can allows our shells and cron jobs to share a single ssh-agent process.By default,the ssh-agent started by keychain is long-running and will continue to run, even after you have logged out from the system.
Where Keychain helps us as in security:
If attacker broken into server with passphrase-free keys, all other servers / workstation linked with your keys are also under security risk (they can be easily breached). With keychain or ssh-agent attacker won’t able to touch your remote systems(servers) without breaking your passphrase.
Another example, if your laptop or hard disk stolen, an attacker can simply copy your key and use it anywhere as it is not protected by a passphrase.
How to set up keychain:
Install Keychain on CentOS / RHEL / Fedora Linux
# yum install keychain
Install Keychain on Debian / Ubuntu Linux
# apt-get update && apt-get install keychain
Install Keychain on FreeBSD
# portsnap fetch update
# cd /usr/ports/security/keychain
# make install clean
How Do I Use Keychain:
Once OpenSSH keys are configured with a pass phrase, Do the keyparing to the remote server. Login and verify.Once you are fine.Then update your local $HOME/.bash_profile file which is your personal initialization file, executed for login BASH shells:
# vi $HOME/.bash_profile or $ vi $HOME/.bashrc
Append the following code:
### START-Keychain ###
# Let re-use ssh-agent and/or gpg-agent between logins
/usr/bin/keychain $HOME/.ssh/id_dsa
source $HOME/.keychain/$HOSTNAME-sh
### End-Keychain ###
Now you’ve keychanin configured to call keychain tool every login. Just log out and log back in to server from your desktop to test your setup:
$ ssh root@xxx.yyy.in
Sample output:
* keychain 2.7.1 ~ http://www.funtoo.org
* Found existing ssh-agent: 10017
* Found existing gpg-agent: 20605
* Known ssh key: /home/techops/.ssh/id_rsa
[root@xxx.yyy.in ~]#
Testing the keychain:
Once logged in and verfied.Remove the local id_rsa file in your local system and try to login.Yeah you can able to login into the server without your id_rsa pass phrase file.Now you are protected.
So crackers can't able to penetrate to your remote servers with your passphrase keys.
How to Delete/Clear the ssh-agent's key:
Then how to clear the ssh-key which you generated,here is the command you can execute in your local.
# keychain --clear
No comments:
Post a Comment