
HOWTO: Use SSH and public/private keys to log in to vhosts


SSH Overview

  • We use ssh to securely log in to client vhosts and to enable password-free CVS/SVN access for developers
  • SSH is generally pre-installed on Mac OS X and Linux systems
  • Windows users are encouraged to switch to Ubuntu but we realize this may be problematic
    • See the section below on installing PuTTY for some guidelines

Variable Definitions

This page uses these two "variables" to make the examples easier:

  • LOCAL is the name of your personal 'sandbox' server that you are logged in to
  • REMOTE is the user name and server name of the virtual host (vhost) that you want to log in to, usually of the form w_client@client.civicactions.net

Logging in to Your Vhost

  • The best way to access a client's site is to log in directly to the client's vhost:
    ssh w_client@client.civicactions.net
  • If your client vhost has a custom domain name, you can use that instead:
    ssh w_shift@shiftinaction.com
  • These logins will not require a separate password once your SSH public identity key (e.g., ~/.ssh/id_rsa.pub) has been added to the client's .ssh/authorized_keys file by a system administrator or the project Tech Lead via the pull_keys script (see below on how to create this key).

Creating Your SSH Public/Private Key Pair

  • Important Security Note: this procedure should only be carried out on secure machines that you own and control, as it could allow anyone with access to your local machine's account full access to our production servers without needing a password for authentication (once you've started ssh-agent).
    • NEVER EVER use a blank or short (insecure) passphrase with this method!
  • This process gives you secure access from your local machine ("LOCAL") to a remote machine ("REMOTE") without needing to type in a password every time.
  • SSH offers this ability using the programs ssh-keygen and ssh-agent (or their equivalents, depending upon your operating system) and files in a .ssh directory in the home directory of each machine, VPS and/or vhost. A typical shell login will look like:
    ssh w_CLIENT@SITENAME.civicactions.net
  • Once you've created your SSH public/private key pair, send your public key to your TL, PM and/or a CivicActions system administrator and ask them to install your key in the global (accman) SSH key database and in the local (.pull_keys) database for the project(s) you are working on. This will enable easy and automatic login to the remote machines that you should have access to.

Linux and Mac OS X

  1. from a terminal window, generate your new local keys
    • run the ssh-keygen command on LOCAL with args for a 2048 bit RSA key
      LOCAL:~$ ssh-keygen -b 2048 -t rsa
    • Note: just hit ENTER when ssh-keygen asks for the file to save the key into (use the default)
    • Choose a good passphrase (and don't forget it!).
      • Important: The very minimum is an uncommon combination of three words (maybe misspelled), not something you would find in a piece of text, separated by weird punctuation or digits; 4+ words (also with additional weirdness) is much better.
  2. Set up keychain so that you are not asked for your passphrase every time
    • Adjust the timeout (minutes) as desired
    • Linux:
      LOCAL:~$ keychain id_rsa --timeout 60
      • Ubuntu tip: add this command to your startup programs (System -> Preferences -> Sessions -> Startup Programs)
    • Mac OS X 10.4 and earlier:
      • Download and install SSHKeychain, which works with the Apple Keychain to provide easy access. Note: this is no longer needed in OS X 10.5 (Leopard) and newer, as SSH keychain integration is now built in.

Windows

  1. You have three main choices (the following discussion is Putty based, as that's the most "windows-like" of these options)
    • Putty: it's easiest to grab the putty-0.62-installer.exe (or whatever the latest stable version is)
    • Cygwin: which also gives you lots of UNIX-like capabilities (e.g., Bash shell, grep, etc.)
    • OpenSSH for Windows: a minimal OpenSSH server and client utilities in the Cygwin package without needing the full Cygwin installation. The OpenSSH for Windows package provides full SSH/SCP/SFTP support. SSH terminal support provides a familiar Windows Command prompt, while retaining Unix/Cygwin-style paths for SCP and SFTP.
  2. Download and install PuTTY on LOCAL (e.g., your Windows machine)
    1. Go to http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html, and pick the file putty-<version>-installer.exe (where <version> is the current version - at the time of this writing it was 0.58).
    2. Choose to install the PuTTY suite right away, modifying installation paths to your liking.
  3. Create an SSH2 DSA public/private key with 1024 bits
    1. Launch PuTTyGen. Select SSH2 RSA key type and click "Generate".
    2. Copy the displayed public key to your clipboard (select and CTRL-C)
    3. Save your public and private keys somewhere you won't forget
  4. Tell PuTTy that your session uses SSH2 by default
    • This is done in the PuTTY Configuration window
    • Note that this setting is a per session setting, so you'll need to put it on all the sessions you'll use.
  5. Start Pageant so that you don't have to type your private key pass phrase every time
    • Launch Pageant - it will be displayed as a small icon in the tray bar.
    • Right click on this icon and select "Add key". Choose the private key that you saved before

You should now be able to log in using PuTTY without entering either a password or a passphrase.

TortoiseSVN

How to Convert OpenSSH to SSH2 and vice versa

(from http://burnz.wordpress.com/2007/12/14/ssh-convert-openssh-to-ssh2-and-vise-versa/)

Convert OpenSSH key to SSH2 key

Run the OpenSSH version of ssh-keygen on your OpenSSH public key to convert it into the format needed by SSH2 on the remote machine. This must be done on the system running OpenSSH.

ssh-keygen -e -f ~/.ssh/id_dsa.pub > ~/.ssh/id_dsa_ssh2.pub

Convert SSH2 key to OpenSSH key

Run the OpenSSH version of ssh-keygen on your ssh2 public key to convert it into the format needed by OpenSSH. This needs to be done on the system running OpenSSH.

ssh-keygen -i -f ~/.ssh/id_dsa_1024_a.pub > ~/.ssh/id_dsa_1024_a_openssh.pub
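The two ssh-keygen conversions above and the earlier step where an administrator installs a developer's public key into authorized_keys both deal with the same public-key blob. The following is an added example (not part of this page, the pull_keys script, or ssh-keygen) that parses that blob: it checks a key line before it is added to authorized_keys (declared type matches the type inside the blob, RSA modulus is at least 2048 bits, matching the ssh-keygen -b 2048 step above) and performs the OpenSSH to RFC 4716 (SSH2) conversion in both directions. The sample key is constructed in code and is not a real key; the function names and the dev@LOCAL comment are assumptions.

```python
import base64
import struct
import textwrap

def ssh_string(b: bytes) -> bytes:  # SSH wire-format string: 4-byte big-endian length + data
    return struct.pack(">I", len(b)) + b
def ssh_mpint(n: int) -> bytes:  # SSH mpint: big-endian, extra leading 0x00 when the high bit is set
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))
def read_ssh_string(blob: bytes, off: int):  # -> (data, offset just past it)
    end = off + 4 + struct.unpack_from(">I", blob, off)[0]
    return blob[off + 4:end], end
def constructed_sample_key(bits: int = 2048) -> str:  # constructed fake key: a `bits`-long integer, not a real modulus
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint((1 << (bits - 1)) | 1)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " dev@LOCAL"

def parse_openssh_line(line: str):
    """Split an id_*.pub / authorized_keys line into (type, raw blob, comment)."""
    ktype, b64, *rest = line.split(None, 2)
    return ktype, base64.b64decode(b64, validate=True), (rest[0].strip() if rest else "")

def check_public_key(line: str, min_rsa_bits: int = 2048) -> dict:
    """Pre-authorized_keys check: declared type matches the blob; RSA modulus >= min_rsa_bits (page: -b 2048)."""
    ktype, blob, comment = parse_openssh_line(line)
    embedded, off = read_ssh_string(blob, 0)
    if embedded.decode() != ktype:
        raise ValueError(f"type mismatch: {ktype} vs {embedded.decode()}")
    bits = None
    if ktype == "ssh-rsa":
        _e, off = read_ssh_string(blob, off)       # public exponent
        n_bytes, off = read_ssh_string(blob, off)  # modulus
        bits = int.from_bytes(n_bytes, "big").bit_length()
        if bits < min_rsa_bits or off != len(blob):
            raise ValueError(f"bad RSA key: {bits} bits, {len(blob) - off} trailing bytes")
    return {"type": ktype, "bits": bits, "comment": comment}

def openssh_to_rfc4716(line: str) -> str:
    """What `ssh-keygen -e` does: the same blob wrapped in RFC 4716 (SSH2) armour."""
    ktype, blob, comment = parse_openssh_line(line)
    headers = [f'Comment: "{comment}"'] if comment else []
    body = textwrap.wrap(base64.b64encode(blob).decode(), 70)
    return "\n".join(["---- BEGIN SSH2 PUBLIC KEY ----", *headers, *body, "---- END SSH2 PUBLIC KEY ----"]) + "\n"

def rfc4716_to_openssh(text: str) -> str:
    """What `ssh-keygen -i` does: strip armour and ':' header lines (base64 has no ':'), rebuild one line."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    blob = base64.b64decode("".join(l for l in lines if "----" not in l and ":" not in l), validate=True)
    ktype, _ = read_ssh_string(blob, 0)
    comment = next((l.split(":", 1)[1].strip().strip('"') for l in lines if l.startswith("Comment:")), "")
    return " ".join(p for p in (ktype.decode(), base64.b64encode(blob).decode(), comment) if p)
```

Backslash-continued RFC 4716 header lines are not handled; a real id_rsa.pub line can be passed to check_public_key or openssh_to_rfc4716 in place of the constructed sample.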
