www.bonsaiframework.com
Page tree

Versions Compared

Old Version 78

changes.mady.by.user Tin Pham

Saved on

compared with

New Version Current

changes.mady.by.user Tin Pham

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

In the very first attempt, I like to trouble-shoot with a Unix or Linux command line client using the -v verbose option. Here's what a proper connection looks like coming form my mac Mac to the bonsaiframework,

Code Block
languagebash
titleWorking ssh with verbose command.
collapsetrue
ssh -v www.bonsaiframework.com
OpenSSH_7.4p1, LibreSSL 2.5.0
debug1: Reading configuration data /Users/tin.pham/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to www.bonsaiframework.com [52.184.187.123] port 22.
debug1: Connection established.
debug1: identity file /Users/tin.pham/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/tin.pham/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/tin.pham/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/tin.pham/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/tin.pham/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/tin.pham/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/tin.pham/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /Users/tin.pham/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2p2 Ubuntu-4ubuntu2.1
debug1: match: OpenSSH_7.2p2 Ubuntu-4ubuntu2.1 pat OpenSSH* compat 0x04000000
debug1: Authenticating to www.bonsaiframework.com:22 as 'tin.pham'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:8MQQ0Cd0AG3WEQdOhnOalK0z7XmGW6PE6s+1sa7Gb0Y
debug1: Host 'www.bonsaiframework.com' is known and matches the ECDSA host key.
debug1: Found key in /Users/tin.pham/.ssh/known_hosts:20
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/tin.pham/.ssh/id_rsa
debug1: Server accepts key: pkalg rsa-sha2-512 blen 277
debug1: Authentication succeeded (publickey).
Authenticated to www.bonsaiframework.com ([52.184.187.123]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0

The key values to notice are the loading of the proper key files, that RSA is being used and the "offering" of the key completes successfully. You should not need to type in your account password if your keys are working.

Disable Password Authentication

...

Code Block
languagebash
# Since this is a critical file, back it up first.
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.2011-02-12.v0.0.tinpham_about_to_disable_password_auth.bck
# Load the file in your favourite editor.
sudo vi /etc/ssh/sshd_config

Adjust We can modify sshd_config quickly using sed,

Code Block
languagebash
sudo sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config

Changes the following,

Code Block
languagebash
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

Remove the comment Uncomment and change yes to no. It should look like this,

...

The Permission denied indicates that password authentication is now disabled.

Key Compromise

...

Strategies

Reusing Public Keys Across Machines

You can actually reuse public keys across machines. With this approach, you only need to keep track of one private key per user. Of course, this also means if your private key is compromised all your systems are accessible with the one key.

Key Compromise

  • ... revoking keys
  • ... strategies for centralizing key management and then also pitfalls
  • ... is it possible to force password protected private keys

Resources

http://www.ibm.com/developerworks/library/l-keyc.html - pretty good article, I think I can improve it, shorter, clearly show when running on client or server.

...