SSH Keys/fr: Difference between revisions
No edit summary |
(Updating to match new version of source page) |
||
Line 3: | Line 3: | ||
''Page enfant de [[SSH/fr|SSH]]'' | ''Page enfant de [[SSH/fr|SSH]]'' | ||
== What are SSH keys? == | |||
<div class="mw-translate-fuzzy"> | |||
SSH utilise la cryptographie à clé publique (CP) ou [https://fr.wikipedia.org/wiki/Cryptographie_asym%C3%A9trique cryptographie asymétrique] pour sécuriser les connexions. Dans ce mode de cryptage, la clé qui est privée reste secrète et l'autre clé peut être divulguée à d'autres utilisateurs. Tous peuvent utiliser la clé publique pour encoder un message, mais seul le propriétaire de la clé privée peut utiliser sa clé privée pour le décodage. La clé publique permet aussi de valider l'identité d'un utilisateur. Voyons un exemple : Robert veut communiquer avec Alice qui dit posséder une clé privée, mais il veut s'assurer qu'Alice est bien celle qui le prétend. Robert peut utiliser la clé publique d'Alice pour lui envoyer un message codé et si Alice peut prouver à Robert que son message est compris, nous pouvons au moins en conclure qu'Alice est effectivement propriétaire de la clé privée. | SSH utilise la cryptographie à clé publique (CP) ou [https://fr.wikipedia.org/wiki/Cryptographie_asym%C3%A9trique cryptographie asymétrique] pour sécuriser les connexions. Dans ce mode de cryptage, la clé qui est privée reste secrète et l'autre clé peut être divulguée à d'autres utilisateurs. Tous peuvent utiliser la clé publique pour encoder un message, mais seul le propriétaire de la clé privée peut utiliser sa clé privée pour le décodage. La clé publique permet aussi de valider l'identité d'un utilisateur. Voyons un exemple : Robert veut communiquer avec Alice qui dit posséder une clé privée, mais il veut s'assurer qu'Alice est bien celle qui le prétend. Robert peut utiliser la clé publique d'Alice pour lui envoyer un message codé et si Alice peut prouver à Robert que son message est compris, nous pouvons au moins en conclure qu'Alice est effectivement propriétaire de la clé privée. | ||
</div> | |||
PK is based on a "keypair", which consists of a private part, to be kept secret, and a public part, which can be disseminated freely. | |||
Anyone can use the public key to encode a message, but the message can only be decoded with the private part. This is why PK is sometimes described as "asymmetric encryption". | |||
PK can also be used to verify identities: if someone is claiming to be Alice, then a second party, Bob, can send Alice a message encoded with Alice's public key. If the person claiming to be Alice can tell Bob what is in the message, then that person has access to Alice's private key. In this sense, possession of a private key establishes identity. | |||
Les systèmes à CP sont au cœur des protocoles SSL et TLS qui protègent la plupart de communications sur l'internet, dont les sites https. | Les systèmes à CP sont au cœur des protocoles SSL et TLS qui protègent la plupart de communications sur l'internet, dont les sites https. | ||
<div class="mw-translate-fuzzy"> | |||
CP a plusieurs usages sur nos grappes : | CP a plusieurs usages sur nos grappes : | ||
* Quand vous vous connectez à une grappe, votre client SSH utilise habituellement la clé publique de cette grappe pour vérifier que la connexion se fait au bon serveur. | * Quand vous vous connectez à une grappe, votre client SSH utilise habituellement la clé publique de cette grappe pour vérifier que la connexion se fait au bon serveur. | ||
* Une session cryptée peut être établie pour prévenir l'interception des messages échangés. | * Une session cryptée peut être établie pour prévenir l'interception des messages échangés. | ||
* Le serveur distant peut utiliser votre clé publique (qui se trouve dans le fichier <tt>.ssh/authorized_keys</tt> de votre répertoire /home) pour vérifier votre identité. Si cette vérification échoue, le serveur distant peut vous demander votre mot de passe. Il s'agit en réalité d'un mécanisme d'identification secondaire qui est plus risqué puisque votre mot de passe est potentiellement rendu vulnérable. | * Le serveur distant peut utiliser votre clé publique (qui se trouve dans le fichier <tt>.ssh/authorized_keys</tt> de votre répertoire /home) pour vérifier votre identité. Si cette vérification échoue, le serveur distant peut vous demander votre mot de passe. Il s'agit en réalité d'un mécanisme d'identification secondaire qui est plus risqué puisque votre mot de passe est potentiellement rendu vulnérable. | ||
</div> | |||
<div class="mw-translate-fuzzy"> | |||
Nous vous recommandons fortement d'utiliser l'authentification par CP. Il vous faudra travailler un peu plus sur la configuration, mais le résultat sera plus sécuritaire et plus pratique. | Nous vous recommandons fortement d'utiliser l'authentification par CP. Il vous faudra travailler un peu plus sur la configuration, mais le résultat sera plus sécuritaire et plus pratique. | ||
</div> | |||
<div class="mw-translate-fuzzy"> | |||
Pour l'authentification à l'aide de ces clés : | Pour l'authentification à l'aide de ces clés : | ||
# Générez la paire de clés (la clé privée et la clé publique). | # Générez la paire de clés (la clé privée et la clé publique). | ||
Line 19: | Line 33: | ||
# Vérifiez les permissions (voir [[Using_SSH_keys_in_Linux/fr|Utiliser des clés SSH sous Linux]]). | # Vérifiez les permissions (voir [[Using_SSH_keys_in_Linux/fr|Utiliser des clés SSH sous Linux]]). | ||
# Testez. | # Testez. | ||
</div> | |||
You should ideally generate a key pair on your own system - a system that you believe to be secure. | |||
The reason for this is that the private part is security-sensitive, so you should always minimize its exposure. | |||
When generating a key, you will be prompted you for a "passphrase". This is a string that is used to encrypt the private key. | |||
You should '''provide a strong passphrase''' that is memorable, and is not a password. This passphrase offers protection | |||
if the private key file is stolen. | |||
The specific process to generate an SSH key pair depends on the operating system you use. For the Windows Putty or MobaXterm clients, | |||
see [[Generating SSH keys in Windows]]. For a Unix-like environment (Linux, Mac, Windows Subsystem for Linux or Cygwin), see [[Using SSH keys in Linux]]. | |||
In addition if you are using the cloud, OpenStack provides a method for creating keypairs: see the [[Cloud_Quick_Start#SSH_key_pair|ssh key pair]] section on the Cloud Quick Start page. | |||
== Installing your key == | |||
To install the key, you must make the target/destination system aware of the public part of your key. | |||
On ComputeCanada, we have recently added a convenient new way to do this. You should visit: | |||
https://ccdb.computecanada.ca/ssh_authorized_keys | |||
This page will allow you to paste in the public key. Since both the public and private keys are plain text, | |||
you can examine them - for instance, | |||
cat .ssh/id_rsa.pub | |||
which should show something like this: | |||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGhczaUoV6SzR2VEf9Rp4/P9xHVU8S72CKHrwKU+Yntx user@machine | |||
Once your public key is loaded into CCDB this way, you can use it to login to any of our clusters. At present, | |||
OpenStack (cloud systems) do not read your key from CCDB as shown in the link above. | |||
Sometimes, you may encounter a key that is in an alternate format - for instance, as generated by some SSH clients. | |||
for instance, this is a public key in PEM format: | |||
-----BEGIN RSA PUBLIC KEY----- | |||
MIIBCgKCAQEAxFm+Fbs+szeV2Vg2T5ufg8az0jD9DD/A0iNLKef2/0gPULn1ebFQ | |||
SvQwts5ZGcza9t6l7fSKObz8FiAwXn+mdmXrxx3fQIepWa2FeCNbTkiKTTpNmERw | |||
H0v3RR3DpJd8cpg5jdJbINlqDUPdqXxZDPIyZuHbEYUiSrb1v5zscVdgVqhJYi9O | |||
OiEj7dPOLp1ko6s7TSgY8ejGnbmUL/gl+/dfhMNKdhLXMXWByucF1577rfAz3qPn | |||
4JMWrG5TCH7Jj8NpIxFhkV9Qjy40Ml81yDqMlbuE9CUZzVhATe8MdIvcXUQej8yl | |||
ddmNnAXmfTDwUd5cJ/VSMaKeq6Gjd/XDmwIDAQAB | |||
-----END RSA PUBLIC KEY----- | |||
and this is the same key in RFC4716 format: | |||
---- BEGIN SSH2 PUBLIC KEY ---- | |||
AAAAB3NzaC1yc2EAAAADAQABAAABAQDEWb4Vuz6zN5XZWDZPm5+DxrPSMP0MP8DSI0sp5/ | |||
b/SA9QufV5sVBK9DC2zlkZzNr23qXt9Io5vPwWIDBef6Z2ZevHHd9Ah6lZrYV4I1tOSIpN | |||
Ok2YRHAfS/dFHcOkl3xymDmN0lsg2WoNQ92pfFkM8jJm4dsRhSJKtvW/nOxxV2BWqEliL0 | |||
46ISPt084unWSjqztNKBjx6MaduZQv+CX791+Ew0p2EtcxdYHK5wXXnvut8DPeo+fgkxas | |||
blMIfsmPw2kjEWGRX1CPLjQyXzXIOoyVu4T0JRnNWEBN7wx0i9xdRB6PzKV12Y2cBeZ9MP | |||
BR3lwn9VIxop6roaN39cOb | |||
---- END SSH2 PUBLIC KEY ---- | |||
and finally in PKCS8 | |||
-----BEGIN PUBLIC KEY----- | |||
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxFm+Fbs+szeV2Vg2T5uf | |||
g8az0jD9DD/A0iNLKef2/0gPULn1ebFQSvQwts5ZGcza9t6l7fSKObz8FiAwXn+m | |||
dmXrxx3fQIepWa2FeCNbTkiKTTpNmERwH0v3RR3DpJd8cpg5jdJbINlqDUPdqXxZ | |||
DPIyZuHbEYUiSrb1v5zscVdgVqhJYi9OOiEj7dPOLp1ko6s7TSgY8ejGnbmUL/gl | |||
+/dfhMNKdhLXMXWByucF1577rfAz3qPn4JMWrG5TCH7Jj8NpIxFhkV9Qjy40Ml81 | |||
yDqMlbuE9CUZzVhATe8MdIvcXUQej8ylddmNnAXmfTDwUd5cJ/VSMaKeq6Gjd/XD | |||
mwIDAQAB | |||
-----END PUBLIC KEY----- | |||
This method of installing an ssh key makes the key available to all systems. This is convenient, and is often desired. | |||
There may be circumstances in which you want to install a key on a specific system. You can do this by making the key | |||
appear in a file in your home directory on that system. For instance, to install a key that only works on Cedar, | |||
you can install your public key in the .ssh/authorized_keys file on Cedar. Since your home directory is shared by | |||
all nodes on a particular system, this will permit login to any of Cedar's login nodes (but not automatically to any | |||
of the other clusters). On systems with OpenSSH, the "ssh-copy-id" command is a convenient way to properly install | |||
keys into your authorized_keys file: | |||
ssh-copy-id -i computecanada-key username@cedar.computecanada.ca | |||
The authorized_keys mechanism is standard, and almost universally used on the internet. It is however somewhat fragile: | |||
specifically, SSH is quite picky about the permissions on the authorized_keys file, as well as your home directory and the .ssh subdirectory. | |||
this is described further in [[Using_SSH_keys_in_Linux|using SSH keys in Linux]]. | |||
== Advanced Key Usage == | |||
=== SSH Key Agent === | |||
Although it's important to secure your private key by encrypting it with the passphrase, it is inconvenient to have to enter your | |||
passphrase every time you use the key. Rather than leaving the private key unencrypted, we strongly suggest using an SSH key agent. | |||
This allows you to type the passphrase when starting up the agent, after which the agent supplies the private key for new connections. | |||
This really just avoids storing the unencrypted private key permanently on storage, where it might be stolen or copied. | |||
== Advanced Key Generation == | |||
ssh-keygen shown above is using defaults, which are OK, but may not be ideal. | |||
for instance: | |||
* many people prefer a different key type (rather than the RSA default): | |||
ssh-keygen -t ed25519 | |||
* you can specify a comment for the key, which may be convenient for distinguishing among multiple keys: | |||
ssh-keygen -C 'computecanada systems' | |||
* you can choose the name of the key file: | |||
ssh-keygen -F computecanada-key | |||
(this produces a file "computecanada-key" containing the private part, and "computecanada-key.pub" for the public part. | |||
* you can choose longer keys for some key types such as RSA: | |||
ssh-keygen -t rsa -b 4096 | |||
== SSH Key constraints === | |||
The public key syntax permits you to provide a number of very useful constraints that limit what the key is allowed to do. | |||
By default, a public key installed without constraints can do anything. | |||
For instance, this public key: | |||
restrict,command="squeue --me" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGhczaUoV6SzR2VEf9Rp4/P9xHVU8S72CKHrwKU+Yntx | |||
can only perform one simple operation (showing whether you have any jobs in Slurm). An interesting example is: | |||
restrict,command="/usr/libexec/openssh/sftp-server" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGhczaUoV6SzR2VEf9Rp4/P9xHVU8S72CKHrwKU+Yntx | |||
which allows the key to be used only for SFTP, which is how sshfs works. | |||
The key constraint can also limit which hosts can connect using the key: | |||
restrict,from="d24-141-114-17.home.cgocable.net" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGhczaUoV6SzR2VEf9Rp4/P9xHVU8S72CKHrwKU+Yntx | |||
Limiting by hosts is a powerful way to minimize the danger posed by a key being compromised. In this case, the "restrict" keyword | |||
turns off "pty allocation", which makes an interactive session behave peculiarly. For a source-constrained interactive session: | |||
restrict,from="d24-141-114-17.home.cgocable.net",pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGhczaUoV6SzR2VEf9Rp4/P9xHVU8S72CKHrwKU+Yntx | |||
allows pty allocation. | |||
There are a large number of these key constraints, which are documented in the sshd man page ("man sshd" on a linux system). | |||
== PK Best Practices == | |||
- DO encrypt your private key. | |||
- DO avoid copying your private key. In particular, it should NOT appear on our clusters. | |||
- DO use ssh-agent to make encrypted keys convenient. | |||
- DO NOT use agent-forwarding if you can avoid it. With agent-forwarding, any intermediate system(s) become trusted. | |||
- DO apply constraints to your public key to make it less powerful (dangerous). | |||
Voyez aussi [https://www.youtube.com/watch?v=mRdqM1dgf3Q&feature=youtu.be ces courtes vidéos] sur comment configurer les clés SSH. | Voyez aussi [https://www.youtube.com/watch?v=mRdqM1dgf3Q&feature=youtu.be ces courtes vidéos] sur comment configurer les clés SSH. |
Revision as of 17:08, 18 March 2021
Page enfant de SSH
What are SSH keys?
SSH utilise la cryptographie à clé publique (CP) ou cryptographie asymétrique pour sécuriser les connexions. Dans ce mode de cryptage, la clé qui est privée reste secrète et l'autre clé peut être divulguée à d'autres utilisateurs. Tous peuvent utiliser la clé publique pour encoder un message, mais seul le propriétaire de la clé privée peut utiliser sa clé privée pour le décodage. La clé publique permet aussi de valider l'identité d'un utilisateur. Voyons un exemple : Robert veut communiquer avec Alice qui dit posséder une clé privée, mais il veut s'assurer qu'Alice est bien celle qui le prétend. Robert peut utiliser la clé publique d'Alice pour lui envoyer un message codé et si Alice peut prouver à Robert que son message est compris, nous pouvons au moins en conclure qu'Alice est effectivement propriétaire de la clé privée.
PK is based on a "keypair", which consists of a private part, to be kept secret, and a public part, which can be disseminated freely. Anyone can use the public key to encode a message, but the message can only be decoded with the private part. This is why PK is sometimes described as "asymmetric encryption".
PK can also be used to verify identities: if someone is claiming to be Alice, then a second party, Bob, can send Alice a message encoded with Alice's public key. If the person claiming to be Alice can tell Bob what is in the message, then that person has access to Alice's private key. In this sense, possession of a private key establishes identity.
Les systèmes à CP sont au cœur des protocoles SSL et TLS qui protègent la plupart de communications sur l'internet, dont les sites https.
CP a plusieurs usages sur nos grappes :
- Quand vous vous connectez à une grappe, votre client SSH utilise habituellement la clé publique de cette grappe pour vérifier que la connexion se fait au bon serveur.
- Une session cryptée peut être établie pour prévenir l'interception des messages échangés.
- Le serveur distant peut utiliser votre clé publique (qui se trouve dans le fichier .ssh/authorized_keys de votre répertoire /home) pour vérifier votre identité. Si cette vérification échoue, le serveur distant peut vous demander votre mot de passe. Il s'agit en réalité d'un mécanisme d'identification secondaire qui est plus risqué puisque votre mot de passe est potentiellement rendu vulnérable.
Nous vous recommandons fortement d'utiliser l'authentification par CP. Il vous faudra travailler un peu plus sur la configuration, mais le résultat sera plus sécuritaire et plus pratique.
Pour l'authentification à l'aide de ces clés :
- Générez la paire de clés (la clé privée et la clé publique).
- Copiez la clé publique de cette paire sur les serveurs auxquels vous voulez vous connecter et ajoutez la clé publique à votre fichier
authorized_keys
(voir Utiliser des clés SSH sous Linux). - Vérifiez les permissions (voir Utiliser des clés SSH sous Linux).
- Testez.
You should ideally generate a key pair on your own system - a system that you believe to be secure. The reason for this is that the private part is security-sensitive, so you should always minimize its exposure.
When generating a key, you will be prompted you for a "passphrase". This is a string that is used to encrypt the private key. You should provide a strong passphrase that is memorable, and is not a password. This passphrase offers protection if the private key file is stolen.
The specific process to generate an SSH key pair depends on the operating system you use. For the Windows Putty or MobaXterm clients, see Generating SSH keys in Windows. For a Unix-like environment (Linux, Mac, Windows Subsystem for Linux or Cygwin), see Using SSH keys in Linux. In addition if you are using the cloud, OpenStack provides a method for creating keypairs: see the ssh key pair section on the Cloud Quick Start page.
Installing your key
To install the key, you must make the target/destination system aware of the public part of your key. On ComputeCanada, we have recently added a convenient new way to do this. You should visit:
https://ccdb.computecanada.ca/ssh_authorized_keys
This page will allow you to paste in the public key. Since both the public and private keys are plain text, you can examine them - for instance,
cat .ssh/id_rsa.pub
which should show something like this:
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGhczaUoV6SzR2VEf9Rp4/P9xHVU8S72CKHrwKU+Yntx user@machine
Once your public key is loaded into CCDB this way, you can use it to login to any of our clusters. At present, OpenStack (cloud systems) do not read your key from CCDB as shown in the link above.
Sometimes, you may encounter a key that is in an alternate format - for instance, as generated by some SSH clients. for instance, this is a public key in PEM format:
-----BEGIN RSA PUBLIC KEY----- MIIBCgKCAQEAxFm+Fbs+szeV2Vg2T5ufg8az0jD9DD/A0iNLKef2/0gPULn1ebFQ SvQwts5ZGcza9t6l7fSKObz8FiAwXn+mdmXrxx3fQIepWa2FeCNbTkiKTTpNmERw H0v3RR3DpJd8cpg5jdJbINlqDUPdqXxZDPIyZuHbEYUiSrb1v5zscVdgVqhJYi9O OiEj7dPOLp1ko6s7TSgY8ejGnbmUL/gl+/dfhMNKdhLXMXWByucF1577rfAz3qPn 4JMWrG5TCH7Jj8NpIxFhkV9Qjy40Ml81yDqMlbuE9CUZzVhATe8MdIvcXUQej8yl ddmNnAXmfTDwUd5cJ/VSMaKeq6Gjd/XDmwIDAQAB -----END RSA PUBLIC KEY-----
and this is the same key in RFC4716 format:
---- BEGIN SSH2 PUBLIC KEY ---- AAAAB3NzaC1yc2EAAAADAQABAAABAQDEWb4Vuz6zN5XZWDZPm5+DxrPSMP0MP8DSI0sp5/ b/SA9QufV5sVBK9DC2zlkZzNr23qXt9Io5vPwWIDBef6Z2ZevHHd9Ah6lZrYV4I1tOSIpN Ok2YRHAfS/dFHcOkl3xymDmN0lsg2WoNQ92pfFkM8jJm4dsRhSJKtvW/nOxxV2BWqEliL0 46ISPt084unWSjqztNKBjx6MaduZQv+CX791+Ew0p2EtcxdYHK5wXXnvut8DPeo+fgkxas blMIfsmPw2kjEWGRX1CPLjQyXzXIOoyVu4T0JRnNWEBN7wx0i9xdRB6PzKV12Y2cBeZ9MP BR3lwn9VIxop6roaN39cOb ---- END SSH2 PUBLIC KEY ----
and finally in PKCS8
-----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxFm+Fbs+szeV2Vg2T5uf g8az0jD9DD/A0iNLKef2/0gPULn1ebFQSvQwts5ZGcza9t6l7fSKObz8FiAwXn+m dmXrxx3fQIepWa2FeCNbTkiKTTpNmERwH0v3RR3DpJd8cpg5jdJbINlqDUPdqXxZ DPIyZuHbEYUiSrb1v5zscVdgVqhJYi9OOiEj7dPOLp1ko6s7TSgY8ejGnbmUL/gl +/dfhMNKdhLXMXWByucF1577rfAz3qPn4JMWrG5TCH7Jj8NpIxFhkV9Qjy40Ml81 yDqMlbuE9CUZzVhATe8MdIvcXUQej8ylddmNnAXmfTDwUd5cJ/VSMaKeq6Gjd/XD mwIDAQAB -----END PUBLIC KEY-----
This method of installing an ssh key makes the key available to all systems. This is convenient, and is often desired. There may be circumstances in which you want to install a key on a specific system. You can do this by making the key appear in a file in your home directory on that system. For instance, to install a key that only works on Cedar, you can install your public key in the .ssh/authorized_keys file on Cedar. Since your home directory is shared by all nodes on a particular system, this will permit login to any of Cedar's login nodes (but not automatically to any of the other clusters). On systems with OpenSSH, the "ssh-copy-id" command is a convenient way to properly install keys into your authorized_keys file:
ssh-copy-id -i computecanada-key username@cedar.computecanada.ca
The authorized_keys mechanism is standard, and almost universally used on the internet. It is however somewhat fragile: specifically, SSH is quite picky about the permissions on the authorized_keys file, as well as your home directory and the .ssh subdirectory. this is described further in using SSH keys in Linux.
Advanced Key Usage
SSH Key Agent
Although it's important to secure your private key by encrypting it with the passphrase, it is inconvenient to have to enter your passphrase every time you use the key. Rather than leaving the private key unencrypted, we strongly suggest using an SSH key agent. This allows you to type the passphrase when starting up the agent, after which the agent supplies the private key for new connections. This really just avoids storing the unencrypted private key permanently on storage, where it might be stolen or copied.
Advanced Key Generation
ssh-keygen shown above is using defaults, which are OK, but may not be ideal. for instance:
- many people prefer a different key type (rather than the RSA default):
ssh-keygen -t ed25519
- you can specify a comment for the key, which may be convenient for distinguishing among multiple keys:
ssh-keygen -C 'computecanada systems'
- you can choose the name of the key file:
ssh-keygen -F computecanada-key
(this produces a file "computecanada-key" containing the private part, and "computecanada-key.pub" for the public part.
- you can choose longer keys for some key types such as RSA:
ssh-keygen -t rsa -b 4096
SSH Key constraints =
The public key syntax permits you to provide a number of very useful constraints that limit what the key is allowed to do. By default, a public key installed without constraints can do anything. For instance, this public key:
restrict,command="squeue --me" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGhczaUoV6SzR2VEf9Rp4/P9xHVU8S72CKHrwKU+Yntx
can only perform one simple operation (showing whether you have any jobs in Slurm). An interesting example is:
restrict,command="/usr/libexec/openssh/sftp-server" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGhczaUoV6SzR2VEf9Rp4/P9xHVU8S72CKHrwKU+Yntx
which allows the key to be used only for SFTP, which is how sshfs works.
The key constraint can also limit which hosts can connect using the key:
restrict,from="d24-141-114-17.home.cgocable.net" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGhczaUoV6SzR2VEf9Rp4/P9xHVU8S72CKHrwKU+Yntx
Limiting by hosts is a powerful way to minimize the danger posed by a key being compromised. In this case, the "restrict" keyword turns off "pty allocation", which makes an interactive session behave peculiarly. For a source-constrained interactive session:
restrict,from="d24-141-114-17.home.cgocable.net",pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGhczaUoV6SzR2VEf9Rp4/P9xHVU8S72CKHrwKU+Yntx
allows pty allocation.
There are a large number of these key constraints, which are documented in the sshd man page ("man sshd" on a linux system).
PK Best Practices
- DO encrypt your private key. - DO avoid copying your private key. In particular, it should NOT appear on our clusters. - DO use ssh-agent to make encrypted keys convenient. - DO NOT use agent-forwarding if you can avoid it. With agent-forwarding, any intermediate system(s) become trusted. - DO apply constraints to your public key to make it less powerful (dangerous).
Voyez aussi ces courtes vidéos sur comment configurer les clés SSH.