rsnt_translations
56,430
edits
SSH Keys: Difference between revisions
no edit summary
No edit summary |
No edit summary |
||
| Line 159: | Line 159: | ||
<!--T:48--> | <!--T:48--> | ||
When you generate a key, the default settings are usually sufficient. However, here are a few options which may be of interest. We demonstrate these options here using <code>ssh-keygen</code> as described in [[Using SSH keys in Linux]], but the same options are available if you are using a graphical interface as described in [[Generating SSH keys in Windows]]. | When you generate a key, the default settings are usually sufficient. However, here are a few options which may be of interest. We demonstrate these options here using <code>ssh-keygen</code> as described in [[Using SSH keys in Linux]], but the same options are available if you are using a graphical interface as described in [[Generating SSH keys in Windows]]. | ||
* You can specify a comment for the key, which may be helpful if you have multiple keys | * You can specify a comment for the key, which may be helpful if you have multiple keys. | ||
ssh-keygen -C 'Alliance systems' | ssh-keygen -C 'Alliance systems' | ||
* You can also choose the name of the key file | * You can also choose the name of the key file. | ||
ssh-keygen -f alliance-key | ssh-keygen -f alliance-key | ||
This produces a file <code>alliance-key</code> containing the private part, and <code>alliance-key.pub</code> for the public part. If you do this, though, you may have to use the <code>-i</code> option to specify the name of the key when logging in, like this: <code>ssh -i alliance-key user@host</code> | This produces a file <code>alliance-key</code> containing the private part, and <code>alliance-key.pub</code> for the public part. If you do this, though, you may have to use the <code>-i</code> option to specify the name of the key when logging in, like this: <code>ssh -i alliance-key user@host</code> | ||
* There are sometimes reasons to choose a different key type (rather than the RSA default) | * There are sometimes reasons to choose a different key type (rather than the RSA default). | ||
ssh-keygen -t ed25519 | ssh-keygen -t ed25519 | ||
* You can strengthen certain key types, such as RSA, by setting a longer key length | * You can strengthen certain key types, such as RSA, by setting a longer key length. | ||
ssh-keygen -t rsa -b 4096 | ssh-keygen -t rsa -b 4096 | ||
| Line 172: | Line 172: | ||
The public key syntax permits you to provide a number of very useful constraints that limit what the key is allowed to do. | The public key syntax permits you to provide a number of very useful constraints that limit what the key is allowed to do. | ||
By default, a public key installed without constraints can do anything. | By default, a public key installed without constraints can do anything. | ||
For instance, this public key | For instance, this public key | ||
restrict,command="squeue --me" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGhczaUoV6SzR2VEf9Rp4/P9xHVU8S72CKHrwKU+Yntx | restrict,command="squeue --me" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGhczaUoV6SzR2VEf9Rp4/P9xHVU8S72CKHrwKU+Yntx | ||
can only perform one simple operation (showing whether you have any jobs in Slurm). An interesting example is | can only perform one simple operation (showing whether you have any jobs in Slurm). An interesting example is | ||
restrict,command="/usr/libexec/openssh/sftp-server" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGhczaUoV6SzR2VEf9Rp4/P9xHVU8S72CKHrwKU+Yntx | restrict,command="/usr/libexec/openssh/sftp-server" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGhczaUoV6SzR2VEf9Rp4/P9xHVU8S72CKHrwKU+Yntx | ||
which allows the key to be used only for SFTP, which is how sshfs works. | which allows the key to be used only for SFTP, which is how sshfs works. | ||
<!--T:28--> | <!--T:28--> | ||
The key constraint can also limit which hosts can connect using the key | The key constraint can also limit which hosts can connect using the key. | ||
restrict,from="d24-141-114-17.home.cgocable.net" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGhczaUoV6SzR2VEf9Rp4/P9xHVU8S72CKHrwKU+Yntx | restrict,from="d24-141-114-17.home.cgocable.net" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGhczaUoV6SzR2VEf9Rp4/P9xHVU8S72CKHrwKU+Yntx | ||
Limiting by hosts is a powerful way to minimize the danger posed by a key being compromised. In this case, the | Limiting by hosts is a powerful way to minimize the danger posed by a key being compromised. In this case, the <code>restrict</code> keyword | ||
turns off | turns off <code>pty allocation</code>, which makes an interactive session behave peculiarly. For a source-constrained interactive session. | ||
restrict,from="d24-141-114-17.home.cgocable.net",pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGhczaUoV6SzR2VEf9Rp4/P9xHVU8S72CKHrwKU+Yntx | restrict,from="d24-141-114-17.home.cgocable.net",pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGhczaUoV6SzR2VEf9Rp4/P9xHVU8S72CKHrwKU+Yntx | ||
allows pty allocation. | allows pty allocation. | ||