Now that you've deployed OpenStack from my previous post, it's time to configure OpenStack so that we can use it. This will be a short post showing you the commands necessary to create a functional external network for VM's to reach, along with users, local networking, updating security groups, creating flavors and images. It sounds like a lot, but it's easy to do with the CLI.
There are a lot of things that you might not know how to do with SSH that can be helpful. Here are a few tricks that I've learned over time....
Accidently deleted your public key? This command will regenerate the public key for you. ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub Need to convert that RSA key to a PEM key for a windows box? Here you go openssl req -x509 -new -key ~/.ssh/id_rsa -out id_rsa.pem Forgot how many bits that private key was? openssl rsa -text -noout -in ~/.ssh/id_rsa | grep Private-Key: Private-Key: (8192 bit) Have a few SSH keys and can't keep track of which goes to what server? Want an easier way to log into your servers?
vi ~/.ssh/config
#Insert these lines:
Host server1 192.168.1.100
HostName 192.168.1.100
IdentityFile ~/.ssh/id_rsa
User ubuntu
Host server2 192.168.1.150
HostName 192.168.1.150
IdentityFile ~/.ssh/id_rsa-2
User centos
Host server3 192.168.1.200
HostName 192.168.1.200
IdentityFile ~/.ssh/id_rsa-3
User dev
Once this is done, you can do things like: # To SSH into server1: ssh server1 # To copy a local file to server1: scp myfile server1:~ #sftp with options: sftp -oPort=24 server1 Need to forward local ports to a remote machine: ssh -L 3306:localhost:3306 username@hostname Some Helpful Commands: To determine how many bits your private key is: openssl rsa -text -noout -in id_rsa | grep Private-Key: Output: Private-Key: (8192 bit) To reproduce your public key in case you lost it: ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub To copy your public key to allow for passwordless SSH: ssh-copy-id -i ~/.ssh/id_rsa.pub username@remotehost To create a PEM file from id_rsa (Note: an existing private key is needed): openssl req -x509 -new -key id_rsa -out PEM_ID_RSA_FILE.pem Output: PEM_ID_RSA_FILE.pem To send a command over SSH: ssh user@ipaddress 'ls -lrt' To send a command over SSH that requires user interaction: ssh -t user@ipaddress 'top' References: https://linux.die.net/man/5/ssh_config https://stackoverflow.com/questions/2419566/best-way-to-use-multiple-ssh-private-keys-on-one-client https://serversforhackers.com/ssh-tricks
I know most of us just blindly type in ssh-keygen, go through the prompts and have our key. However, there is much more to it than that if you dig into it a little.
There are a few different types of cryptographic options available, RSA (default), DSA, ECDSA, ED25519, and RSA1. Some of these are stronger, cryptographically than RSA, others have known weaknesses. Then you can generate the number of bytes in some cases, use a passphrase, etc. So what do we use? How do we generate a suitable SSH key? And how do we know what is compatible with what we use? I've included a great graphic down below detailing what OS uses what OpenSSH version and which types of encryption is used. Lets start by issuing the command with options (both in bold with comments on the side): ssh-keygen #(choose one '-t' below) -t ed25519 # for greatest security (bits are a fixed size and -b flag will be ignored) -t rsa # for greatest portability (key needs to be greater than 4096 bits) -t ecdsa # faster than RSA or DSA (bits can only be 256, 284, or 521) -t dsa # DEEMED INSECURE - DSA limited to 1024 bit key as specified by FIPS 186-2, No longer allowed by default in OpenSSH 7.0+ -t rsa1 # DEEMED INSECURE - has weaknesses and shouldn't be used (used in protocol 1) -b 4096 # bit size -a 500 # rounds (should be no smaller than 64, result in slower passphrase verification and increased resistance to brute-force password cracking) -C "[email protected]" # comment.. -o # Saves key in new ED25519 format rather than more compatible PEM Format. New format increases resistance to brute-force password cracking but not support by OpenSSH prior to 6.5 Both ED25519 and ECDSA are signature algorithm based on elliptic curves, which means that they are capable of having an equivalent level of encryption using less bits. I will note that there are some hesitations around ECDSA due to a Sony hack and some improper used of the key generation. If you open up a key that was generated using one of these two, and compare it to an RSA, you'll see that the bits are significantly more with RSA. I used 500 rounds to help increase the brute-force time. A typical login will notice minimal delay when using 500 rounds, so it could be reduced if necessary or an older machine. However, be sure to keep it above 64 at a minimum. Example usage (in order of preference - security): ssh-keygen -o -a 500 -C "[email protected]" ssh-keygen -t rsa -a 500 -b 4096 -C "[email protected]" ssh-keygen -t ecdsa -a 500 -b 521 -C "[email protected]" Example usage (in order of preference - usability): ssh-keygen -t rsa -a 500 -b 4096 -C "[email protected]" ssh-keygen -t ecdsa -a 500 -b 521 -C "[email protected]" ssh-keygen -o -a 500 -C "[email protected]"
To verify: ssh-keygen -l -f ssh/id_ed25519 256 SHA256:2..............w [email protected] (ED25519) ^^^ ^^^^^^^^^^^^^^^^^ ^^^^^^^^^^ ^^^ |__ Size |__ Fingerprint |__ Comment |__ Type To copy public key: Using ssh-copy-id: ssh-copy-id username@remote_host
Manually, one-line:
cat ~/.ssh/id_rsa.pub | ssh username@remote_host "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
Manually, copying (appending) public string into auth keys:
echo public_key_string >> ~/.ssh/authorized_keys
Notes: NSA has requirements for what can be used on the different classifications. Their requirements are: RSA @ 3072 bits for all classifications. RSA1 is prohibited (it uses SSHv1 protocol which is deemed insecure) My two cents are for security, use the ED25519, but for compatibility, stick with the RSA. Resources: https://blog.cloudflare.com/ecdsa-the-digital-signature-algorithm-of-a-better-internet/ https://chealion.ca/2016/06/20/ssh-key-types-and-cryptography-the-short-notes/ https://www.digitalocean.com/community/tutorials/understanding-the-ssh-encryption-and-connection-process |
AuthorJames Benson is an IT professional. Archives
August 2022
Categories
All
|