LinuxQuestions.org
LinuxQuestions.org > Forums > Linux Forums > Linux - Server
Linux - Server This forum is for the discussion of Linux Software used in a server related context.
Old 06-01-2011, 10:05 PM   #1
sneakyimp
Senior Member
 
Registered: Dec 2004
Posts: 1,056

Rep: Reputation: 78
SSH demands keys - trying to set up git server


I've got an Amazon EC2 compute instance with Ubuntu 11.04 running on it. I've managed to get my root key (the "ubuntu" user actually) set up so that I can SSH in from both my windows machine and my Ubuntu desktop.

The issue I'm having is that I'm trying to set up a git repository on this server to be accessed via SSH by a team of developers. I've created the first user, "jason", but jason cannot log in using the password I created for him because SSH on the server is set up to require a key file. I believe that's due to this setting in /etc/ssh/sshd_config:
Code:
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
I've got a few questions:
1) Can I allow users to login by setting that to "yes" and restarting ssh? Is this safe? Will passwords be transmitted as cleartext? What about root/ubuntu who (afaik) don't have any password yet -- are those accounts safe?

2) If it's not safe, what steps are required to allow "jason" to log in with a certificate? Obviously I need a key file but I tried using the key file that I created for the ubuntu/root user (when I created the compute instance) and it apparently doesn't work for "jason" -- it only works for "ubuntu". What are the steps? Where does the file go? Does it need to be stored on both the client and the server? Or does the server have a public key and the client have a private key?

3) How hard is it to set up my devs (using Windows, OSX, and linux) each with keys so that their various git clients (git-gui, gitk, git, TortoiseGit, eGit, etc) can interact with the repository via ssh? Do the clients need to know where the key file lives or do they just use ssh and ssh needs to know where the key file is?

Any help would be much appreciated.
 
Old 06-01-2011, 10:22 PM   #2
evo2
LQ Guru
 
Registered: Jan 2009
Location: Japan
Distribution: Mostly Debian and CentOS
Posts: 6,726

Rep: Reputation: 1706
Quote:
Originally Posted by sneakyimp View Post
1) Can I allow users to login by setting that to "yes" and restarting ssh? Is this safe? Will passwords be transmitted as cleartext? What about root/ubuntu who (afaik) don't have any password yet -- are those accounts safe?
Passwords will not be transmitted in plain text. In general you should disable root logins over ssh with the following entry in your /etc/ssh/sshd_config
Code:
PermitRootLogin no
Quote:
2) If it's not safe, what steps are required to allow "jason" to login with a certificate? Obviously I need a key file but I tried using the key file that I created for the ubuntu/root user (when I created the compute instance) and it apparently doesn't work for "jason" -- it only works for "ubuntu". What are the steps? Where does the file go? Does it need to be stored on both the client and the server? Or does the server have a public key and the client have a private key?
Get "jason" to give you his public key and then put it in his .ssh/authorized_keys file.

Quote:
3) How hard is it to set up my devs (using Windows, OSX, and linux) each with keys so that their various git clients (git-gui, gitk, git, TortoiseGit, eGit, etc) can interact with the repository via ssh? Do the clients need to know where the key file lives or do they just use ssh and ssh needs to know where the key file is?
How hard is it? Depends on how competent they are. The clients shouldn't need to care about what authentication (password/rsa/dsa etc) ssh is using.

Cheers,

Evo2.
 
Old 06-01-2011, 10:37 PM   #3
LMW
Member
 
Registered: Oct 2010
Location: Russia / USA
Distribution: Arch Linux
Posts: 36

Rep: Reputation: 2
Quote:
Originally Posted by sneakyimp View Post
[post #1 quoted in full]
Greetings,

Yes, you can do all that without a problem. SSH creates a secure channel through which it sends all packets. That's why you don't have to worry about security much. However, if I were you, I would check your hosts twice for rootkits and viruses: keyboard loggers can still intercept data from the keyboard.

Next, you can set your SSH port to something non-standard (it could be 22981 or any other port that is not reserved for existing software). You can also set your SSH server to listen on certain IP addresses / subnets. Check the "ListenAddress" directive and look through the ssh manual.

Then you can turn "root" login off. That means that only unprivileged users can log in, and an attempt to log in with root credentials will result in an error. After you log in with your standard account, you can use "sudo" (you can assign permissions for every person / group / host in "/etc/sudoers" in whatever way you want your users to behave) to differentiate every person, or you can log in with "root" credentials using the same "sudo" program.

You can also set your SSH server to accept SSH certificates. Doing it that way will free you (and your fellow devs) from retyping your password every time they log in. However, that could be a possible security hole, as anyone with ill intentions can access your server without being asked for a password. That's up to you.

Summarizing that short ssh security review, I would advise checking the ssh manual and Googling for articles.

More reading here:
http://www.linuxproblem.org/art_9.html
http://ubuntuforums.org/showthread.php?t=1132821

Best regards,
Konstantin
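The server-side half of what posts #2 and #3 describe, as an added example that is not code from the thread: a check that sshd_config really ends up with key-only logins and no root login (sshd uses the first occurrence of a directive, which is worth knowing before appending lines to the end of the file), and a helper that drops one developer's public key into that developer's own ~/.ssh/authorized_keys. The home directory, key file, authorized_keys options and owner are whatever the caller passes; none of them come from the thread. It also answers why the ubuntu key did not work for jason: authorized_keys is per account, so each account needs its own line.

```shell
#!/bin/sh
# Added example, not code from the thread. Server-side helpers for the points
# made in posts #2 and #3: key-only logins with no direct root login, and one
# developer's PUBLIC key installed into that developer's own authorized_keys.
# POSIX sh. Every path, option string and owner below is caller-supplied.

# Effective value of an sshd_config directive. sshd honours the FIRST
# uncommented occurrence of a keyword, so "PermitRootLogin no" appended at the
# bottom does nothing when an earlier line already says "yes". Match blocks
# are not understood here: a directive below a Match line is conditional.
sshd_effective() {
    # $1 = path to sshd_config, $2 = directive name (case-insensitive)
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        NF == 0 { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Exit 0 when the config answers question 1 the safe way; prints each finding.
check_sshd_hardening() {
    cfg="$1"; rc=0
    for want in PasswordAuthentication=no PermitRootLogin=no; do
        key=${want%=*}; val=${want#*=}
        got=$(sshd_effective "$cfg" "$key")
        if [ "$got" = "$val" ]; then
            echo "ok   $key $got"
        else
            echo "FAIL $key is '${got:-unset}', want $val"; rc=1
        fi
    done
    return $rc
}

# Append one OpenSSH one-line public key to <home>/.ssh/authorized_keys with
# modes that satisfy the default StrictModes yes check (sshd rejects anything
# group- or world-writable, or not owned by the account or root).
#   $1 = account home directory       $2 = file holding the public key line
#   $3 = optional authorized_keys options, e.g. for a git-only account:
#        no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty
#   $4 = optional owner user[:group], applied only when running as root
# The admin never needs the developer's private key or passphrase.
install_authorized_key() {
    home="$1"; pubfile="$2"; opts="$3"; owner="$4"
    # Keys pasted from Windows tools often carry CR line endings: strip them.
    line=$(head -n 1 "$pubfile" | tr -d '\r')
    case "$line" in
        *"PRIVATE KEY"*) echo "refusing $pubfile: that is a PRIVATE key" >&2; return 1 ;;
    esac
    # Expected shape: "type base64 [comment]". PuTTYgen's own multi-line public
    # key format is rejected on purpose; paste the OpenSSH one-liner it shows.
    if ! printf '%s\n' "$line" |
         grep -Eq '^(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'; then
        echo "refusing $pubfile: not a single-line OpenSSH public key" >&2; return 1
    fi
    ak="$home/.ssh/authorized_keys"
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh" || return 1
    touch "$ak" && chmod 600 "$ak" || return 1
    # Idempotent: the base64 blob identifies the key regardless of comment/options.
    blob=$(printf '%s\n' "$line" | awk '{ print $2 }')
    if grep -Fq -- " $blob" "$ak"; then
        echo "key already present in $ak"
    else
        entry="$line"
        [ -n "$opts" ] && entry="$opts $line"
        printf '%s\n' "$entry" >> "$ak" || return 1
        echo "installed key into $ak"
    fi
    # StrictModes also rejects files the account does not own.
    if [ -n "$owner" ] && [ "$(id -u)" = 0 ]; then
        chown -R "$owner" "$home/.ssh" || return 1
    fi
    return 0
}
```

Run as root on the server once jason has sent his id_rsa.pub, for instance install_authorized_key /home/jason /tmp/jason.pub "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty" jason:jason, then check_sshd_hardening /etc/ssh/sshd_config before reloading sshd. The restriction options suit an account that only ever runs git over ssh; leave them off for someone who also needs an interactive shell with forwarding.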
 
Old 06-01-2011, 10:56 PM   #4
sneakyimp
Senior Member
 
Registered: Dec 2004
Posts: 1,056

Original Poster
Rep: Reputation: 78
Thank you for your responses. It's a relief to know that passwords are not transmitted as clear text. Thanks for the good advice.

I have managed to get my Ubuntu desktop to connect to the remote server using keys. This page worked perfectly. However, I must repeat those steps for each developer on my team -- and, more importantly, they have to be able to use their various git clients (TortoiseGIT, git-gui, eGit, etc.) to use ssh to interact with my central git repository. I'm wondering how tough it will be to generate a cert file for each dev, distribute them all, and configure all those clients.
 
Old 06-01-2011, 10:59 PM   #5
LMW
Member
 
Registered: Oct 2010
Location: Russia / USA
Distribution: Arch Linux
Posts: 36

Rep: Reputation: 2
Quote:
Originally Posted by sneakyimp View Post
[post #4 quoted in full]
Please check the first link in my previous post.

Best regards,
Konstantin
 
Old 06-01-2011, 11:10 PM   #6
evo2
LQ Guru
 
Registered: Jan 2009
Location: Japan
Distribution: Mostly Debian and CentOS
Posts: 6,726

Rep: Reputation: 1706
Quote:
Originally Posted by sneakyimp View Post
However, I must repeat those steps for each developer on my team -- and, more importantly, they have to be able to use their various git clients (TortoiseGIT, git-gui, eGit, etc.) to use ssh to interact with my central git repository. I'm wondering how tough it will be to generate a cert file for each dev, distribute them all, and configure all those clients.
You don't generate keys for your devs: they do it, then they send you their public keys and you put them in the corresponding ~/.ssh/authorized_keys file for each user. You do not need their private keys and should not know their passphrases.

Also, the link you posted seems to advocate using dsa; however, it is current wisdom (please google if you want more info) that rsa is the better option.

Regarding the different git front ends, I can't say anything specific since I only use the standard command line git, but if a front end does not support using ssh, then IMNSHO it probably shouldn't be used.

Cheers,

Evo2.
 
Old 06-01-2011, 11:19 PM   #7
sneakyimp
Senior Member
 
Registered: Dec 2004
Posts: 1,056

Original Poster
Rep: Reputation: 78
Konstantin, the link you had in your post -- as far as I can tell -- is specific to a *nix machine. At least 2 of my devs will be running Windows systems which will not support those commands. Additionally, Windows doesn't natively support SSH afaik ... one must download PuTTY for an SSH session and I'm not really sure how the various git clients on Windows will implement their ssh connection. I'm still trying to figure out how to access my repository from Git Gui on a Windows machine. It apparently does let me generate key files.

evo2, thanks for the clarification. As I just mentioned, I'm trying to sort out configuration issues on a Windows machine. I'd also like to know how to set up eGit in Eclipse.
 
Old 06-01-2011, 11:35 PM   #8
LMW
Member
 
Registered: Oct 2010
Location: Russia / USA
Distribution: Arch Linux
Posts: 36

Rep: Reputation: 2
Quote:
Originally Posted by sneakyimp View Post
[post #7 quoted in full]
I'm not a pro with Git and Windows setups, but you can check that link. It seems there are lots of HOWTOs over the Internet, so you won't have a problem finding the one appropriate for you.

Best regards,
Konstantin
 
Old 06-02-2011, 01:01 AM   #9
sneakyimp
Senior Member
 
Registered: Dec 2004
Posts: 1,056

Original Poster
Rep: Reputation: 78
Making slow progress. Just have to sort out key generation details on Linux/Mac/Windows. Thanks for the response.
 
Old 06-02-2011, 06:03 PM   #10
sneakyimp
Senior Member
 
Registered: Dec 2004
Posts: 1,056

Original Poster
Rep: Reputation: 78
evo2: I tried keygen with -t rsa and -b 4096 and the server login failed.

I tried again with -b 2048 and it failed again.

I tried one more time with dsa and it worked just fine. Weird.

Interestingly, the key I generated using Git Gui on a Windows machine appears to be rsa (the public key starts with ssh-rsa) and that key seems to work. Not sure why the keygen fails on my Ubuntu 10.10 desktop for an Ubuntu 11.04 server. Weird.
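The developer-side half from post #6, plus two client-side explanations worth ruling out for the symptom in post #10, as an added example that is not code from the thread: a key written under a non-default file name is never offered unless ssh is told about it, and a private key readable by other users is refused outright ("UNPROTECTED PRIVATE KEY FILE"). The host name git.example.com, the account jason and the key paths are placeholders for this example; nothing here claims to describe how the original poster's machines were actually set up.

```shell
#!/bin/sh
# Added example, not code from the thread: what each developer does on THEIR
# machine. The private key stays there; only the .pub file goes to the admin.
# POSIX sh. Host, account and key paths are placeholders passed in by the caller.

# Key pair for this server only, kept apart from any other keys. Needs
# ssh-keygen and is not exercised by the checks below.
make_key() {
    # $1 = host, $2 = account on that host
    ssh-keygen -t rsa -b 4096 -f "$HOME/.ssh/id_rsa_$1" -C "$2 for $1"
}

# The ~/.ssh/config stanza that makes git, git-gui, gitk and any other client
# that shells out to OpenSSH pick the right key without being told about it.
# IdentitiesOnly stops ssh offering every agent key first; with several keys
# loaded that trips MaxAuthTries on the server before the right one is tried.
ssh_config_stanza() {
    # $1 = host, $2 = account, $3 = private key path
    cat <<EOF
Host $1
    User $2
    IdentityFile $3
    IdentitiesOnly yes
    PreferredAuthentications publickey
EOF
}

# Append the stanza to a config file unless a Host block for it already exists.
# ssh also refuses a config file that is group/world writable, hence chmod 600.
add_ssh_host() {
    # $1 = config path, $2 = host, $3 = account, $4 = private key path
    cfg="$1"
    mkdir -p "$(dirname "$cfg")" || return 1
    touch "$cfg" && chmod 600 "$cfg" || return 1
    hostre=$(printf '%s\n' "$2" | sed 's/\./\\./g')
    if grep -Eq "^[[:space:]]*Host[[:space:]]+$hostre([[:space:]]|\$)" "$cfg"; then
        echo "Host $2 already configured in $cfg"; return 0
    fi
    { [ -s "$cfg" ] && echo; ssh_config_stanza "$2" "$3" "$4"; } >> "$cfg"
}

# ssh ignores a private key whose mode grants group or others any access.
# Returns 0 when the mode is acceptable, otherwise says how to fix it.
private_key_mode_ok() {
    # $1 = private key path
    case "$(ls -l "$1")" in
        -r??------*) return 0 ;;
        *) echo "fix with: chmod 600 $1" >&2; return 1 ;;
    esac
}
```

Typical use on a developer's Linux or Mac box: make_key git.example.com jason, then add_ssh_host "$HOME/.ssh/config" git.example.com jason "$HOME/.ssh/id_rsa_git.example.com", send id_rsa_git.example.com.pub to the admin, and afterwards git clone jason@git.example.com:/path/to/repo.git works with no further client configuration. On Windows, Git Gui from msysgit uses OpenSSH and reads the same ~/.ssh/config; TortoiseGit defaults to its PuTTY-based TortoiseGitPlink and .ppk keys unless its SSH client is switched to ssh.exe, so a PuTTYgen key must be handed over in the OpenSSH one-line public format.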
 
Old 06-02-2011, 08:34 PM   #11
evo2
LQ Guru
 
Registered: Jan 2009
Location: Japan
Distribution: Mostly Debian and CentOS
Posts: 6,726

Rep: Reputation: 1706
You should check the logs (/var/log/auth.log) to find out why those RSA logins are failing. If you can't get enough information from that, you can run an instance of sshd in debug mode. It is probably best to run it on a different port, in parallel to the default sshd so that you don't accidentally lock yourself out of your server.

Eg.
Code:
server> /usr/sbin/sshd -p 22222 -d
And then try to connect
Code:
client> ssh -p 22222 server
Cheers,

Evo2.
 
Old 06-03-2011, 12:10 PM   #12
Reuti
Senior Member
 
Registered: Dec 2004
Location: Marburg, Germany
Distribution: openSUSE 15.2
Posts: 1,339

Rep: Reputation: 260
Or pass -vvv to ssh to get verbose output showing whether the client accesses the keys at all.
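Posts #11 and #12 say where to look; what follows is an added example, not code from the thread, that reads an auth.log the way you would while chasing the failed RSA logins above: who got in and who did not, by which method and from where, and which ~/.ssh paths sshd refused because of their ownership or modes. The log excerpt it runs on is constructed for the example (made-up host name, RFC 5737 documentation addresses), not taken from any real server.

```shell
#!/bin/sh
# Added example, not code from the thread. Summarises sshd lines from
# /var/log/auth.log. POSIX sh + awk, exercised on the constructed sample below.

# Constructed auth.log excerpt (sample data, not a real log). Note that a
# failed publickey attempt for a valid account is only logged at LogLevel
# VERBOSE until the failure count reaches half of MaxAuthTries; at the default
# INFO you see the "Authentication refused" line, if any, and the Accepted
# line, but nothing for a key sshd simply did not match.
write_sample_auth_log() {
    cat > "$1" <<'EOF'
Jun  2 18:01:12 ip-10-0-0-5 sshd[2211]: Authentication refused: bad ownership or modes for directory /home/jason/.ssh
Jun  2 18:01:12 ip-10-0-0-5 sshd[2211]: Failed publickey for jason from 203.0.113.7 port 51022 ssh2
Jun  2 18:01:20 ip-10-0-0-5 sshd[2215]: Accepted publickey for jason from 203.0.113.7 port 51030 ssh2
Jun  2 18:02:05 ip-10-0-0-5 sshd[2219]: Accepted publickey for ubuntu from 198.51.100.23 port 60122 ssh2
Jun  2 18:03:44 ip-10-0-0-5 sshd[2230]: Failed password for invalid user admin from 198.51.100.9 port 40011 ssh2
Jun  2 18:03:45 ip-10-0-0-5 sshd[2230]: Failed password for invalid user admin from 198.51.100.9 port 40011 ssh2
Jun  2 18:03:47 ip-10-0-0-5 sshd[2231]: Failed password for root from 198.51.100.9 port 40015 ssh2
EOF
}

# Tally "Accepted/Failed <method> for [invalid user] <user> from <ip>" lines.
# Output: count, outcome, method, user, source ip (tab-separated), busiest
# first. The syslog prefix is skipped by locating the sshd[pid]: field, so the
# timestamp format in front of it does not matter.
auth_summary() {
    awk '
        {
            for (i = 1; i <= NF; i++) if ($i ~ /^sshd\[[0-9]+\]:$/) break
            if (i > NF || ($(i+1) != "Accepted" && $(i+1) != "Failed")) next
            outcome = $(i+1); method = $(i+2)
            if ($(i+4) == "invalid") { user = $(i+6) " (invalid user)"; ip = $(i+8) }
            else                     { user = $(i+4);                   ip = $(i+6) }
            n[outcome "\t" method "\t" user "\t" ip]++
        }
        END { for (k in n) printf "%d\t%s\n", n[k], k }
    ' "$1" | sort -rn
}

# Count for one (outcome, method, user), e.g.: count_auth auth.log Failed password root
count_auth() {
    auth_summary "$1" |
        awk -F'\t' -v o="$2" -v m="$3" -v u="$4" \
            '$2 == o && $3 == m && $4 == u { s += $1 } END { print s + 0 }'
}

# Paths sshd refused under StrictModes: the usual answer to "my key is ignored".
# Fix with chmod 700 on the directory, chmod 600 on authorized_keys, and chown
# to the account that owns the home directory.
refused_paths() {
    awk '/Authentication refused: bad ownership or modes for / { print $NF }' "$1" | sort -u
}

# Source addresses with more than $2 failed attempts: candidates for a
# firewall rule, and the reason to keep PasswordAuthentication off.
noisy_sources() {
    auth_summary "$1" |
        awk -F'\t' -v min="$2" '$2 == "Failed" { f[$5] += $1 } END { for (ip in f) if (f[ip] > min) print ip }' |
        sort
}
```

On the real server: auth_summary /var/log/auth.log | head, then refused_paths /var/log/auth.log to see which directory or file sshd rejected for jason. If nothing at all is logged for the failed RSA attempts, raise LogLevel to VERBOSE in sshd_config so that failed key offers are logged, or run the parallel sshd -d from post #11, whose debug output names the authorized_keys file it reads and why a key was rejected.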
 