06-01-2011, 10:05 PM | #1
Senior Member | Registered: Dec 2004 | Posts: 1,056
SSH demands keys - trying to set up git server
I've got an Amazon EC2 compute instance with Ubuntu 11.04 running on it. I've managed to get my root key (the "ubuntu" user actually) set up so that I can SSH in from both my windows machine and my Ubuntu desktop.
The issue I'm having is that I'm trying to set up a git repository on this server to be accessed via SSH by a team of developers. I've created the first user, "jason", but jason cannot log in using the password I created for him because SSH on the server is set up to require a key file. I believe that's due to this setting in /etc/ssh/sshd_config:
Code:
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
I've got a few questions:
1) Can I allow users to login by setting that to "yes" and restarting ssh? Is this safe? Will passwords be transmitted as cleartext? What about root/ubuntu who (afaik) don't have any password yet -- are those accounts safe?
2) If it's not safe, what steps are required to allow "jason" to login with a certificate? Obviously I need a key file but I tried using the key file that I created for the ubuntu/root user (when I created the compute instance) and it apparently doesn't work for "jason" -- it only works for "ubuntu". What are the steps? Where does the file go? Does it need to be stored on both the client and the server? Or does the server have a public key and the client have a private key?
3) How hard is it to set up my devs (using Windows, OSX, and linux) each with keys so that their various git clients (git-gui, gitk, git, TortoiseGit, eGit, etc) can interact with the repository via ssh? Do the clients need to know where the key file lives or do they just use ssh and ssh needs to know where the key file is?
Any help would be much appreciated.

06-01-2011, 10:22 PM | #2
LQ Guru | Registered: Jan 2009 | Location: Japan | Distribution: Mostly Debian and CentOS | Posts: 6,726
Quote (Originally Posted by sneakyimp):
1) Can I allow users to login by setting that to "yes" and restarting ssh? Is this safe? Will passwords be transmitted as cleartext? What about root/ubuntu who (afaik) don't have any password yet -- are those accounts safe?
Passwords will not be transmitted in plain text. In general you should disable root logins over ssh with the following entry in your /etc/ssh/sshd_config
Quote (Originally Posted by sneakyimp):
2) If it's not safe, what steps are required to allow "jason" to login with a certificate? Obviously I need a key file but I tried using the key file that I created for the ubuntu/root user (when I created the compute instance) and it apparently doesn't work for "jason" -- it only works for "ubuntu". What are the steps? Where does the file go? Does it need to be stored on both the client and the server? Or does the server have a public key and the client have a private key?
Get "jason" to give you his public key and then put it in his .ssh/authorized_keys file.
Quote (Originally Posted by sneakyimp):
3) How hard is it to set up my devs (using Windows, OSX, and linux) each with keys so that their various git clients (git-gui, gitk, git, TortoiseGit, eGit, etc) can interact with the repository via ssh? Do the clients need to know where the key file lives or do they just use ssh and ssh needs to know where the key file is?
How hard is it? Depends on how competent they are. The clients shouldn't need to care about what authentication (password/rsa/dsa etc) ssh is using.
Cheers,
Evo2.

06-01-2011, 10:37 PM | #3
Member | Registered: Oct 2010 | Location: Russia / USA | Distribution: Arch Linux | Posts: 36
Quote (Originally Posted by sneakyimp):
I've got an Amazon EC2 compute instance with Ubuntu 11.04 running on it. I've managed to get my root key (the "ubuntu" user actually) set up so that I can SSH in from both my windows machine and my Ubuntu desktop.
The issue I'm having is that I'm trying to set up a git repository on this server to be accessed via SSH by a team of developers. I've created the first user, "jason", but jason cannot log in using the password I created for him because SSH on the server is set up to require a key file. I believe that's due to this setting in /etc/ssh/sshd_config:
Code:
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
I've got a few questions:
1) Can I allow users to login by setting that to "yes" and restarting ssh? Is this safe? Will passwords be transmitted as cleartext? What about root/ubuntu who (afaik) don't have any password yet -- are those accounts safe?
2) If it's not safe, what steps are required to allow "jason" to login with a certificate? Obviously I need a key file but I tried using the key file that I created for the ubuntu/root user (when I created the compute instance) and it apparently doesn't work for "jason" -- it only works for "ubuntu". What are the steps? Where does the file go? Does it need to be stored on both the client and the server? Or does the server have a public key and the client have a private key?
3) How hard is it to set up my devs (using Windows, OSX, and linux) each with keys so that their various git clients (git-gui, gitk, git, TortoiseGit, eGit, etc) can interact with the repository via ssh? Do the clients need to know where the key file lives or do they just use ssh and ssh needs to know where the key file is?
Any help would be much appreciated.
Greetings,
Yes, you can do all that without a problem. SSH creates a secure channel, through which it sends all packets. That's why you don't have to worry about security much. However, if I were you, I would check your hosts twice for rootkits and viruses - keyboard loggers can still intercept data from the keyboard.
Next, you can set your SSH port to something non-standard (it could be 22981 or any other port that is not reserved for existing software). You can also set your SSH server to listen on certain IP addresses / subnets. Check the "ListenAddress" directive and look through the ssh manual.
Then you can turn "root" login off. That means that only unprivileged users can log in, and attempts to log in with root credentials will result in an error. After you log in with your standard account, you can use "sudo" (you can assign permissions for every person / group / host in "/etc/sudoers" in whatever way you like your users to behave) to differentiate every person, or you can log in with "root" credentials using the same "sudo" program.
You can also set your SSH server to accept SSH certificates. Doing it that way will free you (and your fellow devs) from retyping your password every time you log in. However, that could be a possible security hole, as anyone with ill intentions can access your server without being asked for a password. That's up to you.
Summarizing that short ssh security review, I would advise checking the ssh manual and Googling for articles.
More reading here:
http://www.linuxproblem.org/art_9.html
http://ubuntuforums.org/showthread.php?t=1132821
Best regards,
Konstantin
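As an added example, not from any poster in this thread: a small POSIX sh audit that reads the two sshd_config settings discussed above (PasswordAuthentication and root login) the way sshd itself does, where the first uncommented occurrence of a keyword wins and keywords are case-insensitive. The config text is a constructed sample, not sneakyimp's file, and Match blocks are out of scope.

```shell
#!/bin/sh
# Added example, not from the thread: resolve an sshd_config keyword the way
# sshd does (first uncommented occurrence wins; keywords are case-insensitive)
# and audit the two settings discussed above. Match blocks are not handled, and
# the "keyword value" form is assumed. SAMPLE_SSHD_CONFIG is a constructed
# sample, not the poster's file; note the later "PermitRootLogin no" is ignored.

SAMPLE_SSHD_CONFIG='# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
#PermitRootLogin no
PermitRootLogin without-password
PermitRootLogin no
PubkeyAuthentication yes'

# sshd_effective CONFIG_FILE KEYWORD -> prints the value sshd will use (nothing if unset)
sshd_effective() {
    kw=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v kw="$kw" '
        /^[ \t]*#/ || NF < 2 { next }            # skip comments and blank lines
        tolower($1) == kw { print $2; exit }     # first match wins, like sshd
    ' "$1"
}

# audit_sshd CONFIG_FILE -> prints OK/WARN per setting; returns 1 if anything warns
audit_sshd() {
    rc=0
    pa=$(sshd_effective "$1" PasswordAuthentication)
    prl=$(sshd_effective "$1" PermitRootLogin)
    # sshd defaults PasswordAuthentication to yes, so an unset keyword still warns
    if [ "$pa" = "no" ]; then
        echo "OK   PasswordAuthentication=no"
    else
        echo "WARN PasswordAuthentication=${pa:-unset (default yes)}"; rc=1
    fi
    # Anything but "no" lets root authenticate over ssh in some form
    if [ "$prl" = "no" ]; then
        echo "OK   PermitRootLogin=no"
    else
        echo "WARN PermitRootLogin=${prl:-unset}"; rc=1
    fi
    return $rc
}
```

Run it against the live file with `audit_sshd /etc/ssh/sshd_config` after any edit; a non-zero exit means one of the two settings is not what you intended.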

06-01-2011, 10:56 PM | #4
Senior Member | Registered: Dec 2004 | Posts: 1,056 | Original Poster
Thank you for your responses. It's a relief to know that passwords are not transmitted as clear text. Thanks for the good advice.
I have managed to get my Ubuntu desktop to connect to the remote server using keys. This page worked perfectly. However, I must repeat those steps for each developer on my team -- and, more importantly, they have to be able to use their various git clients (TortoiseGIT, git-gui, eGit, etc.) to use ssh to interact with my central git repository. I'm wondering how tough it will be to generate a cert file for each dev, distribute them all, and configure all those clients.

06-01-2011, 10:59 PM | #5
Member | Registered: Oct 2010 | Location: Russia / USA | Distribution: Arch Linux | Posts: 36
Quote (Originally Posted by sneakyimp):
Thank you for your responses. It's a relief to know that passwords are not transmitted as clear text. Thanks for the good advice.
I have managed to get my Ubuntu desktop to connect to the remote server using keys. This page worked perfectly. However, I must repeat those steps for each developer on my team -- and, more importantly, they have to be able to use their various git clients (TortoiseGIT, git-gui, eGit, etc.) to use ssh to interact with my central git repository. I'm wondering how tough it will be to generate a cert file for each dev, distribute them all, and configure all those clients.
Please check the first link in my previous post.
Best regards,
Konstantin

06-01-2011, 11:10 PM | #6
LQ Guru | Registered: Jan 2009 | Location: Japan | Distribution: Mostly Debian and CentOS | Posts: 6,726
Quote (Originally Posted by sneakyimp):
However, I must repeat those steps for each developer on my team -- and, more importantly, they have to be able to use their various git clients (TortoiseGIT, git-gui, eGit, etc.) to use ssh to interact with my central git repository. I'm wondering how tough it will be to generate a cert file for each dev, distribute them all, and configure all those clients.
You don't generate keys for your devs: they do it, then they send you their public keys and you put them in the corresponding ~/.ssh/authorized_keys file for each user. You do not need their private keys and should not know their passphrases.
Also, the link you posted seems to advocate using dsa; however, it is current wisdom (please google if you want more info) that rsa is the better option.
Regarding the different git front ends, I can't say anything specific since I only use the standard command line git, but if a front end does not support using ssh, then IMNSHO it probably shouldn't be used.
Cheers,
Evo2.
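The procedure Evo2 describes, as an added example that is not from the thread: a POSIX sh helper that installs a developer's public key line into that account's ~/.ssh/authorized_keys and sets the modes sshd's StrictModes check expects, rejecting anything that does not look like a public key. The key line and home directory used here are constructed; the optional OWNER argument is an assumption for when the helper runs as root.

```shell
#!/bin/sh
# Added example, not from the thread: install a developer's public key into the
# matching account's ~/.ssh/authorized_keys as Evo2 describes, with the modes
# sshd's StrictModes check expects. Key lines used in testing are constructed;
# a real one is the content of the developer's id_rsa.pub (or id_ed25519.pub).

# install_authorized_key HOME_DIR PUBKEY_LINE [OWNER]
# Appends PUBKEY_LINE to HOME_DIR/.ssh/authorized_keys if it looks like a public
# key and is not already present; returns 1 on a malformed line. OWNER, when
# given, is applied with chown (only meaningful when run as root).
install_authorized_key() {
    home_dir=$1
    pubkey=$2
    owner=$3
    # The base64 blob starts with an encoding of the key type, so the prefix
    # must agree with the type word; this also rejects pasted private keys.
    case "$pubkey" in
        "ssh-rsa AAAAB3NzaC1yc2E"*|"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5"*|"ssh-dss AAAAB3NzaC1kc3M"*) ;;
        *) echo "rejected: not a recognised public key line" >&2; return 1 ;;
    esac
    keydir=$home_dir/.ssh
    keyfile=$keydir/authorized_keys
    mkdir -p "$keydir"
    touch "$keyfile"
    # Conventional modes that satisfy StrictModes: private dir and file, and a
    # home directory that is not writable by group or others.
    chmod 700 "$keydir"
    chmod 600 "$keyfile"
    chmod go-w "$home_dir"
    # Ownership must match the account, or sshd refuses the key.
    if [ -n "$owner" ]; then
        chown "$owner" "$home_dir" "$keydir" "$keyfile"
    fi
    if grep -qxF "$pubkey" "$keyfile"; then
        echo "already present, nothing to do" >&2
        return 0
    fi
    printf '%s\n' "$pubkey" >> "$keyfile"
}

# count_authorized_keys HOME_DIR -> number of key lines installed for that account
count_authorized_keys() {
    f=$1/.ssh/authorized_keys
    [ -f "$f" ] || { echo 0; return; }
    grep -c '^ssh-' "$f"
}
```

Typical use on the server, as root: `install_authorized_key /home/jason "$(cat jason.pub)" jason`.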

06-01-2011, 11:19 PM | #7
Senior Member | Registered: Dec 2004 | Posts: 1,056 | Original Poster
Konstantin, the link you had in your post -- as far as I can tell -- is specific to a *nix machine. At least 2 of my devs will be running Windows systems which will not support those commands. Additionally, Windows doesn't natively support SSH afaik ... one must download PuTTY for an SSH session and I'm not really sure how the various git clients on Windows will implement their ssh connection. I'm still trying to figure out how to access my repository from Git Gui on a Windows machine. It apparently does let me generate key files.
evo2, thanks for the clarification. As I just mentioned, I'm trying to sort out configuration issues on a Windows machine. I'd also like to know how to set up eGit in Eclipse.

06-01-2011, 11:35 PM | #8
Member | Registered: Oct 2010 | Location: Russia / USA | Distribution: Arch Linux | Posts: 36
Quote (Originally Posted by sneakyimp):
Konstantin, the link you had in your post -- as far as I can tell -- is specific to a *nix machine. At least 2 of my devs will be running Windows systems which will not support those commands. Additionally, Windows doesn't natively support SSH afaik ... one must download PuTTY for an SSH session and I'm not really sure how the various git clients on Windows will implement their ssh connection. I'm still trying to figure out how to access my repository from Git Gui on a Windows machine. It apparently does let me generate key files.
I'm not a pro with GIT and Windows setups, but you can check that link. It seems there are lots of HOWTOs over the Internet, so you won't have a problem finding the one appropriate for you.
Best regards,
Konstantin
|

06-02-2011, 01:01 AM | #9
Senior Member | Registered: Dec 2004 | Posts: 1,056 | Original Poster
Making slow progress. Just have to sort out key generation details on Linux/Mac/Windows. Thanks for the response.

06-02-2011, 06:03 PM | #10
Senior Member | Registered: Dec 2004 | Posts: 1,056 | Original Poster
evo2: I tried keygen with -t rsa and -b 4096 and the server login failed.
I tried again with -b 2048 and it failed again.
I tried one more time with dsa and it worked just fine. Weird.
Interestingly, the key I generated using Git Gui on a Windows machine appears to be rsa (the public key starts with ssh-rsa) and that key seems to work. Not sure why the keygen fails on my Ubuntu 10.10 desktop for an Ubuntu 11.04 server. Weird.

06-02-2011, 08:34 PM | #11
LQ Guru | Registered: Jan 2009 | Location: Japan | Distribution: Mostly Debian and CentOS | Posts: 6,726
You should check the logs (/var/log/auth.log) to find out why those RSA logins are failing. If you can't get enough information from that, you can run an instance of sshd in debug mode. It is probably best to run it on a different port, in parallel to the default sshd, so that you don't accidentally lock yourself out of your server.
E.g.
Code:
server> /usr/sbin/sshd -p 22222 -d
And then try to connect:
Code:
client> ssh -p 22222 server
Cheers,
Evo2.
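Added example, not from the thread: before reaching for sshd -d, the auth.log triage below (POSIX sh with awk) summarises accepted and failed logins per user and method and lists any path sshd refused because of bad ownership or modes, which is the message StrictModes logs when a user's ~/.ssh permissions are wrong. The log lines are constructed samples in OpenSSH's wording, and the traditional syslog line prefix is assumed.

```shell
#!/bin/sh
# Added example, not from the thread: triage /var/log/auth.log for the failed
# key logins Evo2 says to look for, before falling back to sshd -d. The lines in
# SAMPLE_AUTH_LOG are constructed samples in OpenSSH's wording; the "bad
# ownership or modes" message is what sshd logs when StrictModes rejects a
# user's ~/.ssh permissions. A traditional syslog prefix ending in
# "sshd[PID]: " is assumed.

SAMPLE_AUTH_LOG='Jun  2 18:01:12 ip-10-0-0-5 sshd[2201]: Accepted publickey for ubuntu from 203.0.113.5 port 50122 ssh2
Jun  2 18:02:40 ip-10-0-0-5 sshd[2210]: Authentication refused: bad ownership or modes for directory /home/jason
Jun  2 18:02:40 ip-10-0-0-5 sshd[2210]: Failed publickey for jason from 203.0.113.5 port 50130 ssh2
Jun  2 18:03:05 ip-10-0-0-5 sshd[2215]: Failed password for invalid user admin from 198.51.100.9 port 41000 ssh2
Jun  2 18:04:11 ip-10-0-0-5 sshd[2220]: Accepted publickey for jason from 203.0.113.5 port 50140 ssh2'

# auth_summary LOGFILE -> one "outcome method user count" line per combination, sorted
auth_summary() {
    awk '
        /sshd\[[0-9]+\]: (Accepted|Failed) / {
            rest = $0
            sub(/.*sshd\[[0-9]+\]: /, "", rest)             # "Failed password for invalid user admin from ..."
            split(rest, w, " ")                              # w[1] = Accepted/Failed, w[2] = method
            user = rest
            sub(/^[^ ]+ [^ ]+ for (invalid user )?/, "", user)   # strip up to the user name
            sub(/ .*/, "", user)                                  # and everything after it
            n[w[1] " " w[2] " " user]++
        }
        END { for (k in n) print k, n[k] }
    ' "$1" | sort
}

# bad_modes_paths LOGFILE -> files or directories sshd refused for ownership/permission reasons
bad_modes_paths() {
    awk '/Authentication refused: bad ownership or modes for/ { print $NF }' "$1" | sort -u
}
```

A user whose home directory shows up in `bad_modes_paths /var/log/auth.log` has a key that will keep failing regardless of key type until the permissions on that path are corrected.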

06-03-2011, 12:10 PM | #12
Senior Member | Registered: Dec 2004 | Location: Marburg, Germany | Distribution: openSUSE 15.2 | Posts: 1,339
Or use -vvv with ssh to get verbose output showing whether the client accesses the keys at all.