Generating and using an SSL client certificate with SSH / PuTTY / etc. (using a certificate from CACert.org)
When using SSH, especially with CVS from the command line, if you have not exchanged keys between the client and server, you have to keep entering your password each time you do a cvs operation over SSH. This can get annoying quickly. The same is true if you use ssh or scp from the Linux console a lot. One way around this is to generate your own DSA or RSA key and add the public key to the remote server's authorized_keys list. This successfully eliminates the need to type in a password each time you start an SSH session. However, the problem I find myself running into is that I keep misplacing previously generated keys. When I want to access a resource over SSH from a new client, I either have to (1) find and use a previously generated key, (2) generate yet another key, or (3) suffer through entering the password on each access for a while until I break down and act on #1 or #2.
I have decided to try to use a single key pair for all my ssh clients/servers, which means I have to be able to reuse the keys and not lose them as readily as in the past. There are many ways to accomplish this. The obvious one is storing the keys in a secure yet accessible location and pulling them from there whenever I am setting up a new client or server. Another is using a certificate issued by a signing authority, so that I can go back to the signing authority whenever I lose my cert and retrieve another copy of it. These usually cost $$, but there is at least one free provider: cacert.org. They generate free SSL certs for client, server, and domain use. I generated a client cert and exported it to a Linux box, extracted the key, and added it to the cvs server's authorized_keys list, and it all works the same as if I had generated the key from scratch on the Linux box, with one advantage: if I ever lose the private key again, I can get it again from my account on cacert.org.
Here are the steps on how to do this (these assume you want a password-free ssh session between two systems: a Linux client and a Linux server):
1. Become a member of cacert.org.
2. Generate a client certificate on cacert.org.
3. Install the certificate using an IE 5.x+ browser (anyone know how to do this with Firefox?).
4. Export the certificate from IE to a .pfx file (PKCS#12 format).
5. Upload the .pfx file to the Linux client.
6. On the Linux client, convert the PKCS#12 file to a PEM file: openssl pkcs12 -in somefile.pfx -out ~/.ssh/id_rsa
7. Enter the password you assigned during the export from IE, and then enter a password to protect the PEM file.
8. Run: chmod 600 ~/.ssh/id_rsa
9. You can choose to strip the password from the PEM file; otherwise you have to type it in every time you use this key (which kind of defeats the purpose of this whole exercise). Note that a key without a password is protected only by the file permissions from step 8.
10. To strip the password, run: openssl rsa -in ~/.ssh/id_rsa -out id_rsa.new; mv id_rsa.new ~/.ssh/id_rsa
11. You can now generate the public key from the private key: ssh-keygen -y -f ~/.ssh/id_rsa
12. Cut and paste the key on a new line in the ~/.ssh/authorized_keys file on the Linux server that you want to log into without having to enter a password.
13. If you ever lose your id_rsa file, repeat steps 2-9 to generate it again. You don't have to install the key on the remote servers again, because the public key has not changed.
14. If you ssh / scp from Windows clients, you can also add the key to them. PuTTY comes with Pageant, which can do this (PuTTYgen converts the PEM key into PuTTY's .ppk format first).
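The conversion steps above, collected into one function as an added example (this is not code from the original post). It assumes openssl and ssh-keygen are on PATH, takes the .pfx export password as an argument, and, like the optional password-stripping step, leaves the resulting key without a passphrase.

```shell
#!/bin/sh
# Added example, not from the original post. Turns a PKCS#12 (.pfx) export,
# such as the one the post creates from IE after enrolling at cacert.org,
# into an OpenSSH private key and prints the matching authorized_keys line.
# Assumes openssl and ssh-keygen are on PATH. As in the post's optional
# "strip the password" step, the written key has no passphrase, so file
# permissions are its only protection.
set -eu

# pfx_to_ssh_key <file.pfx> <export-password> <output-key-path>
# Writes the private key from the .pfx (certificate dropped, no passphrase)
# to <output-key-path> with mode 0600 and prints "ssh-rsa AAAA..." on stdout.
pfx_to_ssh_key() {
    pfx=$1; pass=$2; out=$3
    # Create files with 0600 from the start, so the key is never
    # world-readable even between the openssl and chmod steps.
    saved_umask=$(umask); umask 077
    tmp=$(mktemp)
    # -nocerts keeps only the private key; -nodes writes it unencrypted.
    # The password is passed through the environment, not the command
    # line, so it does not show up in the process list.
    # (OpenSSL 3 may need -legacy for very old .pfx files.)
    PFX_PASS=$pass openssl pkcs12 -in "$pfx" -passin env:PFX_PASS \
        -nocerts -nodes -out "$tmp"
    # Same normalisation as the post's "openssl rsa" step: drops the
    # "Bag Attributes" lines and leaves a plain PEM private key.
    openssl rsa -in "$tmp" -out "$out" 2>/dev/null
    rm -f "$tmp"
    chmod 600 "$out"
    umask "$saved_umask"
    # The SSH public key is derived from the private key, not from the cert;
    # this output is what goes on a new line in ~/.ssh/authorized_keys.
    ssh-keygen -y -f "$out"
}
```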