SSH Logins

There are easy ways and there are smart ways. Today we take a look at the smart way: using ssh-keygen and the SSH config file. Instead of typing ssh maria@37.27.172.245 -p 12345, just type ssh newwebsite.


Create your keys

One fundamental thing in using SSH is keys. With a key you can log in without typing a password, which also makes the login safer.
A key can also have a password of its own for extra security; see my other post.

It's not safe to use RSA keys anymore – use ED25519

Generate a key

Basic keys

ssh-keygen -t ed25519

Distribute the key to a cluster

Well, it is more secure to use separate keys for each server, but I consider a cluster one unit. We also use one username and one password for the whole cluster. You are free to agree or disagree.

List of Servers

List all your servers in a file, and then one script copies the key to all of them. You can use any combination of:

  • a resolvable DNS name (node01)
  • a FQDN (node01.example.com)
  • or the IP address of the server (192.0.2.40)
nano cluster_servers
node01.example.com
node02.example.com
node03.example.com
node04.example.com
node05.example.com
node06.example.com
node07.example.com
node08.example.com
node09.example.com

Enter your servers into the file cluster_servers, one per line.

Create the Script

nano copymykey.sh
#!/bin/bash
# Copy the local Ed25519 public key to every server listed in cluster_servers.
# Needs sshpass and ssh-copy-id on the machine you run it from.
set -u
clear
echo ""
echo "Copy the SSH-key to your Cluster-Servers"
echo "----------------------------------------"
echo "Enter username and password for your servers:"
read -rp 'Username: ' uvar
read -rsp 'Password: ' pwvar
echo ""   # -s hides the password and suppresses the newline, so print one here
# One server per line in cluster_servers (word-split, so names must not contain spaces)
for server in $(< cluster_servers); do
    # StrictHostKeyChecking=no accepts the host key of a server not yet in known_hosts without asking
    sshpass -p "${pwvar}" ssh-copy-id -i ~/.ssh/id_ed25519.pub -o StrictHostKeyChecking=no "${uvar}@${server}"
done
echo "SSH-Keys copied."

The id_ed25519.pub file is exactly what the extension says – a public key. You can share it with anyone or post it wherever you please.

Make the copymykey.sh file executable
chmod 700 copymykey.sh

Adding Servers

Edit the cluster_servers file and re-run the script.

Now you do not need to type your password anymore; you are logged in securely using your private SSH key (id_ed25519).

Remember to keep the SSH key secure and never expose the id_ed25519 file to anyone.

The next level

Create the SSH config file

nano ~/.ssh/config
# My personal SSH config, showing examples of the syntax
Host 192.0.2.* !192.0.2.40 !*docker*
  StrictHostKeyChecking no
  UserKnownHostsFile=/dev/null
  User myname

Host *pvenode*
  StrictHostKeyChecking no
  UserKnownHostsFile=/dev/null
  User root
  IdentityFile ~/.ssh/proxmox

Host *k8s-pod*
  StrictHostKeyChecking no
  UserKnownHostsFile=/dev/null
  User spacecowboy
  IdentityFile ~/.ssh/k3s_key

Host *docker*
  StrictHostKeyChecking no
  UserKnownHostsFile=/dev/null
  User dockeruser
  IdentityFile ~/.ssh/docker

Host 192.0.2.40
  Hostname mynas
  StrictHostKeyChecking no
  UserKnownHostsFile=/dev/null
  User boss

Host 10.10.10.10 controller
  User boss
  IdentityFile ~/.ssh/ansible

Host alp01
  ForwardAgent no
  HostName 10.10.10.251
  RemoteCommand ssh [email protected]
  User alpboss
  RequestTTY yes

Host newwebsite
  Hostname 37.27.172.245
  User maria
  Port 12345

HostName 192.168.10.20
  User obelix
  LogLevel INFO
  Compression yes
chmod 600 ~/.ssh/config

Explanations

  • 192.0.2.* – all machines in 192.0.2.1-255, which is a local net
  • *node* – any host with node in its name
  • ? – matches exactly one character; the pattern Host 10.10.0.? matches all hosts in the 10.10.0.[0-9] range
  • !192.0.2.40 – excludes 192.0.2.40 from the pattern list
  • StrictHostKeyChecking no – will not prompt to save the host key in known_hosts
  • UserKnownHostsFile=/dev/null – don't write the host key to the known_hosts file
  • User – you guessed it, the user name for a server or a group of servers
  • IdentityFile ~/.ssh/filename – use a different SSH key pair for this host or group

Usage

Instead of typing ssh maria@37.27.172.245 -p 12345, just type ssh newwebsite.
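As an added example (not code from the original post), here is a small POSIX shell resolver that applies the Host matching rules explained above, so you can see which user, hostname and port ssh will pick for an alias such as newwebsite before connecting. It writes a constructed subset of the config above to a temp file, assumes the rules first-value-wins and any-positive-match-and-no-negated-match, and handles only Host blocks, not Match.

```shell
#!/bin/sh
# Added example, not from the original post: resolve an alias the way ssh reads its config. The first
# value found for a keyword wins; a Host line matches when one pattern matches and no "!" pattern does.
set -f   # no globbing: Host patterns such as 192.0.2.* must never expand against the filesystem
# host_matches NAME PATTERN...  ->  exit 0 when the Host pattern list matches NAME
host_matches() {
    name=$1; shift; hit=1
    for pat in "$@"; do
        case $pat in
            !*) neg=${pat#!}; case $name in $neg) return 1 ;; esac ;;   # a negated match excludes
            *)  case $name in $pat) hit=0 ;; esac ;;                     # a positive match selects
        esac
    done
    return $hit
}
# resolve CONFIG ALIAS KEYWORD  ->  prints the effective value, exit 1 if it is unset
resolve() {
    cfg=$1; target=$2; want=$(printf '%s' "$3" | tr 'A-Z' 'a-z'); active=1   # options before any Host are global
    while read -r line || [ -n "$line" ]; do                                  # default IFS trims surrounding blanks
        case $line in ''|'#'*) continue ;; esac                                # skip blank lines and comments
        key=$(printf '%s' "${line%%[ =]*}" | tr 'A-Z' 'a-z'); val=${line#*[ =]}   # "Key value" or "Key=value"
        case $key in
            host)  if host_matches "$target" $val; then active=1; else active=0; fi ;;   # $val unquoted: split patterns
            match) active=0 ;;                                                             # Match blocks are not handled
            *)     if [ "$active" = 1 ] && [ "$key" = "$want" ]; then printf '%s\n' "$val"; return 0; fi ;;
        esac
    done < "$cfg"
    return 1
}
effective() {   # CONFIG ALIAS  ->  "user@hostname:port", falling back to ssh's defaults
    h=$(resolve "$1" "$2" hostname) || h=$2
    u=$(resolve "$1" "$2" user)     || u=$(id -un)
    p=$(resolve "$1" "$2" port)     || p=22
    printf '%s@%s:%s\n' "$u" "$h" "$p"
}
# Constructed config (a subset of the entries shown above), written to a temp file for the demo
SSHCFG=$(mktemp); cat > "$SSHCFG" <<'EOF'
Host 192.0.2.* !192.0.2.40 !*docker*
  User myname
Host *docker*
  User dockeruser
Host 192.0.2.40
  Hostname mynas
  User boss
Host newwebsite
  Hostname 37.27.172.245
  User maria
  Port 12345
EOF
effective "$SSHCFG" newwebsite   # -> maria@37.27.172.245:12345
```

With the real client, ssh -G newwebsite prints the same effective options straight from ~/.ssh/config.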

References

SSH security [1]

  1. See my blog post SSH and Security.