SSH Logins
There are easy ways and there are smart ways. Today we take a look at the smart way: using ssh-keygen and the SSH config file. Instead of typing ssh maria@37.27.172.245 -p 12345, just type ssh newwebsite.
Create your keys
One fundamental thing in using SSH is keys. You can log in without typing a password, which also makes it safer.
A key can also have a passphrase for extended security; see my other post.
It's not safe to use RSA keys anymore – use ED25519
Generate a key
Basic keys
ssh-keygen -t ed25519
Distribute the key to a cluster
Well, it is more secure to use separate keys for each server, but I consider a cluster one unit. We also use one username and one password for the whole cluster. You are free to agree or disagree.
List of Servers
List all your servers in a file, and then one script can copy the key to all of them. You can use any combination of:
- a resolvable DNS name (node01)
- a FQDN (node01.example.com)
- or the IP address of the server (192.0.2.40)
nano cluster_servers
node01.example.com
node02.example.com
node03.example.com
node04.example.com
node05.example.com
node06.example.com
node07.example.com
node08.example.com
node09.example.com
Enter your servers into the file cluster_servers.
Create the Script
nano copymykey.sh
#!/bin/bash
# Copies ~/.ssh/id_ed25519.pub to every server listed in cluster_servers.
clear
echo ""
echo "Copy the SSH-key to your Cluster-Servers"
echo "----------------------------------------"
echo "Enter username and password for your servers:"
read -r -p 'Username: ' uvar
read -r -sp 'Password: ' pwvar
echo ""   # read -s suppresses the newline after the password
# Read the server list line by line (also handles a last line without newline)
# Note: sshpass -p makes the password visible in the local process list while each copy runs.
while IFS= read -r server || [ -n "$server" ]; do
  [ -z "$server" ] && continue   # skip empty lines
  sshpass -p "${pwvar}" ssh-copy-id -i ~/.ssh/id_ed25519.pub -o StrictHostKeyChecking=no "${uvar}@${server}"
done < cluster_servers
echo "SSH-Keys copied."
The id_ed25519.pub file is exactly what the extension says: a public key. You can share it with anyone or post it as you please.
Make the copymykey.sh file executable
chmod 700 copymykey.sh
Adding Servers
Edit the cluster_servers file and re-run the script.
Now you do not need to type your password anymore, and you are logged in securely using your private SSH key (id_ed25519, the private half of the pair whose public half is id_ed25519.pub).
Remember to keep the SSH key secure and never expose the id_ed25519 file to anyone.
The next level
Create the SSH config file
nano ~/.ssh/config
# My personal SSH config example of syntaxes
Host 192.0.2.* !192.0.2.40 !*docker*
    StrictHostKeyChecking no
    UserKnownHostsFile=/dev/null
    User myname

Host *pvenode*
    StrictHostKeyChecking no
    UserKnownHostsFile=/dev/null
    User root
    IdentityFile ~/.ssh/proxmox

Host *k8s-pod*
    StrictHostKeyChecking no
    UserKnownHostsFile=/dev/null
    User spacecowboy
    IdentityFile ~/.ssh/k3s_key

Host *docker*
    StrictHostKeyChecking no
    UserKnownHostsFile=/dev/null
    User dockeruser
    IdentityFile ~/.ssh/docker

Host 192.0.2.40
    Hostname mynas
    StrictHostKeyChecking no
    UserKnownHostsFile=/dev/null
    User boss

Host 10.10.10.10 controller
    User boss
    IdentityFile ~/.ssh/ansible

Host alp01
    ForwardAgent no
    HostName 10.10.10.251
    RemoteCommand ssh [email protected]
    User alpboss
    RequestTTY yes

Host newwebsite
    Hostname 37.27.172.245
    User maria
    Port 12345
    HostName 192.168.10.20
    User obelix
    LogLevel INFO
    Compression yes
chmod 600 ~/.ssh/config
Explanations
- 192.0.2.*: all machines found in 192.0.2.1-255, this is a local net
- *node*: any host having "node" in its name
- ?: matches exactly one character. The pattern Host 10.10.0.? matches all hosts in the 10.10.0.[0-9] range.
- !192.0.2.40: excluding 192.0.2.40
- StrictHostKeyChecking no: will not show the prompt asking to save the key in known_hosts. Together with UserKnownHostsFile=/dev/null this disables host-key verification entirely, so the client cannot notice a changed or impersonated host; use it only on networks where you accept that risk.
- UserKnownHostsFile=/dev/null: don't write the host key to the known hosts file
- User: you guessed it, the user name for a server or a group of servers
- IdentityFile ~/.ssh/filename: use another SSH key pair
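To see how these patterns combine, here is an added example in Python (not code from the original post): a small resolver that re-implements the Host matching rules above, with '*' and '?' wildcards, '!' negation and first-obtained-value-wins, run over a constructed subset of the config. It handles Host blocks only (no Match or Include, which this config does not use), and it also shows that a keyword repeated within one block, like the second HostName under Host newwebsite, is silently ignored.

```python
import re
# Constructed sample: a subset of the post's ~/.ssh/config (note the second HostName under newwebsite).
SAMPLE_CONFIG = """
Host 192.0.2.* !192.0.2.40 !*docker*
    StrictHostKeyChecking no
    User myname
Host 192.0.2.40
    Hostname mynas
    User boss
Host newwebsite
    Hostname 37.27.172.245
    User maria
    Port 12345
    HostName 192.168.10.20
"""

def pattern_matches(pattern, host):
    """ssh_config wildcards: '*' is any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, host) is not None

def host_block_matches(patterns, host):
    """A Host line matches when some pattern matches and no '!' pattern does."""
    if any(pattern_matches(p[1:], host) for p in patterns if p.startswith("!")):
        return False  # a negated match vetoes the whole Host line
    return any(pattern_matches(p, host) for p in patterns if not p.startswith("!"))

def parse_config(text):
    """Split the file into (host patterns, {keyword: value}) blocks."""
    blocks, patterns, directives = [], ["*"], {}  # lines before any Host are global
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"): continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "host":
            blocks.append((patterns, directives))
            patterns, directives = value.split(), {}
        else:
            directives.setdefault(key, value)  # a repeated keyword in a block is ignored
    blocks.append((patterns, directives))
    return blocks

def resolve(text, host):
    """Effective settings for host: the first value obtained for each keyword wins."""
    effective = {}
    for patterns, directives in parse_config(text):
        if host_block_matches(patterns, host):
            effective = {**directives, **effective}  # keep values already obtained
    return effective
```

Compare the result with what the real client reports via `ssh -G newwebsite`, which prints the effective configuration without connecting.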
Usage
Instead of typing ssh maria@37.27.172.245 -p 12345, just type ssh newwebsite.
References
[1] SSH security: see my blog post SSH and Security.