Site Tools

en:connexion_serveur_admin

Connecting to servers for administration via a public key

This article describes how to connect to a server of which one is an administrator, whatever it may be(it is not specific to the MMORPG, it is the same on a basic web server) and using a public key authentication.

The manipulation here concerns a console connection from a Linux machine.

The advantage of connecting to a server using a public key is that you can forget the basic passwords of the servers, there is only one to remember: yours. This is very useful if you have several servers to administer, or if they have passwords to extend and impossible to remember.

Generating the key

Open a console and generate a pair of keys by typing:

 ssh-keygen -t rsa
 

You should have the following text displayed:

Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.

A public/private key is generated, using the RSA algorithm specifically for ssh connections. Do not enter anything for the file(for saving of the key, leave /home/user/.ssh/id_rsa, so just tap for “entry”). For the “passphrase”, find an effective password. It's often simpler if this is the same as your public password.

Copy the key to the remote server account

 ssh-copy-id -i ~ / .ssh / id_rsa.pub yyy@xxxxx.org

Replace yyy@xxxxx.org with the name of your server and it's user, for example root@myserver.org. Enter the server password (NOT your key passphrase, the server must know that it is you!).

And now, it's all good! You can connect to the server via ssh with your key:

 ssh yyy@xxxxx.org

or

 ssh root@myserver.org

On the server, go to the .ssh folder of /home/user and

More authorized_keys

A line must end with your username and the name of your machine, these are the public keys allowed to connect.

And if we want an RSA key per site?

It is possible to automatically indicate to SSH to use this or that key according to the site to which one connects.

Suppose we have generated two RSA keys as described above. Simply specify a different name for the question “/home/user/.ssh/id_rsa:” /home/user/.ssh/cle1 and /home/user/.ssh/cle2. It is therefore decided to use the keys as follows:

  • Cle1 goes to server 1
  • Cle2 goes to server 2

It is necessary to create the file config in it's directory .ssh in the /home directory. It contain(for each server) an identifier, its name(or direct IP address), the file rsa to use and the identifier that is linked to it:

<txt config>
host server1
	HostName server1.en
	IdentityFile ~/.ssh/cle1
	User totor
  
host server2
	HostName 202.127.12.13
	IdentityFile ~/.ssh/cle2
	User roxxor

Then when you connect with SSH, the system will know to go to “server1.fr”, it must use the key ~/.ssh/cle1 and the identifier “totor”. It will remain only to enter the passphrase that is related to it. There is no longer the need to give the necessary key or identifier, just possibly the port number if it's not an standard one.

For example : Access to server1 that has a standard port:

~$ ssh serveur1.fr

Access to server 2 which has its SSH port open at 66666:

~$ ssh -p 66666 202.127.12.13

Log in without password(insecure method)

Logging in without a password potentially opens up a security vulnerability. To be reserved for very special cases!

One of these cases is the possibility for a server(A) to connect to a server(B) for data backup for example. Server(A) itself must then be well protected.

It is enough to create a key on the server(A), as indicated above in: (ssh-keygen -t rsa) but not to enter a password. This key can therefore be used to connect without a password.

Then we add this key to server(B) (ssh-copy-id -i ~/.ssh/id_rsa.pub yyy@xxxxx.org).

As the “id_rsa” and “id_rsa.pub” files can easily be copied from one computer to another, one can secure a little more by making sure that the server(B) only accepts the key of the server(A) if this key is used from the IP address of server(A).

It is necessary to add “from=IP1, IP2” in the file “authorized_keys”(at the beginning of the key in question).

Example:

 from="192.02.300.01" ssh-rsa XXXYYYZZZ(key) user@server

Log in without too often retyping your password(secure method)

Just use an “ssh agent” that will remember your key. In theory, your password should only be requested once per session + the first time you unlock the key.

Evaluate "$(ssh-agent -s)"
ssh-add ~/.ssh/id_rsa

To go further

en/connexion_serveur_admin.txt · Last modified: 2018/08/06 13:52 by zatalyz