
SSH - options for user authentication

The following options for user authentication apply to all services based on SSH, i.e. SSH, SCP, SFTP, rsync and SSHFS.

Password authentication

The simplest option. Only an account in the data storage is needed. Disadvantage: a password prompt is shown every time you access the data storage.

Authentication over Kerberos

To use this option you need:

  • Kerberos support installed on the client side (installation guide)
  • Kerberos permitted in the SSH configuration, either globally (/etc/ssh/ssh_config) or per user (/home/USER/.ssh/config):
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

and then obtain a ticket for Kerberos access:

$ kinit user@EINFRA
Password for user@EINFRA:

Access to the services is then possible without a password for as long as the ticket is valid.

$ ssh user@ssh.du1.cesnet.cz ls -l
total 12540
-rw-r--r-- 1 user storage 10485760 Jun 22 14:16 MB10.dat
-rw-r--r-- 1 user storage  8388608 May  3 12:51 MB8.dat
drwxr-xr-x 2 user storage       10 Jun 13 15:34 backup
$ 

The ticket can be verified by:

$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EINFRA

Valid starting     Expires            Service principal
07/04/12 13:26:22  07/05/12 13:26:19  krbtgt/EINFRA@EINFRA

You can also remove the ticket by:

$ kdestroy
$ klist 
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_1000)

Authentication with SSH key

To use an SSH key you have to add it to the Data Storage using the Perun system.

Once your RSA or DSA public key has been installed in the file ~/.ssh/authorized_keys (this is done by the Perun system), you can access the data storage without a password.
It is recommended to keep the private key secret and protected by a strong passphrase. If you want to enter the passphrase only once, you can use the tool called ssh-agent.

Example procedure for generating an RSA private/public key pair (if you don't have one yet); xx stands for hexadecimal digits:

$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): secretpassword
Enter same passphrase again: secretpassword
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx user@client-host

Now please add the SSH key to the Perun system according to this guide. The changes are written to the Data Storage system within 60 minutes, so please be patient.

From now on you can access the data storage using only the passphrase that decrypts the SSH key (not the data storage password).

$ ssh user@ssh.du1.cesnet.cz ls -l
Enter passphrase for key '.ssh/id_rsa': secretpassword
total 12540
-rw-r--r-- 1 user storage 10485760 Jun 22 14:16 MB10.dat
-rw-r--r-- 1 user storage  8388608 May  3 12:51 MB8.dat
drwxr-xr-x 2 user storage       10 Jun 13 15:34 backup
$ 

If you add the key to a running ssh-agent process:

$ ssh-add ~/.ssh/id_rsa
Enter passphrase for /home/user/.ssh/id_rsa: secretpassword
Identity added: /home/user/.ssh/id_rsa (/home/user/.ssh/id_rsa)

then no passphrase is required:

$ ssh user@ssh.du1.cesnet.cz ls -l
total 12540
-rw-r--r-- 1 user storage 10485760 Jun 22 14:16 MB10.dat
-rw-r--r-- 1 user storage  8388608 May  3 12:51 MB8.dat
drwxr-xr-x 2 user storage       10 Jun 13 15:34 backup
$ 

You can remove all keys from the ssh-agent process with the following command:

$ ssh-add -D
All identities removed.

The ssh-agent process has to be running if you want to use it (on Linux it is usually started together with the X session). Alternatively you can start it with:

$ eval `ssh-agent`
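The following script is an added example, not part of this guide or of the Data Storage service: it checks the three client-side prerequisites described above (the two GSSAPI options in the SSH client config, a valid Kerberos ticket, and whether ssh-agent is running with identities loaded) before you try to connect. It assumes MIT Kerberos for `klist -s` and ignores Host/Match scoping in the config file, which matches the global placement the guide uses.

```shell
#!/bin/sh
# Added example, not part of the original guide: pre-flight checks for the
# Kerberos and ssh-agent set-ups above. Reads config, queries klist/ssh-add.

# Print the value of OPTION from an ssh_config-style FILE ($1=file, $2=option).
# ssh(1) uses the first value found, so stop at the first match; comments are
# skipped, names are case-insensitive, "Option value" and "Option=value" both
# work. Simplification: Host/Match scoping is ignored (the guide sets globally).
ssh_option_value() {
    awk -v opt="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/^[ \t]+/, "") }
        $0 == "" || $0 ~ /^#/ { next }
        { n = split($0, f, /[ \t=]+/) }
        n >= 2 && tolower(f[1]) == opt { print f[2]; exit }
    ' "$1" 2>/dev/null
}

# Succeed only if both options the guide requires are set to yes.
gssapi_ready() {
    _auth=$(ssh_option_value "$1" GSSAPIAuthentication | tr 'A-Z' 'a-z')
    _deleg=$(ssh_option_value "$1" GSSAPIDelegateCredentials | tr 'A-Z' 'a-z')
    [ "$_auth" = yes ] && [ "$_deleg" = yes ]
}

# klist -s (MIT Kerberos) exits 0 only when the cache holds an unexpired TGT.
ticket_valid() { klist -s 2>/dev/null; }

# ssh-add(1) exit status: 0 = identities loaded, 1 = agent running but empty,
# 2 = no agent reachable; anything else (e.g. ssh-add missing) is unknown.
agent_state_from_status() {
    case "$1" in
        0) echo loaded ;;  1) echo empty ;;  2) echo no-agent ;;  *) echo unknown ;;
    esac
}
agent_state() {
    _st=0
    ssh-add -l >/dev/null 2>&1 || _st=$?
    agent_state_from_status "$_st"
}

# Summarise which password-free paths from the guide would work right now.
report() {
    _cfg=${1:-$HOME/.ssh/config}
    if gssapi_ready "$_cfg"; then echo "kerberos: enabled in $_cfg"
    else echo "kerberos: GSSAPI options not both 'yes' in $_cfg"; fi
    if ticket_valid; then echo "ticket: valid"
    else echo "ticket: none or expired (obtain one with kinit user@EINFRA)"; fi
    echo "agent: $(agent_state)"
}
report "$@"
```

Run it with no arguments to check ~/.ssh/config, or pass another config file path as the first argument.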

More about ssh-agent:

Last modified: 31.03.2023 11:08