It really pisses me off when I have to type passwords over and over and over again. Even more so when I am trying to do a ton of work or do a deployment and I need to do it.
It’s even more annoying when a customer won’t enable proper access to their systems, or they use root forever with weak passwords.
Enter the SSH KEYs.
If you've never worked with them, they are super handy, and can be used on any Unix-type platform. Basically, they let you ssh to a host, and the server checks the public key (which you put on the server) against your private key (which you keep) to verify that you are you.
As admins, you should know about this already. Seriously. Why don’t you?
You go through a few steps. First, on your host you generate a private/public key pair. You then put your public key on the remote device (Unix server, SAN, network switch or router, etc.). If you need to generate keys on Windows, use puttygen.
KEY GENERATION ON OSX OR LINUX:
```
jk-47:~ awesomedude$ssh-keygen -t rsa -b 2048 -f mykey
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in mykey.
Your public key has been saved in mykey.pub.
The key fingerprint is:
b7:82:c0:df:d2:2d:b0:84:95:9d:d1:47:ed:e5:b1:f0
The keys randomart image is:
+--[ RSA 2048]----+
| .. ... |
| o o. .....|
| o o . .ooo|
| . o .E.|
| + o S . |
| + * o . |
| = = o |
| . o |
| |
+-----------------+
jk-47:~ awesomedude$ ls my*
mykey mykey.pub
jk-47:~ awesomedude$more mykey
#-- This is your PRIVATE KEY YOU KEEP!
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAxVQe3Uf3RrPh2t+zBQpcP2wnoOMOOiKVe4h/k7R7kDYcukv6
YfsK+KFvdBXLsb027Jp2IpF2XWDNWrhFeOnndVH4Gec0L+Zxs9q8rgo7u/Wr8yrF
PEWHA004qDE7Oj9k/Jw3mH2abn37nl0YIAaXTv9MG8NHptPtFogdO/UgQyE5PSNX
1m9wrjNmxsNQmYobPg5vN3DiXvTCADsyzxumtUkp1m8FAmyul0Y6nzuXM+EXlgAK
Hj77+oJ4/caGEw+35dwrflf8L8zbN5InVe8ItpqhsGJdhiUitygz0LMz/R5ZNIiN
ByZ6hUq6yPvEge0De8jNTJaTnfuETGw/LaEXywIDAQABAoIBAA460Lb4V5abpi/Y
bdpxMtHIBNuPRBlhIRJ1d225WCfAHzY4AGhMaDAhxB3E7Jl2oZ1STi6T+sslDen6
29eqVmyZaqDDkXnazlw/69dJGaGmR64TaYG9Kc1NJkbKthCvPaMRyNiQRjCtmRWE
dRbqIsMpmd1uqZ4YLkKvshv+w0LT5BexUNAWuKGIAxaU/Jxo1Fs6ppcwy+GJdfWc
a7xcgpcE4M7ZQ9MRF7hW517GLPb4m3+WTeLUgYjqNUxK+csalZ8oHJhtEXrHvzjq
ACR475Hd9ZejZ1lWpGIlWwLJzws13ZcHvclxrY6eXtq1S4DGybiTcp2JeY94gIEZ
0hieqgECgYEA44LOFy5Dgp154ABHH/2NrWtbBTVeOCkXKAkdYirKVUMp/NKiELrl
fbTkZyneWPNJAokNxNkNnUZRtgMtcmeXuo8bnDAlUoaGIoBkNC1BVZDwjtR1nl04
lSJ1XsnWbY96AQRDRDtQfw+9cSJqLaLDEUi9Nbeiqb5LmMkhfU73IYECgYEA3gnG
p2R8fls5w4UnZ+TRmC35aNMyPb9FvYzRQZhHaHBPEfIHhyqNbo8JjBT4EhjbjPgM
TMrb+xC5XOX/xoeWt8z2Tuyax5IGlgMOsQw8YI0LEH9Z5ZRJTfHGKWnWgCu5UYgP
SdC9caN9m36xUhLu4CQ/h36haObVg6OqyYmvx0sCgYEAh//BQoodQQ7xs712xuDC
uE/ccRid4eRuOzh3oB8EJEOp7b/bsTSHysU/Y4vbpkCH/EQBPxKg2MsYPT1ZBXJ3
eMXjM1J0fQh9VlJ5k9cZnxStODQ4uxnuoPegQbFVxNhnjgQGUdtDGzFFhUOVRQJu
qP5aXKoRSna+qe5RXp69jAECgYB238cCcZMRVyfq3MwHHIN2NQ71pzSbyF6/J7gU
pUF90bsTgX+0Rvzndx8GZ2eU0Mgihd6X8nepx/9llCHHGWqAxvQLtzL6q9xozgQ8
l69vhbOpxnTLrAM+/rU4ENjtT/tsgiqlO2NhhsVFzaODrG1FhUKZ+RrTfdpMGwDh
25xHVwKBgEVFqbSYFHEHl0MsQJF5RAZrM6PKhvhpBUdrLK6PG5kqqlqkxxKZI83n
E8/nbuSJ4CNCuhT6awB3gAEhHk4eGCmkF6NwLrhKshUQhBafPOuyD4tInTVAETXe
jrLeWDSGsP/X3Lhp8dZzzlksKSLOjpxHfVzKyzi+vjm79I9gmjoQ
-----END RSA PRIVATE KEY-----
jk-47:~ awesomedude$ more mykey.pub
#-- This is your public key you add to a hosts authorized_keys file. YOU NEED ALL OF THIS!
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFVB7dR/dGs+Ha37MFClw/bCeg4w46IpV7iH+TtHuQNhy6S/ph+wr4oW90FcuxvTbsmnYikXZdYM1auEV46ed1UfgZ5zQv5nGz2ryuCju79avzKsU8RYcDTTioMTs6P2T8nDeYfZpuffueXRggBpdO/0wbw0em0+0WiB079SBDITk9I1fWb3CuM2bGw1CZihs+Dm83cOJe9MIAOzLPG6a1SSnWbwUCbK6XRjqfO5cz4ReWAAoePvv6gnj9xoYTD7fl3Ct+V/wvzNs3kidV7wi2mqGwYl2GJSK3KDPQszP9Hlk0iI0HJnqFSrrI+8SB7QN7yM1MlpOd+4RMbD8toRfL
```
* ADDING SSH KEY FOR ROOT ACCOUNT ONTAP 7-Mode
```
priv set advanced
useradmin diaguser unlock
useradmin diaguser password
--- ENTER PASSWORD HERE FOR DIAG USER ---
systemshell
--- USE DIAG AT LOGIN PROMPT ---
login: diag
--- paste this crap ---
mkdir -p /mroot/etc/sshd/root/.ssh
echo "ssh-rsa YOUR_KEY_TEXT_HERE_FROM_YOUR_ID.RSA_orID_DSA==" >> /mroot/etc/sshd/root/.ssh/authorized_keys
sudo chown -R root:wheel /mroot/etc/sshd/root
sudo chmod -R 0600 /mroot/etc/sshd/root
exit
--- LOCK THE ACCOUNT ---
useradmin diaguser lock
--- LEAVE ELEVATED PRIV MODE ---
priv set admin
```
* ADDING SSH KEY FOR ROOT ACCOUNT ONTAP: CLUSTER MODE
With cluster mode, you are basically adding this to the admin account. You can either scp a file to /mroot, or you can have it download your file with a URI (HTTP). You can also paste it in.
```
#-- First create your security context
node::> security login create -username admin -application ssh -authmethod publickey -role admin
#--- From a URL:
node::> security login publickey load-from-uri -username admin -uri http://www.jk-47.com/id_rsa.pub [-overwrite false]
#-- From a local file:
node::> security login publickey load-from-uri -username admin -uri file://localhost/mroot/id_rsa.pub [-overwrite false]
#-- From copy and paste:
node::> security login publickey create -username admin -index 1 -publickey "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFVB7dR/dGs+Ha37MFClw/bCeg4w46IpV7iH+TtHuQNhy6S/ph+wr4oW90FcuxvTbsmnYikXZdYM1auEV46ed1UfgZ5zQv5nGz2ryuCju79avzKsU8RYcDTTioMTs6P2T8nDeYfZpuffueXRggBpdO/0wbw0em0+0WiB079SBDITk9I1fWb3CuM2bGw1CZihs+Dm83cOJe9MIAOzLPG6a1SSnWbwUCbK6XRjqfO5cz4ReWAAoePvv6gnj9xoYTD7fl3Ct+V/wvzNs3kidV7wi2mqGwYl2GJSK3KDPQszP9Hlk0iI0HJnqFSrrI+8SB7QN7yM1MlpOd+4RMbD8toRfL== admin@yourpc.com"
#-- Verify it worked:
node::> security login publickey show -username admin
```
Whichever way you pick, you typically will need to ssh to the host once just so your ssh client saves the destination's host key. After that you are able to log in passwordless with ssh key authentication!
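Before pasting a public key into an authorized_keys file, a `security login publickey create` command or a Nexus `username ... sshkey` line, it is worth checking that the whole line survived the copy and that it decodes to the key you generated. The parser below is an added example, not code from the original post: it decodes the OpenSSH public-key line, checks the type prefix against the encoded blob, reports the RSA modulus size, and prints the MD5 colon fingerprint in the same form ssh-keygen showed above so the two can be compared. `build_rsa_pubkey_line` exists only to construct test input from raw numbers; real keys come from ssh-keygen.

```python
import base64
import hashlib
import re
import struct

def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(value: int) -> bytes:
    """SSH mpint (RFC 4251): big-endian bytes, with a leading 0x00 if the top bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)

def build_rsa_pubkey_line(e: int, n: int, comment: str) -> str:
    """Constructed test input only: make an 'ssh-rsa AAAA... comment' line from raw numbers."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

def _read_string(blob: bytes, pos: int):
    """Read one length-prefixed field; a short read means the pasted key was cut off."""
    if pos + 4 > len(blob) or pos + 4 + struct.unpack(">I", blob[pos:pos + 4])[0] > len(blob):
        raise ValueError("truncated key blob: paste the whole key text")
    end = pos + 4 + struct.unpack(">I", blob[pos:pos + 4])[0]
    return blob[pos + 4:end], end

def parse_openssh_pubkey(line: str) -> dict:
    """Validate one authorized_keys-style line; report type, RSA size and MD5 fingerprint."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    ktype, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)   # ValueError on bad or partial base64
    embedded, pos = _read_string(blob, 0)
    if embedded != ktype.encode("ascii", "replace"):
        raise ValueError(f"type prefix {ktype!r} does not match the encoded blob")
    info = {"type": ktype, "comment": parts[2] if len(parts) == 3 else ""}
    if ktype == "ssh-rsa":                        # fields are e then n (RFC 4253 section 6.6)
        e_raw, pos = _read_string(blob, pos)
        n_raw, pos = _read_string(blob, pos)
        info["e"] = int.from_bytes(e_raw, "big")
        info["bits"] = int.from_bytes(n_raw, "big").bit_length()
    if pos != len(blob):
        raise ValueError("unexpected trailing bytes in key blob")
    digest = hashlib.md5(blob).hexdigest()        # the colon form ssh-keygen printed in the post
    info["md5_fingerprint"] = ":".join(re.findall("..", digest))
    return info
```

Run `parse_openssh_pubkey` on the line you are about to paste; if the fingerprint does not match what ssh-keygen printed, or it raises, the key text was mangled in transit.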
p.s. if you still use TELNET anywhere (read this, HP ProCurve users), you should be punched in the throat… just sayin’.
Special bonus: Cisco Nexus NX-OS SSH Key addition:
Adding a key to a Nexus is super simple! The command is:
```
username foooooo sshkey yourkeyhere
```
```
S0-nexus01#
S0-nexus01# conf t
Enter configuration commands, one per line. End with CNTL/Z.
S0-nexus01(config)# username jk47 sshkey ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFVB7dshortenedKJVLnTD6YQaz1DL2iF78=
S0-nexus01(config)# end
S0-nexus01# copy run start
[########################################] 100%
Copy complete, now saving to disk (please wait)...
S0-nexus01# exit
Connection to 192.168.29.2 closed.
jk-47:~ jk47$ ssh jk47@192.168.29.2
Nexus 5000 Switch
Last login: Thu Jan 16 17:22:41 2014 from 192.168.29.4
Bad terminal type: "xterm-256color". Will assume vt100.
Cisco Nexus Operating System (NX-OS) Software
....
```