We use ssh and public keys to provide access to course accounts.
This is background information on using SSH public keys to authenticate as a course account. Looking at that document first is recommended.
CSCF has deployed an automated tool to propagate ssh keys to course accounts from home directories in the student region (i.e. one of the linux.student.cs.uwaterloo.ca systems). Authorized users of a course account will be able to ssh and scp from their preferred workstation into the course account, after a one-time key copy to their own student-environment account. An automated check for new keys happens once an hour.
For answers to questions about this process, contact DanielAllen.
.rhosts
file updated.
ssh course-name@linux.student.cs.uwaterloo.ca
Q: I've generated a key. Can I get more detail about copying the key to linux.student.cs.uwaterloo.ca?
From Unix/Linux, try ssh-copy-id yourlogin@linux.student.cs.uwaterloo.ca
and it should be copied over correctly.
From any OS: use copy and paste:
~/.ssh/id-dsa.pub
ssh-dss AAAAB3NzaC1kc3MAAACBAKAtgLEWHkwKJOjVUVvBEjpYE172mcoJkMyuX6kHSY7ZayF760+0 v22LSI6ATyZ5EcY0IZzG+A0er4Ns0puH5eWdQ6nBxnvnwkZRiUfbDCIOauyUdDZNdCTRk7+dhr3Cdpwp [5 lines deleted] Yjm0P02TeCMO7KTezbVKSFrEeg== daniel@zot.local
yourlogin@linux.student.cs.uwaterloo.ca
via your preferred means (ssh or rlogin)
mkdir ~/.ssh
cat >> ~/.ssh/id-dsa.pub
[carriage-return] [paste the key] [ctrl-C]
Q: What if I use more than one home workstation/machine to access course accounts? Which part of this do I repeat?
You have two choices:
id_dsa
and id_dsa.pub
) to the other machines' ~/.ssh
directory (creating the directory if necessary). Ssh from both machines will now identify to other machines with the same identity. This is the simpler approach, and is acceptable if each machine you work from has equivalent levels of security / risk of someone stealing the private key.
$HOME/.ssh/authorized_keys
authorized_keys
will look something like this:
% cat ~/.ssh/authorized_keys ssh-dss AAAAB3NzaC1kc3MAAACBAKAtgLEWHkwKJOjVUVvBEjpYE172mcoJkMyuX6kHSY7ZayF760+0 v22LSI6ATyZ5EcY0IZzG+A0er4Ns0puH5eWdQ6nBxnvnwkZRiUfbDCIOauyUdDZNdCTRk7+dhr3Cdpwp [5 lines deleted] Yjm0P02TeCMO7KTezbVKSFrEeg== daniel@zot.local ssh-dss AAAAB3NzaC1kc3MAAACBAM/a0SBDrtC5iDXRKTrkFK57+h6QyH3WeTGKLhBSF0mkxwuVE6L2 [5 lines deleted] 5h/IxIId5eOphnNSOHH+oVpjs1k= drallen@scsmac21.cs.uwaterloo.ca
Note that each key is copied as one line, which you can check by running word-count on the file:
% wc -l ~/.ssh/authorized_keys 2 /u1/yourusername/.ssh/authorized_keys
The number in the response ("2" above) must match the number of keys you copied; otherwise, the key was copied with embedded carriage-returns which must be edited out.
Also note that all core-region servers (cpu1XX.cs) count as "one machine" and separately all of student-region counts as "one machine", because your home directory is shared among regional machines. If you work on cpu102.cs and cpu104.cs, you only have one key to copy to linux.student.cs.uwaterloo.ca.
Q: If I generate a key on my home machine, is this an additional security risk? If someone steals my private key, can they access my home machine?
No, the relationship with keys is not symmetric: unless you run ssh daemon on your home machine, and add the key to your home machine's $HOME/.ssh/authorized_keys
file, there is no additional risk to your home machine.
If your private key is stolen, the public key must be removed from authorized_keys
on any host it is used on, because it does allow access to those hosts.
If you use a passphrase with your ssh key you have additional assurance that if your private key is stolen, you can replace it before your accounts are broken into.
Q: Is there a way around re-typing your passphrase every time you use the public key?
Yes. See this bit about caching your passphrase.
Q: Specifically which locations for keys are checked by the automated system?
Keys copied from the following standard key locations in the user's .ssh
directory: identity.pub
, id_rsa.pub
, id_dsa.pub
, authorized_keys
, and authorized_keys2
. If you happen to be working with a "course testing account" (ending in -t
or t
), only identity.pub
, id_rsa.pub
, and id_dsa.pub
are checked, and only for the course-account corresponding to the testing-account's course-name.
Q: What does the automated key copier do?
.rhosts
and .shosts
files for each course-account and identifies all users. It then checks for the existence of updated keys in the home directory of each user. If the user's key information is more recent than the last automated update, it will copy the current set of keys to the course account.
.ssh/.authorized_keys
file, which has two sections; a manually-edited section and an auto-updated section. The manually-edited section is more authoritative and is not touched by the automated system. The sections are separated by an comment which warns that changes below that point in the file will be overwritten.
Yes; for detailed information, see manpages on the student-region hosts: man ssh
for logging in, and man scp
for copying files (or PuTTY and WinSCP on Windows).
See CourseAccountSshKeyAccessAdministration
-- DanielAllen - 07 Jan 2009