Friday, September 6, 2013

How to setup SSH Keys

This is a guide to setting up SSH keys for a UNIX-based account. What are SSH keys, you ask? They are a means of identifying yourself to an SSH server using public-key cryptography and challenge-response authentication. SSH keys are considered more secure than passwords for accessing systems because the server authenticates your account without your password ever being sent over the network, and a password that is never transmitted cannot be intercepted.
This guide does not cover installing or setting up an SSH server; you must already have SSH running on your servers for your keys to work. All the examples are taken from a Solaris 10 (SPARC) server, but the guide should work just as well on any UNIX-based operating system such as Linux, BSD and the Mac.

Create your key pair
The ssh-keygen command generates a public and private key pair, stored under ~/.ssh. The basic command looks like this: ssh-keygen -t [dsa|rsa]. The -t option sets the type of key to generate. In the example below I create an RSA key pair.
man@earth> ssh-keygen -t rsa
Enter file in which to save the key (/home/man/.ssh/id_rsa): Press [Enter] key
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/man/.ssh/id_rsa.
Your public key has been saved in /home/man/.ssh/id_rsa.pub.
The key fingerprint is:
04:be:15:ca:1d:0a:1e:e2:a7:e5:de:98:4f:b1:a6:01

Make sure you don't use a blank passphrase. Doing so is very insecure: a blank passphrase defeats the purpose of the extra security that a key-based setup gives you, because anyone who gets hold of the private key file can use it immediately. It is also important never to give out your private key, since that too compromises the security of your account.

Copy public key
Copy your public key to the authorized_keys file on the remote server.
man@earth> scp ~/.ssh/id_rsa.pub moon:~/.ssh/authorized_keys

If your home directory is automounted across many servers, you can append the key with the cat command instead.
man@earth> cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
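Note that the scp command above replaces whatever authorized_keys file already exists on the remote account. As an added example (not code from the original post), the shell function below installs a public key the way a careful admin would on the remote host: it refuses a private key copied by mistake, appends the key only if it is not already present, and sets the permissions sshd expects. The function names are mine, and the key line used in testing is a constructed sample.

```shell
#!/bin/sh
# Added example, not code from the original post.
# install_authorized_key PUBKEY_FILE [SSH_DIR]
#   Appends one OpenSSH public key line to SSH_DIR/authorized_keys (default
#   ~/.ssh) without clobbering the keys already there. Returns 1 on bad input.
install_authorized_key() {
    pubkey=$1
    sshdir=${2:-$HOME/.ssh}

    [ -r "$pubkey" ] || { echo "cannot read $pubkey" >&2; return 1; }
    # Refuse a private key pasted by mistake: it must never leave your machine.
    if grep -q 'PRIVATE KEY' "$pubkey"; then
        echo "$pubkey looks like a private key, refusing" >&2; return 1
    fi
    # A public key is exactly one line beginning with its type (ssh-rsa, ssh-dss, ...).
    keyline=$(head -n 1 "$pubkey")
    case $keyline in
        ssh-*) ;;
        *) echo "$pubkey is not an OpenSSH public key" >&2; return 1 ;;
    esac
    if [ "$(cat "$pubkey")" != "$keyline" ]; then
        echo "$pubkey has more than one line" >&2; return 1
    fi

    # sshd refuses authorized_keys when the file or its directory is writable
    # by others (StrictModes, on by default): keep the directory 700, file 600.
    ( umask 077; mkdir -p "$sshdir"; touch "$sshdir/authorized_keys" )
    chmod 700 "$sshdir"
    chmod 600 "$sshdir/authorized_keys"

    # Idempotent: appending the same key twice gains nothing and clutters the file.
    if grep -qxF "$keyline" "$sshdir/authorized_keys"; then
        echo "key already present in $sshdir/authorized_keys"
        return 0
    fi
    printf '%s\n' "$keyline" >> "$sshdir/authorized_keys"   # always newline-terminated
}

# count_keys SSH_DIR: number of lines in authorized_keys, to confirm the append.
count_keys() {
    wc -l < "$1/authorized_keys" | tr -d ' '
}
```

Copy id_rsa.pub to a scratch path on the remote host first (scp ~/.ssh/id_rsa.pub moon:/tmp/ for instance), then run install_authorized_key /tmp/id_rsa.pub there.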

Setup Agent
At this point, when you log in you are prompted for the key's passphrase. To stop this from happening you need to set up an SSH agent. Run the commands below and type in your passphrase when prompted.
man@earth> eval `ssh-agent`
man@earth> ssh-add
Enter passphrase for /home/man/.ssh/id_rsa:
Identity added: /home/man/.ssh/id_rsa (/home/man/.ssh/id_rsa)

There are other ways to set up the agent, such as using the GNOME GUI, but that only works if you're running a GNOME desktop. If you're a VNC user, start your VNC server session after starting your agent in the same terminal; that way all the terminals launched in your VNC session will use the same agent.

One issue with agents is that you can end up running a lot of them. As good practice, run the command below and kill any agents that you are not using.
man@earth> ps -ef | grep agent


If you have any questions or comments please post below.

Thursday, September 5, 2013

Faster Solaris 10 Zone Creation

These are my notes on a faster way of creating Solaris 10 zones. If you're not familiar with Solaris 10 zones, I suggest you first read my notes on creating Solaris 10 zones. These notes cover making a whole root zone with a shared network interface. For the purpose of this guide we will use the hostname earth for our global zone (the host) and create a zone named moon.

Create the zone
root@earth> zonecfg -z moon "create -b; set zonepath=/export/zones/moon; set autoboot=true; add net; set physical=e1000g0; set address=10.1.1.232/24; end; verify; commit; exit"

Alternatively, you can put all the sub-commands into a file.

Install zone
root@earth> zoneadm -z moon install
A ZFS file system has been created for this zone.
Preparing to install zone moon.
Creating list of files to copy from the global zone.
Copying 82181 files to the zone.
Initializing zone product registry.
Determining zone package initialization order.
Preparing to initialize 783 packages on the zone.
Initialized 783 packages on zone.
Zone moon is initialized.
Installation of 1 packages was skipped.
The file contains a log of the zone installation.

Check the zone (Optional)
root@earth> zoneadm list -cv
  ID NAME      STATUS     PATH                  BRAND    IP
   0 global    running    /                     native   shared
   - moon      installed  /export/zones/moon    native   shared

Make an answer file
You must create the sysidcfg configuration file and put it in the zone's /etc directory, for example /export/zones/moon/root/etc/. This must be done after the zone install but before you boot the zone. Below is an example of a sysidcfg that worked for my setup.

system_locale=en_US
timezone=US/Eastern
terminal=vt100
timeserver=localhost
root_password=$1$w/3YH4kq$R3Tk2lHWRIL2FiiJ2eJqQ1
network_interface=PRIMARY {hostname=moon
                     default_route=NONE
                     ip_address=10.1.1.232
                     netmask=255.255.254.0
                     protocol_ipv6=no}
nfs4_domain=sun
security_policy=NONE
name_service=NONE
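The zonecfg command earlier and this sysidcfg have to agree on the zone path, address and netmask, and it is easy to let them drift when both are typed by hand. As an added example (not the post's own commands), this shell script writes both files from one set of values: the zonecfg command file mentioned above and the sysidcfg answer file. The function names and output directory are mine, and the root password hash is a placeholder you replace with your own.

```shell
# Added example, not from the original post: generate the zonecfg command file and
# the sysidcfg answer file from one set of values so zonepath, address and netmask
# cannot drift apart. ROOT_HASH is a placeholder for the crypt(3) hash from /etc/shadow.

# prefix_to_netmask PREFIX: dotted netmask for a CIDR length (24 -> 255.255.255.0)
prefix_to_netmask() {
    p=$1; mask=""
    for i in 1 2 3 4; do
        if [ "$p" -ge 8 ]; then o=255; p=$((p - 8))
        else o=$(( (255 << (8 - p)) & 255 )); p=0; fi
        mask="${mask}${mask:+.}${o}"
    done
    echo "$mask"
}

# write_zone_files OUTDIR ZONE ZONEPATH NIC IP PREFIX ROOT_HASH
# OUTDIR/ZONE.cfg: load with zonecfg -z ZONE -f OUTDIR/ZONE.cfg; OUTDIR/sysidcfg: copy to ZONEPATH/root/etc/
write_zone_files() {
    out=$1 zone=$2 zpath=$3 nic=$4 ip=$5 prefix=$6 hash=$7
    mask=$(prefix_to_netmask "$prefix")
    cat > "$out/$zone.cfg" <<EOF
create -b
set zonepath=$zpath
set autoboot=true
add net
set physical=$nic
set address=$ip/$prefix
end
verify
commit
exit
EOF
    cat > "$out/sysidcfg" <<EOF
system_locale=en_US
timezone=US/Eastern
terminal=vt100
timeserver=localhost
root_password=$hash
network_interface=PRIMARY {hostname=$zone
                     default_route=NONE
                     ip_address=$ip
                     netmask=$mask
                     protocol_ipv6=no}
nfs4_domain=sun
security_policy=NONE
name_service=NONE
EOF
    chmod 600 "$out/sysidcfg"   # it holds the root password hash
}
```

Call write_zone_files /tmp moon /export/zones/moon e1000g0 10.1.1.232 24 'YOUR_HASH', then zonecfg -z moon -f /tmp/moon.cfg reads the command file in place of the long quoted string shown earlier.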


Get remote console on the zone
Run this command in a different terminal.
root@earth> zlogin -C moon
Note: the -C option gives you a persistent console. To get back to the global zone, type ~.

Boot the zone
root@earth> zoneadm -z moon boot
After you run the command above, look at the other terminal where you ran zlogin. You should see the zone booting up, and once it has booted you should see a login prompt. If the interactive setup process starts instead, there is an error in the sysidcfg file; in that case you will have to delete your zone. Check out my notes on how to uninstall and delete a zone. If there are no issues then you're done.

I hope this was helpful to someone. If you have any questions or comments please post them below.

Related posts on this blog:
Creating Solaris 10 zones
Uninstall and delete a zone