Kapitel 03: SSH mit Keys und Agent

03/SSH-von-Anfang-an.txt

@@ -0,0 +1,71 @@
+kurs@tn011-purple:~$ ssh-keygen -t ed25519 -C Testkey
+Generating public/private ed25519 key pair.
+Enter file in which to save the key (/home/kurs/.ssh/id_ed25519): 
+Enter passphrase (empty for no passphrase): 
+Enter same passphrase again: 
+Your identification has been saved in /home/kurs/.ssh/id_ed25519
+Your public key has been saved in /home/kurs/.ssh/id_ed25519.pub
+The key fingerprint is:
+SHA256:V4vv6YvnJ2/YLexZ0ryBywOdgV+KsHkeojYfCggTqAY Testkey
+
+
+kurs@tn011-purple:~$ sudo lxc-ls -f | grep rocky
+tn011-rocky9   RUNNING 1         ansible 192.168.1.199 -    false        
+
+
+kurs@tn011-purple:~$ ssh-copy-id -i ~/.ssh/id_ed25519 root@192.168.1.199
+/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/kurs/.ssh/id_ed25519.pub"
+The authenticity of host '192.168.1.199 (192.168.1.199)' can't be established.
+ECDSA key fingerprint is SHA256:YY/m1KchoPhpiRXw8DK5rdsnPZEL6vyRBpYUSWRkVcA.
+Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
+/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
+/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
+root@192.168.1.199's password: 
+
+Number of key(s) added: 1
+
+Now try logging into the machine, with:   "ssh 'root@192.168.1.199'"
+and check to make sure that only the key(s) you wanted were added.
+
+
+kurs@tn011-purple:~$ ssh root@192.168.1.199
+Enter passphrase for key '/home/kurs/.ssh/id_ed25519': 
+[root@tn011-rocky9 ~]# cat .ssh/authorized_keys 
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOHv4f9x3eTnxpIsPE2q7ZFnhd8kzSAXbL5blc+rpLcV Sven Velt, 2015-06-05
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO6AKGshfnp+28Sb3SHLWfdT1DThgvADAbQ3Oq0TCAOm Sven Velt, Ansible-Kurs, 2017-11-26
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICVzRNqSc6cvRabMNWw7xUozbsCbGvkJckUPfbeX75as Testkey
+[root@tn011-rocky9 ~]# exit
+
+
+kurs@tn011-purple:~$ ssh-add -l
+Could not open a connection to your authentication agent.
+
+
+kurs@tn011-purple:~$ ssh-agent -t 86400 | tee ~/.ssh-agent.sh
+SSH_AUTH_SOCK=/tmp/ssh-Ccpc8jmJ5ERt/agent.3170813; export SSH_AUTH_SOCK;
+SSH_AGENT_PID=3170815; export SSH_AGENT_PID;
+echo Agent pid 3170815;
+
+
+kurs@tn011-purple:~$ source ~/.ssh-agent.sh
+Agent pid 3170815
+
+
+kurs@tn011-purple:~$ ssh-add -l
+The agent has no identities.
+
+
+kurs@tn011-purple:~$ ssh-add ~/.ssh/id_ed25519
+Enter passphrase for /home/kurs/.ssh/id_ed25519: 
+Identity added: /home/kurs/.ssh/id_ed25519 (kurs@tn011-purple)
+
+
+kurs@tn011-purple:~$ ssh-add -l
+256 SHA256:V4vv6YvnJ2/YLexZ0ryBywOdgV+KsHkeojYfCggTqAY Testkey (ED25519)
+
+
+kurs@tn011-purple:~$ ssh root@192.168.1.199
+Last login: Tue Mar 14 09:53:17 2023 from 192.168.1.1
+[root@tn011-rocky9 ~]#
+
+

03/ssh-key_per_ansible.txt

@@ -0,0 +1,30 @@
+% ansible all -i 192.168.1.117, -u service -k -m authorized_key -a "user=service key=\"$(cat ~/.ssh/id_ed25519.pub)\""
+#         ^^^ ^^^^^^^^^^^^^^^^^ ^^^^^^^^^^ ^^
+#         |   |                 |          |
+#         |   |                 |          Frage nach SSH-Passwort, "sshpass" muss installiert sein,
+#         |   |                 |          Hostkey muss bereits gespeichert/akzeptiert sein
+#         |   |                 |
+#         |   |                 SSH-Login als User "service"
+#         |   |
+#         |   "Host-List", Komma-Liste der IP-Adressen - bei einer IP mit abschließendem Komma!
+#         |
+#         Alle bekannten Rechner
+
+
+% ansible all -i 192.168.1.117, -u service -k -b -K -m authorized_key -a "user=service key=\"$(cat ~/.ssh/id_ed25519.pub)\""
+#                                             ^^ ^^
+#                                             |  |
+#                                             |  Frage nach "Become"-Passwort, hier "sudo" (default)
+#                                             |
+#                                             Benutze "Become"
+
+
+% ansible all -i 192.168.1.117, -u service -k -b --become-method=su -K -m authorized_key -a "user=service key=\"$(cat ~/.ssh/id_ed25519.pub)\""
+#                                             ^^ ^^^^^^^^^^^^^^^^^^ ^^
+#                                             |  |                  |
+#                                             |  |                  Frage nach "Become"-Passwort, hier "su"
+#                                             |  |
+#                                             |  Nutze "su" für erweiterte Rechte/"Become"
+#                                             |
+#                                             Benutze "Become"
+

README.md

@@ -53,4 +53,86 @@ lrwxrwxrwx 1 root root 18 Aug 17 21:58 /etc/alternatives/vim -> /usr/bin/vim.bas
 
 
 
+## SSH-Agent
+
+### SSH-Agent in einer Sitzung starten
+
+```
+kurs@tn00-purple:~# eval $(ssh-agent)
+Agent pid 2720104
+```
+
+### SSH-Key am Agent registrieren
+```
+kurs@tn00-purple:~# ssh-add
+Enter passphrase for /home/svelt/.ssh/id_ed25519:
+```
+
+### Ein SSH-Agent in mehreren SSH-Verbindungen
+
+1. SSH-Agent starten
+```
+kurs@tn00-purple:~# eval $(ssh-agent | tee ~/.ssh-agent.sh)
+SSH_AUTH_SOCK=/tmp/ssh-r4RVMmRg9KAR/agent.2720217; export SSH_AUTH_SOCK;
+SSH_AGENT_PID=2720218; export SSH_AGENT_PID;
+echo Agent pid 2720218;
+Agent pid 2720218;
+```
+2. In **jeder weiteren** SSH-Verbindung auf die VM (per copy&paste):
+  - Kann für weitere Verbindungen auch später gemacht werden
+```
+kurs@tn00-purple:~# source ~/.ssh-agent.sh
+Agent pid 2720218;
+```
+3. Verbindung zum SSH-Agent mit `ssh-add -l` testen
+  - "Could not connect to agent" -> Agent läuft nicht und/oder Variablen nicht gesetzt
+  - "This agent has no identities" -> Verbindung zum Agent geht, Agent hat aber keine Keys
+  - Key -> Verbindung zum Agent geht, Key(s) registriert und verfügbar (4. überflüssig)
+4. SSH-Key registrieren
+  - nur einmal nötig
+  - Variablen via Script aus 2. Schritt müssen gesetzt sein
+```
+kurs@tn00-purple:~# ssh-add
+```
+Damit könnt Ihr dann den einen Agent in allen SSH-Verbindungen zur VM nutzen.
+
+### Alternative: Keychain
+
+Voraussetzung: SSH-Key existiert, liegt unter (beliebigem) Namen unter `~/.ssh/`
+
+1. Keychain installieren
+```
+kurs@tn00-purple:~$ apt install keychain
+```
+2. Von Hand testen
+```
+kurs@tn00-purple:~$ keychain ~/.ssh/id_ed25519
+
+ * keychain 2.8.5 ~ http://www.funtoo.org
+ * Starting ssh-agent...
+ * Adding 1 ssh key(s): /home/kurs/.ssh/id_ed25519
+Enter passphrase for /home/kurs/.ssh/id_ed25519: 
+ * ssh-add: Identities added: /home/kurs/.ssh/id_ed25519
+
+kurs@tn00-purple:~$ ssh-add -l
+Could not open a connection to your authentication agent.
+
+kurs@tn00-purple:~$ cat ~/.keychain/${HOSTNAME}-sh
+SSH_AUTH_SOCK=/tmp/ssh-pZf3VyTB4hs3/agent.1612572; export SSH_AUTH_SOCK;
+SSH_AGENT_PID=1612575; export SSH_AGENT_PID;
+
+kurs@tn00-purple:~$ . ~/.keychain/${HOSTNAME}-sh
+kurs@tn00-purple:~$ ssh-add -l
+256 SHA256:9+6FWilZKB46vt/n8HX3eVggjmdt40vXclBPkggaHvM kurs@tn00-purple (ED25519)
+```
+3. In Shell automatisch starten
+```
+cat <<EOF >>.bashrc
+keychain ~/.ssh/id_ed25519
+. ~/.keychain/${HOSTNAME}-sh
+EOF
+```
+
+
+