Public key authentication

From Grid5000
Jump to: navigation, search
See also: SSH | Public_key_authentication | SSH And Vulnerable keys

SSH public key authentication can be used by users to access machines without typing their password. Password free logins benefit remote access and automation. Moreover public key authentication prevent brute force attacks if all password-based authentication methods are disabled.

The following tip describes the SSH keys setup to access Grid'5000 from outside and then to access the resources of the grid.

Contents

Overview

As a Grid'5000 user, you use ssh in 3 cases:

  1. To access the grid from your workstation, via the connection to a site access machine (e.g. acces.site.grid5000.fr).
  2. To acces the frontends of the sites from your point of entrance in the grid (e.g. acces.site.grid5000.fr).
  3. To acces your resources (nodes) if you either use OAR with the "allow_classic_ssh" mode or deploy systems with a ssh server. (You should actually be using oarsh in any other case, and then do not have to bother customizing your ssh configuration as it is handled internally by OAR)

SSH keys security

Basically, SSH keys can be of two kind: with OR without passephrase

Keys with passphrase

Pros
  • protected from an eventual steal by a passphrase, hence more secure
Cons
  • In order to achieve non-interactive connection (with no passephrase to enter each time), one must use a SSH-Agent and forward it from host to host

Keys without passphrase

Pros
  • don't have to bother adding the keys to the SSH-Agent and to forward it.
Cons
  • stolen keys are unprotected

Authentication to access the grid (1)

Giving advice about SSH keys used outside of Grid'5000 is mostly out of the scope of the information here. However, you will certainly be using the same SSH keys to access servers of your lab or other labs and Grid'5000 access machines. As a general matter and in particular to access Grid'5000, we strongly recommend to use SSH keys with a passphrase in those cases.

Authentication from node to node, within the grid (2&3)

  • First of all, all users must be conscious that data within Grid'5000 are unsecure. Thru the OS deployement capability, and because of NFS lack of security, Grid'5000 cannot prevent a steal of uid and the access to the data from others even if protected in term of UNIX rights (perm 600 of 700). Hence, it is advised to only grant a relative trust in the grid, and for that reason, to use dedicated SSH keys within Grid'5000, and not store your personal SSH keys used to connect outside of Grid'5000 to you servers.
  • Second of all, as using the grid often require to connect from host to host non interactively, we advise the use of passphrase less SSH keys, even if unsecure with regard to a steal. Being dedicated to Grid'5000 internal usage, the security hole is not relevant, as anyway, NFS is not secure.
  • Third of all, one may want to use the SSH Agent within Grid'5000, but as a reminder, it may be a security hole (see man ssh), and one will in some annoyed because of broken agent forwarding (OARSH and screen for instance break the SSH Agent chain).

As a consequence, we advise the use of a dedicated SSH keys within Grid'5000.

A look to a good SSH keys configuration

The authorized_keys file

Your ~/.ssh/authorized_keys should look like the following:

ssh-rsa [...rsa public key data...] jdoe@workstation, key with passphrase
ssh-dss [...dss public key data...] jdoe@workstation, another key with passphrase (optional)
ssh-rsa [...rsa public key data...] jdoe@access.orsay.grid5000.fr Grid5000 dedicated key with no passphrase (idem id_rsa.pub below)

The ~/.ssh directory

Hence your ~/.ssh directory should contain the following files:

  • authorized_keys: file decribed above
  • id_rsa: your Grid'5000 dedicated key, private part
  • id_rsa.pub: your Grid'5000 dedicated key, public part
  • config: your eventual SSH client configuration file
  • known_hosts: the database of hosts keys that is checked and eventually updated upon every SSH connection

That directory and the files contained must be owned by you, and have permissions be at most 755. The id_rsa file must be 600.

NB
  • You private keys from your workstation must absolutely not be copied here (~/.ssh/id_rsa or ~/.ssh/id_dsa stored in your home directory of your workstation).
  • That directory must be replicated on every sites.

Step by step generation of your keys

to be completed

Personal tools
Namespaces

Variants
Actions
Public Portal
Users Portal
Admin portal
Wiki special pages
Toolbox