|
| 1 | +# SSH key-based auth |
| 2 | + |
| 3 | +Instruments run an SSH server, which can be used to execute commands remotely. |
| 4 | + |
| 5 | +It is possible to access this SSH server using key-based authentication. Keys are associated with |
| 6 | +an individual, but are used to grant access to the instrument accounts. This means that keys |
| 7 | +for individuals no longer on the team can be easily revoked. |
| 8 | + |
| 9 | +## Key-pair generation |
| 10 | + |
| 11 | +:::{note} |
| 12 | +If you already have a suitable SSH key, which is encrypted using a passphrase, you may |
| 13 | +skip this step. |
| 14 | +::: |
| 15 | + |
| 16 | +Generate a key-pair using a strong algorithm, for example `ed25519`: |
| 17 | +``` |
| 18 | +ssh-keygen -t ed25519 |
| 19 | +``` |
| 20 | +**You must encrypt this key with a strong password when prompted.** |
| 21 | +Don't use an empty passphrase for these keys. This is not a shared |
| 22 | +password, it is a password for your personal key-pair; store it in your password |
| 23 | +manager. This will generate two files: `~\.ssh\id_ed25519` and `~\.ssh\id_ed25519.pub`. The file |
| 24 | +ending in `.pub` is a public key, the one without the `.pub` extension is a private key. It |
| 25 | +would be sensible to store copies of these two files in your password manager too. |
| 26 | + |
| 27 | +:::{warning} |
| 28 | +For the avoidance of doubt, the **public** key (`*.pub`) can be freely shared with everyone (for |
| 29 | +example, by being copied onto instruments). Do not share your **private** key. The private key |
| 30 | +is additionally encrypted using your selected password. |
| 31 | +::: |
| 32 | + |
| 33 | +## Setting up SSH agent |
| 34 | + |
| 35 | +In a powershell window, run the following commands: |
| 36 | +```powershell |
| 37 | +Get-Service ssh-agent | Set-Service -StartupType Automatic |
| 38 | +Start-Service ssh-agent |
| 39 | +``` |
| 40 | + |
| 41 | +## Deploying the public key |
| 42 | + |
| 43 | +- Add your public key to the [keys repository](https://github.com/ISISComputingGroup/keys). |
| 44 | +- Ask a developer whose key is *already* deployed to run the [`deploy_keys.py` script](https://github.com/ISISComputingGroup/keys/blob/main/deploy_keys.py), which will |
| 45 | +update the `authorized_keys` files on each instrument. |
| 46 | + |
| 47 | +If the permissions on `administrators_authorized_keys` are wrong, that file won't work. The |
| 48 | +permissions can be fixed by running: |
| 49 | + |
| 50 | +``` |
| 51 | +icacls.exe "c:\ProgramData\ssh\administrators_authorized_keys" /inheritance:r /grant "Administrators:F" /grant "SYSTEM:F" |
| 52 | +``` |
| 53 | + |
| 54 | +## One-off usage |
| 55 | + |
| 56 | +To connect via SSH to an instrument, use: |
| 57 | + |
| 58 | +``` |
| 59 | +ssh spudulike@NDXINST |
| 60 | +``` |
| 61 | + |
| 62 | +This will prompt you on each connection for the passphrase to unlock your SSH key, this is the |
| 63 | +password you set earlier for your personal SSH key. You will not be prompted for an |
| 64 | +account password; your key is sufficient to grant you access. |
| 65 | + |
| 66 | +## Bulk usage |
| 67 | + |
| 68 | +:::{caution} |
| 69 | +If you intend to run a command across many instruments, it is worth getting that command |
| 70 | +reviewed by another developer and running it together. This is **especially** true if you intend to |
| 71 | +run a command as a privileged user. |
| 72 | +::: |
| 73 | + |
| 74 | +Typing the password to unlock your SSH key for each instrument would be tedious. |
| 75 | +To avoid this, we can **temporarily** add the key to the SSH agent: |
| 76 | + |
| 77 | +``` |
| 78 | +ssh-add |
| 79 | +``` |
| 80 | +This will prompt for the passphrase to unlock your SSH key. You can check that your key is now in |
| 81 | +the SSH agent by running: |
| 82 | + |
| 83 | +``` |
| 84 | +ssh-add -l |
| 85 | +``` |
| 86 | + |
| 87 | +Once the key has been added to the agent, you can SSH to an instrument without any further prompts: |
| 88 | + |
| 89 | +``` |
| 90 | +ssh spudulike@NDXINST |
| 91 | +``` |
| 92 | + |
| 93 | +Commands can be executed like: |
| 94 | + |
| 95 | +``` |
| 96 | +ssh spudulike@NDXINST "dir /?" |
| 97 | +``` |
| 98 | + |
| 99 | +Since we no longer have any authentication prompts (having added our key to the SSH-agent), |
| 100 | +this command is suitable for automating in a loop over instruments - for example from python |
| 101 | +or a `.bat` script. |
| 102 | + |
| 103 | +Once you have finished with the administration task which needed SSH across multiple instruments, you |
| 104 | +should remove your key from the agent (and then verify that it has been removed): |
| 105 | + |
| 106 | +``` |
| 107 | +ssh-add -D |
| 108 | +ssh-add -l |
| 109 | +``` |
| 110 | + |
| 111 | +:::{important} |
| 112 | +Do not leave these keys permanently added to the SSH agent - having *immediate* SSH access to *every* |
| 113 | +instrument is an unnecessary risk most of the time (for example if your developer machine was compromised). |
| 114 | +Add the keys to the SSH agent only when needed, and remove them from the agent again when your administration |
| 115 | +task is complete. The usual sudo lecture applies: |
| 116 | +> We trust you have received the usual lecture from the local System |
| 117 | +> Administrator. It usually boils down to these three things: |
| 118 | +> 1) Respect the privacy of others. |
| 119 | +> 2) Think before you type. |
| 120 | +> 3) With great power comes great responsibility. |
| 121 | +::: |
0 commit comments