RSA keys

August 2, 2013

http://blog.firedaemon.com/2011/07/27/passwordless-root-ssh-public-key-authentication-on-centos-6/

How do I log in with RSA keys?

Login using RSA keys <br>

1. Configure ssh so that user websync can log in from acme150 to acme180 with a key instead of a password.
2. On acme150, user websync generates a key pair.
<pre>
[websync@acme150 ~]$ ssh-keygen -t rsa

[websync@acme150 ~]$ vim .ssh/id_rsa.pub
——————————————————————————-
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxVFVUvxh/Ns2bc239f+yw9ZslRwmVMEJRl4EFikYj+RYL
6ARmZYPH8fHF0OkNVW5f9ScT0zb1Brd0J2FxELlzEnd7Nesv/1ANMlta1KotXxrqxT3AodZxEJmHPEyOe
OPR9wfPGDBaBDxmp1iQ92e852z6vtr2b6HAIkmhEPjkO7ase8p2dSbGblANp6HHTvRhMKLxH17w3p30nJ <-- RSA public key of websync (acme150)
tdjPMTtzAOxqLIcUjNmSgKEd93l34zv9SKV7GatrRIrEtj8k4VBv30RxRTA8FmWyF5o6VzBEW/5N+VRJu
ox0RaaOkOW1LH7dVGaDuVmnc/b/DgOBZqGVlVvH4jxW1zciTpOyroQ== websync@acme150
——————————————————————————-
</pre>
3. Copy the public key to acme180. <br>
3.1 If password login is still enabled, ssh-copy-id does it for you. Before answering yes to the host-key prompt, compare the fingerprint with the one acme180 reports locally (ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub); otherwise the first connection trusts whatever answered on that address.
<pre>
[websync@acme150 ~]$ ssh-copy-id -i .ssh/id_rsa.pub websync@acme180 <-- copy the key to acme180
The authenticity of host 'acme180 (192.168.232.180)' can't be established.
RSA key fingerprint is 46:ca:41:54:5b:93:94:2c:b5:78:44:12:e0:4b:ac:71.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'acme180,192.168.232.180' (RSA) to the list of known hosts.
websync@acme180's password:
Now try logging into the machine, with "ssh 'websync@acme180'", and check in:

.ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

[websync@acme150 ~]$ ssh websync@acme180 <-- test; it should log in without asking for a password
</pre>
3.2 Or paste the key by hand into /home/websync/.ssh/authorized_keys on acme180. sshd runs with StrictModes on by default and silently ignores the file if ~/.ssh or authorized_keys is writable by group or others, so the permissions are part of the procedure, not decoration:
<pre>
[websync@acme180 ~]$ mkdir .ssh

[websync@acme180 ~]$ chmod 700 .ssh/ <-- permissions 700

[websync@acme180 ~]$ vim .ssh/authorized_keys <-- we are on acme180
——————————————————————————-
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA4FWiKlH5r5KE8DoiBmgbn4Yo+EzC7An+5qN7BeyQZqVdY
2CUzuMvMO8zVhXawaHON0DacilNy1TcRZrAvcj/d5v5efYQrT/vN8RVLCUihOpUX+igbk2myC6OPO/ka9
/9NgoDiCpV/1XQQSEPtZI9v39kbbsrDlaO1AoAhlKHsvM= websync@acme180.com <-- RSA public key of websync (acme180), already present; not needed for this login
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxVFVUvxh/Ns2bc239f+yw9ZslRwmVMEJRl4EFikYj+RYL
6ARmZYPH8fHF0OkNVW5f9ScT0zb1Brd0J2FxELlzEnd7Nesv/1ANMlta1KotXxrqxT3AodZxEJmHPEyOe
OPR9wfPGDBaBDxmp1iQ92e852z6vtr2b6HAIkmhEPjkO7ase8p2dSbGblANp6HHTvRhMKLxH17w3p30nJ
tdjPMTtzAOxqLIcUjNmSgKEd93l34zv9SKV7GatrRIrEtj8k4VBv30RxRTA8FmWyF5o6VzBEW/5N+VRJu <-- RSA public key of websync (acme150), pasted from step 2
ox0RaaOkOW1LH7dVGaDuVmnc/b/DgOBZqGVlVvH4jxW1zciTpOyroQ== websync@acme150
——————————————————————————-

[websync@acme180 ~]$ chmod 600 .ssh/authorized_keys <-- permissions 600
</pre>
4. As root on acme180, check the sshd_config settings. Keep the session from step 3 open while doing this: once PasswordAuthentication is off, a key that does not work means a lockout.
<pre>
[root@acme180 ~]# vim /etc/ssh/sshd_config
——————————————————————————-
Uncomment (optional; these three are already the defaults)
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

#PasswordAuthentication yes
PasswordAuthentication no
——————————————————————————-
</pre>
RSAAuthentication only applies to SSH protocol 1; key login over protocol 2, which is what is used here, is governed by PubkeyAuthentication. Run sshd -t after editing to catch a syntax error before the restart.
5. Restart the service
<pre>
[root@acme180 ~]# /etc/init.d/sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
</pre>

6. Test <br>
6.1. Log in from acme150 to acme180
<pre>
[websync@acme150 ~]$ ssh websync@acme180
The authenticity of host 'acme180 (192.168.232.180)' can't be established.
RSA key fingerprint is 46:ca:41:54:5b:93:94:2c:b5:78:44:12:e0:4b:ac:71.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'acme180,192.168.232.180' (RSA) to the list of known hosts.
[websync@acme180 ~]$ <-- connected
</pre>
With this we can connect from acme150 to acme180, but not the other way round. For the reverse direction, repeat the procedure: generate a key on acme180 and add it to acme150.<br>
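The whole procedure above (steps 2 to 6), as an added shell example that is not part of the original post: a function that installs a public key into a target account's authorized_keys the way ssh-copy-id does, but re-runnably and with the permissions sshd's StrictModes requires; a reader for sshd_config that returns the value sshd will actually use (first uncommented match wins, which is why the post comments out the old PasswordAuthentication line instead of adding a new one below it); and a readiness check that ties the two together so it can be run while a password session is still open. The home directory, the config path and the key lines are assumptions: run it against a scratch directory, as the demo at the bottom does, rather than a live account.

```shell
#!/bin/sh
# Added example (not from the original post). Users and hosts (websync, acme150,
# acme180) are the post's; every path below is a parameter so the functions can
# be exercised on a scratch directory. Sample key lines are constructed, not
# real keys.

# install_authorized_key <home_dir> <pubkey_line>
# Server side of ssh-copy-id, but idempotent: the key is appended only if its
# type+base64 is not already present (option prefixes such as from="..." are
# not handled). ~/.ssh is 0700 and authorized_keys 0600, which is what sshd's
# StrictModes (on by default) demands before it will read the file at all.
install_authorized_key() {
    sshdir="$1/.ssh"
    akf="$sshdir/authorized_keys"
    mkdir -p "$sshdir" || return 1
    chmod 700 "$sshdir" || return 1
    [ -f "$akf" ] || : > "$akf"
    chmod 600 "$akf" || return 1
    keyid=$(printf '%s\n' "$2" | awk '{ print $1 " " $2 }')
    if awk -v k="$keyid" '($1 " " $2) == k { found = 1 } END { exit !found }' "$akf"; then
        return 0   # already installed; no "extra keys you weren't expecting"
    fi
    printf '%s\n' "$2" >> "$akf"
}

# count_authorized_keys <home_dir>: number of key lines in authorized_keys
# (0 when the file is missing), so a caller can confirm exactly what was added.
count_authorized_keys() {
    akf="$1/.ssh/authorized_keys"
    [ -f "$akf" ] || { echo 0; return 0; }
    awk '/^(ssh-|ecdsa-)/ { n++ } END { print n + 0 }' "$akf"
}

# sshd_config_value <sshd_config> <Keyword> <default>
# Prints the value sshd will use: keywords are case-insensitive and the FIRST
# uncommented occurrence wins, so a "PasswordAuthentication no" added below a
# live "PasswordAuthentication yes" changes nothing. Match blocks and the
# Keyword=value spelling are not handled.
sshd_config_value() {
    k=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    v=$(awk -v k="$k" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == k { print $2; exit }
    ' "$1")
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# key_login_ready <home_dir> <sshd_config>
# Returns 0 when the account is reachable with a key under this config:
# PubkeyAuthentication is not "no", authorized_keys is mode 0600 and holds at
# least one key. Run it BEFORE setting PasswordAuthentication no, while a
# password session is still open, so a mistake cannot lock you out.
key_login_ready() {
    akf="$1/.ssh/authorized_keys"
    [ "$(sshd_config_value "$2" PubkeyAuthentication yes)" != "no" ] || return 1
    [ "$(ls -l "$akf" 2>/dev/null | cut -c2-10)" = "rw-------" ] || return 1
    [ "$(count_authorized_keys "$1")" -ge 1 ] || return 1
    return 0
}

# Demo on a throwaway directory standing in for /home/websync on acme180.
demo=$(mktemp -d)
websync_key='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructed websync@acme150'
install_authorized_key "$demo" "$websync_key"
install_authorized_key "$demo" "$websync_key"   # second run is a no-op
printf 'PubkeyAuthentication yes\n#PasswordAuthentication yes\nPasswordAuthentication no\n' > "$demo/sshd_config"
echo "keys installed: $(count_authorized_keys "$demo")"   # 1
echo "PasswordAuthentication: $(sshd_config_value "$demo/sshd_config" PasswordAuthentication yes)"   # no
key_login_ready "$demo" "$demo/sshd_config" && echo "key login ready"
rm -rf "$demo"
```

The permission check uses columns 2 to 10 of ls -l rather than stat so it behaves the same on the CentOS 6 box and elsewhere; the trailing "." that SELinux adds (visible in the post's own ls -l output) sits in column 11 and does not interfere.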

How do I generate an Amazon-style aws.pem key?

==Scenario==
* PC: Orbis
** User: jhon

* Server: acme150
** User: root
** User: websync

* Server: acme180
** User: root
** User: websync
<br>

Case 1: PC Orbis holds an RSA key used to connect to the servers as root<br>
How do I make an aws.pem like Amazon's? The .pem is nothing more than the PEM-encoded private key, so a copy of id_rsa is enough here. (OpenSSH 7.8 and later write their own key format by default; on those versions generate the key with ssh-keygen -m PEM to get the same kind of file.)
<pre>
[jhon@localhost ~]$ ssh-keygen -t rsa <-- generate jhon's RSA key pair
Generating public/private rsa key pair.
Enter file in which to save the key (/home/jhon/.ssh/id_rsa):
Enter passphrase (empty for no passphrase): <-- no passphrase, so it never prompts; anyone who gets the file can use it
Enter same passphrase again:
Your identification has been saved in /home/jhon/.ssh/id_rsa.
Your public key has been saved in /home/jhon/.ssh/id_rsa.pub.
The key fingerprint is:
38:d8:a9:05:18:c1:8f:d5:b8:94:d1:62:76:b8:fc:33 jhon@localhost.localdomain
The key's randomart image is:
+--[ RSA 2048]----+
| .o..B |
| .oX + |
| .O.= |
| . =+ o |
| ..* S |
| oE. |
| . o |
| |
| |
+-----------------+
[jhon@localhost ~]$ ssh-copy-id -i .ssh/id_rsa.pub root@acme150 <-- copy our public key to acme150 (can also be done by hand)
The authenticity of host 'acme150 (192.168.232.150)' can't be established.
RSA key fingerprint is 3a:78:78:63:1a:6d:35:cd:a3:c5:b0:cb:a2:3b:43:cb.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'acme150' (RSA) to the list of known hosts.
root@acme150's password:
Now try logging into the machine, with "ssh 'root@acme150'", and check in:

.ssh/authorized_keys <-- where the key is appended

to make sure we haven't added extra keys that you weren't expecting.

[jhon@localhost ~]$ ssh root@acme150 <-- test the connection
Last login: Thu Aug 1 19:43:19 2013 from 192.168.232.140

[root@acme150 ~]# vim /etc/ssh/sshd_config <-- configure sshd so root can only log in with a key and passwords are refused

PermitRootLogin without-password <-- root only with a key (spelled prohibit-password on OpenSSH 7.0 and later; without-password is kept as an alias)

PasswordAuthentication no

[root@acme150 ~]# /etc/init.d/sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]

[root@acme150 ~]# logout
Connection to acme150 closed.

[jhon@localhost ~]$ ssh-copy-id -i .ssh/id_rsa.pub root@acme180 <-- copy the key to acme180
The authenticity of host 'acme180 (192.168.232.180)' can't be established.
RSA key fingerprint is 46:ca:41:54:5b:93:94:2c:b5:78:44:12:e0:4b:ac:71.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'acme180,192.168.232.180' (RSA) to the list of known hosts.
root@acme180's password:
Now try logging into the machine, with "ssh 'root@acme180'", and check in:

.ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

[jhon@localhost ~]$ ssh root@acme180 <-- test
Last login: Thu Aug 1 03:25:03 2013 from www.acme150.com

[root@acme180 ~]# vim /etc/ssh/sshd_config <-- same change as on acme150: key-only root, no passwords

PermitRootLogin without-password

PasswordAuthentication no

[root@acme180 ~]# /etc/init.d/sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]

[root@acme180 ~]# logout
Connection to acme180 closed.

[jhon@localhost ~]$ cp .ssh/id_rsa aws.pem <-- copy our private key and call it aws.pem (it is already a PEM file; nothing to convert)

[jhon@localhost ~]$ ls
aws.pem Descargas Documentos Escritorio Imágenes llaves Música Plantillas Público Vídeos

[jhon@localhost ~]$ ssh -i aws.pem root@acme180 <-- we can connect like this, and so can any other user who gets the file
Last login: Thu Aug 1 03:32:40 2013 from 192.168.232.140

[root@acme180 ~]#

EXAMPLE:
1. Juanito has our private key

[juanito@orbis ~]$ ls
aws.pem <-- here is the key

[juanito@orbis ~]$ ssh -i aws.pem root@acme150 <-- he tries to use it
Enter passphrase for key 'aws.pem': <-- why is it asking for a passphrase?
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

/* ssh could not read the file at all: it is owned by root with mode 600, and this OpenSSH version prompts for a passphrase whenever loading the key fails, whatever the cause. To be usable, the key must be readable by the user running ssh, and if that user owns it, it must not be readable by group or others (mode 600), or ssh rejects it as an unprotected private key file. */
[juanito@orbis ~]$ ls -l
total 4
-rw-------. 1 root root 1675 Aug 1 15:53 aws.pem <-- mode 600, but owned by root, not juanito

[juanito@orbis ~]$ su -
Password:

[root@orbis ~]# chown juanito /home/juanito/aws.pem

[root@orbis ~]# chgrp juanito /home/juanito/aws.pem

[root@orbis ~]# logout

[juanito@orbis ~]$ ssh -i aws.pem root@acme150
Last login: Thu Aug 1 22:31:30 2013 from 192.168.232.140

[root@acme150 ~]# <-- logged in as root, using jhon@localhost's private key
</pre>

Now we must protect our keys, above all the private one: it has no passphrase, so whoever can read the file can log in as root on both servers. Keep it mode 600, owned by the user who uses it, and do not copy it around as we just did with aws.pem; if a copy has to exist, treat it as a credential and revoke the key (remove its line from authorized_keys) when the copy is no longer controlled.<br>
'''NOTE:''' on CentOS 6 key login can fail even when everything above is correct, because a ~/.ssh created by hand as root gets the wrong SELinux label. Check /var/log/secure on the server, and restore the context with:
<pre>
[root@acme180 ~]# restorecon -R -v /root/.ssh
</pre>
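The Juanito example, as an added shell example that is not the post's own code: a check that mirrors the rule the OpenSSH client applies to an identity file (a key the caller owns with any group or other bit set is refused as an unprotected private key file; a key owned by someone else is only subject to whether it can be read at all), a fix-up that applies mode 600 the way the post does by hand, and a helper that prints a host key's fingerprint so the "RSA key fingerprint is ..." prompts above can be compared against the server instead of answered yes on faith. File paths are assumptions; the demo works on a constructed scratch file, and the fingerprint helper needs ssh-keygen installed.

```shell
#!/bin/sh
# Added example (not from the original post). Paths are parameters; the demo
# uses a constructed file under mktemp, not a real private key.

# key_file_status <file>
# Prints one word and returns 0 when ssh would accept the file:
#   missing     - no such file
#   unreadable  - the caller cannot read it: the post's root-owned 0600 aws.pem
#                 looks like this to juanito. Old OpenSSH clients then fall back
#                 to a passphrase prompt, newer ones say "Load key ...:
#                 Permission denied".
#   too-open    - the caller owns it and group/others have some bit set; ssh
#                 refuses it ("UNPROTECTED PRIVATE KEY FILE!").
#   not-owner   - readable but owned by someone else; ssh does not check the
#                 mode in that case (in practice only root gets here).
#   ok          - owned by the caller, mode 600 or stricter.
key_file_status() {
    f="$1"
    [ -e "$f" ] || { echo missing; return 1; }
    [ -r "$f" ] || { echo unreadable; return 1; }
    line=$(ls -lnd "$f")                       # -n: numeric uid, compared with id -u
    owner=$(printf '%s\n' "$line" | awk '{ print $3 }')
    # columns 5-10 of ls -l are the group and other bits; an SELinux "." or
    # ACL "+" at column 11 does not get in the way.
    go=$(printf '%s\n' "$line" | cut -c5-10)
    if [ "$owner" != "$(id -u)" ]; then
        echo not-owner
        return 0
    fi
    if [ "$go" != "------" ]; then
        echo too-open
        return 1
    fi
    echo ok
}

# harden_key_file <file>
# Applies the fix the post does by hand (chmod 600). Ownership cannot be
# changed without root, so a not-owner file is reported, not chowned.
harden_key_file() {
    [ -e "$1" ] || return 1
    chmod 600 "$1" || return 1
    key_file_status "$1" >/dev/null
}

# host_key_fingerprint <pubkey_file>
# Fingerprint of a host key (e.g. /etc/ssh/ssh_host_rsa_key.pub on the server)
# to compare with the "RSA key fingerprint is ..." prompt on first connection.
# OpenSSH 6.8 and later print SHA256 by default, so the md5 colon form shown
# in the post is requested first; older ssh-keygen lacks -E and prints md5 anyway.
host_key_fingerprint() {
    command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not installed" >&2; return 2; }
    ssh-keygen -E md5 -lf "$1" 2>/dev/null || ssh-keygen -lf "$1"
}

# Demo: a copy of "aws.pem" left 0644, as happens when the key is pasted into
# a new file with an editor.
demo=$(mktemp -d)
printf -- '-----BEGIN RSA PRIVATE KEY-----\nconstructed, not a real key\n-----END RSA PRIVATE KEY-----\n' > "$demo/aws.pem"
chmod 644 "$demo/aws.pem"
echo "before: $(key_file_status "$demo/aws.pem")"   # too-open
harden_key_file "$demo/aws.pem"
echo "after:  $(key_file_status "$demo/aws.pem")"   # ok
rm -rf "$demo"
```

Note what the check does not do: it cannot tell whether a second copy of the key exists somewhere else, which is the actual problem in the Juanito example. Once a private key has been handed to another account, the only reliable fix is to remove its public half from every authorized_keys that lists it.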

CentOS 6 + Chromium

August 1, 2013

Follow these instructions:

http://www.if-not-true-then-false.com/2013/install-chromium-on-centos-red-hat-rhel/

Google Chrome will not start as root, only as a regular user.

If Chromium does not start, the cause is the libX11 library; fix it with:

yum -y install libX11

Hello world!

February 7, 2009

Welcome to WordPress.com. This is your first post. Edit or delete it and start blogging!

