RSA keys

August 2, 2013

http://blog.firedaemon.com/2011/07/27/passwordless-root-ssh-public-key-authentication-on-centos-6/

How to log in with RSA keys?

Login using RSA keys

1. Configure ssh so that the user websync can log in from acme150 to acme180 with a key.
2. On acme150, the user websync generates the key pair.
<pre>
[websync@acme150 ~]$ ssh-keygen -t rsa

[websync@acme150 ~]$ vim .ssh/id_rsa.pub
——————————————————————————-
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxVFVUvxh/Ns2bc239f+yw9ZslRwmVMEJRl4EFikYj+RYL
6ARmZYPH8fHF0OkNVW5f9ScT0zb1Brd0J2FxELlzEnd7Nesv/1ANMlta1KotXxrqxT3AodZxEJmHPEyOe
OPR9wfPGDBaBDxmp1iQ92e852z6vtr2b6HAIkmhEPjkO7ase8p2dSbGblANp6HHTvRhMKLxH17w3p30nJ <-- RSA public key of websync (acme150)
tdjPMTtzAOxqLIcUjNmSgKEd93l34zv9SKV7GatrRIrEtj8k4VBv30RxRTA8FmWyF5o6VzBEW/5N+VRJu
ox0RaaOkOW1LH7dVGaDuVmnc/b/DgOBZqGVlVvH4jxW1zciTpOyroQ== websync@acme150
——————————————————————————-
</pre>
3. The public key must be copied to acme180. (In id_rsa.pub it is a single line; the wrapping above is the blog's.)
3.1 If password login is still enabled, ssh-copy-id does it in one step. When asked about the host key, compare the fingerprint with the output of ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub run on acme180 before answering yes:
<pre>
[websync@acme150 ~]$ ssh-copy-id -i .ssh/id_rsa.pub websync@acme180 <-- copy the key to acme180
The authenticity of host 'acme180 (192.168.232.180)' can't be established.
RSA key fingerprint is 46:ca:41:54:5b:93:94:2c:b5:78:44:12:e0:4b:ac:71.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'acme180,192.168.232.180' (RSA) to the list of known hosts.
websync@acme180's password:
Now try logging into the machine, with "ssh 'websync@acme180'", and check in:

.ssh/authorized_keys

to make sure we haven’t added extra keys that you weren’t expecting.

[websync@acme150 ~]$ ssh websync@acme180 <-- test: it should log in without asking for a password
</pre>
3.2 Or paste the key by hand into /home/websync/.ssh/authorized_keys on acme180. sshd (StrictModes, the default) ignores the file if it, ~/.ssh or the home directory is writable by group or others, hence the permissions below.
<pre>
[websync@www ~]$ mkdir .ssh

[websync@www ~]$ chmod -R 700 .ssh/ <-- permissions 700

[websync@acme180 ~]$ vim .ssh/authorized_keys <-- we are on acme180
——————————————————————————-
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA4FWiKlH5r5KE8DoiBmgbn4Yo+EzC7An+5qN7BeyQZqVdY
2CUzuMvMO8zVhXawaHON0DacilNy1TcRZrAvcj/d5v5efYQrT/vN8RVLCUihOpUX+igbk2myC6OPO/ka9
/9NgoDiCpV/1XQQSEPtZI9v39kbbsrDlaO1AoAhlKHsvM= websync@acme180.com <-- RSA public key of websync (acme180)
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxVFVUvxh/Ns2bc239f+yw9ZslRwmVMEJRl4EFikYj+RYL
6ARmZYPH8fHF0OkNVW5f9ScT0zb1Brd0J2FxELlzEnd7Nesv/1ANMlta1KotXxrqxT3AodZxEJmHPEyOe
OPR9wfPGDBaBDxmp1iQ92e852z6vtr2b6HAIkmhEPjkO7ase8p2dSbGblANp6HHTvRhMKLxH17w3p30nJ
tdjPMTtzAOxqLIcUjNmSgKEd93l34zv9SKV7GatrRIrEtj8k4VBv30RxRTA8FmWyF5o6VzBEW/5N+VRJu <-- RSA public key of websync (acme150)
ox0RaaOkOW1LH7dVGaDuVmnc/b/DgOBZqGVlVvH4jxW1zciTpOyroQ== websync@acme150
——————————————————————————-

[websync@www ~]$ chmod -R 600 .ssh/authorized_keys <-- permissions 600
</pre>
4. As root, check the sshd_config on acme180.
<pre>
[root@acme180 ~]# vim /etc/ssh/sshd_config
——————————————————————————-
Uncomment (optional)
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

#PasswordAuthentication yes
PasswordAuthentication no
——————————————————————————-
</pre>
Notes: RSAAuthentication only applies to SSH protocol 1 (newer OpenSSH releases ignore it as deprecated); PubkeyAuthentication is the setting that matters. On CentOS 6 sshd runs with UsePAM, so also set ChallengeResponseAuthentication no, otherwise the keyboard-interactive method can still take a password. Keep your current session open and confirm the key login works from a second session before restarting, since a mistake here locks you out.
5. Restart the service.
<pre>
[root@acme180 ~]# /etc/init.d/sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
</pre>

6. Test
6.1. Log in from host acme150 to acme180
<pre>
[websync@acme150 ~]$ ssh websync@acme180
The authenticity of host 'acme180 (192.168.232.180)' can't be established.
RSA key fingerprint is 46:ca:41:54:5b:93:94:2c:b5:78:44:12:e0:4b:ac:71.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'acme180,192.168.232.180' (RSA) to the list of known hosts.
[websync@acme180 ~]$ <-- connected
</pre>
With this we can connect from acme150 to acme180, but not the other way round. To allow that too, repeat the procedure in reverse: generate a key on acme180 and add it to websync's authorized_keys on acme150.
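Two things in the procedure above go wrong in practice: authorized_keys ends up with the wrong permissions or gets the same key appended on every run, and sshd_config still accepts passwords through a method other than PasswordAuthentication. The script below is an added example, not code from the original post. It installs a public key idempotently with the permissions sshd expects, optionally pinning it to a source address with an authorized_keys from= option, and audits an sshd_config for the settings discussed. The key line is the websync@acme150 key shown above joined back onto one line; the home directory, the from= address (acme150's IP from the post) and the weak/hardened config files are constructed for the demo.

```shell
#!/bin/sh
# Added example for the RSA-key login procedure above (not from the original post).
# Assumes POSIX sh with awk/grep/ls; temp paths below are constructed for the demo.

# Public key line from the post (websync@acme150), joined back onto one line.
WEBSYNC_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxVFVUvxh/Ns2bc239f+yw9ZslRwmVMEJRl4EFikYj+RYL6ARmZYPH8fHF0OkNVW5f9ScT0zb1Brd0J2FxELlzEnd7Nesv/1ANMlta1KotXxrqxT3AodZxEJmHPEyOeOPR9wfPGDBaBDxmp1iQ92e852z6vtr2b6HAIkmhEPjkO7ase8p2dSbGblANp6HHTvRhMKLxH17w3p30nJtdjPMTtzAOxqLIcUjNmSgKEd93l34zv9SKV7GatrRIrEtj8k4VBv30RxRTA8FmWyF5o6VzBEW/5N+VRJuox0RaaOkOW1LH7dVGaDuVmnc/b/DgOBZqGVlVvH4jxW1zciTpOyroQ== websync@acme150'

# install_authorized_key HOME KEYLINE [OPTIONS]
# Creates ~/.ssh (700) and authorized_keys (600) if missing and appends the key
# once; a second call is a no-op.  OPTIONS is an authorized_keys option string
# such as from="192.168.232.150" that sshd enforces for this key only.
install_authorized_key() {
    home=$1; key=$2; opts=${3:-}
    dir="$home/.ssh"; file="$dir/authorized_keys"
    mkdir -p "$dir" && chmod 700 "$dir"
    [ -f "$file" ] || : > "$file"
    chmod 600 "$file"
    # Dedupe on the base64 blob (field 2) so a changed comment or options
    # prefix does not create a second copy of the same key.
    blob=$(printf '%s\n' "$key" | awk '{print $2}')
    if ! grep -qF -- "$blob" "$file"; then
        if [ -n "$opts" ]; then printf '%s %s\n' "$opts" "$key" >> "$file"
        else printf '%s\n' "$key" >> "$file"; fi
    fi
}

# count_key FILE KEYLINE -> number of lines in FILE carrying this key's blob.
count_key() {
    blob=$(printf '%s\n' "$2" | awk '{print $2}')
    grep -cF -- "$blob" "$1" || true
}

# mode_of PATH -> symbolic mode string such as drwx------ (no GNU stat needed).
mode_of() { ls -ld "$1" | cut -c1-10; }

# sshd_opt FILE KEYWORD -> effective value.  sshd uses the FIRST uncommented
# occurrence of a keyword, so that is the one read here.  Empty output means
# "not set", i.e. the compiled-in default, which for every keyword audited
# below is the permissive one.
sshd_opt() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == k { print $2; exit }' "$1"
}

# audit_sshd_config FILE -> one finding per line; no output means it passes.
audit_sshd_config() {
    f=$1
    [ "$(sshd_opt "$f" PubkeyAuthentication)" != no ] ||
        echo "PubkeyAuthentication no: key login is disabled"
    [ "$(sshd_opt "$f" PasswordAuthentication)" = no ] ||
        echo "PasswordAuthentication not 'no': passwords still accepted"
    # With UsePAM (CentOS 6 default) keyboard-interactive can still take a password.
    [ "$(sshd_opt "$f" ChallengeResponseAuthentication)" = no ] ||
        echo "ChallengeResponseAuthentication not 'no': keyboard-interactive passwords still accepted"
    case "$(sshd_opt "$f" PermitRootLogin)" in
        no|without-password|prohibit-password) ;;
        *) echo "PermitRootLogin not restricted: root can log in with a password" ;;
    esac
    return 0
}

# --- demo on a constructed home directory and two constructed sshd_config files ---
DEMO=$(mktemp -d)
install_authorized_key "$DEMO/websync" "$WEBSYNC_KEY" 'from="192.168.232.150"'
install_authorized_key "$DEMO/websync" "$WEBSYNC_KEY"   # second run: no duplicate
printf 'PasswordAuthentication yes\nPermitRootLogin yes\n' > "$DEMO/sshd_config.weak"
printf 'PubkeyAuthentication yes\nPasswordAuthentication no\nChallengeResponseAuthentication no\nPermitRootLogin without-password\n' > "$DEMO/sshd_config.hardened"
echo "keys installed: $(count_key "$DEMO/websync/.ssh/authorized_keys" "$WEBSYNC_KEY")"
echo "weak config findings:";     audit_sshd_config "$DEMO/sshd_config.weak"
echo "hardened config findings:"; audit_sshd_config "$DEMO/sshd_config.hardened"
rm -rf "$DEMO"
```

The from= option is worth using for a sync account like websync: even if the private key leaks from acme150, sshd on acme180 only honours it from 192.168.232.150. The audit reads the first occurrence of each keyword because that is what sshd does; a hardened line added at the bottom of a file that already sets the keyword higher up changes nothing.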

How to generate Amazon-style aws.pem keys?

==Scenario==
* PC: Orbis
** User: jhon

* Server: acme150
** User: root
** User: websync

* Server: acme180
** User: root
** User: websync

Case 1: the PC Orbis holds an RSA key used to connect as root to the servers.
How to make an aws.pem like Amazon's? An aws.pem is just the PEM-encoded private key. The CentOS 6 ssh-keygen writes that format by default; newer releases write the OpenSSH format instead and need -m PEM to produce the same kind of file.
<pre>
[jhon@localhost ~]$ ssh-keygen -t rsa <-- generate jhon's RSA key
Generating public/private rsa key pair.
Enter file in which to save the key (/home/jhon/.ssh/id_rsa):
Enter passphrase (empty for no passphrase): <-- no passphrase, so it never prompts (see the note on protecting keys below)
Enter same passphrase again:
Your identification has been saved in /home/jhon/.ssh/id_rsa.
Your public key has been saved in /home/jhon/.ssh/id_rsa.pub.
The key fingerprint is:
38:d8:a9:05:18:c1:8f:d5:b8:94:d1:62:76:b8:fc:33 jhon@localhost.localdomain
The key's randomart image is:
+--[ RSA 2048]----+
| .o..B |
| .oX + |
| .O.= |
| . =+ o |
| ..* S |
| oE. |
| . o |
| |
| |
+-----------------+
[jhon@localhost ~]$ ssh-copy-id -i .ssh/id_rsa.pub root@acme150 <-- copy our public key to acme150 (can also be done by hand)
The authenticity of host 'acme150 (192.168.232.150)' can't be established.
RSA key fingerprint is 3a:78:78:63:1a:6d:35:cd:a3:c5:b0:cb:a2:3b:43:cb.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'acme150' (RSA) to the list of known hosts.
root@acme150's password:
Now try logging into the machine, with "ssh 'root@acme150'", and check in:

.ssh/authorized_keys <-- the file the key is appended to

to make sure we haven’t added extra keys that you weren’t expecting.

[jhon@localhost ~]$ ssh root@acme150 <-- test the connection
Last login: Thu Aug 1 19:43:19 2013 from 192.168.232.140

[root@acme150 ~]# vim /etc/ssh/sshd_config <-- configure sshd to refuse password logins

PermitRootLogin without-password

PasswordAuthentication no

[root@acme150 ~]# /etc/init.d/sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]

[root@acme150 ~]# logout
Connection to acme150 closed.

[jhon@localhost ~]$ ssh-copy-id -i .ssh/id_rsa.pub root@acme180 <-- copy the key to acme180
The authenticity of host 'acme180 (192.168.232.180)' can't be established.
RSA key fingerprint is 46:ca:41:54:5b:93:94:2c:b5:78:44:12:e0:4b:ac:71.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'acme180,192.168.232.180' (RSA) to the list of known hosts.
root@acme180's password:
Now try logging into the machine, with "ssh 'root@acme180'", and check in:

.ssh/authorized_keys

to make sure we haven’t added extra keys that you weren’t expecting.

[jhon@localhost ~]$ ssh root@acme180 <-- test
Last login: Thu Aug 1 03:25:03 2013 from www.acme150.com

[root@acme180 ~]# vim /etc/ssh/sshd_config <-- configure sshd to refuse password logins

PermitRootLogin without-password

PasswordAuthentication no

[root@acme180 ~]# /etc/init.d/sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]

[root@www ~]# logout
Connection to acme180 closed.

[jhon@localhost ~]$ cp .ssh/id_rsa aws.pem <-- copy our private key and call it aws.pem

[jhon@localhost ~]$ ls
aws.pem Descargas Documentos Escritorio Imágenes llaves Música Plantillas Público Vídeos

[jhon@localhost ~]$ ssh -i aws.pem root@acme180 <-- we can connect this way; so can any other user who gets hold of the file
Last login: Thu Aug 1 03:32:40 2013 from 192.168.232.140

[root@www ~]#

EXAMPLE:
1. Juanito has our private key

[juanito@orbis ~]$ ls
aws.pem <-- here is the key

[juanito@orbis ~]$ ssh -i aws.pem root@acme150 <-- try to use it
Enter passphrase for key 'aws.pem': <-- why does it ask for a passphrase?
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

/* ssh could not read the file (mode 600 but owned by root), so it treats the key as
   encrypted and asks for a passphrase. The key must be readable by the user running
   ssh: owned by them, mode 600. A key readable by group or others is rejected
   outright as an unprotected private key file. */
[juanito@orbis ~]$ ls -l
total 4
-rw-------. 1 root root 1675 Aug 1 15:53 aws.pem <-- mode 600, but not owned by juanito

[juanito@orbis ~]$ su -
Password:

[root@orbis ~]# chown juanito /home/juanito/aws.pem

[root@orbis ~]# chgrp juanito /home/juanito/aws.pem

[root@orbis ~]# logout

[juanito@orbis ~]$ ssh -i aws.pem root@acme150
Last login: Thu Aug 1 22:31:30 2013 from 192.168.232.140

[root@acme150 ~]# <—Estamos logueado, usando la llave pivada de jhon@localhost
</pre>

Now we must protect our keys, above all the private one, which gives access to any user who gets hold of it. A key generated without a passphrase, as above, is only as safe as the file: anyone who copies it has the same access as its owner. If you want a passphrase without typing it on every connection, load the key into ssh-agent.
'''NOTE:''' on CentOS 6 with SELinux enforcing, a .ssh directory or authorized_keys created by hand can carry the wrong security context, and sshd refuses to read it even though the permissions are right. Restore the labels with:
<pre>
[root@acme180 ~]# restorecon -R -v /root/.ssh
</pre>
For a normal user, run it against that user's ~/.ssh instead (e.g. /home/websync/.ssh).
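The Juanito example shows the flip side: whoever can read aws.pem is jhon as far as acme150 is concerned, and the only gate ssh applies is the file's ownership and mode. The check below is an added example, not code from the original post. It reports the three things worth verifying before relying on such a key: that nobody but the owner can read it, that the owner is the user who will run ssh, and whether it has a passphrase at all (detected from the Proc-Type: 4,ENCRYPTED header that PEM keys from the CentOS 6 ssh-keygen carry; for the newer OPENSSH format it asks ssh-keygen when available, otherwise reports unknown). The key files in the demo are constructed stand-ins holding only PEM headers, not real key material.

```shell
#!/bin/sh
# Added example for the private-key protection point above (not from the original post).
# Assumes POSIX sh with ls/grep/id; the demo key files are constructed stand-ins
# holding only PEM headers, not real key material.

# key_is_encrypted FILE -> 0 if passphrase-protected, 1 if not, 2 if undeterminable.
key_is_encrypted() {
    # PEM keys (CentOS 6 ssh-keygen default, and what an aws.pem is) say so in a header.
    if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then return 0; fi
    if grep -q 'BEGIN OPENSSH PRIVATE KEY' "$1"; then
        # New-format keys: only ssh-keygen can tell; -P '' fails on an encrypted key.
        command -v ssh-keygen >/dev/null 2>&1 || return 2
        if ssh-keygen -y -P '' -f "$1" >/dev/null 2>&1; then return 1; else return 0; fi
    fi
    return 1
}

# check_private_key FILE [UID] -> one finding per line; silent when the key is
# usable by UID (default: the current user) and passphrase-protected.
check_private_key() {
    f=$1; want_uid=${2:-$(id -u)}
    mode=$(ls -ln "$f" | cut -c1-10)          # symbolic mode, e.g. -rw-------
    owner=$(ls -ln "$f" | awk '{print $3}')   # numeric uid; -n avoids passwd lookups
    [ "$(printf '%s' "$mode" | cut -c2-3)" = "rw" ] ||
        echo "$f: owner cannot read/write the key (mode $mode)"
    # ssh refuses a key with any group/other bit set as an unprotected key file.
    [ "$(printf '%s' "$mode" | cut -c5-10)" = "------" ] ||
        echo "$f: readable by group/others (mode $mode); ssh will refuse it as unprotected"
    # Wrong owner + mode 600 is the Juanito case: ssh cannot open the file and
    # falls back to asking for a passphrase.
    [ "$owner" = "$want_uid" ] ||
        echo "$f: owned by uid $owner, not $want_uid; ssh cannot read it and will ask for a passphrase"
    key_is_encrypted "$f" && enc=0 || enc=$?
    case $enc in
        1) echo "$f: no passphrase; anyone holding the file has the owner's access" ;;
        2) echo "$f: cannot tell whether it has a passphrase (ssh-keygen not found)" ;;
    esac
    return 0
}

# --- demo on constructed files (PEM headers only, not real keys) ---
DEMO=$(mktemp -d)
printf -- '-----BEGIN RSA PRIVATE KEY-----\nnot-a-real-key\n-----END RSA PRIVATE KEY-----\n' > "$DEMO/aws.pem"
chmod 644 "$DEMO/aws.pem"
printf -- '-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00\n\nnot-a-real-key\n-----END RSA PRIVATE KEY-----\n' > "$DEMO/good.pem"
chmod 600 "$DEMO/good.pem"
echo "findings for aws.pem (644, no passphrase):"; check_private_key "$DEMO/aws.pem"
echo "findings for good.pem (600, passphrase):";   check_private_key "$DEMO/good.pem"
rm -rf "$DEMO"
```

Run it against every key you hand out as an aws.pem; the ownership check takes an explicit uid so you can verify a file you are about to give to another account (as root gave aws.pem to juanito above) before that user hits the passphrase prompt.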

CentOS 6 + Chromium

August 1, 2013

Follow these instructions:

http://www.if-not-true-then-false.com/2013/install-chromium-on-centos-red-hat-rhel/

Google Chrome cannot be started as root, only as a normal user.

If Chromium does not start, it is a problem with the libX11 library; fix it with:

yum -y install libX11

Hello world!

February 7, 2009

Welcome to WordPress.com. This is your first post. Edit or delete it and start blogging!