Welcome to Austin Godber’s Tech Log

Tech Log Intro

I often take notes when trying to accomplish a particular task. In these notes I write down the steps I take and make note of particular problems with documentation or setup specific assumptions. I also often collect references for that task. I have decided that it would be convenient for me to put some of these notes on the web where others can refer to them as well.

01-17-2004 LG VX4400 Verizon Cell Phone

I have recently acquired a new cell phone. It is an LG VX4400 with Verizon Wireless as the carrier. I chose this phone primarily because I had tested the carrier and phone at my home for signal strength and usability (a major problem with my previous carrier). Another reason I chose the phone was because there was an LG VX4400 FAQ that had a lot of excellent information. A few highlights that I found really interesting:

  • bitpim - free sync software that works in Linux
  • kannel - free WAP portal software, allegedly allows you to browse the web on the phone without paying the carrier for anything except airtime.

I look forward to learning more about this phone in the next few weeks. I have one initial complaint however: the phone’s software is written in Qualcomm’s BREW language (v1.1 it seems). The development kit for this is freely available, but it appears that in order to install an application you will have to meet several criteria that may end up costing a significant amount of money (e.g. $400 Verisign certificate). This was just on a cursory inspection of the Qualcomm website so I may be wrong, perhaps there is a way for me to put an app on my own phone.

12-09-2003 Using SSH Agent

Rather than using usernames and passwords to log into a remote machine via SSH you can use public key authentication (using RSA or DSA). This could help prevent the theft of user credentials if used carefully. I haven’t quite decided what "carefully" means however. Despite my uncertainty about the best method for deploying this, we shall proceed with the example.

Step 1 - Generate Your Keypair

The first step is to generate your key pair. You have the choice of RSA1 keys for RSA used in SSH v1, and RSA or DSA keys for SSH v2. You will definitely want to stick with the SSH v2 options. I have chosen DSA:

godber@monk ~>ssh-keygen -t dsa -C "Primary Key"
Generating public/private dsa key pair.
Enter file in which to save the key (/home/godber/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/godber/.ssh/id_dsa.
Your public key has been saved in /home/godber/.ssh/id_dsa.pub.
The key fingerprint is:
fa:2f:30:ea:a5:50:ac:f3:de:e2:fc:a0:f4:fe:de:b7 Primary Key

For details on the command line options you can of course read the ssh-keygen man page. You should now have two files in your .ssh directory; by default they will be named id_dsa and id_dsa.pub. id_dsa.pub is the public key which will be copied to all of the remote hosts you want to login to. id_dsa is the private key which must be in the .ssh directory of any host you want to login from.

Step 2 - Put Public Key on Remote Machine

You must now add your id_dsa.pub key to the authorized keys list on each host you want to login to using this keypair.

godber@monk ~>cat ~/.ssh/id_dsa.pub | ssh godber@waldon 'cat - >> ~/.ssh/authorized_keys'
godber@waldon's password:

You could, of course, do this by hand by scping id_dsa.pub and then cating it. Also, some versions of SSH name the authorized_keys file authorized_keys2.

Step 3 - Adding Key to SSH Agent

This final step will load your private key into the ssh-agent, which is the program that will handle your authentication for you. The command you use for this is ssh-add, read the ssh-add manpage for details.

Using ssh-add assumes that ssh-agent is already running. In most modern Linux distributions this is already handled when you start X Windows or login using [xkg]dm. If you don't see ssh-agent running and ssh-add gives you an error, then search for other pages on ssh-agent; they can help. Assuming ssh-agent is running, all you need to do is add your key and check to see that the key is there.

godber@monk ~>ssh-add
Enter passphrase for /home/godber/.ssh/id_dsa:
Identity added: /home/godber/.ssh/id_dsa (/home/godber/.ssh/id_dsa)
godber@monk ~>ssh-add -l
1024 fa:2f:30:ea:a5:50:ac:f3:de:e2:fc:a0:f4:fe:de:b7 /home/godber/.ssh/id_dsa (DSA)

Now, you can login from this machine to all of the machines where you added your ssh key to the authorized_keys file. You won’t even have to provide a password. Of course, leaving this agent enabled could be dangerous (see the -t switch for ssh-add, which limits how long the key stays loaded).
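Step 2's one-liner appends blindly and assumes the remote ~/.ssh already exists. As an added example (not code from the original page), the following shell function installs a key the same way but also creates the directory and file with the modes sshd's StrictModes checks, and skips keys that are already listed. The key it demonstrates on is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example: install a public key the way Step 2 does, but create the
# .ssh directory and authorized_keys with the modes sshd's StrictModes
# checks (0700 / 0600) and skip keys that are already listed.

# install_pubkey <ssh-dir> <pubkey-file>
# Appends the key and returns 0 if it was new; returns 1 if the same key
# is already present (nothing written); returns 2 if the file has no key
# or the directory could not be prepared.
install_pubkey() {
    dir="$1"
    pub="$2"
    keyfile="$dir/authorized_keys"
    # A public key line is "<type> <base64> [comment]". Compare only the
    # first two fields so a different comment does not count as a new key.
    want=$(awk 'NF >= 2 { print $1, $2; exit }' "$pub")
    [ -n "$want" ] || return 2
    mkdir -p "$dir" && chmod 700 "$dir" || return 2
    touch "$keyfile" && chmod 600 "$keyfile" || return 2
    # Existing entries may carry options before the key type, so look for
    # the type/blob pair at any adjacent field position.
    if awk -v want="$want" '
        { for (i = 1; i < NF; i++) if (($i " " $(i + 1)) == want) found = 1 }
        END { exit !found }' "$keyfile"; then
        return 1
    fi
    cat "$pub" >> "$keyfile"
}

# Demonstration with a constructed (not real) key in a scratch directory.
scratch=$(mktemp -d)
printf 'ssh-dss AAAAB3NzaC1kc3MAAACBEXAMPLE= Primary Key\n' > "$scratch/id_dsa.pub"
install_pubkey "$scratch/.ssh" "$scratch/id_dsa.pub" && echo "installed"
install_pubkey "$scratch/.ssh" "$scratch/id_dsa.pub" || echo "already present, rc=$?"
rm -rf "$scratch"
```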

SSH Agent Tips

I have already shown how to list the keys in your ssh-agent with the -l switch. There are several more useful commands. You can lock your ssh-agent with a password using the -x switch and unlock with the same password with the -X switch.

godber@monk ~>ssh-add -x
Enter lock password:
Again:
Agent locked.
godber@monk ~>ssh-add -X
Enter lock password:
Agent unlocked.

Another excellent thing you can do with ssh keys is restrict them to a single operation, for instance allowing passwordless authentication to run only one script. This is accomplished by placing a string that specifies the command to execute in front of the key in the authorized_keys file.
command="echo I\'m `/usr/bin/whoami` on `/bin/hostname`",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-dss AAAAB3NzaC1kc3MAAACBAKYix5tPK0jca...

Make sure that the private key name isn’t id_dsa, change it to something that describes the command. You can then add this key to your ssh-agent and then run the remote command as follows:

godber@monk ~/.ssh>ssh-add test
Enter passphrase for test:
Identity added: test (test)
godber@monk ~/.ssh>ssh -i test waldon
I am godber on waldon
Connection to waldon closed.
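As an added example (not code from the original page), these two shell functions build a forced-command entry with the same three restrictions used above, and audit an authorized_keys file for entries that have no forced command at all, i.e. keys that still get a full shell. The keys and commands it runs on are constructed placeholders.

```shell
#!/bin/sh
# Added example: build a forced-command authorized_keys entry with the same
# restrictions as above, and audit a file for entries that have no forced
# command at all.

# restrict_key <pubkey-line> <command>
# Prints the entry with command= plus the no-*-forwarding options. sshd
# reads the quoted option value and accepts \" for a literal double quote,
# so any quotes in the command are escaped that way.
restrict_key() {
    esc=$(printf '%s' "$2" | sed 's/"/\\"/g')
    printf 'command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s\n' "$esc" "$1"
}

# unrestricted_keys: reads an authorized_keys file on stdin and prints
# "<line-number>: <entry>" for every active entry whose options do not
# include command=, i.e. keys that can run an arbitrary shell.
unrestricted_keys() {
    awk '/^[ \t]*#/ || /^[ \t]*$/ { next }
         $1 !~ /^command="/ && $1 !~ /,command="/ { print NR ": " $0 }'
}

# Demonstration on constructed (not real) keys.
pub='ssh-dss AAAAB3NzaC1kc3MAAACBEXAMPLE= status-check'
restricted=$(restrict_key "$pub" 'echo "I am" `/usr/bin/whoami` on `/bin/hostname`')
printf '%s\n' "$restricted"
printf '%s\n# admin key\nssh-rsa AAAAB3NzaC1yc2EXAMPLE= godber@monk\n' "$restricted" | unrestricted_keys
```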

Acknowledgements

Much of this is based on the following excellent pages regarding ssh: