{{tag>SSH Crypt Sécurité}}

# SSH key notes

See the tutorial example here: [[connexion_par_clefs_ssh_-_exemple|Connexion par clefs SSH - Exemple]]

See also:

* [Comment choisir sa clef SSH RSA DSA ECDSA ED25519](http://blog.adminrezo.fr/2016/01/comment-choisir-sa-cle-ssh-rsa-dsa-ecdsa-ed25519)
* http://www.sysmic.org/dotclear/index.php?post/2010/03/24/Convert-keys-betweens-GnuPG%2C-OpenSsh-and-OpenSSL

## Creating the key pair

### Creating the key pair from a script

~~~bash
# Generate a key pair only if none exists yet (idempotent, safe to re-run).
# -q: quiet, -N "": empty passphrase, -f: output path, so ssh-keygen never prompts.
if [ ! -e ~/.ssh/id_rsa ]
then
    ssh-keygen -q -t rsa -N "" -f "$HOME/.ssh/id_rsa"
fi
~~~

### Generating a public key from a private key

Create the public key from the private key:

~~~bash
ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub
~~~

### Fingerprint of the SSH key

~~~bash
ssh-keygen -lf ~/.ssh/id_rsa.pub
ssh-keygen -E md5 -lf ~/.ssh/id_rsa.pub
~~~

Or, through the agent:

~~~bash
ssh-add ~/.ssh/id_rsa_jbl2
ssh-add -l
ssh-add -L | ssh-keygen -E md5 -lf -
~~~

For a PEM key generated by AWS //(from the private key)//:

~~~bash
openssl pkcs8 -in /home/jibe/.ssh/id_rsa_jbl2 -nocrypt -topk8 -outform DER | openssl sha1 -c
~~~

## Problems

### Problem: userauth_pubkey: key type ssh-dss not in PubkeyAcceptedKeyTypes

See:

* https://superuser.com/questions/1016989/ssh-dsa-keys-no-longer-work-for-password-less-authentication?lq=1
* http://www.openssh.com/legacy.html
* http://www.openssh.com/txt/release-7.0

''/var/log/auth.log''

~~~
Jan 23 22:40:37 server1 sshd[26567]: userauth_pubkey: key type ssh-dss not in PubkeyAcceptedKeyTypes [preauth]
~~~

''/etc/ssh/sshd_config''

~~~ini
PubkeyAcceptedKeyTypes=+ssh-dss
~~~

Alternatively, generate a new key of a type that is still accepted:

~~~bash
ssh-keygen -t ecdsa
#ssh-keygen -t ecdsa -b 521
~~~

### Error: no mutual signature algorithm

~~~
$ ssh -v old-rhel5
...
debug1: send_pubkey_test: no mutual signature algorithm
...
~~~

#### Solution (workaround)

''PubkeyAcceptedKeyTypes +ssh-rsa''

''~/.ssh/config''

~~~
Host old-rhel5
    Hostname 192.168.1.20
    KexAlgorithms +diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
    HostKeyAlgorithms +ssh-rsa
    PubkeyAcceptedKeyTypes +ssh-rsa
~~~
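The fingerprints printed by ''ssh-keygen -l'' above, and the key-type checks behind the two errors, can be reproduced without ssh-keygen. The script below is an added example, not code from this page or from OpenSSH; it uses only the Python standard library. It parses ''authorized_keys''-style lines, verifies that the type embedded in the base64 blob matches the declared type, computes the ''SHA256:'' and ''MD5:'' fingerprints in the same format ''ssh-keygen -l'' prints, reports the key size, and attaches a note for ''ssh-dss'' keys (rejected by default since OpenSSH 7.0, as in the auth.log line above) and for ''ssh-rsa'' keys (the key itself is still accepted, but SHA-1 ''ssh-rsa'' signatures are disabled by default since OpenSSH 8.8, which is what "no mutual signature algorithm" against an old server means). The three sample keys are constructed placeholders built inside the script; their byte values are arbitrary and are not real key material.

```python
"""Fingerprint and audit OpenSSH public-key lines without ssh-keygen.
Added example (not from the original page); standard library only.
The sample keys below are constructed placeholders, not real keys."""
import base64
import hashlib
import struct

def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string: 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data

def _mpint(n: int) -> bytes:
    """Encode an SSH mpint: minimal big-endian, leading 0x00 if the top bit is set."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)

def _read_string(blob: bytes, offset: int):
    """Decode one wire-format string at offset; return (bytes, next_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated SSH string length in key blob")
    (length,) = struct.unpack_from(">I", blob, offset)
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated SSH string in key blob")
    return blob[start:end], end

def parse_pubkey_line(line: str):
    """Split '<type> <base64-blob> [comment]' and check the embedded type matches."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    embedded, _ = _read_string(blob, 0)
    if embedded.decode("ascii", "replace") != declared:
        raise ValueError(f"declared type {declared!r} but blob says {embedded!r}")
    return declared, blob, comment

def key_bits(key_type: str, blob: bytes) -> int:
    """Size as ssh-keygen -l reports it: modulus/p length for RSA/DSA, curve size otherwise."""
    _, off = _read_string(blob, 0)          # skip the type string
    if key_type == "ssh-rsa":
        _, off = _read_string(blob, off)    # public exponent e
        n, _ = _read_string(blob, off)      # modulus n
        return int.from_bytes(n, "big").bit_length()
    if key_type == "ssh-dss":
        p, _ = _read_string(blob, off)      # prime p
        return int.from_bytes(p, "big").bit_length()
    if key_type == "ssh-ed25519":
        return 256
    if key_type.startswith("ecdsa-sha2-nistp"):
        return int(key_type[len("ecdsa-sha2-nistp"):])
    raise ValueError(f"unsupported key type {key_type}")

def fingerprint_sha256(blob: bytes) -> str:
    """'SHA256:' + unpadded base64 of the blob digest, as ssh-keygen -l prints it."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def fingerprint_md5(blob: bytes) -> str:
    """'MD5:' + colon-separated hex, as ssh-keygen -E md5 -l prints it."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())

def legacy_note(key_type: str):
    """Why a key of this type can hit the errors quoted on this page (None if it cannot)."""
    if key_type == "ssh-dss":
        return "rejected: not in PubkeyAcceptedKeyTypes by default since OpenSSH 7.0"
    if key_type == "ssh-rsa":
        return ("works only if both sides offer rsa-sha2-256/512; SHA-1 ssh-rsa signatures "
                "are off by default since OpenSSH 8.8 (no mutual signature algorithm)")
    return None

def audit_line(line: str) -> dict:
    """Parse one public-key line and return what ssh-keygen -l would show, plus a note."""
    key_type, blob, comment = parse_pubkey_line(line)
    return {"type": key_type, "bits": key_bits(key_type, blob),
            "sha256": fingerprint_sha256(blob), "md5": fingerprint_md5(blob),
            "comment": comment, "note": legacy_note(key_type)}

def make_pubkey_line(key_type: str, fields, comment: str = "") -> str:
    """Build a public-key line from already-encoded wire fields (used for the samples)."""
    blob = _ssh_string(key_type.encode()) + b"".join(fields)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}".strip()

# Constructed samples: arbitrary byte values, not real key material.
SAMPLE_ED25519 = make_pubkey_line("ssh-ed25519", [_ssh_string(bytes(range(32)))], "demo-ed25519@example")
SAMPLE_RSA = make_pubkey_line("ssh-rsa", [_mpint(65537), _mpint((1 << 2047) | 1)], "demo-rsa@example")
SAMPLE_DSS = make_pubkey_line("ssh-dss", [_mpint((1 << 1023) | 1), _mpint((1 << 159) | 1),
                                          _mpint(2), _mpint(3)], "demo-dss@example")

if __name__ == "__main__":
    for sample in (SAMPLE_ED25519, SAMPLE_RSA, SAMPLE_DSS):
        r = audit_line(sample)
        print(f"{r['bits']} {r['sha256']} {r['comment']} ({r['type']})")
        if r["note"]:
            print("  note:", r["note"])
```

Running the script prints one ''ssh-keygen -l''-style line per sample and a note for the DSA and RSA ones. Two caveats when applying this to real configs: the option written as ''PubkeyAcceptedKeyTypes'' on this page was renamed ''PubkeyAcceptedAlgorithms'' in OpenSSH 8.5, and the old spelling is still accepted as an alias; and adding ''+ssh-rsa'' to it (or ''+ssh-dss'' in sshd_config) re-enables SHA-1-based signatures, so it belongs in a per-host ''Host'' block as above rather than in a global default.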