CUCC Expedition Handbook

Cryptographic Key Exchange

As of the server move in spring 2019 you need authorisation on the expo server to log in. This takes the form of an ssh key. You generate it on the machine you use for access, then send the public half to the server. Once done all logins are automatic - no passwords needed.

'ssh' is 'secure shell' and is widely used for secure access to machines and services.

What do I need to do?

You will need to run ssh-keygen/PuTTYgen on your device and email the public key to someone who already has ssh access (Wookey, Paul Fox, Philip Sargent, Sam Wenham). Once they have installed it you should be able to log in as 'expo' over ssh (and other software like tortoise will also use this behind the scenes). This only needs doing once (for any machine you want access from).

Explanation of how ssh keys work.

A public key file looks like this:

  ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApc9+PAMrDtWa8D8/ZneLP2X9UOYmTITAhTd2DRs8SE+NDgis5pYo/Xhtbrg86ePMAC2YM5xAkYx3jNA/VZ/PkB3gTzYJW3T/zTH+cc7YeWhy9l1zIMaYqeyvw7FxeSBaR4XoLPVtVUlai8DUDiWAEm7VvOKj1n68z1LxVh1MZXLm7btckf6fske2YU9UpjqT++AURQvFheRJ4la7KBJ7LXZ3A/TQ7HQaTpqmcQKCiRj/yZ5FNHxBk0M+ShbHUtz1GhXRCMJ3LZHaw24OJyVJ8YNzBiStBb1qcWCXX7HR9CUNhz7tA5HZyc1lau/1vwk8MSe93lyyLntzJKkqmkW/cQ== wookey@khi

i.e. a long string of characters with 'ssh-rsa' at the start and a 'user'@'machine' ID at the end.

Windows

On a Windows machine use puttygen, which is part of PuTTY. You need to install that if you don't already have it.

Follow the Puttygen instructions, but the really short version is:

  • Run PuTTYgen
  • Click on 'Generate'. Follow the instructions. Don't bother adding a passphrase.
  • Save the key
  • Copy all of the public key out of the window and paste that into the email. Make sure not to miss part or add newlines or otherwise mess with it.
Linux

    1. You need openssh-client installed - it is extremely likely to already be installed. If not (as root/with sudo): apt install openssh-client.
    2. You may already have a key on this machine. If you already have ~/.ssh/id_rsa.pub, then send that.
    3. If not, run ssh-keygen. It may ask for a passphrase: you can add one for extra security, but a key without a passphrase is fine, and more convenient.
    4. That will create a file: .ssh/id_rsa.pub in your home directory. Email that file to one of the admins listed above.

MacOS

  • Erm, dunno...please fill in

Android

iOS

  • Erm, dunno...please fill in

Your second machine

OK, you have an uploaded and usable key and you can ssh into the expo server. Now you want to set up a key for another machine such as your phone. You don't need a nerd admin now, you can do this yourself.

    1. On your new machine, generate a key-pair. Since you are probably using a different operating system on your second machine, read the instructions above for the relevant OS. Yes you will be generating a new key. Do not re-use the key you had already.
    2. This time though, you will want to be sure that the key has a meaningful label. On Linux this means something like this: ssh-keygen -C "anathema.device@crowley" (if your name is Anathema Device and your new machine is "crowley"). Just click through the questions it asks accepting the defaults. It will tell you what the key files are called and where it has put them.
    3. If you accepted the defaults, the public key will be called id_rsa.pub and it will be in ~/.ssh/ - check that this is the case.
    4. Now copy the public key file to your first machine, the one that is already set up with a working key exchange with the expo server. Using email to yourself is easiest.
    5. Rename the public key file to something that won't be confused with anyone else's key file, e.g. anathema-id_rsa.pub
    6. Now upload the public key using sFTP to expo.survex.com/home/expo/.ssh/keys/
    7. Now log in to the expo server from your first machine and run these commands:

         $ ssh expo@expo.survex.com
         expo@expo:~$ cd .ssh
         expo@expo:~/.ssh$ cat keys/anathema-id_rsa.pub >>authorized_keys
         expo@expo:~/.ssh$ ./list-keys.sh
         expo@expo:~/.ssh$ cat list-of-key-owners

       This adds your key on to the end of the authorized keys list, runs a little script to extract the names of all the people who have added keys (24 keys as of Jan.2020) and prints out the list. You should see that the last line says:

         anathema.device@crowley
    8. Now your public key is installed for your second machine. You check that it works by logging into the expo server using ssh from your second machine.

      Note that by using sFTP like this we avoid having to use a text editor over ssh. If you know what you are doing you can do this of course, but the above process is less likely to cause problems for a Windows user setting up their phone as a second device where they are not experienced with vi or nano.
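The Linux key-generation steps and the second-machine procedure above, as an added POSIX shell example. This is not the expo server's own list-keys.sh nor any script from the handbook; it assumes the page's layout (uploaded keys under ~/.ssh/keys/, appended to ~/.ssh/authorized_keys) and adds two checks the bare "cat >> authorized_keys" step does not make: the uploaded file must be exactly one well-formed public-key line carrying a label, and a key that is already installed is not appended a second time. The sample key blobs in demo() are made-up base64, not real key material.

```shell
#!/bin/sh
# Added example for the CUCC handbook page; not the expo server's list-keys.sh.
# Assumed layout, as on the page: a public key is uploaded by sFTP to
# ~/.ssh/keys/<name>-id_rsa.pub and then appended to ~/.ssh/authorized_keys.

AUTH="${AUTH:-$HOME/.ssh/authorized_keys}"

# is_pubkey FILE: true only if FILE is a single line of the form
#   <type> <base64 blob> <label>
# A pasted private key, a key an email client wrapped over two lines, or a
# key with no label (the page wants e.g. anathema.device@crowley) all fail.
# The label must be one token so list_owners prints one name per line
# (this example's restriction, not an ssh rule).
is_pubkey() {
    f="$1"
    [ -f "$f" ] || return 1
    [ "$(wc -l < "$f" | tr -d ' ')" -le 1 ] || return 1
    grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+={0,3} [^[:space:]]+$' "$f"
}

# key_owner FILE: the label (third field) of a validated public key.
key_owner() {
    awk '{print $3}' "$1"
}

# install_key FILE: validate, then append to $AUTH unless the same key
# material (type + blob, whatever the label says) is already present.
install_key() {
    f="$1"
    if ! is_pubkey "$f"; then
        echo "refusing $f: not a single well-formed public key line" >&2
        return 1
    fi
    mkdir -p "$(dirname "$AUTH")"
    touch "$AUTH"
    blob="$(awk '{print $1 " " $2}' "$f")"
    if grep -Fq -- "$blob" "$AUTH"; then
        echo "already installed: $(key_owner "$f")" >&2
        return 0
    fi
    # awk always terminates the line, so a file saved without a trailing
    # newline cannot glue itself onto the next key appended later.
    awk '{print}' "$f" >> "$AUTH"
    chmod 700 "$(dirname "$AUTH")"
    chmod 600 "$AUTH"
}

# list_owners: the job of the page's list-keys.sh, one label per installed
# key (comment lines skipped; keys with an options prefix are not handled).
list_owners() {
    awk 'NF >= 3 && $1 !~ /^#/ { print $3 }' "$AUTH"
}

# make_key LABEL OUTFILE: a fresh, labelled key pair for a new machine, as in
# step 2 of the page. Default key type, like the handbook's "accept the
# defaults"; -N "" gives the passwordless key the page says is fine.
make_key() {
    command -v ssh-keygen >/dev/null 2>&1 || {
        echo "ssh-keygen missing: apt install openssh-client" >&2; return 1; }
    ssh-keygen -q -C "$1" -f "$2" -N ""
}

# demo: the install flow on constructed sample keys in a temporary directory.
demo() {
    saved="$AUTH"
    t="$(mktemp -d)"
    AUTH="$t/authorized_keys"
    printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGNvbnN0cnVjdGVkc2FtcGxla2V5YmxvYjAwMDAwMDAw anathema.device@crowley' > "$t/anathema-id_rsa.pub"
    printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0c29tZWNvbnN0cnVjdGVk wookey@khi' > "$t/wookey-id_rsa.pub"
    install_key "$t/anathema-id_rsa.pub"
    install_key "$t/wookey-id_rsa.pub"
    install_key "$t/anathema-id_rsa.pub"   # second time: reported, not duplicated
    list_owners                            # each label printed once
    rm -rf "$t"
    AUTH="$saved"
}

# On the server, after the sFTP upload of step 6:
#   install_key ~/.ssh/keys/anathema-id_rsa.pub && list_owners | tail -n 1
```

The duplicate check compares only the key type and blob, so re-uploading the same key under a different label is still refused as a duplicate; the validation step is what catches the common mistake the page warns about, a key mangled by newlines or partial copying before it ever reaches authorized_keys.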