Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

SSH keys are used in portal to access servers. it's not possible to add server membership to users without SSH key.

Once you have your SHH key pair generated, go to your user profile and input public part of your key into Public SSH key field in Security management section.


Table of Contents

Recommendations

TDS recommends using EdDSA keys (ed25519):

Generating SSH key on Linux

This step fully follows Recommendations chapter.

Run following commands with properly defining your email in a comment:

Code Block
ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519 -C "pista.bacik@example.com"
cat ~/.ssh/id_ed25519.pub

Here we explain used options:

  • -t: Specifies the type of key to create, we recommend most secure option currently - Ed25519
  • -f: Specify the filename of the generated key file. If you want it to be discovered automatically by the SSH agent, it must be stored in the default `.ssh` directory within your home directory.
  • -C: An option to specify a comment. It’s purely informational and can be anything. But it’s usually filled with <login>@<hostname> who generated the key.

Then copy output of cat command and use it in desired application like TDS Portal profile, Gitlab profile, etc...

Generating SSH Key in a Windows

Generating SSH key using Git SCM aka Git Bash

Install Git Bash

Make sure you have Git SCM installed as it contains Git Bash.

  • automated installation using winget
    • Open PowerShell as administrator
    • Run following command and wait 1-2 minutes for finishing of installation:

      Code Block
      winget install --id Git.Git -e --source winget

      If you are getting error with missing winget tool, install winget using these instructions before, you will use it in future for other stuff.

  • manual installation
    • Go to https://git-scm.com/download/win
    • Download relevant installer, 64 bit is recommended
    • Execute installation, simply click next, next... Advanced users can focus on some steps during wizard:
      • Choosing default editor (code, notepad++, vim, nano...)
      • Configuring line ending conventions >> Checkout as-is, commit as-is

Generate SSH key using Git Bash

Then follow pretty much same instructions as in GeneratingSSHkeyonLinux

Generating SSH key using Putty

Download PuTTY Key Generator (puttygen.exe) from official Putty home page https://www.putty.org/ and start it.

  1. Change type to EdDSA, default 256bits is fine. This step fully follows Recommendations chapter.

  2. Run the program and click on Generate and move your mouse (within the SSH generator window) until key is generated
    Image AddedImage Removed
  3. Change Key comment to to your Tieto email email address in format like in format this example name.surname@tietosurname@example.com
  4. Optional: fill Key passphrase and confirm passphrase if you need one.
    If you skip this step then you need to confirm that you want to save the keys without passphrase in the next steps.
  5. Save public key as id_rsaed25519.pub
  6. Then save your private key in 2 commonly used formats. Please remember to keep private keys as private, never share it with anyone. Only public key can be shared. 
    1. Putty format - Click Save private key
    as 
    1. and store as id_
    rsa
    1. ed25519.ppk
    2. OpenSSH format - From the top menu in Conversions select Export OpenSSH Key and save it
    as 
    1. as id_
    rsa
    Note that id_rsa.pub is your public key and can be shared, while id_rsa is your private key and should be kept secret.
    Image Removed
    1. ed25519
      Image Added
  7. Copy content of "Public key for pasting into OpenSSH authorized_keys file"
    Image AddedImage Removed
  8. Go to the TDS Portal and click on you name and then on SSH and then click on Add or change keyuser icon located in top right corner of portal page. Then click on your name.
  9. In your profile click on "EDIT" button and then enter public part of your SSH key.
  10. Paste copied key from the step 87. Click on the Save button.

 

SSH key must be in the following format: [key-type] [key] [user-identifier]
[key-type] use ssh-rsa
[key] is the public key
[user-identifier] is your email address in format name.surname@tieto.com
Make sure not to include any "ENTER" or SPACE key between the portions of the inserted text.

Generating a SSH key on Linux

  1. From the Terminal or Git Bash, run ssh-keygen
  2. Confirm the default path .ssh/id_rsa
  3. Enter a passphrase (recommended) or leave it blank.
    Remember this passphrase, as you will need it to unlock the key whenever you use it.
  4. Open ~/.ssh/id_rsa.pub and copy & paste the contents into the box below, then click on "Add".
    Note that id_rsa.pub is your public key and can be shared, while id_rsa is your private key and should be kept secret.
  5. Go to TDS portal and click on your name and then in left menu on SSH and then on Add or change key
  6.  Paste the SSH key and click on the Save button.

Once you upload an SSH key it will be used on newly created server for authentication.

SSH key must be in the following format: [key-type] [key] [user-identifier]

...

  1. Save all your generated SSH key files into folder ~/.ssh which is the same as C:\Users\<your_username>\.ssh folder. Thanks to this standardised location some of your applications will start using SSH key automatically. You will be always able to find it in case of need. Also TDS support team can help you more promptly in case of need.

Converting SSH Keys to PPK Format

  1. Download PuTTY Key Generator
  2. Open the program and click on Conversion in top menu. Then choose Import key.
    Image RemovedImage Added
  3. Locate your key in your computer and click open.
  4. Once the key is loaded, you can save it as PPK file by clicking on Save Private Key or on Save Public Key if if you want public version of your key.

Troubleshooting

SSH Keys converting to PPK Format

My authentication gets rejected when I try to connect from Windows client to Linux servers via SSH

Recommendation for Windows users - please make sure that your username provided to server is correct one.

For example user "Pišta Báčik" with username "bacikpis" with computer in XYZ domain will have username "XYZ+bacikpis" which is not gonna work as server expects just your username.

There are at least 2 ways how to make it work properly

  • Use always your username in SSH command during connecting to server as in example:

    Code Block
    bacikpis@server123...


  • Or you can configure SSH client to use certain username for any servers by default by configuring this into ~/.ssh/config file:

    Code Block
    Host *
      User bacikpis


Couldn't agree a key exchange algorithm

Symptoms

Otherwise you might experience errors while trying to connect.

Code Block
FATAL ERROR: Couldn't agree a key exchange algorithm (available: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256)

Root cause

Several old ssh exchange algorithms were removed since CentOS 8 and Ubuntu 20. Most probably you are using old SSH RSA key. Lets resolve it as described in next steps.

Solution

  • Make sure to always use latest version SSH client on your side (OpenSSH, Putty or other).
  • Make sure you have Ed25519 SSH key generated according to instructions.
  • Upload this new PUB key into portal - it will get distributed to your servers automatically, please be patient, it might take some time to replicate.

Workaround

Warning

This is NOT recommended for permanent use, it is only intended for emergency temporary use when you have other serious blockers/obstacles in you way and you are able to accept lower security standards.

If you accept temporarily lowering security standards, you can allow other ciphers in SSH config on server

...

.