Security: ssh-exercises.html

File ssh-exercises.html, 10.7 KB (added by admin, 9 years ago)

SSH exercise

<html><head><title>Exercises: SSH (Secure SHell): IP Services Workshop SANOG 16</title></head>
<body>
<a name="top"></a>
<div align="center">
<h2>Exercises: SSH (Secure SHell): IP Services Workshop SANOG 16</h2>
July 18th, 2010
</div>
<p>
<br>
<h2>Exercises</h2>
<p>
<b>Using SSH to Admin your Box</b>
<ol>
<li><a href="#gen">Generate your public/private Key Pair</a></li>
<li><a href="#admin">Copy Your Public Key to the sanog Account</a></li>
<li><a href="#root">Copy Your Public Key to the root Account</a></li>
<li><a href="#update">Update /etc/ssh/sshd_config</a></li>
<li><a href="#scp-r">Consider the Power of scp -r</a></li>
</ol>


<h2>Notes (CRITICAL)</h2>
<ol>
<li>The "#" and "$" characters before commands represent your system prompt and are not part of the command itself. "#" indicates a command issued as root while "$" indicates a command issued as a normal user.</li>
<li><b><i>italics</i></b>: Items that are in <i>italics</i> are to be replaced with something of your choice. For instance, <i>username</i> means choose your own username, don't literally choose the word "username".</li>
</ol>

<!------- *********************** ------>

<p><br>

<a name="gen"></a>
<b>1.) Generate your Public/Private Key Pair</b> [<a href="#top">Top</a>]
</p><p>
We will now generate a single RSA SSH protocol 2 key of 2048 bits. To do this, issue the following command. Do this as a normal user, not as root:
<blockquote>
<code>
$ ssh-keygen -t rsa -b 2048
</code>
</blockquote>
You will be prompted for a file location for the key as well as for a passphrase to encrypt the key file. Be sure to enter a passphrase. Private key files without passphrases are a security hole. Your passphrase can be pretty much anything you want.

<!------- *********************** ------>

<p><br>

<a name="admin"></a>
<b>2.) Copy Your Public Key to the sanog Account</b> [<a href="#top">Top</a>]
</p><p>
First connect to your neighbor's machine as the userid <i>sanog</i> using ssh. We'll refer to your neighbor's machine as <i>wsXX</i>. You can use the IP address of their machine in place of a name to connect.
<p>
Here's what you do (as a normal user):
<blockquote>
<code>
$ ssh sanog@wsXX
</code>
</blockquote>
Now you'll be faced with a prompt similar to this:
<blockquote>
<pre>
The authenticity of host 'wsXX.ws3.conference.sanog.org (119.2.100.2xx)' can't be established.
RSA2 key fingerprint is 60:f7:04:8b:f7:61:c4:41:6e:9a:6f:53:7d:95:cb:29.
Are you sure you want to continue connecting (yes/no)?
</pre>
</blockquote>
You should say <code>yes</code> to this prompt, but you should understand what this means. Do you? If not, please ask your instructor.
<p>
Once you say <code>yes</code>, you will see another message like this:
<p>
<blockquote>
<pre>
Warning: Permanently added 'wsXX.ws3.conference.sanog.org' (RSA2) to the list of known hosts.
[/etc/ssh/ssh_host_key.pub]
sanog@wsXX.ws3.conference.sanog.org's password:
</pre>
</blockquote>
At this point enter the password for the sanog account on your neighbor's machine.
<p>
Now you'll be logged in and see a prompt like this:
<blockquote>
<code>
[sanog@wsXX ~]$
</code>
</blockquote>
Now you should log out of your neighbor's machine, and then immediately log back in:
<blockquote>
<code>
[sanog@wsXX ~]$ exit
<br>
$ ssh sanog@wsXX
</code>
</blockquote>
Now you should simply be prompted for the sanog password on your neighbor's machine. You should not see the warning message again. Now, log out of your neighbor's machine again:
<blockquote>
<code>
[sanog@wsXX ~]$ exit
</code>
</blockquote>
Let's copy the public key for your user account on your machine to the /home/sanog/.ssh directory on your neighbor's machine. As usual there are several ways to do this, but here's one set of steps that should work:
<blockquote>
<code>
$ cd /home/sanog/.ssh
<br>
$ scp id_rsa.pub sanog@wsXX:/tmp/.
<br>
$ ssh sanog@wsXX
<br>
[sanog@wsXX ~]$ cd .ssh   [if ".ssh" is not there do "mkdir .ssh"]
<br>
[sanog@wsXX ~]$ cat /tmp/id_rsa.pub &gt;&gt; authorized_keys
<br>
[sanog@wsXX ~]$ rm /tmp/id_rsa.pub
<br>
[sanog@wsXX ~]$ exit
</code>
</blockquote>
If you don't understand what this meant, <i>please</i> ask an instructor to explain and give you a hand.
<p>
OK, so now your public key is located in the file /home/sanog/.ssh/authorized_keys in the sanog homedir on your neighbor's machine. So, now let's try connecting to sanog on your neighbor's machine:
<blockquote>
<code>
$ ssh sanog@wsXX
</code>
</blockquote>
You should now see something like:
<blockquote>
<pre>
$ ssh sanog@wsXX
Enter passphrase for RSA key 'sanog@wsXX':
</pre>
</blockquote>
And, at this point you type in the <i>passphrase</i> you used when creating your public/private key pair on your machine for your account - <i>not</i> the password for the sanog account on your neighbor's machine.
<p>
If you think about it, that's pretty neat! Anywhere your public key resides you can log in using one passphrase, and it won't expire.
<p>
Now be sure that you log out of your neighbor's machine:
<blockquote>
<code>
[sanog@wsXX ~]$ exit
</code>
</blockquote>
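<p>
As an added example (not code from the workshop page), here is a small POSIX shell function that does what the manual <code>cat /tmp/id_rsa.pub &gt;&gt; authorized_keys</code> steps above do, with two checks a practitioner wants: the key line is appended only once, and <code>.ssh</code> and <code>authorized_keys</code> get the modes sshd expects before it will honor the file. The function name <code>install_pubkey</code> and the sample key are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the workshop page: install a public key into an
# account's authorized_keys the way exercises 2 and 3 do by hand, but
# only once, and with the modes sshd (StrictModes yes) insists on.
# Usage: install_pubkey <pubkey-file> <home-dir>   (hypothetical name)

install_pubkey() {
    pubkey="$1"
    keydir="$2/.ssh"
    authfile="$keydir/authorized_keys"

    # Take exactly one OpenSSH public-key line; refuse anything else so a
    # private key or a random file never lands in authorized_keys.
    keyline=$(head -n 1 "$pubkey")
    case "$keyline" in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*) ;;
        *) echo "refusing: $pubkey is not an OpenSSH public key" >&2; return 1 ;;
    esac

    # sshd ignores authorized_keys if ~/.ssh or the file is group/world writable.
    mkdir -p "$keydir"
    chmod 700 "$keydir"
    touch "$authfile"
    chmod 600 "$authfile"

    # Append only when this exact line is absent, so repeating the exercise
    # does not pile up duplicate keys.
    if grep -qxF "$keyline" "$authfile"; then
        echo "already authorized: ${keyline##* }"
        return 0
    fi
    printf '%s\n' "$keyline" >> "$authfile"
    echo "added: ${keyline##* }"
}

# Demo on a constructed sample key (not a real key) in a scratch directory.
demo=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABCONSTRUCTEDSAMPLE sanog@wsXX\n' > "$demo/id_rsa.pub"
install_pubkey "$demo/id_rsa.pub" "$demo/home"     # first run appends the key
install_pubkey "$demo/id_rsa.pub" "$demo/home"     # second run is a no-op
```

On the neighbor's machine the home directory argument would be <code>/home/sanog</code> or <code>/root</code>, matching the two exercises.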



<!------- *********************** ------>

<p><br>

<a name="root"></a>
<b>3.) Copy Your Public Key to the root Account</b> [<a href="#top">Top</a>]
</p><p>
You will now repeat exercise #2, with just a couple of differences. Note that you cannot log in directly to your neighbor's machine as root, so you must take advantage of the fact that you can get in as the userid <i>sanog</i> and then become root once you are logged in. This should work as long as your neighbor has not changed the root password (as requested), and created the sanog account correctly, placing it in the wheel group.
<p>
So, here are the steps to do this:
<blockquote>
<code>
$ cd /home/sanog/.ssh
<br>
$ scp id_rsa.pub sanog@wsXX:/tmp/.
<br>
$ ssh sanog@wsXX
<br>
[sanog@wsXX ~]$ su -    [enter root password when requested]
<br>
# cd /root/.ssh        [if ".ssh" is not there do "mkdir /root/.ssh"]
<br>
# cat /tmp/id_rsa.pub &gt;&gt; authorized_keys
<br>
# rm /tmp/id_rsa.pub
<br>
# exit
</code>
</blockquote>
Now your public key is in the /root/.ssh/authorized_keys file on your neighbor's machine. You cannot yet log in to your neighbor's machine as root, since the file /etc/ssh/sshd_config is configured to block all root access. Our next exercise will change this.
<p>
Be sure that everyone on your machine completes this exercise (#3).


<!------- *********************** ------>

<p><br>

<a name="update"></a>
<b>4.) Update /etc/ssh/sshd_config</b> [<a href="#top">Top</a>]
</p><p>
We have placed an sshd_config file on the noc server that you can copy to your machine to accomplish what we want to do. This configuration file only allows access to your machine via ssh if someone has their public key in the account they are trying to connect with. In addition, this file allows you to connect directly as root. This can actually be very useful, especially if you need to copy over a large number of files with root privileges. It's important that the passphrase you used on your private key is strong enough to resist brute force attacks.
<p>
For this exercise you must be root. Do the following:
<blockquote>
<code>
# cd /etc/ssh
<br>
# cp sshd_config sshd_config.bak
<br>
# ftp noc
<br>
username: ftp
<br>
password: ftp
<br>
ftp&gt; cd pub/FreeBSD/configs
<br>
ftp&gt; lcd /etc/ssh
<br>
ftp&gt; get sshd_config
<br>
ftp&gt; exit
</code>
</blockquote>
Now you can restart your ssh server and the new configuration will take effect, <i>but</i> you must coordinate this with your neighbors first. If they are still accessing your box to copy over keys, then wait to do this until they are done. If you don't, then they won't be able to log in and finish these exercises.
<p>
If your neighbor or neighbors are not ready, just go on to the final exercise and come back to this last step later.
<p>
To restart your ssh server (as root) do:
<blockquote>
<code>
# /etc/rc.d/sshd restart
</code>
</blockquote>
Once your neighbor has done this as well, try logging in to their machine as root from your local account. For instance, if you are in a terminal window as root, switch to your local "sanog" account (the one whose key pair you installed) and then connect:
<blockquote>
<code>
# su - sanog
<br>
[sanog@wsXX ~]$ ssh root@wsXX
</code>
</blockquote>
You should be prompted for your passphrase, and you should be able to log in directly to your neighbor's machine as root! This is a very useful tool.
<p>
Be sure to exit your session on their machine:
<blockquote>
<code>
# exit
</code>
</blockquote>
And, have a look at the file /etc/ssh/sshd_config. Maybe compare it to /etc/ssh/sshd_config.bak to see some of the differences.
<p>
Be sure everyone on your machine completes this exercise.
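<p>
As an added example (not the workshop's noc-server file or any code from the page), the following POSIX shell script audits an sshd_config for the two properties exercise 4 describes, logins by public key only and root allowed in by key only, and reports any setting that is missing or wrong. It assumes OpenSSH's rule that the first uncommented occurrence of a keyword is the one used; the function names and the two sample files are made up here.

```shell
#!/bin/sh
# Added example, not the workshop's noc-server file: audit an sshd_config for
# what exercise 4 describes, logins by public key only and root allowed in by
# key only. Function names are made up for this example. Assumes OpenSSH
# syntax, where the FIRST uncommented occurrence of a keyword is the one used.
sshd_setting() {    # sshd_setting <file> <keyword>  -> value, or empty if unset
    awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }             # skip comments and blanks
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

check_sshd_config() {   # check_sshd_config <file>  -> 0 only if every setting passes
    rc=0
    pw=$(sshd_setting "$1" PasswordAuthentication)
    cr=$(sshd_setting "$1" ChallengeResponseAuthentication)
    pk=$(sshd_setting "$1" PubkeyAuthentication)
    root=$(sshd_setting "$1" PermitRootLogin)
    # A keyword present only as a "#default" comment is unset, and compiled-in
    # defaults differ between OpenSSH releases, so require it to be explicit.
    [ "$pw" = no ]  || { echo "FAIL: PasswordAuthentication is '${pw:-unset}', want no"; rc=1; }
    # With PAM, keyboard-interactive still prompts for the password unless this is off too.
    [ "$cr" = no ]  || { echo "FAIL: ChallengeResponseAuthentication is '${cr:-unset}', want no"; rc=1; }
    [ "$pk" = yes ] || { echo "FAIL: PubkeyAuthentication is '${pk:-unset}', want yes"; rc=1; }
    case "$root" in
        without-password|prohibit-password) ;;    # root by key, never by password
        *) echo "FAIL: PermitRootLogin is '${root:-unset}', want without-password"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: $1 allows key-only logins, root by key only"
    return "$rc"
}

# Demo on two constructed files (neither is the workshop's real config).
demo=$(mktemp -d)
cat > "$demo/stock" <<'EOF'
# constructed: looks like a stock file, nothing enforced
#PasswordAuthentication yes
PermitRootLogin yes
EOF
cat > "$demo/hardened" <<'EOF'
# constructed: the settings exercise 4 describes
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin without-password
EOF
check_sshd_config "$demo/stock" || echo "stock config rejected"
check_sshd_config "$demo/hardened"
```

Run it against /etc/ssh/sshd_config before restarting sshd, and against sshd_config.bak to see what the noc file changed.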


<!------- *********************** ------>

<p><br>

<a name="scp-r"></a>
<b>5.) Consider the Power of scp -r</b> [<a href="#top">Top</a>]
</p><p>
Among the most useful features of ssh are the <code>scp</code> and <code>sftp</code> tools that come with it. With scp (Secure CoPy) you can do some of the following:
<ul>
<li>Securely copy files from your machine to another remote machine</li>
<li>Securely copy files from a remote machine to your machine</li>
<li>Securely copy files from one remote machine to another remote machine (less likely to work, as ssh versions must match)</li>
<li>Securely copy entire directory trees from one machine to another</li>
</ul>
We'll do one example of a directory structure copy from your neighbor's machine to your machine. Let's copy all the files in your neighbor's /usr/ports/palm directory structure to a directory under your /tmp directory.
<blockquote>
<code>
$ mkdir /tmp/palm
<br>
$ scp -r sanog@wsXX:/usr/ports/palm/* /tmp/palm/.
</code>
</blockquote>
That's it. Have a look at the /tmp/palm directory structure to convince yourself that things are there:
<blockquote>
<code>
$ cd /tmp/palm
<br>
$ ls
<br>
$ ls -lah
<br>
$ ls -R
<br>
$ du -h
</code>
</blockquote>
"<code>ls -R</code>" shows all directories recursively under the directory you are in. "<code>du -h</code>" tells you, in "h"uman readable format, how much space all the files in the directories under your current directory are using.
<p>
The "-r" option in <code>scp</code> can make system administration much easier.
<p>If you want to remove /tmp/palm and all its subdirectories you can do this:
<blockquote>
<code>
$ rm -rf /tmp/palm
</code>
</blockquote>
Always be very careful with the "<code>rm -rf</code>" command, as it recursively deletes anything you have r/w access to, with no warning, very quickly.


<p>
<div align="center">
[<a href="#top">Return to Top</a>]
</div>
<p>
<font size="1">
Hervey Allen, Phil Regnauld
</font>
<p>
<hr width="224" size="3" align="left">
<font size="1">
<!-- Created: Sun Jun 12 00:54:08 CLT 2005 -->
<!-- hhmts start -->
Last modified: Sun Jul 18 16:13:58 BTT 2010
<!-- hhmts end -->
</font>
</body>
</html>