Security: ssh-exercises.html

<html><head><title>Exercises: SSH (Secure SHell): IP Services Workshop SANOG 16</title></head>
<body>
<a name="top"></a>
<div align="center">
<h2>Exercises: SSH (Secure SHell): IP Services Workshop SANOG 16</h2>
July 18th, 2010
</div>
<p>
<br>
<h2>Exercises</h2>
</p>
<ol>
<b>Using SSH to Admin yur Box</b>
<p>
<li><a href="#gen">Generate your public/private Key Pair</a></li>
<li><a href="#admin">Copy Your Public Key to the admin Account</a></li>
<li><a href="#root">Copy Your Public Key to the root Account</a></li>
<li><a href="#update">Update /etc/ssh/sshd_config</a></li>
<li><a href="#scp-r">Consider the Power of scp -r</a></li>
</ol>


<h2>Notes (CRITICAL)</h2>
<ol>
<li>The "#" and "$" characters before commands represents your system prompt and is not part of the command itself. "#" indicates a command issued as root while "$" indicates a command issued as a normal user.</li>
<li><b><i>italics</i></b>: Items that are in <i>italics</i> are to be replaced with something of your choice. For instance, <i>username</i> means choose your own username, don't literally choose the word "username".</li>
</ol>

<!------- *********************** ------>

<p><br>

<a name="gen"></a>
<b>1.) Generate your Public/Private Key Pair</b> [<a href="#top">Top</a>]
</p><p>
We will now generate a single RSA SSH protocol 2 key of 2048 bits. To do this, issue the following command. Do this as a normal user, not as root:
<blockquote>
<code>
$ ssh-keygen -t rsa -b 2048
</code>
</blockquote>
You will be prompted for a file location for the key as well as for a passphrase to encrypt the key file. Be sure to enter a passphrase. Private key files without passphrases are a security hole. Your passphrase can be pretty much anything you want.

<!------- *********************** ------>

<p><br>

<a name="admin"></a>
<b>2.) Copy Your Public Key to the sanog Account</b> [<a href="#top">Top</a>]
</p><p>
First connect to your neighbor's machine as the userid <i>sanog</i> using ssh. We'll refer to your neighbor's machine as <i>wsXX</i>. You can use the IP address of their machine in place of a name to connect.
<p>
Here's what you do (as a normal user):
<blockquote>
<code>
$ ssh sanog@wsXX
</code>
</blockquote>
Now you'll be faced with a prompt similar to this:
<blockquote>
<pre>
The authenticity of host 'wsXX.ws3.conference.sanog.org (119.2.100.2xx)' can't be established.
RSA2 key fingerprint is 60:f7:04:8b:f7:61:c4:41:6e:9a:6f:53:7d:95:cb:29.
Are you sure you want to continue connecting (yes/no)?
</pre>
</blockquote>
You should say <code>yes</code> to this prompt, but you should understand what this means. Do you? If not, please ask your instructor.
<p>
Once you say <code>yes</code>, then you see another message like this:
<p>
<blockquote>
<pre>
Warning: Permanently added 'wsXX.ws3.conference.sanog.org' (RSA2) to the list of known hosts.
[/etc/ssh/ssh_host_key.pub]
sanog@wsXX.ws3.conference.sanog.org's password: 
</pre>
</blockquote>
At this point enter in the password for the sanog account on your neighbor's machine.
<p>
Now you'll be logged in and see a prompt like this:
<blockquote>
<code>
[sanog@wsXX ~]$
</code>
</blockquote>
Now you should logout of your neighbor's machine, and then immediately log back in:
<blockquote>
<code>
[sanog@wsXX ~]$ exit
<br>
$ ssh sanog@wsXX
</code>
</blockquote>
Now you should simply be prompted for the sanog password on your neighbor's machine. You should not see the warning message again. Now, log out of your neighbor's machine again:
<blockquote>
<code>
[sanog@wsXX ~]$ exit
</code>
</blockquote>
Let's copy the public_key for your user account on your machine to the /home/sanog/.ssh directory on your neighbor's machine. As usual there are several ways to do this, but here's one set of steps that should work:_
<blockquote>
<code>
$ cd /home/sanog/.ssh
<br>
$ scp id_rsa.pub sanog@wsXX:/tmp/.
<br>
$ ssh sanog@wsXX
<br>
[sanog@wsXX ~]$ cd .ssh   [if ".ssh" is not there do "<code>mkdir .ssh</code>"]
<br>
[sanog@wsXX ~]$ cat /tmp/id_rsa.pub &gt;&gt; authorized_keys
<br>
[sanog@wsXX ~]$ rm /tmp/id_rsa.pub
<br>
[sanog@wsXX ~]$ exit
</code>
</blockquote>
If you don't understand what this meant <i>please</i> ask an instructor to explain and give you a hand.
<p>
OK, so now your public key is located in the file /home/sanog/.ssh/authorized_keys in the sanog homedir on your neighbor's machine. So, now let's try connecting to sanog on your neighbor's machine:
<blockquote>
<code>
$ ssh sanog@wsXX
</code>
</blockquote>
You should now see something like:
<blockquote>
<pre>
$ ssh sanog@wsXX
Enter passphrase for RSA key 'sanog@wsXX':
</pre>
</blockquote>
And, at this point you type in the <i>passphrase</i> you used when creating your public/private key pair on your machine for your account - <i>not</i> the password for the sanog account on your neighbor's machine. 
<p>
If you think about this that's pretty neat! Anywhere your public key resides you can log in using one passphrase, and it won't expire.
<p>
Now be sure that you log out of your neighbor's machine:
<blockquote>
<code>
[sanog@wsXX ~]$ exit
</code>
</blockquote>



<!------- *********************** ------>

<p><br>

<a name="root"></a>
<b>3.) Copy Your Public Key to the root Account</b> [<a href="#top">Top</a>]
</p><p>
You will now repeat exercise #2, with just a couple of differences. Note, you cannot log in directly to your neighbor's machine as root, so you must take advantage of the fact that you can get in as the userid <i>sanog</i> and then you can become root once you are logged in. This should work as long as your neighbor has not changed the root password as requested, and they created the sanog account correctly placing it in the wheel group.
<p>
So, here are the steps to do this:
<blockquote>
<code>
$ cd /home/sanog/.ssh
<br>
$ scp id_rsa.pub sanog@wsXX:/tmp/.
<br>
$ ssh sanog@wsXX
<br>
[sanog@wsXX ~]$ su -    [enter root password when requested]
<br>
# cd /root/.ssh        [if ".ssh" is not there do <code>mkdir /root/.ssh</code>]
<br>
# cat /tmp/id_rsa.pub >> authorized_keys
<br>
# rm /tmp/id_rsa.pub
<br>
# exit
</code>
</blockquote>
Now your public key is in the /root/.ssh/authorized_keys file on your neighbor's machine. You cannot log in yet to your neighbor's machine as root since the file /etc/ssh/sshd_config is configured to block all root access. Our next exercise will change this.
<p>
Be sure that everyone on your machine completes this exercises (#3).


<!------- *********************** ------>

<p><br>

<a name="update"></a>
<b>4.) Update /etc/ssh/sshd_config</b> [<a href="#top">Top</a>]
</p><p>
We have placed an sshd_config file on the noc server that you can copy to your machine to accomplish what we want to do. This configuration file only allows access to your machine via ssh if someone has their public key in the account they are trying to connect with. In addition, this file allows you to connect directly as root. This can actually be very useful, especially if you need to copy over a large number of files with root privileges. It's important that the passphrase you used on your private key is strong enough to resist brute force attacks.
<p>
For this exercise you must be root. Do the following:


<blockquote>
<code>
# cd /etc/ssh
<br>
# cp sshd_config sshd_config.bak
<br>
# ftp noc
<br>
username: ftp
<br>
password: ftp
<br>
ftp&gt; cd pub/FreeBSD/configs
<br>
ftp&gt; lcd /etc/ssh
<br>
ftp&gt; get sshd_config
<br>
ftp&gt; exit
</code>
</blockquote>
Now you can restart your ssh server and the new configuration will take effect, <i>but</i> you must coordinate this with your neighbors first. If they are still accessing your box to copy over keys, then wait to to do this until they are done. If you don't, then they won't be able to log in and finish these exercises.
<p>
If your neighbor or neighbors are not ready, just go on to the final exercise and come back to this last step later.
<p>
To restart your ssh server (as root) do:
<blockquote>
<code>
# /etc/rc.d/sshd restart
</code>
</blockquote>
Once your neighbor has done this as well try logging in on their machine as root from your local account. For instance, if you are in a terminal window as root and your want to ssh to another machine as "sanog" you could do:
<blockquote>
<code>
# su - sanog
<br>
[sanog@wsXX ~]$ ssh root@wsXX
</code>
</blockquote>
You should be prompted for your passphrase, and you should be able to log in directly to your neighbor's machine as root! This is a very useful tool.
<p>
Be sure to exit your session on their machine:
<blockquote>
<code>
# exit
</code>
</blockquote>
And, have a look at the file /etc/ssh/sshd_config. Maybe compare it to /etc/ssh/sshd_config.bak to see some of the differences.
<p>
Be sure everyone on your machine completes this exercise.


<!------- *********************** ------>

<p><br>

<a name="scp-r"></a>
<b>5.) </b> Consider the Power of scp -r[<a href="#top">Top</a>]
</p><p>
One of the most useful features of ssh are the <code>scp</code> and <code>sftp</code> tools that come with it. With scp (Secure CoPy) you can do some of the following:
<ul>
<li>Securely copy files from your machine to another remote machine</li>
<li>Securely copy file from a remote machine to your machine</li>
<li>Securely copy files from one remote machine to another remote machine (less likely to work as ssh versions must match)</li>
<li>Securely copy entire directory trees from one machine to another</li>
</ul>
We'll do one example of a directory structure copy from your neighbor's machine to your machine. Let's copy all the files in your neighbors /usr/ports/palm directory structure to a directory in your /tmp directory.
<blockquote>
<code>
$ mkdir /tmp/palm
<br>
scp -r sanog@wsXX:/usr/ports/palm/* /tmp/palm/.
</code>
</blockquote>
That's it. Have a look at the /tmp/palm directory structure to convince yourself that things are there:
<blockquote>
<code>
$ cd /tmp/palm
<br>
$ ls 
<br>
$ ls -lah
<br>
$ ls -R
<br>
$ du -h
</code>
</blockquote>
"<code>ls -R</code>" shows all directories recursively under the directory you are in. "<code>du -h</code>" tell you in "h"uman readable format how much space all the files in the directories under your current directory are using.
<p>
The "-r" option in <code>scp</code> can make system administration much easier.
<p>If you want to remove /tmp/palm and all its subdirectories you can do this:
<blockquote>
<code>
$ rm -rf /tmp/palm
</code>
</blockquote>
Always be very careful with the "<code>rm -rf</code>" command as it can delete anything you have r/w access to recursively, with no warning, very quickly.


<p>
<div align="center">
[<a href="#top">Return to Top</a>]
</div>
<p>
<font size="1">
Hervey Allen, Phil Regnauld
</font>
<p>
<hr width="224" size="3" align="left">
<font size="1">
<!-- Created: Sun Jun 12 00:54:08 CLT 2005 -->
<!-- hhmts start -->
Last modified: Sun Jul 18 16:13:58 BTT 2010
<!-- hhmts end -->
</font>
</body>
</html>