Agenda: ssh-exercises.txt

File ssh-exercises.txt, 6.3 KB (added by kemp, 7 years ago)

SSH Exercises - PacNOG 10

In these exercises, you can use your own laptop as the client computer.
This means you can use either "Putty" or another SSH client if you have one.

If you have a Unix machine, you can use the "ssh" command.  Or if you would
like, you can use the workshop pc as the client, and have the pc connect
to itself, or have it connect to your neighbor's workshop pc as the server.

If you have a Windows machine, you can use putty. Download from:
http://www.chiark.greenend.org.uk/~sgtatham/putty/
Use the "puttygen" tool to create keys.

Things we'll practice in these exercises:

        -- automatic SSH key logins.
        -- using the scp command.
        -- edit the sshd configuration and
        -- automatic logins as root.
        -- ssh-agent automatic logins.

------------------------------------

I. SSH User Keys

a) To start, look at a regular, simple SSH client login

Log in to your workshop pc with putty, or with
your ssh client.  Notice: this is a "system" login.  It
is using the shadow file/password file.  So this is known
as a simple "password" login.

b)  Generate User SSH Keys on Your Client

If you are using a Unix client or workshop pc:

        % ssh-keygen                    # the default
        % ssh-keygen -t rsa -b 2048     # here's another way to do it

NOTE: In these examples, just press <RETURN> instead of using a password on the key.

Look in the .ssh directory to verify the new keys have been created.

        % ls -ld .ssh
        % ls -l .ssh/*

What Unix permissions are set on the SSH directory?
What Unix permissions are set on the SSH keys?

------------------------------------

II. authorized_keys

Now let's do some automatic logins.

a) Copy your public key to the machine you want to log in to.

        % cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys

NOTE: If you are using "dsa" keys, use the "dsa" name.
NOTE: If you are using "rsa" keys, use the "rsa" name.
NOTE: We use >> to append to the file, so that we add to the end
of the file rather than wiping it out every time.

Now try it.  ssh to the same machine.

        % ssh localhost
        % exit

Did you have to type a password?  Turn on debugging to
watch the SSH client make decisions:

        % ssh -v -v -v localhost

b) Pick a partner machine, and add your public keys to their
   ~sysadm/.ssh/authorized_keys file.
   Do this between one machine and the other machine, for
   example: pc1 -> pc2 and pc2 -> pc1

   Here is pc1 installing on pc2:

        % cat ~/.ssh/id_rsa.pub | ssh sysadm@pc2 'cat >> .ssh/authorized_keys'

   Now try an ssh login to pc2:

        % ssh sysadm@pc2
        % exit

Did you have to type a password?
You can now automatically run commands on the remote system:

        % ssh sysadm@pc2 w
        % ssh

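Added example, not part of the original exercise sheet: when a key login
from sections I and II still asks for a password, the cause is often the
file permissions asked about in section I.  The shell functions below
(the names check_ssh_perms, mode_of and has_bits are chosen here) flag the
modes that sshd's StrictModes check and the ssh client reject.

```shell
# Added example, not from the original exercise sheet.
# Usage: check_ssh_perms "$HOME/.ssh"

# Octal mode of a path: GNU stat first, BSD stat as a fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# True if any permission bit of the octal mask $2 is set on path $1.
has_bits() {
    [ $(( 0$(mode_of "$1") & 0$2 )) -ne 0 ]
}

# Print one line per problem; return 0 if clean, 1 otherwise.
check_ssh_perms() {
    dir=$1; bad=0
    # sshd (StrictModes) ignores authorized_keys when the directory or
    # the file is writable by group or others.
    if has_bits "$dir" 022; then
        echo "$dir: writable by group/others"; bad=1
    fi
    if [ -f "$dir/authorized_keys" ] && has_bits "$dir/authorized_keys" 022; then
        echo "$dir/authorized_keys: writable by group/others"; bad=1
    fi
    # The ssh client refuses a private key that group or others can access.
    for key in "$dir"/id_*; do
        [ -f "$key" ] || continue
        case $key in *.pub) continue ;; esac
        if has_bits "$key" 077; then
            echo "$key: private key accessible by group/others"; bad=1
        fi
    done
    return $bad
}

# Constructed demo: a private key left at mode 644 gets reported.
demo=$(mktemp -d)
chmod 700 "$demo"
: > "$demo/id_rsa"
chmod 644 "$demo/id_rsa"
check_ssh_perms "$demo" || echo "tighten with: chmod 600 on the key"
rm -rf "$demo"
```
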
------------------------------------

III. scp commands

Now that we have automatic login, we can automatically
copy files from one system to another.

Make a directory to test with.

        % cd ; mkdir myjunk ; echo "HI" > myjunk/myfile

Now let's copy that to another system:

        % scp -rp myjunk sysadm@pc2:

*** WARNING ***
For "scp", use the ":" on the end of the command.  This is required
in order to tell "scp" that the target is a remote machine, not
a local filename.  If you said "sysadm@pc2" instead,
it would create a file locally called "sysadm@pc2", instead of trying to
connect to the remote machine pc2.

Now let's check for files:

        % ssh pc2 -l sysadm ls -rl myjunk

What does it mean when we used "-rp" on the scp command?

        % man scp

------------------------------------

IV. SSHD configuration

Look at the configuration file.
Does your system permit root logins via ssh?

        % cd /etc/ssh
        % less sshd_config

If the "PermitRootLogin" option is set to "no",
edit the file and change the setting to "yes".
Then restart the SSH server so the change takes effect:

        % sudo service ssh restart

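Added example, not part of the original exercise sheet: sshd takes the
first value it reads for each keyword, so when editing sshd_config it
matters which "PermitRootLogin" line comes first.  The functions below
(names chosen here) list every global PermitRootLogin line in a file and
show which one is used; Include files and Match blocks are not followed,
and "sudo sshd -T" prints the fully resolved configuration.

```shell
# Added example, not from the original exercise sheet.
# Usage: list_root_login /etc/ssh/sshd_config

# Print "LINE VALUE used|ignored" for every global PermitRootLogin line.
list_root_login() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # comments and blank lines
        {
            sub(/^[ \t]+/, "")
            split($0, f, /[ \t=]+/)         # "Key value" or "Key=value"
            key = tolower(f[1])
            if (key == "match") exit        # global section ends here
            if (key == "permitrootlogin") {
                print NR, tolower(f[2]), (seen++ ? "ignored" : "used")
            }
        }
    ' "$1"
}

# Print the value sshd would use, or "default" when the keyword is
# absent and sshd falls back to its built-in default.
effective_root_login() {
    v=$(list_root_login "$1" | awk '$3 == "used" { print $2 }')
    echo "${v:-default}"
}

# Constructed sample: a "yes" added below an existing "no" has no effect.
sample=$(mktemp)
printf '%s\n' 'PermitRootLogin no' 'PermitRootLogin yes' > "$sample"
list_root_login "$sample"
effective_root_login "$sample"
rm -f "$sample"
```
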
------------------------------------

V. root automatic login

Now let's try to do this as root.  NOTE: we are generating
automatic root access.  Be careful with commands like "rm".

a) first try it on your own machine

        % sudo -s
        # su -
        # pwd

NOTE: the su command was used to get into the root directory.
You should now be in the "/root" home directory.
Generate some keys to create the directory for ssh automatically.

        # ssh-keygen

Now, exit back to yourself and copy in your public key:

        % cat ~/.ssh/id_rsa.pub | sudo tee -a /root/.ssh/authorized_keys > /dev/null

NOTE: a plain "sudo cat ... >> file" does not work here, because the >>
redirection is performed by your own shell, not by root.

Now, give it a try.

        % ssh root@localhost

Did it work? Do you see the "#" root prompt?

b) now let's try and get automatic root on your partner machine

First make sure the partner has sudo and a .ssh directory.

        % ssh pc2 -l sysadm
        % sudo -s
        # ls -ld /root/.ssh
        # exit

Let's be careful this time about moving the file.
Let's copy it to a /tmp file, then log in and move
the file in place on the remote system.

        % scp ~/.ssh/id_rsa.pub sysadm@pc2:/tmp/pc1key.pub
        % ssh pc2 -l sysadm
        % sudo sh -c 'cat /tmp/pc1key.pub >> /root/.ssh/authorized_keys'
        % exit

Now give it a try.

        % ssh root@pc2 w
        % ssh root@pc2 id

------------------------------------

VI. ssh-agent

We can load keys into memory on the local machine, and
use those keys automatically.  This is helpful if you have
a password on your key and you don't want to type the
password all the time.  It's also helpful if you have multiple
identities and want to load them all.

If you are doing this with "putty" on Windows, the
"pageant" tool can be used instead of ssh-agent.

a) wipe out your old keys

        % cd
        % rm .ssh/id_rsa.pub
        % rm .ssh/id_rsa

b) generate a new key, but this time, enter a password
when it requests a password.  Now when you use this key,
you will have to type the password for the key.

        % ssh-keygen -t rsa -b 2048

        (It will force you to pick a good password.)

Now start the ssh-agent and add a key to the agent.
NOTE: By default, the keys with the default names are added to ssh-agent.
NOTE: You have to have the environment variables set so
that ssh can find the ssh-agent socket, so....

        % ssh-agent -s > sshenv
        % source sshenv

Now make sure your authorized_keys file is correct:

        % cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys

Now you can add your key:

        % ssh-add
(or)
        % ssh-add .ssh/id_rsa

To list keys that are in the agent:

        % ssh-add -l

And you can log in to localhost now without
having to type the private-key password again.

        % ssh localhost

You can do the same thing when logging on to remote systems.
You only enter the private-key password once to load the key
into memory.  From then on, the password is given for you
by ssh-agent.

---------------------------------------------