SSH Exercises - PacNOG 10

In these exercises, you can use your own laptop as the client computer.
This means you can use either "Putty" or another SSH client if you have
one. If you have a Unix machine, you can use the "ssh" command. Or if
you would like, you can use the workshop pc as the client, and have the
pc connect to itself, or have it connect to your neighbor's workshop pc
as the server.

If you have a Windows machine, you can use putty. Download from:

    http://www.chiark.greenend.org.uk/~sgtatham/putty/

Use the "puttygen" tool to create keys.

Things we'll practice in these exercises:

  -- automatic SSH key logins.
  -- using the scp command.
  -- editing the sshd configuration.
  -- automatic logins as root.
  -- ssh-agent automatic logins.

------------------------------------
I. SSH User Keys

a) First, look at a regular simple SSH client login

Login to your workshop pc with putty, or with your ssh client.

Notice: this is a "system" login. It is checked against the
shadow/password file, so it is known as a simple "password" login.

b) Generate User SSH Keys on Your Client

If you are using a Unix client or the workshop pc:

  % ssh-keygen                    # the default
  % ssh-keygen -t rsa -b 2048     # here's another way to do it

NOTE: In these examples, just press Enter instead of giving the key a
passphrase. A key without a passphrase can be used by anyone who can
read the file, so this is for the exercise only; section VI adds one.

Look in the .ssh directory to verify the new keys have been created.

  % ls -ld .ssh
  % ls -l .ssh/*

What Unix permissions are set on the SSH directory?
What Unix permissions are set on the SSH keys?

(You should see 700 on .ssh, 600 on the private key and 644 on the
.pub file. ssh refuses to use a private key that other users can read,
and sshd, with its default "StrictModes yes", ignores an
authorized_keys file if the file or the .ssh directory is group- or
world-writable.)

------------------------------------
II. authorized_keys

Now let's do some automatic logins.

a) Copy your public key to the machine you want to login into.

  % cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys

NOTE: if you are using "dsa" keys, use the "dsa" name (id_dsa.pub).
Recent OpenSSH releases disable DSA keys by default.
NOTE: if you are using "rsa" keys, use the "rsa" name (id_rsa.pub).
NOTE: We use >> to append to the file, so we don't wipe out the file
every time; rather we add to the end of the file.

Now try it. ssh to the same machine.
  % ssh localhost
  % exit

Did you have to type a password?

Turn on debugging to watch the SSH client make decisions:

  % ssh -v -v -v localhost

b) Pick a partner machine, and add your public key to their
~sysadm/.ssh/authorized_keys file

Do this in both directions, for example:

  pc1 -> pc2 and pc2 -> pc1

Here is pc1 installing on pc2:

  % cat ~/.ssh/id_rsa.pub | ssh sysadm@pc2 'cat >> .ssh/authorized_keys'

Now try an ssh login to pc2:

  % ssh sysadm@pc2
  % exit

Did you have to type a password?

You now can automatically run commands on the remote system:

  % ssh sysadm@pc2 w
  % ssh

------------------------------------
III. scp commands

Now that we have automatic login, we can automatically copy files from
one system to another.

Make a directory to test with.

  % cd ; mkdir myjunk ; echo "HI" > myjunk/myfile

Now let's copy that to another system:

  % scp -rp myjunk sysadm@pc2:

*** WARNING *** For "scp", use the ":" on the end of the remote name.
The colon is what tells scp that "sysadm@pc2" is a remote host, with
the path after the colon (here empty, meaning the remote home
directory), rather than a local filename. If you said "sysadm@pc2"
instead, it would create a local file called "sysadm@pc2" instead of
connecting to the remote machine pc2.

Now let's check for the files:

  % ssh pc2 -l sysadm ls -rl myjunk

What does it mean when we used "-rp" on the scp command?

  % man scp

------------------------------------
IV. SSHD configuration

Look at the configuration file. Does your system permit root logins
via ssh?

  % cd /etc/ssh
  % less sshd_config

If the "PermitRootLogin" option is set to "no", edit the file and
change the setting to "yes". Then restart sshd so it re-reads the file:

  % sudo service ssh restart

NOTE: "yes" lets root log in with a password as well as with a key.
That is fine for the exercise, but on a real server use
"PermitRootLogin prohibit-password" ("without-password" in older
OpenSSH releases), which accepts only key logins for root, or leave it
at "no" and use sudo. Also, sshd uses the FIRST uncommented occurrence
of an option, so make sure no earlier PermitRootLogin line overrides
your edit; "sudo sshd -T | grep -i permitrootlogin" prints the
effective value.

------------------------------------
V. root automatic login

Now let's try to do this as root.

NOTE: we are creating automatic root access. Be careful with commands
like "rm".

a) first try it on your own machine

  % sudo -s
  # su -
  # pwd

NOTE: "su -" starts a login shell for root, so you are now in root's
home directory, "/root".
Generate some keys, which also creates root's .ssh directory for you:

  # ssh-keygen
  # exit

Now, back as yourself, copy in your public key. Note that the ">>"
redirection is done by YOUR shell, not by sudo, so
"sudo cat ~/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys" fails with
"Permission denied"; let tee do the append under sudo instead:

  % cat ~/.ssh/id_rsa.pub | sudo tee -a /root/.ssh/authorized_keys

Now, give it a try.

  % ssh root@localhost

Did it work? Do you see the "#" root prompt?

b) now let's try and get automatic root on your partner machine

First make sure the partner has sudo and a /root/.ssh directory.

  % ssh pc2 -l sysadm
  % sudo -s
  # ls -ld /root/.ssh
  # exit

Let's be careful this time about moving the file. Let's copy it to a
/tmp file, then login and append it in place on the remote system.

  % scp ~/.ssh/id_rsa.pub sysadm@pc2:/tmp/pc1key.pub
  % ssh pc2 -l sysadm
  % cat /tmp/pc1key.pub | sudo tee -a /root/.ssh/authorized_keys
  % exit

Now give it a try.

  % ssh root@pc2 w
  % ssh root@pc2 id

------------------------------------
VI. ssh-agent

We can load keys into memory on the local machine, and use those keys
automatically. This is helpful if you have a passphrase on your key
and you don't want to type it all the time. It's also helpful if you
have multiple identities and want to load them all.

If you are doing this with "putty" on Windows, the "pageant" tool can
be used instead of ssh-agent.

a) wipe out your old keys

  % cd
  % rm .ssh/id_rsa.pub
  % rm .ssh/id_rsa

b) generate a new key, but this time, enter a passphrase when it asks
for one. From now on, whenever you use this key you will have to type
the passphrase.

  % ssh-keygen -t rsa -b 2048

(It will reject a very short passphrase.)

Now start the ssh-agent and add a key to the agent.

NOTE: "ssh-add" with no arguments adds the default-named keys
(~/.ssh/id_rsa and friends).
NOTE: You have to have the environment variables set so that ssh can
find the ssh-agent socket, so....
  % ssh-agent -s > sshenv
  % source sshenv

("-s" prints Bourne-shell syntax; use "ssh-agent -c" for csh/tcsh. In
bash, "eval $(ssh-agent -s)" does both steps at once.)

Now make sure your authorized_keys file contains the NEW public key.
The old key's line is still in every authorized_keys file you added it
to; it can no longer be used since the private key is gone, but remove
it when you clean up.

  % cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys

Now you can add your key:

  % ssh-add
(or)
  % ssh-add .ssh/id_rsa

To list keys that are in the agent:

  % ssh-add -l

And you can login to localhost now without having to type the
private-key passphrase again.

  % ssh localhost

You can do the same thing when logging in to remote systems. You only
enter the private-key passphrase once to load the key into memory.
From then on, the agent signs for you whenever ssh needs the key.

NOTE: the agent never hands out the private key itself, but any
process running as you (or as root) on this machine can ask it to sign
while the key is loaded. Run "ssh-add -D" to unload all keys when you
are done.

---------------------------------------------
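Sections I, II and V install public keys by appending to authorized_keys by hand. The helper below is an added example, not part of the PacNOG handout, that does the same job idempotently: it checks the line looks like an OpenSSH public key, sets the 700/600 permissions that sshd's StrictModes requires, and appends the key only if its type and blob are not already present, so re-running an exercise does not pile up duplicates. The function names, the constructed key line and the use of a scratch directory are assumptions for the example; it never calls ssh or sshd.

```shell
#!/bin/sh
# Added example (not from the PacNOG handout): idempotent authorized_keys install.
# Assumed tools: POSIX sh, awk, grep, mkdir, chmod, touch, head.
#
#   install_pubkey /path/to/id_rsa.pub /home/sysadm
#   sudo sh -c '. ./install_pubkey.sh; install_pubkey /tmp/pc1key.pub /root'
#
# The second form is how section V avoids the ">> /root/..." permission problem:
# the redirection inside the function runs with sudo's privileges.

install_pubkey() {
    pub=$1
    home=$2
    sshdir=$home/.ssh
    auth=$sshdir/authorized_keys

    # An OpenSSH public key is one line: "<type> <base64 blob> [comment]".
    # Refuse anything else rather than appending junk to authorized_keys.
    key=$(head -n 1 "$pub") || return 1
    case $key in
        ssh-rsa\ *|ssh-dss\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "install_pubkey: $pub is not an OpenSSH public key" >&2; return 1 ;;
    esac

    # The permissions section I asks you to look at: 700 on .ssh, 600 on
    # authorized_keys. With StrictModes (the default) sshd silently ignores
    # the file if it or .ssh is group- or world-writable.
    mkdir -p "$sshdir" || return 1
    chmod 700 "$sshdir"
    touch "$auth"
    chmod 600 "$auth"

    # Compare type + blob only, ignoring the comment, so the same key with a
    # different comment ("user@pc1" vs "user@laptop") is still a duplicate.
    blob=$(printf '%s\n' "$key" | awk '{ print $1 " " $2 }')
    if grep -qF -- "$blob" "$auth"; then
        echo "install_pubkey: key already present in $auth" >&2
    else
        printf '%s\n' "$key" >> "$auth"
    fi
}

# Number of active key lines in a home directory's authorized_keys
# (blank lines and "#" comments are not keys).
installed_key_count() {
    f=$1/.ssh/authorized_keys
    if [ -f "$f" ]; then
        awk 'NF && $1 !~ /^#/ { n++ } END { print n + 0 }' "$f"
    else
        echo 0
    fi
}
```

For section II b the same function can be run on the partner machine after copying the .pub file over with scp, which is safer than the `ssh ... 'cat >> .ssh/authorized_keys'` one-liner: the one-liner creates the file even if .ssh is missing or has the wrong mode, and then the login silently fails.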
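Section IV has you edit PermitRootLogin in sshd_config and restart sshd. The two helpers below are an added example, not part of the PacNOG handout, for checking what sshd will actually use before you restart it: `effective_setting` prints the value sshd takes for a keyword, and `set_option` writes a corrected copy. They implement the parsing rules from sshd_config(5) that bite in practice: keywords are case-insensitive, the FIRST occurrence wins, keyword and value may be separated by whitespace or "=", and everything after a "Match" line belongs to that conditional block. The function names and the constructed config in the test are assumptions for the example; "Include" files are not followed, so the authoritative answer on a real host is still `sudo sshd -T`.

```shell
#!/bin/sh
# Added example (not from the PacNOG handout). Assumed tools: POSIX sh, awk, tr.
#
#   effective_setting PermitRootLogin /etc/ssh/sshd_config   -> prints e.g. "no"
#   set_option PermitRootLogin prohibit-password /etc/ssh/sshd_config
#       -> writes /etc/ssh/sshd_config.new for you to review and copy into place

lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Value sshd uses for keyword $1 in file $2; prints nothing if it is unset
# (PermitRootLogin then falls back to the compiled-in default).
effective_setting() {
    awk -v kw="$(lc "$1")" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }                      # comment or blank line
        { t = $0; sub(/=/, " ", t); split(t, f); k = tolower(f[1]) }
        k == "match" { exit }                                   # global scope ends at Match
        k == kw      { print f[2]; exit }                       # first occurrence wins
    ' "$2"
}

# Write $3.new with keyword $1 set to $2 in the global section:
#  - the first active occurrence (the one sshd honours) is replaced,
#  - later global duplicates are commented out so the file is unambiguous,
#  - if the keyword is absent it is added before the first Match block,
#    or appended at the end when there is no Match block,
#  - lines inside Match blocks are left untouched.
set_option() {
    awk -v kw="$(lc "$1")" -v new="$1 $2" '
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }
        { t = $0; sub(/=/, " ", t); split(t, f); k = tolower(f[1]) }
        k == "match" && !done { print new; done = 1 }
        k == "match"          { in_match = 1 }
        in_match              { print; next }
        k == kw && !done      { print new; done = 1; next }
        k == kw               { print "# superseded: " $0; next }
        { print }
        END { if (!done) print new }
    ' "$3" > "$3.new"
}
```

After reviewing the .new file, copy it over sshd_config, run `sudo sshd -t` to syntax-check it, then restart the service as in section IV. Keep your existing ssh session open until a second login succeeds, so a mistake in the file cannot lock you out.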