Exercises: SSH (Secure SHell): PacNOG3 Workshop: Rarotonga, Cook Islands

June 18, 2007


    Using SSH to Admin your Box

  1. Install the SSH Server

  2. Place inst in the admin group

  3. Generate your public/private Key Pair

  4. Copy Your Public Key to the admin Account

  5. Copy Your Public Key to the root Account

  6. Update /etc/ssh/sshd_config


  1. The "#" and "$" characters before commands represents your system prompt and is not part of the command itself. "#" indicates a command issued as root while "$" indicates a command issued as a normal user.

  2. italics: Items that are in italics are to be replaced with something of your choice. For instance, username means choose your own username, don't literally choose the word "username".

1.) Install the SSH Server [Top]

By default Ubuntu comes with the SSH client, but not the server installed. To install both the latest versions of the server and client simply do:

$ sudo apt-get install ssh

You will see a number of items scroll by on the screen – including the generation of the system-wide ssh RSA and DSA keys.

2.) Place inst in the admin group [Top]

Before we can continue with these exercises we need to clean up something we missed when we originally created the inst account. This account must be in the admin group in order to be able to use the sudo command. To do this simply type:

$ sudo usermod -G admin inst

If you are interested you can read more about the usermod command by typing “man usermod.

3.) Generate your Public/Private Key Pair [Top]

We will now generate a single RSA SSH protocol 2 key of 2048 bits for your user account. To do this, issue the following command:

$ ssh-keygen -t rsa -b 2048

You will be prompted for a file location for the key as well as for a passphrase to encrypt the key file. Be sure to enter a passphrase. Private key files without passphrases are a security hole. Your passphrase can be pretty much anything you want. Press <ENTER> when prompted for file locations. You definitely want the default locations.

4.) Copy Your Public Key to the inst Account [Top]

First connect to your neighbor's machine as the userid inst using ssh. We'll refer to your neighbor's machine as pc1. You can use the IP address or name of their machine to connect.

Here's what you do:

$ ssh inst@pc1

Now you'll be faced with a prompt similar to this:

The authenticity of host 'pc1.conference.pacnog.org (' can't be established.
RSA2 key fingerprint is 60:f7:04:8b:f7:61:c4:41:6e:9a:6f:53:7d:95:cb:29.
Are you sure you want to continue connecting (yes/no)?

You should say yes to this prompt, but you should understand what this means. Do you? If not, please ask your instructor.

Once you say yes, then you see another message like this:

Warning: Permanently added 'pc1.conference.pacnog.org' (RSA2) to the list of known hosts.
inst@pc1.conference.pacnog.org's password: 

At this point enter in the password for the inst account on your neighbor's machine.

Now you'll be logged in and see a prompt like this:


Now you should logout of your neighbor's machine, and then immediately log back in:

inst@pc1: ~$ exit
$ ssh inst@pc1

Now you should simply be prompted for the inst password on your neighbor's machine. You should not see the warning message again. Now, log out of your neighbor's machine again:

inst@pc1: ~$ exit

Let's copy the public_key for your user account on your machine to the /home/inst/.ssh directory on your neighbor's machine. As usual there are several ways to do this, but here's one set of steps that should work:_

$ cd /home/your_userid/.ssh
$ scp id_rsa.pub inst@pc1:/tmp/.
$ ssh inst@pc1
inst@pc1: ~$ cd .ssh [if ".ssh" is not there do "mkdir .ssh"]
inst@pc1: ~$ cat /tmp/id_rsa.pub >> authorized_keys
inst@pc1: ~$ rm /tmp/id_rsa.pub
inst@pc1: ~$ exit

If you don't understand what this means please ask an instructor to explain and give you a hand.

OK, so now your public key is sitting in the file /home/inst/.ssh/authorized_keys in the inst account on your neighbor's machine. So, now let's try connecting to inst on our neighbor's machine:

$ ssh inst@pc1

You should now see something like:

$ ssh inst@pc1
Enter passphrase for RSA key 'inst@pc2':

And, at this point you type in the passphrase you used when creating your public/private key pair on your machine for your account - not the password for the inst account on your neighbor's machine.

If you think about this that's pretty neat! Anywhere your public key resides you can log in using one passphrase, and it won't expire.

Now be sure that you log out of your neighbor's machine:

inst@pc1: ~$ exit

5.) Copy Your Public Key to the root Account [Top]

You will now repeat exercise #4, with just a couple of differences. Note, you cannot log in directly to your neighbor's machine as root, so you must take advantage of the fact that you can get in as the userid inst and then you can become root once you are logged in. This should work as long as your neighbor has not changed the root password as requested, and they created the inst account as well.

Here are the steps to do this:

$ cd /home/your_userid/.ssh
$ scp id_rsa.pub inst@pc1:/tmp/.
$ ssh inst@pc1

inst@pc1: ~$ sudo bash [enter root password when requested]

# cd /root/.ssh [if ".ssh" is not there do mkdir .ssh]
# cat /tmp/id_rsa.pub >> authorized_keys
# rm /tmp/id_rsa.pub
# exit

Now your public key is in the /root/.ssh/authorized_keys file on your neighbor's machine. You cannot log in yet to your neighbor's machine as root since the file /etc/ssh/sshd_config is configured to block all root access. Our next exercise will change this.

6.) Update /etc/ssh/sshd_config [Top]

We have placed an sshd_config file on the noc server that you can copy to your machine to accomplish what we want to do. This configuration file only allows access to your machine via ssh if someone has their public key in the account they are trying to connect with. In addition, this file allows you to connect directly as root. This can actually be very useful, especially if you need to copy over a large number of files with root privileges. It's important that the passphrase you used on your private key is strong enough to resist brute force attacks.

Warning: This exercise relies on timing between you and your neighbor. If you replace the /etc/sshd_config file on your machine and restart the ssh server before your neighbor has placed their public keys in your root account (or vice versa), then you will effectively have locked them out of your machine until you put the old sshd_config file back in place and restart the ssh server again.

To update the ssh server configuration on your machine do:

$ sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
$ cd
$ wget http://noc.conference.pacnog.org/workshop/scripts/sshd_config
$ sudo cp sshd_config /etc/ssh/.
$ sudo /etc/init.d/ssh restart

If your neighbor or neighbors are not ready give them a hand to make sure they get their public key copied over to your machine's /root/.ssh/authorized_keys file.

Once your neighbor has done this as well try logging in on their machine as root from your local account. For instance:

$ ssh root@pc2.conference.pacnog.org

You should be prompted for your passphrase, and you should be able to log in directly to your neighbor's machine as root! This is a very useful tool.

Be sure to exit your session on their machine:

# exit

And, have a look at the file /etc/ssh/sshd_config. Maybe compare it to /etc/ssh/sshd_config.bak to see some of the differences.

[Return to Top]

Hervey Allen

Last modified: Mon Jun 18 01:12:49 CKT 2007