14 The Secure Shell


Chapter 14 - Page 10

Lab 14

Task 1: Introduction to ssh and scp
Estimated Time: 5 minutes

Objectives

- Establish a secure session to a remote host using ssh.
- Copy files securely from one host to another using scp.

Requirements

1 station

Relevance

The ssh and scp commands are the de facto tools for authenticated and encrypted communication between hosts. Users and administrators alike should be very familiar with these commands.

Notices

- The SSH suite of utilities should be pre-installed on the system and the commands in the path. Type ssh and press Enter at the prompt. This should show a list of switches supported by the ssh command (a usage summary). If this is not the case (an error is shown instead), ask the Instructor for assistance.

1) Use ssh to establish an encrypted session to the system. Log in to the station as the user visitor:

$ ssh visitor@localhost
The authenticity of host localhost can't be established.
RSA key fingerprint is 80:1f:26:6f:ac:5e:6e:8b:dd:2d:82:58.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
visitor@localhost's password: work [Enter]

Note: This prompt appears because SSH is unable to verify that the system claiming to be localhost really is localhost and not another host. Answering yes records the host key in ~/.ssh/known_hosts and it is trusted silently from then on, so on a real network compare the displayed fingerprint against one obtained out of band (for example from the console of the target host) before accepting it.

This should have logged into localhost as the user visitor (over an encrypted session), leaving you at a shell prompt:

$

2) Use the SSH utility scp to securely transfer files. Transfer some files from the /etc/ directory to the /tmp/ directory on the system:


Be sure to replace stationX with the IP address or name of the system.

$ scp /etc/e* guru@stationX:/tmp/
guru@stationX's password: work [Enter]
. . . output omitted . . .

3) As the visitor user, log out of ssh:

$ exit
Connection to localhost closed.
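The fingerprint shown in step 1 is simply a hash of the host's public key blob (the base64 field of /etc/ssh/ssh_host_rsa_key.pub on the target, which `ssh-keygen -lf` will also print). The following is an added example, not part of the original lab, showing with only the Python standard library how that blob is parsed and fingerprinted, and how to check a key against a fingerprint read out of band before trusting it. The sample key line is constructed here with a toy modulus so the code runs offline; it is not a real key. OpenSSH releases before 6.8 printed the colon-separated MD5 form used in this lab; 6.8 and later print the SHA256 form by default (`ssh-keygen -l -E md5 -f key.pub` still shows the old one).

```python
"""Added example (not part of the original lab): computing and checking
SSH host key fingerprints from a public key line, using only the Python
standard library. The sample RSA key below is constructed with a tiny
toy modulus purely so the code runs offline; it is NOT a real key."""
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + data)."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH wire-format mpint."""
    if n == 0:
        return ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:          # keep the value positive in two's complement
        raw = b"\x00" + raw
    return ssh_string(raw)


def rsa_pubkey_line(e: int, n: int, comment: str) -> str:
    """Build an OpenSSH public key line: 'ssh-rsa <base64 blob> comment'.
    The blob is string("ssh-rsa") || mpint(e) || mpint(n)."""
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment


def parse_pubkey_line(line: str):
    """Return (key_type, blob) for a public key line, refusing a line whose
    declared type does not match the type embedded in the blob (the same
    consistency check OpenSSH performs when it reads a key)."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    ktype, blob = parts[0], base64.b64decode(parts[1], validate=True)
    (inner_len,) = struct.unpack(">I", blob[:4])
    inner = blob[4:4 + inner_len].decode("ascii", errors="replace")
    if inner != ktype:
        raise ValueError(f"declared type {ktype!r} != embedded type {inner!r}")
    return ktype, blob


def fingerprint_md5(blob: bytes) -> str:
    """Legacy colon-separated MD5 fingerprint, as shown by OpenSSH < 6.8
    (and by 'ssh-keygen -l -E md5 -f key.pub' on newer releases)."""
    hexd = hashlib.md5(blob).hexdigest()
    return ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))


def fingerprint_sha256(blob: bytes) -> str:
    """Default fingerprint since OpenSSH 6.8: 'SHA256:' + unpadded base64."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_matches(line: str, expected: str) -> bool:
    """Compare a key line against a fingerprint obtained out of band (e.g.
    read from the console of the real host). Accepts either format and an
    optional 'MD5:' prefix; hex is compared case-insensitively."""
    _, blob = parse_pubkey_line(line)
    expected = expected.strip()
    if expected.upper().startswith("MD5:"):
        expected = expected[4:]
    if expected.startswith("SHA256:"):
        return expected == fingerprint_sha256(blob)
    return expected.lower() == fingerprint_md5(blob)


# Constructed sample: a toy 'ssh-rsa' key with a deliberately small modulus,
# plus a second key differing in one bit to show the fingerprint changes.
SAMPLE_KEY_LINE = rsa_pubkey_line(65537, 0xC0FFEE1DEADBEEF, "visitor@localhost")
TAMPERED_KEY_LINE = rsa_pubkey_line(65537, 0xC0FFEE1DEADBEEE, "visitor@localhost")

if __name__ == "__main__":
    _, sample_blob = parse_pubkey_line(SAMPLE_KEY_LINE)
    print("MD5   ", fingerprint_md5(sample_blob))
    print("SHA256", fingerprint_sha256(sample_blob))
    print("matches own MD5:",
          fingerprint_matches(SAMPLE_KEY_LINE, fingerprint_md5(sample_blob)))
```

In practice the expected value would be written down from the target's console or delivered by configuration management, and the key line to check would come from `ssh-keyscan` or from the entry ssh wrote into ~/.ssh/known_hosts after the yes in step 1.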


Task 2: SSH Key-based User Authentication
Estimated Time: 10 minutes

Objectives

- Generate and use RSA and DSA user keys.

Requirements

1 station

Relevance

Public key authentication of users is one of the major features that SSH provides. Administrators and power users with many systems to connect to take advantage of this feature for efficiency and ease of authentication. This lab task covers generation and deployment of an SSH public user key.

1) Before key-based user authentication can take place, it is necessary to generate a key pair using the ssh-keygen program. Run this command on the local workstation as the guru user:

The -t dsa option specifies the creation of an SSH version 2 DSA key pair. The lab describes the default as an SSH version 1 RSA key pair; on any current OpenSSH the default is a protocol 2 RSA key (protocol 1 support was removed entirely in OpenSSH 7.6), and DSA (ssh-dss) keys have been refused by default since OpenSSH 7.0. On a modern system use -t ed25519 or -t rsa instead and substitute the resulting file names in the steps below.

$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (~guru/.ssh/id_dsa): [Enter]
Enter passphrase (empty for no passphrase): secret [Enter]
Enter same passphrase again: secret [Enter]
Your identification has been saved in ~guru/.ssh/id_dsa.
Your public key has been saved in ~guru/.ssh/id_dsa.pub.
The key fingerprint is:
17:42:19:d4:7a:a0:59:d5:3e:d3:63:d3:e3:5e:38:2f guru@stationX

2) Examine the key pair files generated by the previous command:

$ ls -l ~/.ssh/id_dsa*
-rw------- 1 guru guru 736 Apr 6 18:54 ~guru/.ssh/id_dsa
-rw-r--r-- 1 guru guru 602 Apr 6 18:54 ~guru/.ssh/id_dsa.pub

Note the secure (user only) permissions on the private key.

3) To enable RSA / DSA authentication, the public key must be copied to each remote system, for each account that needs to be accessed via SSH. This step only needs to be performed once per remote account. SSH public keys, either RSA or DSA, need to be stored in the ~/.ssh/authorized_keys file of the remote account. Multiple public keys can be used by simply appending additional keys to the file:

$ cd ~/.ssh/
$ scp id_dsa.pub visitor@localhost:~/guru@stationX-id_dsa.pub
visitor@localhost's password: work [Enter]
id_dsa.pub 100% 616 0.6KB/s 00:00


4) SSH to the visitor account to set up the .ssh directory:

$ ssh visitor@localhost
visitor@localhost's password: work [Enter]

5) Make sure that the .ssh directory exists. If it does not, create it and ensure that it has the correct permissions set:

$ ls -d .ssh
ls: .ssh: No such file or directory
$ mkdir .ssh
$ chmod 700 .ssh/

If the ~/.ssh/ directory does not have the correct mode (permissions) set, the sshd daemon will not utilize its contents and key-based authentication will not be possible. This is sshd's StrictModes check (enabled by default): the home directory, ~/.ssh/ and authorized_keys must all be owned by the user (or root) and must not be group- or world-writable.

6) Move the copied public key file to the correct location:

$ mv guru@stationX-id_dsa.pub .ssh/

If it was known that the ~/.ssh/ directory already existed, the file could have been copied directly there instead, using the earlier scp command. In that case, this mv command would be unnecessary.

7) Append the new public key to the authorized_keys file:

$ cd .ssh/
$ cat guru@stationX-id_dsa.pub >> authorized_keys

Note: if the file does not already exist, this command will create it; if it does already exist, this command will append the contents of the public-key file to the end of it, preserving any keys already in place. For this reason, it is HIGHLY recommended that you always use this command to add keys to the ~/.ssh/authorized_keys file.


$ chmod 600 authorized_keys

It is only necessary to run this command when the authorized_keys file is first created. If this file's mode is not set properly, newer versions of OpenSSH's sshd will not allow the use of the authorized_keys file.

8) Log out of the visitor account:

$ exit
Connection to localhost closed.

9) Test RSA / DSA authentication by attempting an ssh or scp connection to the remote account. If the previous steps were performed properly, the system will prompt for the passphrase used to encrypt the private key rather than for the account password:

$ cd
$ ssh visitor@localhost
Enter passphrase for key '/home/guru/.ssh/id_dsa': secret [Enter]
Last login: Fri Mar 3 10:52:35 2006 from localhost

The RSA / DSA authentication worked, so return to the local workstation.

$ exit
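Steps 5 through 7 above are the manual form of what `ssh-copy-id` (shipped with OpenSSH) does for you. The following is an added example, not part of the original lab, that performs the same key deployment against an account's home directory with two refinements a practitioner wants: the append is idempotent (running it twice does not leave a duplicate line, which plain `cat >>` would), and the modes are enforced every time. It also includes `strict_modes_problems()`, a simplified re-implementation written here to illustrate sshd's StrictModes rule from step 5 (home, ~/.ssh/ and authorized_keys owned by the user or root and not group- or world-writable); it is not sshd's own code. The key line is a constructed placeholder rather than a real key, and the code is Unix-only because it uses os.getuid().

```python
"""Added example (not from the original lab): installing a public key into
an account's authorized_keys the way steps 5-7 do by hand, but idempotently
and with the modes sshd's StrictModes check requires. strict_modes_problems()
is a simplified re-implementation of that check, written for illustration;
it is not sshd's code. Unix-only (uses os.getuid). The key line is a
constructed placeholder, not a real key."""
import os
import stat
import tempfile


def install_authorized_key(home: str, pubkey_line: str) -> bool:
    """Append pubkey_line to <home>/.ssh/authorized_keys unless it is already
    present; enforce 0700 on ~/.ssh and 0600 on the file. Returns True if
    the key was added, False if it was already there."""
    ssh_dir = os.path.join(home, ".ssh")
    auth = os.path.join(ssh_dir, "authorized_keys")
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)            # makedirs' mode is subject to umask
    key = pubkey_line.strip()
    existing = set()
    if os.path.exists(auth):
        with open(auth) as fh:
            existing = {ln.strip() for ln in fh}
    added = key not in existing
    if added:
        with open(auth, "a") as fh:     # append: never clobber other keys
            fh.write(key + "\n")
    os.chmod(auth, 0o600)
    return added


def strict_modes_problems(home: str) -> list:
    """Mimic sshd StrictModes: the home directory, ~/.ssh and authorized_keys
    must exist, be owned by the user (or root) and not be group/world
    writable. Returns a list of problems; an empty list means sshd would
    accept the file."""
    ssh_dir = os.path.join(home, ".ssh")
    auth = os.path.join(ssh_dir, "authorized_keys")
    problems = []
    for path in (home, ssh_dir, auth):
        try:
            st = os.stat(path)
        except FileNotFoundError:
            problems.append(f"{path}: missing")
            continue
        if st.st_uid not in (os.getuid(), 0):
            problems.append(f"{path}: bad owner uid {st.st_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{path}: group/world writable ({oct(st.st_mode & 0o777)})")
    return problems


# Constructed placeholder key line (not a real key).
GURU_KEY = "ssh-dss AAAAB3NzaC1kc3MAAAAPLACEHOLDER guru@stationX"


def demo() -> dict:
    """Run the procedure against a throwaway home directory and report what
    happened, so the behaviour can be checked without touching real accounts."""
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "visitor")
        os.mkdir(home)
        os.chmod(home, 0o755)
        result = {}
        result["first_add"] = install_authorized_key(home, GURU_KEY)
        result["second_add"] = install_authorized_key(home, GURU_KEY + "\n")
        auth = os.path.join(home, ".ssh", "authorized_keys")
        with open(auth) as fh:
            result["key_count"] = fh.read().count("guru@stationX")
        result["ssh_dir_mode"] = os.stat(os.path.join(home, ".ssh")).st_mode & 0o777
        result["auth_mode"] = os.stat(auth).st_mode & 0o777
        result["problems_ok"] = strict_modes_problems(home)
        os.chmod(auth, 0o664)           # the mistake the lab warns about
        result["problems_bad"] = strict_modes_problems(home)
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running the file prints the outcome of both installs, the resulting modes and the StrictModes verdict before and after the authorized_keys file is made group-writable; the second verdict is the situation behind the note to step 7, where sshd silently ignores the file and falls back to asking for a password.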