ComputerSecurityStudent (CSS) [Login] [Join Now]




|UNIX >> Ubuntu >> Ubuntu 12.04 Desktop >> Current Page |Views: 15500

(Ubuntu: Lesson 9)

{ How to setup an ssh key infrastructure }


Section 0. Background Information
  1. What is SSH?
    • Secure Shell (SSH) is a network protocol for secure data communication, remote shell services or command execution and other secure network services between two networked computers that it connects via a secure channel over an insecure network: a server and a client (running SSH server and SSH client programs, respectively)

  2. What is SSHD?
    • sshd (OpenSSH Daemon) is the daemon program for ssh(1). Together these programs replace rlogin(1) and rsh(1), and provide secure encrypted communications between two untrusted hosts over an insecure network.
     
  3. What are SSH Keys?
    • On Unix-like systems, the list of authorized keys are stored in the home folder of the user that is allowed to log in remotely, in the file ~/.ssh/authorized_keys. This file is only respected by ssh if it is not writable by anything apart from the owner and root.
    • When the public key is present on one side and the matching private key is present on another side, typing in the password is no longer required.
    • The private key can also be looked for in standard places, but its full path can also be specified as a command line setting (the switch -i for ssh). The ssh-keygen utility produces the public and private keys, always in pairs.

  4. Prerequisite
  5. Lab Notes
    • In this lab we will how to do the following:
      1. We will create a SSH Key Infrastructure between Ubuntu and Fedora.
      2. We will use ssh-keygen to create a private/public key pair for the student user on Ubunut.
      3. We will place the public key on the Fedora server in the appropriate directory for the student user.
      4. We will use Ubuntu's private key to authenticate and log into the Fedora server as student without a password. 
      5. We will use Ubuntu's private key to authenticate and run command against the Fedora server as student without a password.

  6. Legal Disclaimer
    • As a condition of your use of this Web site, you warrant to computersecuritystudent.com that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices.
    • In accordance with UCC § 2-316, this product is provided with "no warranties, either express or implied." The information contained is provided "as-is", with "no guarantee of merchantability."
    • In addition, this is a teaching website that does not condone malicious behavior of any kind.
    • You are on notice, that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law.
    • © 2012 No content replication of any kind is allowed without express written permission.

 

Section 1: Start Ubuntu 12.04
  1. Start VMware Player
    • Instructions
      1. For Windows 7
        1. Click Start Button
        2. Search for "vmware player"
        3. Click VMware Player
      2. For Windows XP
        • Starts --> Programs --> VMware Player

     

  2. Verify Virtual Machine Settings.
    • Instructions
      1. Click on Ubuntu 12.04
      2. Click on Edit virtual machine settings

     

  3. Configure Network Adapter
    • Instructions
      1. Click on Network Adapter
      2. Click on the Bridged Radio Button
      3. Click on the Close Button

     

  4. Start the Ubuntu 12.04 VM
    • Instructions
      1. Click on Ubuntu 12.04
      2. Click on Play virtual machine

 

Section 2: Login to Ubuntu
  1. Change to Gnome Classic
    • Instructions:
      1. Click on the Circle

     

  2. Select Gnome Classic
    • Instructions:
      1. Double Click on GNOME Classic

     

  3. Login to Server
    • Instructions
      1. User: Student
      2. Password: Please supply the student password.

 

Section 3: Become Root and Verify Network Connection
  1. Start up a Terminal
    • Instructions
      1. Click on the Terminal

     

  2. Become Root
    • Instructions
      1. sudo su -
      2. Supply the student password.

     

  3. Verify you have a network connection
    • Instructions
      1. ifconfig -a
        • eth0 is the name of my interface.
        • 192.168.1.103 is my network IP address.
    • Note(FYI):
      • If you do not have an DHCP IP Address try the following:
        • dhclient
          • OR
        • /etc/init.d/networking restart

 

Section 4: Create SSH Key Pair
  1. Switch User Back to "student"
    • Instructions
      1. su - student
    • Note(FYI):
      • Earlier, you became the root user just encase your network was down.
      • We su'ed back to student, because we are going to set up a SSH Key infrastructure for the student user.

     

  2. Create the .ssh directory
    • Instructions
      1. mkdir -p .ssh
      2. ls -ld .ssh
        • In my case, the permissions are set to 775.
        • This is a problem, because we don't want anybody to have access to our future ssh keys.
      3. chmod 700 .ssh
        • Now only student has read, write and execute permissions to the .ssh directory.
      4. ls -ld .ssh

     

  3. Create ssh key pair
    • Instructions
      1. cd .ssh
      2. ssh-keygen -t rsa -b 4096
        • ssh-keygen is a tool that creates key pairs.  (e.g., Private and Public keys).
        • "-t" specific the type of encryption used.
        • "-b" specific the length of the key.  Default is 2048
      3. Press <Enter>
      4. Press <Enter>
      5. Press <Enter>
    • Note(FYI):
      • For the purposes of this lab, you are not required to name your key or to create a passphrase.  It is an industry practice to do both, but lets just cover the basics to get you going.

     

  4. Set SSH Key Permissions
    • Instructions
      1. ls -l
      2. chmod 600 *
        • We want to make sure nobody beside the "student" user can access the keys.
      3. ls -l
      4. file id_rsa
        • id_rsa, is the private key that is given out to nobody.
      5. file id_rsa.pub
        • id_rsa.pub, is the public key that is placed on other servers used to set up the securely authenticated SSH infrastructure.

 

Section 5: Start Up Fedora Server
  1. Start VMware Player
    • Instructions
      1. For Windows 7
        1. Click Start Button
        2. Search for "vmware player"
        3. Click VMware Player
      2. For Windows XP
        • Starts --> Programs --> VMware Player

     

  2. Edit Fedora Virtual Machine Settings
    • Instructions:
      1. Highlight fedora14
      2. Click Edit virtual machine settings

     

  3. Edit Network Adapter
    • Instructions:
      1. Highlight Network Adapter
      2. Select Bridged
      3. Click on the OK Button.

     

  4. Start Fedora14 VM Instance
    • Instructions:
      1. Start Up VMWare Player
      2. Select Fedora14
      3. Play virtual machine

     

Section 6: Login to Fedora14
  1. Login to Fedora14
    • Instructions:
      1. Login: student
      2. Password: <whatever you set it to>.

     

     
Section 7: Open Console Terminal and Retrieve IP Address
  1. Start a Terminal Console
    • Instructions:
      1. Applications --> Terminal

     

  2. Switch user to root
    • Instructions:
      1. su - root
      2. <Whatever you set the root password to>

     

  3. Get IP Address
    • Instructions:
      1. ifconfig -a
        • As indicated below, my IP address is 192.168.1.107.
        • Please record your IP address
    • Note(FYI):
      • If you do not have an DHCP IP Address try the following:
        • dhclient -v
          • OR
        • /etc/init.d/network restart

     

  4. Make sure sshd is running

 

Section 8: Set Up SSH Director on Fedora
  1. Switch User to "student"
    • Instructions
      1. su - student
    • Note(FYI):
      • Earlier, you became the root user just encase your network was down.
      • We su'ed back to student, because we are going to set up a SSH Key infrastructure for the student user.

     

  2. Create the .ssh directory
    • Instructions
      1. mkdir -p .ssh
      2. ls -ld .ssh
        • In my case, the permissions are set to 775.
        • This is a problem, because we don't want anybody to have access to our future ssh keys.
      3. chmod 700 .ssh
      4. ls -ld .ssh

     

  3. Create authorized_keys file
    • Instructions
      1. cd .ssh
      2. touch authorized_keys
        • The authorized_keys file contains all the public keys from servers and/or users that are allowed to authenticate into this Fedora server.
      3. ls -l authorized_keys
      4. chmod 600 authorized_keys
        • We only want the "student" use to have read and write permissions.
      5. ls -l authorized_keys

     

Section 9: Copy Ubuntu's Public SSH key to Fedora
  1. Copy Ubuntu's Public ssh key to Fedora
    • Note(FYI):
      • Go Back to your Ubuntu Server
    • Instructions
      1. cd /home/student/.ssh/
      2. scp id_rsa.pub student@192.168.1.107:/home/student/.ssh/
        • Replace 192.168.1.107 with the IP address obtained from (Section 7, Step 3).
      3. Answer "yes"
        • RSA fingerprint will be added to the student's known_hosts file.
        • The RSA finger print is stored in /home/student/.ssh/known_hosts
        • When initiating subsequent ssh sessions, your ssh client will hash the hostname and look it up in the known_hosts file to find the previously-recorded ssh host key for the remote server.
      4. <Enter Student Password to Fedora>

 

Section 10: Populate the authorized_keys file on Fedora
  1. Populate the authorized_keys file on Fedora
    • Note(FYI):
      • Go Back to your Fedora Server
    • Instructions
      1. cd /home/student/.ssh/
      2. ls -l
      3. cat id_rsa.pub >> authorized_keys
      4. cat authorized_keys
     

 

Section 11: Test SSH Key Infrastructure
  1. Testing the SSH key Infrastructure through Ubuntu
    • Note(FYI):
      • Go Back to your Ubuntu Server
    • Instructions
      1. ssh -i /home/student/.ssh/id_rsa student@192.168.1.107
        • Replace 192.168.1.107 with the IP address obtained from (Section 7, Step 3).
        • Notice that since you supplied the student SSH public key, you are now logged on to the Fedora server without supplying a username and password.
      2. hostname
      3. uptime
      4. who
      5. w
      6. exit

 

Section 12: Proof of Lab
  1. Issue commands through the SSH key Infrastructure
    • Note(FYI):
      • On your Ubuntu Server
      • For the below commands, replace 192.168.1.107 with the IP address obtained from (Section 7, Step 3).
      • Notice you can issue commands to Fedora using Ubuntu's public key.
    • Instructions
      1. ssh -i /home/student/.ssh/id_rsa student@192.168.1.107 "uptime"
      2. ssh -i /home/student/.ssh/id_rsa student@192.168.1.107 "uname -a"
      3. ssh -i /home/student/.ssh/id_rsa student@192.168.1.107 "echo \"Your Name\""
        • Replace the string "Your Name" with your actual name.
        • e.g., echo "John Gray"
    • Proof of Lab Instructions
      1. Press both the <Ctrl> and <Alt> keys at the same time.
      2. Do a <PrtScn>
      3. Paste into a word document
      4. Upload to Moodle

 



Help ComputerSecurityStudent
pay for continued research,
resources & bandwidth