Exercises: SSH Part II

AfNOG Workshop: Kigali

May 27, 2010

Exercises

    Using SSH to Admin your Box

  1. Copy Your afnog Account Public Key to the root Account
  2. Update /etc/ssh/sshd_config

Notes (CRITICAL)

  1. The "#" and "$" characters before commands represent your system prompt and are not part of the command itself. "#" indicates a command issued as root, while "$" indicates a command issued as a normal user.


1.) Copy Your afnog Account Public Key to the root Account

For this exercise we want you to copy /home/afnog/.ssh/id_rsa.pub over to your neighbor's machine and place the file in /root/.ssh/authorized_keys on your neighbor's machine (not your machine).

Note, you cannot log in directly to your neighbor's machine as root, so you must take advantage of the fact that you can get in as the userid afnog and then you can become root once you are logged in.

We will use our neighbor list again to avoid confusion:

Neighbor List

pc1  <==> pc2
pc3  <==> pc5
pc6  <==> pc7
pc9  <==> pc10
pc11 <==> pc12
pc13 <==> pc14
pc15 <==> pc16
pc17 <==> pc18
pc19 <==> pc20
pc21 <==> pc22
etc...

Again, to make things easier, open two terminal windows on your desktop. In one window make sure you are the afnog user on your machine. We will call this your local window. In the other window type:

$ ssh afnog@pcX

This will be your remote window.

You have already generated your public/private ssh key pair. In your local window do the following:

$ cd ~/.ssh
$ scp id_rsa.pub afnog@pcX:/tmp/.

In your remote window do:

$ su -
# mkdir /root/.ssh
# cd /root/.ssh
# cat /tmp/id_rsa.pub >> authorized_keys
# rm /tmp/id_rsa.pub

(After "su -" you are root, so the last two commands are issued at the "#" prompt.) You now have your public key for afnog in the authorized_keys file for the root user on your neighbor's machine.

At this point you still cannot use ssh to connect to your neighbor's machine as root as this is blocked by the default ssh configuration. In our next exercise we will update the ssh configuration file on your neighbor's machine to allow you to connect as root using your public/private key for the afnog account.

Remember to log out of your neighbor's machine in your remote window by doing:

# exit
$ exit

(Why did you have to type exit twice?)
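The "cat /tmp/id_rsa.pub >> authorized_keys" step above appends blindly: run it twice and root's authorized_keys holds the same key twice, and nothing checks that the file really contained a public key. The following shell function is an added example (not part of the exercise sheet or of OpenSSH) that does the same job while refusing non-key input, skipping keys already present, and setting the 700/600 modes that sshd's StrictModes check expects. The sample key, file names and temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the AfNOG exercise: install a public key into an
# authorized_keys file the way "cat >> authorized_keys" does, but idempotently
# and with the permissions sshd (StrictModes yes, the default) insists on.
# The key material and paths used in demo_install are constructed.

# install_authorized_key PUBKEY_FILE SSH_DIR
# Appends the key line in PUBKEY_FILE to SSH_DIR/authorized_keys unless that
# key is already there. Returns 1 if PUBKEY_FILE does not look like a key.
install_authorized_key() {
    pubkey_file="$1"
    ssh_dir="$2"
    auth_file="$ssh_dir/authorized_keys"

    # A public key file is one line of the form "<type> <base64> [comment]".
    IFS= read -r key < "$pubkey_file"
    [ -n "$key" ] || return 1
    case "$key" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) return 1 ;;
    esac

    # sshd ignores authorized_keys when the file or its directory is group or
    # world writable, so create both with tight modes instead of the umask.
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_file"
    chmod 600 "$auth_file"

    # Compare type + key blob only (comment may differ), so repeating the
    # exercise step does not leave duplicate lines behind.
    key_blob=$(printf '%s\n' "$key" | cut -d' ' -f1,2)
    if grep -qF -- "$key_blob" "$auth_file"; then
        return 0
    fi
    printf '%s\n' "$key" >> "$auth_file"
}

# demo_install: installs a constructed key twice into a temporary directory
# and prints how many lines authorized_keys ends up with (1, not 2).
demo_install() {
    tmp=$(mktemp -d)
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC7EXAMPLEKEYDATA afnog@pc1\n' \
        > "$tmp/id_rsa.pub"
    install_authorized_key "$tmp/id_rsa.pub" "$tmp/root_ssh"
    install_authorized_key "$tmp/id_rsa.pub" "$tmp/root_ssh"
    count=$(wc -l < "$tmp/root_ssh/authorized_keys" | tr -d ' ')
    rm -rf "$tmp"
    echo "$count"
}
```

On the neighbor's machine the call would be "install_authorized_key /tmp/id_rsa.pub /root/.ssh" as root; the matching on type plus blob rather than the whole line is deliberate, since the trailing comment is free text and says nothing about which key it is.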


2.) Update /etc/ssh/sshd_config

We have placed an sshd_config file on the noc server that you can copy to your machine to accomplish what we want to do. This configuration file allows access to the root user, but only using public/private ssh keys. It still allows you to connect to other users with passwords. This is not ideal (why?).

For this exercise you must be root. Do the following:

# cd /etc/ssh
# cp sshd_config sshd_config.bak
# scp afnog@196.200.218.1:configs/sshd_config .
  password: What we have been using in class
# chown root:wheel sshd_config

Now you can restart your ssh server and the new configuration will take effect.

To restart your ssh server (as root) do:

# /etc/rc.d/sshd restart

Once your neighbor has done this as well, try logging in on their machine as root from your local account. For instance, if you are in a terminal window as root on your machine do:

# su - afnog
[afnog@pcX ~]$ ssh root@pcN

You should be prompted for your passphrase, and you should be able to log in directly to your neighbor's machine as root! This is a very useful tool.

Be sure to exit your session on their machine:

# exit

And, have a look at the file /etc/ssh/sshd_config. Maybe compare it to /etc/ssh/sshd_config.bak to see some of the differences.

Note that this file will work for Linux as well.

Be sure everyone on your machine completes this exercise.

Finally, to disable all password access for users (ideal) and only allow access via public/private keys, change the following line in /etc/ssh/sshd_config:

#ChallengeResponseAuthentication yes

to read:

ChallengeResponseAuthentication no

(We suggest you keep the original line and add a new line with the new setting listed above.)

Now remember to restart the ssh server:

# /etc/rc.d/sshd restart

Don't do this unless you are sure your neighbor has already copied over their public/private key pairs to your machine's afnog and root accounts.

The key lines that we have changed in /etc/ssh/sshd_config are:

PermitRootLogin without-password
ChallengeResponseAuthentication no

By doing this you allow root access via ssh to your host, but only with public and private ssh keys. By turning off the Challenge Response Authentication functionality of SSH you only allow users in if they have public and private keys configured. No passwords are allowed.
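The suggestion to "keep the original line and add a new line" works only because the original line is commented out: sshd takes the first uncommented value of a keyword and ignores later ones, so a "no" appended below an uncommented "yes" changes nothing. The shell functions below are an added example (not from the exercise sheet or from OpenSSH) that read an sshd_config the way sshd does and report whether the three settings that matter for key-only access are actually in force. PasswordAuthentication is checked explicitly as well, because whether passwords are still accepted after turning off challenge-response depends on that keyword's compiled-in default on the system. The two sample configs are constructed.

```shell
#!/bin/sh
# Added example, not from the AfNOG exercise: audit an sshd_config for
# key-only access. sshd honours the FIRST uncommented occurrence of a keyword,
# which is why the audit must parse the file top-down and stop at the first
# match. The sample configs in the demo functions are constructed.

# effective_setting FILE KEYWORD DEFAULT
# Prints the first uncommented value for KEYWORD (keywords are matched
# case-insensitively, as sshd does) or DEFAULT if it never appears.
effective_setting() {
    value=$(awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }             # comment line: ignore
        tolower($1) == kw { print $2; exit }  # first match wins
    ' "$1")
    printf '%s\n' "${value:-$3}"
}

# audit_sshd_config FILE
# Prints "keyword=value" for each setting that is not hardened and returns 0
# only when all three are. An absent keyword counts as not hardened, because
# the compiled-in default differs between OpenSSH versions and systems.
audit_sshd_config() {
    f="$1"
    rc=0
    prl=$(effective_setting "$f" PermitRootLogin unset)
    case "$prl" in
        without-password|prohibit-password|no) ;;
        *) echo "PermitRootLogin=$prl"; rc=1 ;;
    esac
    cra=$(effective_setting "$f" ChallengeResponseAuthentication unset)
    [ "$cra" = "no" ] || { echo "ChallengeResponseAuthentication=$cra"; rc=1; }
    pwa=$(effective_setting "$f" PasswordAuthentication unset)
    [ "$pwa" = "no" ] || { echo "PasswordAuthentication=$pwa"; rc=1; }
    return $rc
}

# demo_hardened: the exercise's edit done correctly; the original lines stay
# commented out, so the new lines are the first uncommented values.
demo_hardened() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# constructed sshd_config sample
#PermitRootLogin no
PermitRootLogin without-password
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication no
EOF
    audit_sshd_config "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}

# demo_shadowed: the same "no" line appended below an UNcommented "yes".
# sshd keeps the "yes", so challenge-response (and thus passwords on systems
# that route them through it) stays enabled; the audit reports it.
demo_shadowed() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
PermitRootLogin without-password
ChallengeResponseAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF
    audit_sshd_config "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}
```

To check the real file after the exercise, run "audit_sshd_config /etc/ssh/sshd_config" as root before restarting sshd; "sshd -T" on newer OpenSSH prints the same effective values directly and is the authoritative check where it is available.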


Hervey Allen


Last modified: Wed May 26 20:43:57 CAT 2010