Exercises: SSH Part II: AfNOG Workshop: Cairo

Exercises: SSH Part II

AfNOG Workshop: Cairo

May 13, 2008

Exercises

Using SSH to Admin your Box

Copy Your inst Account Public Key to the root Account
Update /etc/ssh/sshd_config

Notes (CRITICAL)

The "#" and "$" characters before commands represents your system prompt and is not part of the command itself. "#" indicates a command issued as root while "$" indicates a command issued as a normal user.

1.) Copy Your inst Account Public Key to the root Account [Top]

For this exercise we want you to copy /home/inst/.ssh/id_rsa.pub over to your neighbor's machine and place the file in /root/.ssh/authorized_keys on your neighbor's machine (not your machine).

Note, you cannot log in directly to your neighbor's machine as root, so you must take advantage of the fact that you can get in as the userid inst and then you can become root once you are logged in.

We will use our neighbor list again to avoid confusion:

Neighbor List

pc5 <==> pc6
pc7 <==> pc8
pc11 <==> pc12
pc13 <==> pc13

Again, to make thing easier open two terminal windows on your desktop. In one window make sure you are the inst user on your machine. We will call this your local window. In another window type:

$ ssh inst@pcX

This will be your remote window.

You have already generated your public/private ssh key pair. In your local window do the following:

$ cd ~/.ssh $ scp id_rsa.pub inst@pcX:/tmp/.

In your remote window do:

$ su - # mkdir /root/.ssh # cd /root/.ssh $ cat /tmp/id_rsa.pub >> authorized_keys $ rm /tmp/id_rsa.pub

You now have your public key for inst in the authorized_keys file for the root user on your neighbor's machine.

At this point you still cannot use ssh to connect to your neighbor's machine as root as this is blocked by the default ssh configuration. In our next exercise we will update the ssh configuration file on your neighbor's machine to allow you to connect as root using your public/private key for the inst account.

Remember to log out of your neighbor's machine in your remote window by doing:

# exit $ exit

(Why did you have to type exit twice?).

2.) Update /etc/ssh/sshd_config [Top]

We have placed an sshd_config file on the noc server that you can copy to your machine to accomplish what we want to do. This configuration file allows access to the root user, but only using public/private ssh keys. It still allows you to connect to other users with passwords. This is not ideal (why?).

For this exercise you must be root. Do the following:

# cd /etc/ssh # cp sshd_config sshd_config.bak # scp inst@196.200.218.253:configs/sshd_config . password: Your instructor will give you this in class # chown root:wheel sshd_config

Now you can restart your ssh server and the new configuration will take affect.

To restart your ssh server (as root) do:

# /etc/rc.d/sshd restart

Once your neighbor has done this as well try logging in on their machine as root from your local account. For instance, if you are in a terminal window as root on your machine do:

# su - inst [inst@pcX ~]$ ssh root@pcN

You should be prompted for your passphrase, and you should be able to log in directly to your neighbor's machine as root! This is a very useful tool.

Be sure to exit your session on their machine:

# exit

And, have a look at the file /etc/ssh/sshd_config. Maybe compare it to /etc/ssh/sshd_config.bak to see some of the differences.

Note that this file will work for Linux as well.

Be sure everyone on your machine completes this exercise.

Finally, to disable all password access for users (ideal) and only allow access via public/private keys change the following line in /etc/ssh/sshd_config:

#ChallengeResponseAuthentication yes

to read:

>ChallengeResponseAuthentication no

And remember to restart the ssh server:

# /etc/rc.d/sshd restart

Don't do this unless you are sure your neighbor has already copied over their public/private key pairs to your machines inst and root accounts.

[Return to Top]

Hervey Allen

Last modified: Wed May 13 10:48:09 EEST 2009