1.) Copy Your inst Account Public Key to the root Account [Top]
For this exercise we want you to copy /home/inst/.ssh/id_rsa.pub over to your neighbor's machine and place the file in /root/.ssh/authorized_keys on your neighbor's machine (not your machine).
Note, you cannot log in directly to your neighbor's machine as root, so you must take advantage of the fact that you can get in as the userid inst and then you can become root once you are logged in.
We will use our neighbor list again to avoid confusion:
Again, to make thing easier open two terminal
windows on your desktop. In one window make sure you are the
inst
user on your machine. We will call this your
local window. In another window type:
$ ssh inst@pcX
This will be your remote window.
You have already generated your public/private ssh key pair. In your local window do the following:
$ cd ~/.ssh
$ scp id_rsa.pub inst@pcX:/tmp/.
In your remote window do:
$ su -
# mkdir /root/.ssh
# cd /root/.ssh
$ cat /tmp/id_rsa.pub >> authorized_keys
$ rm /tmp/id_rsa.pub
You now have your public key for inst
in the
authorized_keys
file for the root
user on your
neighbor's machine.
At this point you still cannot use ssh to connect to your neighbor's
machine as root
as this is blocked by the default ssh
configuration. In our next exercise we will update the ssh
configuration file on your neighbor's machine to allow you to connect
as root
using your public/private key for the inst
account.
Remember to log out of your neighbor's machine in your remote window by doing:
# exit
$ exit
(Why did you have to type exit
twice?).
2.) Update /etc/ssh/sshd_config [Top]
We have placed an sshd_config file on the noc server that you can copy to your machine to accomplish what we want to do. This configuration file allows access to the root user, but only using public/private ssh keys. It still allows you to connect to other users with passwords. This is not ideal (why?).
For this exercise you must be root. Do the following:
# cd /etc/ssh
# cp sshd_config sshd_config.bak
# scp inst@196.200.218.253:configs/sshd_config .
password: Your instructor will give you this in class
# chown root:wheel sshd_config
Now you can restart your ssh server and the new configuration will take affect.
To restart your ssh server (as root) do:
# /etc/rc.d/sshd restart
Once your neighbor has done this as well try logging in on their
machine as root from your local account. For instance, if you are in a
terminal window as root on your machine do:
# su - inst
[inst@pcX ~]$ ssh root@pcN
You should be prompted for your passphrase, and you should be able to log in directly to your neighbor's machine as root! This is a very useful tool.
Be sure to exit your session on their machine:
# exit
And, have a look at the file /etc/ssh/sshd_config. Maybe compare it to /etc/ssh/sshd_config.bak to see some of the differences.
Note that this file will work for Linux as well.
Be sure everyone on your machine completes this exercise.
Finally, to disable all password access for users (ideal) and only
allow access via public/private keys change the following line in /etc/ssh/sshd_config
:
#ChallengeResponseAuthentication yes
to read:
>ChallengeResponseAuthentication no
And remember to restart the ssh server:
# /etc/rc.d/sshd restart
Don't do this unless you are sure your neighbor has already copied
over their public/private key pairs to your machines inst
and root
accounts.
Hervey Allen