Linux Exercise: Secure Shell

This exercise requires that you logon to a remote system, but also requires that you have console root access to this remote system. It is therefore easiest to use "localhost" as your remote system, and simply access the console via the VMWare/VirtualBox console.

SSH Host Keys

  1. Login to your system as a regular user. Look at the contents of your .ssh directory, and look at the .ssh/known_hosts file.
    • $ ls -l ~/.ssh
    • $ cat .ssh/known_hosts
      If you have not yet logged on to another system from this system and user account, your known_hosts file is likely to be empty.
  2. Use SSH to logon to another system (or use your own system: localhost). Do you get a message about your host keys? Accept the host keys, login, then log out.
    • $ ssh root@localhost
    • # exit
  3. Look at your .ssh/known_hosts file again. Is the remote system now listed here? Again, logon to the remote system. Do you get a question about keys now?
    • $ cat .ssh/known_hosts
    • $ ssh root@localhost
    • # exit
  4. Logon as root to the console of the remote system. (So don't use an SSH connection.) Stop the SSH daemon and delete all keyfiles in /etc/ssh. Restart the SSH daemon. This will force the creation of new host keys.
    • # systemctl stop sshd
    • # cd /etc/ssh
    • # ls -l
    • # rm -f ssh*key*
    • # systemctl start sshd
    • # ls -l
  5. As a regular user, try to logon to the remote system again. What happens?
    • $ ssh root@localhost
      The connection attempt will fail and you'll get an error about host keys.
  6. Remove the key of the remote system from your .ssh/known_hosts file and logon again. This will ensure the right key is added to your known_hosts file.
    • $ vi ~/.ssh/known_hosts
      Remove the line for the remote system (this is done as the regular user, whose known_hosts file it is).
    • $ ssh root@localhost
    • # exit
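Step 2 accepts the host key blindly, and steps 4 and 5 show that the client only notices a key change after the fact. The point of the host-key prompt is that you compare the fingerprint it shows with the one printed on the server's console (ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub) before typing "yes". The script below is an added example, not part of the exercise: it computes that same SHA256 fingerprint from a public-key line using only coreutils, and does the known_hosts cleanup of step 6 with awk instead of vi. The key blob and known_hosts entries are constructed sample data, not real keys, and GNU base64/sha256sum are assumed. For hashed entries (HashKnownHosts yes) the awk filter cannot match host names; use ssh-keygen -R localhost, which handles both forms.

```shell
#!/bin/sh
# Added example: host-key fingerprints and known_hosts hygiene with coreutils
# and awk only. Not part of the original exercise.

# SHA-256 of a public key's base64 blob, as lowercase hex.
# Input: one line in OpenSSH public-key format ("ssh-ed25519 AAAA... comment").
pubkey_sha256_hex() {
    set -- $1                      # split into keytype, blob, comment
    printf '%s' "$2" | base64 -d | sha256sum | cut -d' ' -f1
}

# Write the raw bytes for a hex string. Octal escapes are understood by
# printf in both bash and POSIX sh, so no xxd/perl dependency.
hex_to_bin() {
    hex=$1
    while [ -n "$hex" ]; do
        rest=${hex#??}
        byte=${hex%"$rest"}
        hex=$rest
        printf "\\$(printf '%03o' "$((0x$byte))")"
    done
}

# The fingerprint form ssh and "ssh-keygen -l" print: "SHA256:" followed by
# the unpadded base64 of the 32-byte digest. Compare this with what the
# server's console shows before answering "yes" to the host-key prompt.
pubkey_fingerprint() {
    printf 'SHA256:%s' "$(hex_to_bin "$(pubkey_sha256_hex "$1")" | base64 | tr -d '=\n')"
}

# List the host names/addresses recorded in a known_hosts file
# (comments and hashed "|1|..." entries are skipped).
known_hosts_list() {
    awk '!/^[#|]/ && NF >= 3 { h = ($1 ~ /^@/) ? $2 : $1; print h }' "$1"
}

# Drop every line whose host field names $2. The host field is a
# comma-separated list, so "localhost,127.0.0.1" matches "localhost";
# a leading @cert-authority/@revoked marker is skipped over.
known_hosts_remove() {
    file=$1 host=$2
    awk -v host="$host" '
        /^[#|]/ { print; next }              # comments and hashed entries kept
        {
            h = ($1 ~ /^@/) ? $2 : $1
            n = split(h, names, ",")
            for (i = 1; i <= n; i++)
                if (names[i] == host) next   # stale entry: drop this line
            print
        }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Constructed sample data (not real keys; only the file format matters here).
SAMPLE_KEY='ssh-ed25519 YWJj sample-key'
tmp=$(mktemp -d)
cat > "$tmp/known_hosts" <<'EOF'
localhost,127.0.0.1 ssh-ed25519 YWJj
server.example.org ssh-ed25519 YWJj
[jump.example.org]:2222 ssh-ed25519 YWJj
EOF
echo "fingerprint of sample key: $(pubkey_fingerprint "$SAMPLE_KEY")"
echo "hosts before: $(known_hosts_list "$tmp/known_hosts" | tr '\n' ' ')"
known_hosts_remove "$tmp/known_hosts" localhost     # what step 6 does in vi
echo "hosts after:  $(known_hosts_list "$tmp/known_hosts" | tr '\n' ' ')"
rm -rf "$tmp"
```

The blob "YWJj" is just base64 for "abc", so the fingerprint printed is SHA256 of "abc" in OpenSSH's notation; with a real key line from /etc/ssh the output matches what ssh-keygen -lf prints for that file.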

Using SSH, SCP and SFTP

  1. Use SSH to execute the "date" command remotely.
    • $ ssh root@localhost date
  2. Use SCP to copy the remote file /etc/passwd to your local system.
    • $ scp root@localhost:/etc/passwd ~/passwd
  3. Use SFTP to copy the remote file /etc/group to your local system.
    • $ sftp root@localhost
    • sftp> get /etc/group group
    • sftp> exit

SSH User Keys

  1. Generate an SSH keypair for yourself. Look at your keypair.
    • $ ssh-keygen -t dsa
    • $ ls -l ~/.ssh
    • $ cat ~/.ssh/id_dsa
    • $ cat ~/.ssh/id_dsa.pub
  2. Copy your public key to the remote system and add it to the file .ssh/authorized_keys. If this file does not exist yet, create it. Make sure it gets the right permissions. Logout and then try to login again. Do you need to supply a password? Which password?
    • $ scp ~/.ssh/id_dsa.pub root@localhost:mykey
    • $ ssh root@localhost
    • # mkdir .ssh
    • # chmod 700 .ssh
    • # cat mykey >> .ssh/authorized_keys
    • # chmod 600 .ssh/authorized_keys
    • # exit
    • $ ssh root@localhost
      If you've done things correctly, then you need to enter the password of the private key, NOT the password of the root account.
    • # exit
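Step 2 works because sshd (with StrictModes, the default) only honours an authorized_keys file whose directory and file modes are strict; get the chmod wrong and you silently fall back to the account password. The script below is an added example, not part of the exercise: it installs a public key the way step 2 does by hand but idempotently, audits the modes sshd expects, and inventories key types. One caveat on step 1: DSA (ssh-dss) keys have been disabled by default since OpenSSH 7.0 and are removed from recent releases, so on a current system generate an ed25519 key instead (ssh-keygen -t ed25519, giving id_ed25519/id_ed25519.pub). The sample key is constructed, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example, not part of the exercise: install a public key the way step 2
# does by hand, then audit the result. GNU stat (-c) is assumed.

# Append a public key to DIR/authorized_keys, creating DIR with the
# permissions sshd's StrictModes expects (700 dir, 600 file). Running it
# twice does not duplicate the key.
install_public_key() {
    pubkey_file=$1 dir=$2
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$dir/authorized_keys" && chmod 600 "$dir/authorized_keys"
    key=$(cut -d' ' -f1,2 < "$pubkey_file")   # keytype + blob; comment ignored
    if ! grep -qF -- "$key" "$dir/authorized_keys"; then
        cat "$pubkey_file" >> "$dir/authorized_keys"
    fi
}

# Return 0 when DIR, authorized_keys and any private keys have the modes
# sshd and ssh accept; print each problem otherwise. sshd ignores an
# authorized_keys that is group/world writable or sits in such a directory,
# and ssh refuses a private key that other users can read.
audit_ssh_dir() {
    dir=$1 rc=0
    [ "$(stat -c %a "$dir")" = 700 ] || { echo "$dir: mode $(stat -c %a "$dir"), want 700"; rc=1; }
    for f in "$dir"/authorized_keys "$dir"/id_*; do
        [ -e "$f" ] || continue
        case $f in *.pub) continue ;; esac          # public halves may be readable
        mode=$(stat -c %a "$f")
        [ "$mode" = 600 ] || { echo "$f: mode $mode, want 600"; rc=1; }
    done
    return $rc
}

# Count keys per type in an authorized_keys file. A leading options field
# (from=..., command=..., no-pty) is skipped so the type is still found.
# ssh-dss entries are dead weight on current OpenSSH and should be replaced.
key_type_counts() {
    awk '!/^#/ && NF >= 2 {
        t = ($1 ~ /^(ssh-|ecdsa-|sk-)/) ? $1 : $2
        c[t]++
    } END { for (t in c) print t, c[t] }' "$1" | sort
}

# Constructed sample key (the blob is not a real key; only the format matters).
tmp=$(mktemp -d)
printf 'ssh-ed25519 AAAAexampleblob user@client\n' > "$tmp/mykey.pub"
install_public_key "$tmp/mykey.pub" "$tmp/.ssh"
install_public_key "$tmp/mykey.pub" "$tmp/.ssh"      # second run: no duplicate
audit_ssh_dir "$tmp/.ssh" && echo "permissions OK"
key_type_counts "$tmp/.ssh/authorized_keys"
rm -rf "$tmp"
```

On the real remote system the directory argument would be /root/.ssh (or ~/.ssh for a normal account); running audit_ssh_dir there is a quick way to explain why a key-based login unexpectedly asks for the account password.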

SSH Agent

An SSH agent is a process which will "remember" private keys in its memory. This means you only need to load your private key into the SSH agent once, typing your password in the process. From that point onwards, any SSH client (SSH, SCP, SFTP) will contact the agent for the private key.

SSH agents have been built into most operating systems (e.g. MacOS) and into all Linux Desktop Environments (KDE and GNOME). Windows does not contain an SSH agent by default, but you can install Pageant, which is part of the SSH suite.

If you are using Linux without a Graphical Desktop Environment such as KDE or GNOME, you can use ssh-agent. This will start the SSH agent and then start a subshell as its client process. Every SSH command that runs as a child process of this subshell can then use the keys that are stored in the ssh-agent. However, at first usage you need to add the keys using ssh-add.

  1. Look at the PID of your current shell.
    • $ echo $$
  2. Start the ssh-agent with bash as its subshell. Look at the PID of the current shell, and look at the process hierarchy.
    • $ ssh-agent bash
    • $ echo $$
    • $ pstree -p
  3. Add your private key to the SSH agent.
    • $ ssh-add
      Provide your password when requested.
  4. Now try to logon to the remote system again. Does this work?
    • $ ssh root@localhost
  5. (Challenge) Try the same thing, but this time using Linux in a graphical mode (so your runlevel needs to be five, or your systemd target needs to be Graphical). Because both GNOME and KDE contain an SSH agent, you don't have to run a separate ssh-agent process. You can immediately add your keys using ssh-add, and these keys will be retained in your "keyring". The keyring is automatically saved on disk but will normally be encrypted with your login password. So as soon as you login, all the contents of your keyring will be available again.
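"ssh-agent bash" hides how the client finds the agent: ssh-agent -s prints shell assignments for SSH_AUTH_SOCK (the agent's UNIX socket) and SSH_AGENT_PID, and every SSH client that inherits those variables talks to that socket. The script below is an added example, not part of the exercise, showing the same thing from a script: it parses the agent's output without eval so the values can be checked, verifies the socket is reachable, and stops the agent again. The agent output in the test is constructed; ssh-agent, ssh-add -t (a key lifetime) and ssh-add -l are the real OpenSSH commands and options.

```shell
#!/bin/sh
# Added example (not from the exercise): driving ssh-agent from a script
# instead of "ssh-agent bash". ssh-agent -s prints shell commands that set
# SSH_AUTH_SOCK and SSH_AGENT_PID; a script normally imports them with eval.

# Extract the socket path and PID from ssh-agent's output without eval,
# so they can be checked before use. Prints "SOCK PID".
parse_agent_output() {
    printf '%s\n' "$1" | awk -F'[=;]' '
        /^SSH_AUTH_SOCK=/ { sock = $2 }
        /^SSH_AGENT_PID=/ { pid = $2 }
        END { print sock, pid }'
}

# 0 when SSH_AUTH_SOCK names a live socket; without one, ssh/scp/sftp fall
# back to asking for the private key's passphrase on every connection.
agent_is_reachable() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ]
}

# Demo: start an agent, import its variables, then stop it. Skipped if
# ssh-agent is not installed or cannot create its socket.
if command -v ssh-agent >/dev/null 2>&1 && out=$(ssh-agent -s 2>/dev/null); then
    set -- $(parse_agent_output "$out")
    SSH_AUTH_SOCK=$1 SSH_AGENT_PID=$2
    export SSH_AUTH_SOCK SSH_AGENT_PID
    agent_is_reachable && echo "agent listening on $SSH_AUTH_SOCK (pid $SSH_AGENT_PID)"
    # ssh-add -t 3600 ~/.ssh/id_ed25519     # load a key; the agent forgets it after an hour
    # ssh-add -l                             # list the fingerprints of loaded keys
    ssh-agent -k >/dev/null 2>&1 || true     # stop the agent when done
fi
```

The key lifetime (-t) is the setting worth remembering: the agent keeps decrypted private keys in memory, so bounding how long they stay loaded limits what anyone who can reach the socket can use.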
End of exercise