Practices for Lesson 9: Controlling Access to Systems and Files
Task 2: Configuring Secure Shell
The following activities are covered in this task:
• Configuring the private/public keys
• Copying the public key onto the remote host (server)
• Verifying the Secure Shell (SSH) access
1. Verify that the Sol11-Server1 and Sol11-Desktop virtual machines are running. If the virtual machines are not running, start them now.
2. Log in to the Sol11-Server1 and Sol11-Desktop virtual machines as the oracle user. Use oracle1 as the password. Assume primary administrator privileges.
3. Starting on Sol11-Server1, use the su command to switch to the jholt account.
root@s11-server1:~# su - jholt
Oracle Corporation SunOS 5.11 11.0 November 2011
jholt@s11-server1:~$
During SSH configuration for jholt, you will be moving back and forth between s11-server1 and s11-desktop. If you need to know which VM you are on, check the command prompt. In this example, it is s11-server1. Alternatively, use the hostname command.
4. Use the ssh command to remotely log in to s11-desktop. After a successful login, exit back to s11-server1.
jholt@s11-server1:~$ ssh s11-desktop
The authenticity of host 's11-desktop (192.168.0.111)' can't be established.
RSA key fingerprint is 38:d3:8a:bb:be:d4:b8:93:08:7a:b5:99:5d:7f:04:40.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 's11-desktop,192.168.0.111' (RSA) to the list of known hosts.
Password: Mypass1
Last login: Fri Dec 2 08:17:26 2011 from s11-server1.myd
Oracle Corporation SunOS 5.11 11.0 November 2011
jholt@s11-desktop:~$ exit
Connection to s11-desktop closed.
Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
Can you tell the purpose of this login and exit without doing anything? As the warning shows, the system has added an entry for s11-desktop to the known_hosts file in the .ssh directory of jholt's home directory. Confirm it.
That entry records the host key that s11-desktop presented. On every later connection, ssh compares the key the server presents against this entry and warns you if it has changed, which is what protects you against a different machine answering to the name s11-desktop. The first connection, however, trusts whatever key is presented, so before answering yes you should compare the fingerprint that ssh displays with one obtained out of band, for example by running ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub on the console of s11-desktop.
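The following script is an added example and is not part of the Oracle practice. It reads a known_hosts file like the one step 4 wrote, looks up the entry for a host (matching either the name or the address in the comma-separated first field), recomputes the MD5 fingerprint in the colon-separated form that the "RSA key fingerprint is" prompt and ssh-keygen -l display, and compares it with a value you obtained out of band. It assumes a POSIX shell with awk, base64 and either md5sum or openssl; hashed known_hosts entries (HashKnownHosts yes) are deliberately not handled, and the key blob used in the demo is constructed and is not a real key.

```shell
#!/bin/sh
# Added example, not part of the Oracle practice: inspect the known_hosts
# entry that step 4 created and recompute the fingerprint ssh displayed,
# so the value can be checked against one obtained out of band (for
# example on the server console) instead of being accepted blindly.

# known_hosts_lookup FILE HOST
# Print the known_hosts line(s) for HOST. Field 1 is a comma-separated
# list of names and addresses ("s11-desktop,192.168.0.111"), so either
# form matches. Comment lines and @marker lines are skipped; hashed
# entries (HashKnownHosts yes) are not handled here.
known_hosts_lookup() {
    awk -v h="$2" '
        $1 !~ /^[#@]/ && NF >= 3 {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++)
                if (names[i] == h) { print; next }
        }' "$1"
}

# md5_hex: read stdin, print the 32-character hex MD5 digest.
md5_hex() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum | cut -c1-32
    else
        openssl dgst -md5 | sed 's/^.*= //'
    fi
}

# fingerprint_md5 LINE
# LINE is a known_hosts or .pub line: "[names] keytype base64 [comment]".
# Decode the base64 key blob and print its MD5 as colon-separated hex,
# the format ssh-keygen -l and the "RSA key fingerprint is" prompt use.
fingerprint_md5() {
    blob=$(printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++)
            if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-[a-z0-9]+)$/) { print $(i + 1); exit }
    }')
    [ -n "$blob" ] || { echo "no key type found in line" >&2; return 1; }
    printf '%s' "$blob" | base64 -d | md5_hex | sed 's/../&:/g; s/:$//'
}

# verify_host_key FILE HOST EXPECTED_FP
# Return 0 only if HOST is in FILE and its key has the expected fingerprint.
verify_host_key() {
    line=$(known_hosts_lookup "$1" "$2")
    [ -n "$line" ] || { echo "no known_hosts entry for $2" >&2; return 1; }
    fp=$(fingerprint_md5 "$line") || return 1
    if [ "$fp" = "$3" ]; then
        echo "host key for $2 matches $fp"
    else
        echo "MISMATCH for $2: have $fp, expected $3" >&2
        return 1
    fi
}

# Demo with a constructed known_hosts file. "aGVsbG8=" is base64 for
# "hello", not a real key blob; a real RSA blob starts with AAAAB3NzaC1yc2E.
demo() {
    f=$(mktemp)
    printf 's11-desktop,192.168.0.111 ssh-rsa aGVsbG8=\n' > "$f"
    verify_host_key "$f" s11-desktop 5d:41:40:2a:bc:4b:2a:76:b9:71:9d:91:10:17:c5:92
    rm -f "$f"
}
demo
```

On the lab systems, run verify_host_key against ~/.ssh/known_hosts on s11-server1 with the fingerprint printed by ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub on s11-desktop; a mismatch means the entry does not belong to the machine you think it does.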
5. Create the rsa pair of public and private keys on your system.
jholt@s11-server1:~$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/jholt/.ssh/id_rsa):
Press Enter Key
Enter passphrase (empty for no passphrase): passphrase
Enter same passphrase again: passphrase
Your identification has been saved in /home/jholt/.ssh/id_rsa.
Your public key has been saved in /home/jholt/.ssh/id_rsa.pub.
The key fingerprint is:
51:28:86:f9:3b:55:d3:bf:eb:a9:5d:af:0d:f5:2a:8f jholt@s11-server1
jholt@s11-server1:~$ ls .ssh
id_rsa id_rsa.pub known_hosts
You created the rsa private/public key pair to be used by ssh. Can you find these keys? Yes, they are in the .ssh directory: id_rsa is the private key, which ssh-keygen creates readable only by jholt and which must never leave this system, and id_rsa.pub is the public key that you will copy to the remote host.
6. Copy your rsa public key to the remote system and append it to jholt's .ssh/authorized_keys file there.
jholt@s11-server1:~$ scp .ssh/id_rsa.pub jholt@s11-desktop:id_rsa.pub
Password: Mypass1
id_rsa.pub 100% |*****************************| 399 00:00
jholt@s11-server1:~$ ssh s11-desktop
Password: Mypass1
Last login: Fri Dec 2 08:17:26 2011 from s11-server1.myd
Oracle Corporation SunOS 5.11 11.0 November 2011
jholt@s11-desktop:~$ ls
id_rsa.pub …
jholt@s11-desktop:~$ mkdir -p .ssh
jholt@s11-desktop:~$ cat ./id_rsa.pub >> .ssh/authorized_keys
jholt@s11-desktop:~$ rm ./id_rsa.pub
The .pub suffix marks the public key. Only this file is copied; id_rsa is the private key and stays on s11-server1. Each public key is appended as one line to the .ssh/authorized_keys file on the remote host. When you connect, sshd on s11-desktop looks your key up in this file and challenges your client to prove that it holds the matching private key; that is how the public key authenticates your incoming ssh connection. Note that sshd ignores authorized_keys when that file, the .ssh directory, or the home directory is writable by group or others (the StrictModes setting, which is on by default). If you are ever prompted for a password instead of your passphrase after installing a key, check that .ssh is mode 700 and authorized_keys is mode 600 on the remote host.
7. Exit s11-desktop and go back in by using the ssh command to see the rsa prompt.
jholt@s11-desktop:~$ exit
Connection to s11-desktop closed.
jholt@s11-server1:~$ ssh s11-desktop
Enter passphrase for key '/home/jholt/.ssh/id_rsa': passphrase
Last login: Fri Dec 2 08:19:23 2011 from s11-server1.myd
Oracle Corporation SunOS 5.11 11.0 November 2011
jholt@s11-desktop:~$ exit
Connection to s11-desktop closed.
This demonstrates that your rsa key pair is working. The passphrase prompt comes from the ssh client on s11-server1, not from s11-desktop: the passphrase decrypts the private key file so that the client can sign the server's authentication challenge, and the passphrase itself never leaves your system. You are prompted for it because you set one when you created the rsa key.
8. Repeat Steps 5–7 for the dsa pair of the private/public keys. These steps are listed here as a reminder.
jholt@s11-server1:~$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/jholt/.ssh/id_dsa): Press Enter Key
Enter passphrase (empty for no passphrase): passphrase Enter same passphrase again: passphrase
Your identification has been saved in /home/jholt/.ssh/id_dsa.
Your public key has been saved in /home/jholt/.ssh/id_dsa.pub.
The key fingerprint is:
7a:b8:cb:f8:33:e5:fb:02:a5:c3:b2:53:cc:75:90:9e jholt@s11-server1
jholt@s11-server1:~$ scp ./.ssh/id_dsa.pub jholt@s11-desktop:id_dsa.pub
Enter passphrase for key '/home/jholt/.ssh/id_rsa': passphrase
id_dsa.pub 100% |*****************************| 607 00:00
jholt@s11-server1:~$ ssh s11-desktop
Enter passphrase for key '/home/jholt/.ssh/id_rsa': passphrase
Last login: Fri Dec 2 08:18:06 2011 from s11-server1.myd
Oracle Corporation SunOS 5.11 11.0 November 2011
jholt@s11-desktop:~$ ls
id_dsa.pub …
jholt@s11-desktop:~$ cat ./id_dsa.pub >> .ssh/authorized_keys
jholt@s11-desktop:~$ rm ./id_dsa.pub
jholt@s11-desktop:~$ exit
Connection to s11-desktop closed.
Currently, you have created the rsa and dsa pairs of keys. The private keys are on your s11-server1 system, and the public keys have been transmitted to and stored on the remote system for authentication. The dsa pair is generated here to show that a user can hold several keys; outside this lab, note that DSA keys are limited to 1024 bits and that current OpenSSH releases no longer accept ssh-dss keys by default, so on modern systems generate an ed25519 key, or an RSA key of at least 3072 bits, instead.
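The following script is an added example and is not Oracle's code. It performs the remote half of steps 6 and 8 (creating .ssh and appending the public key to authorized_keys) with the checks that a bare cat >> authorized_keys skips and that ssh-copy-id performs: it refuses a file that is not an OpenSSH public key, so a private key is never installed by mistake; it does not append a key that is already present, even when the trailing comment differs; and it sets the directory and file permissions that sshd's StrictModes requires. It assumes a POSIX shell with awk and is run on the host that will accept the key (s11-desktop in this practice) against a directory path you pass in; the key blobs in the demo are constructed and are not real keys.

```shell
#!/bin/sh
# Added example, not Oracle's code: install a public key into
# SSH_DIR/authorized_keys the way steps 6 and 8 do, with the checks that
# ssh-copy-id performs. With StrictModes (the sshd default) a group- or
# world-writable ~/.ssh or authorized_keys makes sshd ignore the file and
# fall back to a password prompt, so the permissions are set explicitly.

# install_pubkey PUBKEY_FILE SSH_DIR
# Prints "added" or "present" and returns 0; returns 1 on a rejected input.
install_pubkey() {
    pub=$1
    dir=$2
    auth="$dir/authorized_keys"

    # Never install a private key. Those files carry a PEM-style header;
    # a public key file is a single line of "keytype base64 [comment]".
    if grep -q 'PRIVATE KEY' "$pub" 2>/dev/null; then
        echo "refusing: $pub is a private key; copy only the .pub file" >&2
        return 1
    fi
    line=$(head -n 1 "$pub" 2>/dev/null)
    keytype=$(printf '%s\n' "$line" | awk '{ print $1 }')
    blob=$(printf '%s\n' "$line" | awk '{ print $2 }')
    case "$keytype" in
        ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-*) ;;
        *) echo "refusing: $pub is not an OpenSSH public key" >&2; return 1 ;;
    esac
    case "$blob" in
        ''|*[!A-Za-z0-9+/=]*)
            echo "refusing: key material in $pub is not base64" >&2; return 1 ;;
    esac

    # ~/.ssh 700 and authorized_keys 600: what sshd expects, and the mode
    # ssh-keygen itself uses when it creates ~/.ssh.
    mkdir -p "$dir"
    chmod 700 "$dir"
    touch "$auth"
    chmod 600 "$auth"

    # Idempotent: match on key type and blob, ignoring the comment, which
    # differs between hosts for the same key. Lines that start with
    # authorized_keys options (from=, command=, ...) are not matched.
    if awk -v t="$keytype" -v b="$blob" \
        '$1 == t && $2 == b { found = 1 } END { exit !found }' "$auth"; then
        echo present
        return 0
    fi
    printf '%s\n' "$line" >> "$auth"
    echo added
}

# Demo with a constructed key file; the blob is not a real key.
demo() {
    d=$(mktemp -d)
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDexample jholt@s11-server1\n' > "$d/id_rsa.pub"
    install_pubkey "$d/id_rsa.pub" "$d/.ssh"   # first run: added
    install_pubkey "$d/id_rsa.pub" "$d/.ssh"   # second run: present
    rm -rf "$d"
}
demo
```

In the practice, after the scp in step 6 you would run install_pubkey ~/id_rsa.pub ~/.ssh on s11-desktop in place of the mkdir and cat commands, then rm the copied .pub file as before; running it a second time for the same key reports "present" instead of leaving a duplicate line in authorized_keys.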
9. Use the ssh command to log in to the s11-desktop machine. When prompted for the rsa key passphrase, do not supply the value; just press the Enter key. Then provide the passphrase at the dsa key prompt.
jholt@s11-server1:~$ ssh s11-desktop
Enter passphrase for key '/home/jholt/.ssh/id_rsa': Press Enter Key
Enter passphrase for key '/home/jholt/.ssh/id_dsa': passphrase
Last login: Fri Dec 2 08:19:03 2011 from s11-server1.myd
Oracle Corporation SunOS 5.11 11.0 November 2011
jholt@s11-desktop:~$ exit
logout
Connection to s11-desktop closed.
You exited from the ssh session to start the next task clean.
jholt@s11-server1:~$ exit
logout
root@s11-server1:~#
Now when you ssh to s11-desktop, the client offers your rsa key first and then your dsa key, and prompts for each passphrase in turn. Pressing Enter at the rsa prompt (an empty passphrase) makes the client skip that key and move on to the next one, whereas a wrong passphrase is re-prompted before the client gives up on that key. Because both public keys are in authorized_keys on s11-desktop, the correct dsa passphrase alone is enough to connect.
So now you know that users can create their own ssh authentication keys and manage the authentication process by using passphrases.