RH253读书笔记(8)-Lab 8 Securing Data
Lab 8 Securing Data
Goal: Gain familiarity with encryption utilities
Sequence 1: Using SSH keys with no passphrase
Scenario: alice and bob are users on possibly different stations who would like to establish account equivalency. In other words, alice would like to be able to access bob's account without needing to issue a password, and vice versa. You will use ssh to provide this equivalency.
This sequence will refer to stationX, which contains the user alice, and stationY, which contains the user bob. When performing this lab, you will need to adjust the steps so the hostnames reflect your situation. If you are working with a partner, stationX and stationY would be the respective machine names of you and your partner. If you are using a single machine, both hostnames may be replaced with localhost.
Deliverable: Users bob and alice are using SSH secured communications
Instructions:
1. Create these user accounts if they do not already exist, and give them passwords. On stationX create the alice user account, and on stationY create the bob account. Give them passwords.
a. [root@stationX]# useradd alice
b. [root@stationX]# echo alice | passwd --stdin alice
c. [root@stationY]# useradd bob
d. [root@stationY]# echo bob | passwd --stdin bob
2. Have root on bob's machine ensure that the sshd daemon is running.
a. [root@stationY]# service sshd start
[root@stationY]# service sshd status
3. If alice knows bob's password, she can use ssh to access his account. Note that all transactions with bob's account are encrypted, including the password exchange. As alice, run the following commands, supplying bob's password when appropriate.
[alice@stationX]$ ssh bob@stationY ls /tmp
[alice@stationX]$ ssh bob@stationY
[bob@stationY]$ exit
[alice@stationX]$ scp bob@stationY:/etc/services .
[alice@stationX]$ scp -r bob@stationY:/etc/xinetd.d .
4. Assuming that alice and bob would like a more secure authentication scheme, have alice generate an ssh public/private key pair. Note that ssh-keygen should be invoked with the -t command-line switch, so that keys appropriate for the DSA algorithm are generated. Have alice examine her private key (id_dsa) and public key (id_dsa.pub).
Choose default options for key locations. Also, choose a null passphrase by pressing Enter when prompted.
a. [alice@stationX]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/alice/.ssh/id_dsa):Enter
Created directory '/home/alice/.ssh'.
Enter passphrase (empty for no passphrase): Enter
Enter same passphrase again: Enter
Your identification has been saved in /home/alice/.ssh/id_dsa.
Your public key has been saved in /home/alice/.ssh/id_dsa.pub.
The key fingerprint is:
aa:11:33:45:11:cc:aa:66:99:00:ee alice@stationX.example.com
5. Take a look at the newly created files.
[alice@stationX]$ ls ~/.ssh
[alice@stationX]$ cat ~/.ssh/id_dsa
[alice@stationX]$ cat ~/.ssh/id_dsa.pub
6. Have alice mail bob a copy of her public key, if stationY accepts mail from stationX. If not, either setup the mail server on stationY, or use scp. Have bob save a copy of the public key as the file ~/.ssh/authorized_keys.
a. [alice@stationX]$ mail -s "my key" bob@stationY < ~/.ssh/id_dsa.pub
b. [bob@stationY]$ mail
Mail version 8.1 6/6/93. Type ? for help.
"/var/spool/mail/bob": 1 message 1 new
>N 1 alice@stationY.exa Sun Sep 24 23:00 71/3947 "my key"
& w alices_key
"alices_key" [New file]
& q
[bob@stationY]$ mkdir -p ~/.ssh; chmod 700 ~/.ssh
[bob@stationY]$ cat alices_key >> ~/.ssh/authorized_keys
[bob@stationY]$ chmod 600 ~/.ssh/authorized_keys
7. Assuming all pieces are in place (i.e., bob now has a copy of alice's public key in his list of authorized keys), alice should now be able to access bob's account without needing to supply a password.
[alice@stationX]$ ssh bob@stationY id
501(bob) gid=501(bob) groups=501(bob)
[alice@stationX]$ ssh bob@stationY tar czvf - /home/bob > /tmp/bob.stationY.tgz
If things are not properly configured, ssh will fall back to password authentication, and prompt alice for a password. There are several steps you can take to help debug the situation. First, examine /var/log/messages and /var/log/secure on the server for helpful information. Second, use the -v command-line switch with the ssh client. This will output useful debugging information. Multiple -v options will produce more debug information.
8. Perform the equivalent configuration for bob, so that he has access to alice's account.
Sequence 2: Using SSH keys with a passphrase
Scenario: If someone should find a way to get alice's private key, they would be indistinguishable from alice. A passphrase associated with alice's key would prevent this confusion, but then "she" (you) must enter a passphrase for the commands in the previous tasks. ssh-agent/ssh-add allows us to enter a passphrase only once per "session".
Note: the following assumes that you have logged in directly as alice, not using su.
Deliverable: Users alice and bob are using SSH keys with passphrases
Instructions:
1. Start by exiting your session and logging in directly as alice. Have alice generate a new key, this time with a passphrase. When asked if you want to overwrite id_dsa answer yes. Use a passphrase of your own choosing... of at least 6 characters.
a. [alice@stationX]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/alice/.ssh/id_dsa): Enter
/home/alice/.ssh/id_dsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase): passphrase
Enter same passphrase again: passphrase
Your identification has been saved in /home/alice/.ssh/id_dsa.
Your public key has been saved in /home/alice/.ssh/id_dsa.pub.
The key fingerprint is:
44:45:cc:22:66:66:ee:aa:0f:62:66 alice@stationX.example.com
2. Send bob a copy of your newly generated public key. Refer to the previous Sequence if you need help.
3. As alice, repeat the commands from the previous Sequence. Notice that now you are prompted for the passphrase for /home/alice/.ssh/id_dsa.
4. Start the ssh-agent running by typing the command:
[alice@stationX]$ ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-BEKcxu4520/agent.4520; export SSH_AUTH_SOCK;
SSH_AGENT_PID=4521; export SSH_AGENT_PID;
echo Agent pid 4521;
If this command fails try: eval 'ssh-agent' or ssh-agent bash.
Provide your ssh-agent with the key for /home/alice/.ssh/id_dsa. You will be required to enter your passphrase so ssh-agent can access the key.
[alice@stationX]$ ssh-add
Enter passphrase for /home/alice/.ssh/id_dsa: passphrase
Identity added: /home/alice/.ssh/id_dsa(/home/alice/.ssh/id_dsa)
5. As alice, repeat the commands again(!) from the previous Sequence. Notice that now ssh-agent is able to reply to the challenge provided by stationY. No passphrase is required.
Note: if alice is logged in at a Red Hat Enterprise Linux graphical user interface (GUI), then the previous Sequence will play out as described. However, if all she has is a text terminal session, then execute:
[alice@stationX]$ ssh-agent bash
This will "wrap" the bash shell with the ssh-agent utility.
What makes the Red Hat Enterprise Linux GUI so SSH friendly? The desktop sessions are similarly "wrapped" as the bash shell is in the previous command example. In fact, as described in the Unit notes, by selecting from the System->Preferences->More Preferences->Sessions->Start Up Programs , and selecting the Add button the following dialog is displayed. Enter the path to ssh-add as shown, then save and close the dialog. Logout alice and login again. After the initial "splash screen" is displayed, a dialog will display asking for alice's SSH passphrase. All SSH connections spawned from processes within this X11 session will be provided the passphrase... you can even skip the previous step.
Logout alice and login again. After the initial "splash screen" is displayed, a dialog will display asking for alice's SSH passphrase. All SSH connections spawned from processes within this X11 session will be provided the passphrase... you can even skip the previous step.
Sequence 3: Using an SSH tunnel
Scenario: alice has established public key authenticated shell access to bob's account. She would now like to securely access the (plaintext) web server that is running on bob's machine.
Deliverable: Web access through an encrypted tunnel
Instructions:
1. Ensure that a webserver is running on bob's machine (stationY). If not, as root on bob's machine, install and start the web server. Refer to the appendix if bob's machine needs to register with the RHN server.
a. [root@stationX]# yum -y install httpd
2. Have alice test the web server from stationX.
a. [alice@stationX]$ links http://stationY/
3. Using ssh, have alice connect to bob's account, and as a side effect, establish an encrypted tunnel between alice's port 12345 (or any other unused port) and bob's webserver (port 80).
[alice@stationX]$ ssh bob@stationY -L 12345:stationY:80
(and from another terminal...)
[alice@stationX]$ links http://localhost:12345
alice should see the same web page in both step 1 and step 2. In step 1, however, data traveled from the webserver to alice's links client in plaintext, and were subject to packet sniffing. In step 2, packets traveled from the web server, through bob's ssh daemon, across the network in ciphertext to alice's ssh client, and then deciphered and passed to alice's links client.
4. Challenge Question: Can you find the options that will put the ssh tunnel in the background and not execute a remote command?
Run the ssh command again, to determine the differences.
a. The options are -f and -N. The command should be:
[alice@stationX]$ ssh -Nf bob@stationY -L 12345:stationY:80
RH253读书笔记(8)-Lab 8 Securing Data的更多相关文章
- RH253读书笔记(3)-Lab 3 Securing Networking
Lab 3 Securing Networking Goal: To build skills with the Netfilter packet filter Sequence 1: Applyin ...
- RH253读书笔记(1)-Lab 1 System Monitoring
Lab 1 System Monitoring Goal: To build skills to better assess system resources, performance and sec ...
- RH253读书笔记(4)-Lab 4 The Domain Name System
Lab 4 The Domain Name System Goal: To install and configure a DNS server System Setup: Throughout th ...
- RH253读书笔记(6)-Lab 6 Implementing Web(HTTP) Services
Lab 6 Implementing Web(HTTP) Services Goal: To implement a Web(HTTP) server with a virtual host and ...
- RH253读书笔记(5)-Lab 5 Network File Sharing Services
Lab 5 Network File Sharing Services Goal: Share file or printer resources with FTP, NFS and Samba Se ...
- RH253读书笔记(9)-Lab 9 Account Management Methods
Lab 9 Account Management Methods Goal: To build skills with PAM configuration Sequence 1: Track Fail ...
- RH253读书笔记(2)-Lab 2 System Resource Access Controls
Lab 2 System Resource Access Controls Goal: To become familiar with system resource access controls. ...
- RH253读书笔记(7)-Lab 7 Electronic Mail
Lab 7 Electronic Mail Goal: To build common skills with MTA configuration Estimated Duration: 90 min ...
- RH133读书笔记(2)-Lab 2 Working with packages
Lab 2 Working with packages Goal: To gain working experience with package management System Setup: A ...
随机推荐
- 依赖注入(DI)
依赖注入(DI) IoC主要体现了这样一种设计思想:通过将一组通用流程的控制从应用转移到框架之中以实现对流程的复用,同时采用“好莱坞原则”是应用程序以被动的方式实现对流程的定制.我们可以采用若干设 ...
- WPF换肤之六:酷炫的时区浏览小精灵
原文:WPF换肤之六:酷炫的时区浏览小精灵 由于工作需要,经常要查看到不同地区的 当前时间,以前总是对照着时区表来进行加减运算,现在有了这个小工具以后,感觉省心了不少.下面是软件的截图: 效果图赏析 ...
- java名词,关键字
抽象类:规定一个或多个抽象方法的类别本身必须定义为abstract,抽象类只是用来派生子类,而不能用它来创建对象. final类:又称“最终类”,它只能用来创建对象,而不能被继承,与抽象类刚好相反,而 ...
- POJ 1696 Space Ant(点积的应用)
Space Ant 大意:有一仅仅蚂蚁,每次都仅仅向当前方向的左边走,问蚂蚁走遍全部的点的顺序输出.開始的点是纵坐标最小的那个点,開始的方向是開始点的x轴正方向. 思路:从開始点開始,每次找剩下的点中 ...
- cocos2dx的发展的例子2048(加入动画版)
网上找了很多写作教程2048.只是不知道卡的移动动画,我写了一个完美的动画版少. 开发步骤: 1,一个设计CardSprite类. 2,设计主游戏场景GameScene,实现游戏逻辑,加入动画逻辑. ...
- Understanding responsibilities is key to good object-oriented design(转)
对象和数据的主要差别就是对象有行为,行为可以看成责任职责(responsibilities以下简称职责)的一种,理解职责是实现好的OO设计的关键.“Understanding responsibili ...
- Android asynctask使用
继承asynctask,有三个參数 三个參数的含义是第一个表示输入參数.第二个为progress,表示当前的进度,第三个为doInbackground 返回值 须要一个參数传入url,返回一个r ...
- 初识google多语言通信框架gRPC系列(四)C++中使用gRPC
我的这几篇文章都是使用gRPC的example,不是直接编译example,而是新建一个项目,从添加依赖,编译example代码,执行example.这样做可以为我们创建自己的项目提供借鉴.如果对gR ...
- URAL 1934 Black Spot --- 最短的简单修改
右侧是1.维护的同时保持最短路p值至少,我有直接存款(1-p).该概率不满足,为了使这个值极大. #include <iostream> #include <cstdlib> ...
- div 浮动框