RH253读书笔记(8)-Lab 8 Securing Data
Lab 8 Securing Data
Goal: Gain familiarity with encryption utilities
Sequence 1: Using SSH keys with no passphrase
Scenario: alice and bob are users on possibly different stations who would like to establish account equivalency. In other words, alice would like to be able to access bob's account without needing to issue a password, and vice versa. You will use ssh to provide this equivalency.
This sequence will refer to stationX, which contains the user alice, and stationY, which contains the user bob. When performing this lab, you will need to adjust the steps so the hostnames reflect your situation. If you are working with a partner, stationX and stationY would be the respective machine names of you and your partner. If you are using a single machine, both hostnames may be replaced with localhost.
Deliverable: Users bob and alice are using SSH secured communications
Instructions:
1. Create these user accounts if they do not already exist, and give them passwords. On stationX create the alice user account, and on stationY create the bob account. Give them passwords.
a. [root@stationX]# useradd alice
b. [root@stationX]# echo alice | passwd --stdin alice
c. [root@stationY]# useradd bob
d. [root@stationY]# echo bob | passwd --stdin bob
2. Have root on bob's machine ensure that the sshd daemon is running.
a. [root@stationY]# service sshd start
[root@stationY]# service sshd status
3. If alice knows bob's password, she can use ssh to access his account. Note that all transactions with bob's account are encrypted, including the password exchange. As alice, run the following commands, supplying bob's password when appropriate.
[alice@stationX]$ ssh bob@stationY ls /tmp
[alice@stationX]$ ssh bob@stationY
[bob@stationY]$ exit
[alice@stationX]$ scp bob@stationY:/etc/services .
[alice@stationX]$ scp -r bob@stationY:/etc/xinetd.d .
4. Assuming that alice and bob would like a more secure authentication scheme, have alice generate an ssh public/private key pair. Note that ssh-keygen should be invoked with the -t command-line switch, so that keys appropriate for the DSA algorithm are generated. Have alice examine her private key (id_dsa) and public key (id_dsa.pub).
Choose default options for key locations. Also, choose a null passphrase by pressing Enter when prompted.
a. [alice@stationX]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/alice/.ssh/id_dsa):Enter
Created directory '/home/alice/.ssh'.
Enter passphrase (empty for no passphrase): Enter
Enter same passphrase again: Enter
Your identification has been saved in /home/alice/.ssh/id_dsa.
Your public key has been saved in /home/alice/.ssh/id_dsa.pub.
The key fingerprint is:
aa:11:33:45:11:cc:aa:66:99:00:ee alice@stationX.example.com
5. Take a look at the newly created files.
[alice@stationX]$ ls ~/.ssh
[alice@stationX]$ cat ~/.ssh/id_dsa
[alice@stationX]$ cat ~/.ssh/id_dsa.pub
6. Have alice mail bob a copy of her public key, if stationY accepts mail from stationX. If not, either setup the mail server on stationY, or use scp. Have bob save a copy of the public key as the file ~/.ssh/authorized_keys.
a. [alice@stationX]$ mail -s "my key" bob@stationY < ~/.ssh/id_dsa.pub
b. [bob@stationY]$ mail
Mail version 8.1 6/6/93. Type ? for help.
"/var/spool/mail/bob": 1 message 1 new
>N 1 alice@stationY.exa Sun Sep 24 23:00 71/3947 "my key"
& w alices_key
"alices_key" [New file]
& q
[bob@stationY]$ mkdir -p ~/.ssh; chmod 700 ~/.ssh
[bob@stationY]$ cat alices_key >> ~/.ssh/authorized_keys
[bob@stationY]$ chmod 600 ~/.ssh/authorized_keys
7. Assuming all pieces are in place (i.e., bob now has a copy of alice's public key in his list of authorized keys), alice should now be able to access bob's account without needing to supply a password.
[alice@stationX]$ ssh bob@stationY id
501(bob) gid=501(bob) groups=501(bob)
[alice@stationX]$ ssh bob@stationY tar czvf - /home/bob > /tmp/bob.stationY.tgz
If things are not properly configured, ssh will fall back to password authentication, and prompt alice for a password. There are several steps you can take to help debug the situation. First, examine /var/log/messages and /var/log/secure on the server for helpful information. Second, use the -v command-line switch with the ssh client. This will output useful debugging information. Multiple -v options will produce more debug information.
8. Perform the equivalent configuration for bob, so that he has access to alice's account.
Sequence 2: Using SSH keys with a passphrase
Scenario: If someone should find a way to get alice's private key, they would be indistinguishable from alice. A passphrase associated with alice's key would prevent this confusion, but then "she" (you) must enter a passphrase for the commands in the previous tasks. ssh-agent/ssh-add allows us to enter a passphrase only once per "session".
Note: the following assumes that you have logged in directly as alice, not using su.
Deliverable: Users alice and bob are using SSH keys with passphrases
Instructions:
1. Start by exiting your session and logging in directly as alice. Have alice generate a new key, this time with a passphrase. When asked if you want to overwrite id_dsa answer yes. Use a passphrase of your own choosing... of at least 6 characters.
a. [alice@stationX]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/alice/.ssh/id_dsa): Enter
/home/alice/.ssh/id_dsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase): passphrase
Enter same passphrase again: passphrase
Your identification has been saved in /home/alice/.ssh/id_dsa.
Your public key has been saved in /home/alice/.ssh/id_dsa.pub.
The key fingerprint is:
44:45:cc:22:66:66:ee:aa:0f:62:66 alice@stationX.example.com
2. Send bob a copy of your newly generated public key. Refer to the previous Sequence if you need help.
3. As alice, repeat the commands from the previous Sequence. Notice that now you are prompted for the passphrase for /home/alice/.ssh/id_dsa.
4. Start the ssh-agent running by typing the command:
[alice@stationX]$ ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-BEKcxu4520/agent.4520; export SSH_AUTH_SOCK;
SSH_AGENT_PID=4521; export SSH_AGENT_PID;
echo Agent pid 4521;
If this command fails try: eval 'ssh-agent' or ssh-agent bash.
Provide your ssh-agent with the key for /home/alice/.ssh/id_dsa. You will be required to enter your passphrase so ssh-agent can access the key.
[alice@stationX]$ ssh-add
Enter passphrase for /home/alice/.ssh/id_dsa: passphrase
Identity added: /home/alice/.ssh/id_dsa(/home/alice/.ssh/id_dsa)
5. As alice, repeat the commands again(!) from the previous Sequence. Notice that now ssh-agent is able to reply to the challenge provided by stationY. No passphrase is required.
Note: if alice is logged in at a Red Hat Enterprise Linux graphical user interface (GUI), then the previous Sequence will play out as described. However, if all she has is a text terminal session, then execute:
[alice@stationX]$ ssh-agent bash
This will "wrap" the bash shell with the ssh-agent utility.
What makes the Red Hat Enterprise Linux GUI so SSH friendly? The desktop sessions are similarly "wrapped" as the bash shell is in the previous command example. In fact, as described in the Unit notes, by selecting from the System->Preferences->More Preferences->Sessions->Start Up Programs , and selecting the Add button the following dialog is displayed. Enter the path to ssh-add as shown, then save and close the dialog. Logout alice and login again. After the initial "splash screen" is displayed, a dialog will display asking for alice's SSH passphrase. All SSH connections spawned from processes within this X11 session will be provided the passphrase... you can even skip the previous step.
Logout alice and login again. After the initial "splash screen" is displayed, a dialog will display asking for alice's SSH passphrase. All SSH connections spawned from processes within this X11 session will be provided the passphrase... you can even skip the previous step.
Sequence 3: Using an SSH tunnel
Scenario: alice has established public key authenticated shell access to bob's account. She would now like to securely access the (plaintext) web server that is running on bob's machine.
Deliverable: Web access through an encrypted tunnel
Instructions:
1. Ensure that a webserver is running on bob's machine (stationY). If not, as root on bob's machine, install and start the web server. Refer to the appendix if bob's machine needs to register with the RHN server.
a. [root@stationX]# yum -y install httpd
2. Have alice test the web server from stationX.
a. [alice@stationX]$ links http://stationY/
3. Using ssh, have alice connect to bob's account, and as a side effect, establish an encrypted tunnel between alice's port 12345 (or any other unused port) and bob's webserver (port 80).
[alice@stationX]$ ssh bob@stationY -L 12345:stationY:80
(and from another terminal...)
[alice@stationX]$ links http://localhost:12345
alice should see the same web page in both step 1 and step 2. In step 1, however, data traveled from the webserver to alice's links client in plaintext, and were subject to packet sniffing. In step 2, packets traveled from the web server, through bob's ssh daemon, across the network in ciphertext to alice's ssh client, and then deciphered and passed to alice's links client.
4. Challenge Question: Can you find the options that will put the ssh tunnel in the background and not execute a remote command?
Run the ssh command again, to determine the differences.
a. The options are -f and -N. The command should be:
[alice@stationX]$ ssh -Nf bob@stationY -L 12345:stationY:80
RH253读书笔记(8)-Lab 8 Securing Data的更多相关文章
- RH253读书笔记(3)-Lab 3 Securing Networking
Lab 3 Securing Networking Goal: To build skills with the Netfilter packet filter Sequence 1: Applyin ...
- RH253读书笔记(1)-Lab 1 System Monitoring
Lab 1 System Monitoring Goal: To build skills to better assess system resources, performance and sec ...
- RH253读书笔记(4)-Lab 4 The Domain Name System
Lab 4 The Domain Name System Goal: To install and configure a DNS server System Setup: Throughout th ...
- RH253读书笔记(6)-Lab 6 Implementing Web(HTTP) Services
Lab 6 Implementing Web(HTTP) Services Goal: To implement a Web(HTTP) server with a virtual host and ...
- RH253读书笔记(5)-Lab 5 Network File Sharing Services
Lab 5 Network File Sharing Services Goal: Share file or printer resources with FTP, NFS and Samba Se ...
- RH253读书笔记(9)-Lab 9 Account Management Methods
Lab 9 Account Management Methods Goal: To build skills with PAM configuration Sequence 1: Track Fail ...
- RH253读书笔记(2)-Lab 2 System Resource Access Controls
Lab 2 System Resource Access Controls Goal: To become familiar with system resource access controls. ...
- RH253读书笔记(7)-Lab 7 Electronic Mail
Lab 7 Electronic Mail Goal: To build common skills with MTA configuration Estimated Duration: 90 min ...
- RH133读书笔记(2)-Lab 2 Working with packages
Lab 2 Working with packages Goal: To gain working experience with package management System Setup: A ...
随机推荐
- OCP读书笔记(19) - 数据库空间管理
传输表空间:将linux下的数据库中的test表空间传输到windows平台下的数据库 在传输表空间前,先确定一下源库与目标数据库字符集一致: select * from nls_database_p ...
- Effective C++规定45 附加代码
这部分是额外的代码的博客.键45条款想法已经实现. #include<iostream> using namespace std; template<typename T> c ...
- Atitit. .net c# web 跟clientwinform 的ui控件结构比較
Atitit. .net c# web 跟clientwinform 的ui控件结构比較 .net 4.5 webform Winform 命名空间 System.Web.UI.WebContro ...
- Windows Phone开发(22):启动器与选择器之BingMapsDirectionsTask
原文:Windows Phone开发(22):启动器与选择器之BingMapsDirectionsTask 从今天开发始,我们又开始新的征程,接下来的课程我们要熟悉一下启动器和选择器,其实二者是一样的 ...
- ASM时的OFM特性对影的建数据文件名称的影响及为SYSTEM表空间的数据文件使用别名
客户遇到个DG的问题,存储使用的ASM管理,有多个磁盘盘. 在主库创建数据文件,备库自己主动创建的数据文件都在同一磁盘组,而且在主库创建数据文件是指定的是类似**.DBF的名字,到备库也变成了使用AS ...
- C#项目开发实践前言
曾经没有做过项目开发实现解说,都是在工作过程其中,自动学习,查找资料,由于在曾经的公司就我一人在做c#WinForm开发,所以,有时候在公司培训会上,我也会为新的员工进行过一些简单的项目解说,基于在培 ...
- POJ 2914 Minimum Cut 最小割图论
Description Given an undirected graph, in which two vertices can be connected by multiple edges, wha ...
- 玩转html5(一)-----盘点html5新增的那些酷酷的input类型和属性
今天正式开始学习html5了,相比html以前的版本,html5新增了好多功能,属性,使我们做出来的界面更加的绚丽,而且使用起来超级简单,这篇文章先来说说html增加的那些input类型和属性. 这些 ...
- top 查看资源使用
top:动态观察程序的变化 ? [root@linux ~]# top [-d] | top [-bnp] 参数: -d :后面可以接秒数,就是整个程序画面更新的秒数.预设是 5 秒: -b :以批次 ...
- 查看linux信息
1.操作系统内核 cat /proc/version 2.操作系统版本 head -n 1 /etc/issue # 查看操作系统版本 3.查看cpu信息 more /proc/cpuinfo --- ...