Skip to content

Guided Exercise SSH

Before

  1. Clone your VM into servera and serverb

  2. Change servera hostname into servera and serverb hostname into serverb 

    [rehan@localhost ~]$ su -
Password:
[root@localhost ~]# hostnamectl set-hostname servera

    [rehan@webserver ~]$ su -
Password:
[root@webserver ~]# hostnamectl set-hostname serverb

  3. Create user operator1 by password redhat on servera and serverb 

    [root@servera ~]# useradd operator1
[root@servera ~]# passwd operator1
Changing password for user operator1.
New password: redhat
BAD PASSWORD: The password is shorter than 8 characters
Retype new password: redhat
passwd: all authentication tokens updated successfully.

    [root@serverb ~]# useradd operator1
[root@serverb ~]# passwd operator1
Changing password for user operator1.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.

  4. Create user student on serverb 

    [root@serverb ~]# useradd student
[root@serverb ~]# passwd student
Changing password for user student.
New password: 1234
BAD PASSWORD: The password is shorter than 8 characters
Retype new password: 1234
passwd: all authentication tokens updated successfully.

  5. Add servera at /etc/hosts/ 

    [root@serverb ~]# nano /etc/hosts
    tambahkan line berikut namun sesuaikan dengan ipaddress servera milik anda 
    172.16.20.35 servera

  1. From your windows cmd, open an SSH session to serverb as student 

    C:\Users\Monk>ssh rehan@your_ip_address

  2. Use the su command to switch to the operator1 user on serverb. User redhat as the password of operator1 

    [student@serverb ~]$ su - operator1
Password:
[operator1@serverb ~]$

  3. Use the ssh-keygen command to generate SSH keys. Do not enter a passphrase. 

    [operator1@serverb ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/operator1/.ssh/id_rsa): enter
Created directory '/home/operator1/.ssh'.
Enter passphrase (empty for no passphrase): enter
Enter same passphrase again: enter
Your identification has been saved in /home/operator1/.ssh/id_rsa
Your public key has been saved in /home/operator1/.ssh/id_rsa.pub

  4. Use the ssh-copy-id command to send the public key of the SSH key pair to operator1 on servera. Use redhat as the password of operator1 on servera.

    [operator1@serverb ~]$ ssh-copy-id operator1@servera_ip_address
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/operator1/.ssh/id_rsa.pub"
The authenticity of host '192.168.1.5 (192.168.1.5)' can't be established.
ED25519 key fingerprint is SHA256:Xbp9Sh3L8OwG1pj62suEtSTM2CuJvcAty0GAaVdouHE.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
operator1@192.168.1.5's password: redhat

  5. Execute the hostname command on servera remotely using SSH without accessing the remote interactive shell. 

    [operator1@serverb ~]$ ssh operator1@servera hostname
servera
    Notice that the preceding ssh command did not prompt you for a password because it used the passphrase-less private key against the exported public key to authenticate as operator1 on servera. This approach is not secure, because anyone who has access to the private key file can log in to servera as operator1. The secure alternative is to protect the private key with a passphrase, which is the next step.

  6. Use the ssh-keygen command to generate another set of SSH keys with passphraseprotection. Save the key as /home/operator1/.ssh/key2. Use redhatpass as the passphrase of the private key

    [operator1@serverb ~]$ ssh-keygen -f .ssh/key2
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): redhatpass
Enter same passphrase again: redhatpass
Your identification has been saved in .ssh/key2
Your public key has been saved in .ssh/key2.pub
The key fingerprint is:
SHA256:sZJuY84PaRxyW87F501M0mwTlVAWDXbtgV9fe9goi9E operator1@serverb
The key's randomart image is:

  7. Use the ssh-copy-id command to send the public key of the passphrase-protected key pair to operator1 on servera. 
    [operator1@serverb ~]$ ssh-copy-id -i .ssh/key2.pub operator1@servera
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/key2.pub"The authenticity of host 'servera (172.16.70.27)' can't be established.
ED25519 key fingerprint is SHA256:Xbp9Sh3L8OwG1pj62suEtSTM2CuJvcAty0GAaVdouHE.
This host key is known by the following other names/addresses:
    ~/.ssh/known_hosts:1: 192.168.1.5
    ~/.ssh/known_hosts:4: 172.16.70.27
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'operator1@servera'"
and check to make sure that only the key(s) you wanted were added.
  8. Execute the hostname command on servera remotely with SSH without accessing the remote interactive shell. Use /home/operator1/.ssh/key2 as the identity file. Specify redhatpass as the passphrase, which you set for the private key in the preceding step.
    [operator1@serverb ~]$ ssh -i .ssh/key2 operator1@servera hostname
Enter passphrase for key '.ssh/key2':
servera
    Notice that the preceding ssh command prompted you for the passphrase you used to protect the private key of the SSH key pair. This passphrase protects the private key. Should an attacker gain access to the private key, the attacker cannot use it to access other systems because the private key itself is protected with a passphrase. The ssh command uses a different passphrase than the one for operator1 on servera, requiring users to know both.
    You can use ssh-agent, as in the following step, to avoid interactively typing in the passphrase while logging in with SSH. Using ssh-agent is both more convenient and more secure in situations where the administrators log in to remote systems regularly.
  9. Run ssh-agent in your Bash shell and add the passphrase-protected private key (/home/ operator1/.ssh/key2) of the SSH key pair to the shell session.
    [operator1@serverb ~]$ eval $(ssh-agent)
Agent pid 1873
[operator1@serverb ~]$ ssh-add .ssh/key2
Enter passphrase for .ssh/key2: redhatpass
Identity added: .ssh/key2 (operator1@serverb)
  10. Execute the hostname command on servera remotely without accessing a remote interactive shell. Use /home/operator1/.ssh/key2 as the identity file
    [operator1@serverb ~]$ ssh -i .ssh/key2 operator1@servera hostname
servera
    Notice that the preceding ssh command did not prompt you to enter the passphrase interactively.
  11. Open another terminal on CMD and open an SSH session to serverb as student 
    C:\Users\Monk>ssh student@serverb_ip_address
student@172.16.70.23's password: 1234
  12. On serverb, use the su command to switch to operator1 and invoke an SSH connection to servera. Use /home/operator1/.ssh/key2 as the identity file to authenticate using the SSH keys.
    [student@serverb ~]$ su - operator1
Password: redhat

    [operator1@serverb ~]$ ssh -i .ssh/key2 operator1@servera
Enter passphrase for key '.ssh/key2': redhatpass
Last login: Wed Jul 24 10:02:16 2024 from 172.16.70.23
[operator1@servera ~]$
    Notice that the preceding ssh command prompted you to enter the passphrase interactively because you did not invoke the SSH connection from the shell that you used to start ssh-agent.
  13. Exit all the shells you are using in the second terminal. 
    [operator1@servera ~]$ exit
logout