4. ssh explorations

4.1. hosts, accounts, simple ssh

4.1.1. set up two new VMs

in my case one with ubuntu 14.04, the other with ubuntu 16.04. Call the hosts tclient and tserver (test client, test server).

4.1.2. create entries in /etc/hosts for u1404 and u1604

You do this by adding entries below the boiler-plate “localhost” stuff. In my case the end of my /etc/hosts files has these two lines: tclient tserver

4.1.3. create a user on each VM called “ts” (test ssh):

$ sudo adduser ts

and for the purpose of this testing you can give it a quick password to type: this will all be erased when the experiment is over.

4.1.4. experiment with simple ssh between hosts

All these tests will be done by logging in on the VM console, rather than from ssh-ing in to the VMs with a terminal on your own console.

  • on tclient:

    $ ssh tserver
  • on tserver:

    $ ssh tclient

In both cases you should be prompted for a password and it should then let you log in to the other host.

Now log out of all those ssh sessions.

4.2. Making ssh private/public key pairs, default (i.e. with-passphrase)

Log out and log back in as ts on the console of both client and server. Then:

4.2.1. Prepare the private/public key pairs

On the client run:

$ ssh-keygen

and give it a passphrase.

4.2.2. Test ssh from client to server

Redo the simple ssh from client to server and then log out:

tclient$ ssh tserver
(give password)
tserver$ exit

4.2.3. Test ssh to localhost

ssh to localhost on client and then log out:

tclient$ ssh localhost
(give password)
tclient$ exit

The last two exercises show that although we have created keys, they are not being used: it asks for password, not passphrase! This is because neither client nor server has an authorized_keys file.

4.2.4. Create authorized_keys on the server

From tclient copy the id_rsa.pub to the server, then pull it into the server’s authorized_keys:

tclient$ scp ~/.ssh/id_rsa.pub tserver:/tmp/
tserver$ mkdir ~/.ssh
tserver$ chmod 700 ~/.ssh
tserver$ cat /tmp/id_rsa.pub >> ~/.ssh/authorized_keys
tserver$ chmod 600 ~/.ssh/authorized_keys

4.2.5. Try again to log in from client into server

tclient$ ssh tserver

This is now crucial: tclient should get a desktop-level prompt asking you for your passphrase. If not something is wrong and we have to look at it. Enter your passphrase.

You should now be logged in to tserver.

4.2.6. See if the ssh agent is working well for your next login

Do two experiments on tclient:

  • in the window you just used, exit from tserver and repeat:

    tclient$ ssh tserver
  • in a new terminal also log in to tserver:

    tclient$ ssh tserver

    What you learn from these last two experiments is that the passphrase has been applied to the entire environment of this login session.

4.3. part III

FIXME: not yet written