= Secure SHell (SSH) =

In this lab we use your host machine as the SSH client and your Ubuntu VM as the SSH server. Download the following applications:
- [https://the.earth.li/~sgtatham/putty/latest/w64/putty.exe PuTTY] (the Telnet and SSH client itself)
- [https://the.earth.li/~sgtatham/putty/latest/w64/puttygen.exe PuTTYgen] (an RSA and DSA key generation utility)

== Setting up VirtualBox ==

=== Installation of VirtualBox and Downloading the Ubuntu ISO Image ===
- Download and install VirtualBox
- Download the Ubuntu image from [https://releases.ubuntu.com/20.04.3/ubuntu-20.04.3-live-server-amd64.iso here]
- Note down the location of the downloaded ISO file

=== Creating the VM ===
- Start VirtualBox and click on the New button (at top-right) to create a new virtual machine
- Enter the name of the VM as: '''Ubuntu'''.
- Select OS Type: '''Linux'''
- Select Version: '''Ubuntu (64-bit)'''
- Then click on the '''Continue''' button
- Set the VM's memory size to '''1024MB''' and click on the Continue button
- Set the VM's hard disk option to '''Create a virtual hard disk now''' and then click on '''Continue'''
- Select the disk type '''VDI'''
- Select the storage type '''Fixed size''' and click '''Continue'''
- Make sure the virtual hard disk file name is '''Ubuntu'''
- Adjust the disk size to '''12.0GB''' and click on '''Create''' to create the VM

This might take a couple of minutes.

(Note down the location of the VDI image file when VirtualBox flashes it on the screen.)

=== Setting up the Network Interface ===

- Select the VM from the left panel of VirtualBox, right-click and open '''Settings'''
- Click on the '''Network''' title
- On '''Adapter 1''', with ''Enable Network Adapter'' selected, set Attached to: '''Bridged Adapter'''.

=== Setting up the Boot Device and Booting ===

- Click on the '''Storage''' title and select the '''CD ROM icon''' with the caption "Empty" under '''Controller: IDE'''. Then click on the CD ROM icon under '''Attributes''' on the left side to select the image
- Select '''Choose a disk file'''
- Locate the '''Ubuntu CD Image''' file you downloaded. Press OK to close the settings window.
- Right-click on the VM and select Start to make a '''Normal Start'''. You should now see a separate window with the installation screen.

=== Installation ===

Installation is quite simple. You can figure it out yourself, but make sure to select the OpenSSH server when it asks.

== Password Based Authentication ==
- Go to your host machine.
- Start the PuTTY utility by double-clicking on its .exe file.
- In the Host Name field, enter the IP address/hostname of the SSH server
[[Image(https://ws.learn.ac.lk/raw-attachment/wiki/netsec2018ssh/putty.png)]]

- Click Open.
- It will ask for the username followed by the password.
- Log out/close this session.

== Public Key Authentication ==

=== Generating OpenSSH-compatible Keys for Use with PuTTY ===
To generate a set of RSA keys with PuTTYgen:

- Start the PuTTYgen utility by double-clicking on its .exe file.
- For Type of key to generate, select SSH-2 RSA
- In the Number of bits in a generated key field, specify either 2048 or 4096 (increasing the bits makes it harder to crack the key by brute-force methods).
- Click the Generate button.
[[Image(https://ws.learn.ac.lk/raw-attachment/wiki/netsec2018ssh/puttygen.png)]]

- Move your mouse pointer around in the blank area of the Key section, below the progress bar (to generate some randomness), until the progress bar is full.
[[Image(https://ws.learn.ac.lk/raw-attachment/wiki/netsec2018ssh/puttygen1.png)]]

- A private/public key pair has now been generated.
- In the Key comment field, enter your email address.
- Type a passphrase in the Key passphrase field and re-type the same passphrase in the Confirm passphrase field.
- Click the Save private key button and save it as private_key.
- Right-click in the text field labeled Public key for pasting into OpenSSH authorized_keys file and choose Select All.
[[Image(https://ws.learn.ac.lk/raw-attachment/wiki/netsec2018ssh/puttygen2.png)]]

- Right-click again in the same text field and choose Copy.
- Open Notepad, paste the public key and save it as a .txt file.

=== Save The Public Key On The Server ===
Now you need to paste the copied public key into the file ~/.ssh/authorized_keys on your server.

- Log in to your destination server using PuTTY with the username apnic
- If your SSH folder does not yet exist, create it manually:
{{{
mkdir ~/.ssh
chmod 0700 ~/.ssh
touch ~/.ssh/authorized_keys
chmod 0644 ~/.ssh/authorized_keys
}}}
- Paste the SSH public key into your ~/.ssh/authorized_keys file:
{{{
sudo vi ~/.ssh/authorized_keys
}}}
- Tap the '''i''' key on your keyboard and right-click your mouse to paste.
- To save, tap the following keys on your keyboard (in this order): '''Esc''', ''':wq''', Enter.
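As an added example that is not part of the lab, the same steps as a POSIX shell function: it creates ~/.ssh with the permissions sshd's StrictModes expects, accepts only the one-line OpenSSH format shown in the PuTTYgen text box (the multi-line file that PuTTYgen's "Save public key" button writes is silently ignored by sshd), and does not append the same key twice. The function names are this example's own, the key strings used with it are constructed placeholders, and `stat -c` assumes GNU coreutils as on Ubuntu.

```shell
#!/bin/sh
# Added example, not part of the lab. Installs one OpenSSH public-key line into
# $home_dir/.ssh/authorized_keys with the permissions sshd's StrictModes checks
# and never adds the same key twice. Usage: install_authorized_key "$HOME" "$line"
install_authorized_key() {
    home_dir=$1
    key_line=$2
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"
    # Only the one-line text from PuTTYgen's "Public key for pasting into OpenSSH
    # authorized_keys file" box is accepted; the file that "Save public key" writes
    # starts with "---- BEGIN SSH2 PUBLIC KEY ----" and sshd ignores it.
    case "$key_line" in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-nistp"*" "*) ;;
        *) echo "install_authorized_key: not an OpenSSH public key line" >&2; return 1 ;;
    esac
    mkdir -p "$ssh_dir"
    chmod 0700 "$ssh_dir"
    touch "$auth_file"
    chmod 0600 "$auth_file"    # 0644 as in the lab also passes StrictModes; 0600 is tighter
    # Compare on the base64 blob only, so a different comment is not a second key.
    key_blob=$(printf '%s\n' "$key_line" | awk '{print $2}')
    if grep -qF -- "$key_blob" "$auth_file"; then
        return 0               # already installed: running twice is harmless
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
}

# True when group or others may write: the condition that makes sshd (with
# StrictModes yes, the default) silently ignore ~/.ssh or authorized_keys.
writable_by_others() {
    case "$(stat -c %a "$1")" in
        *[2367][0-7]|*[2367]) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints "ok N" or "bad-perms N", where N is the number of key lines sshd will read.
authorized_keys_status() {
    home_dir=$1
    auth_file="$home_dir/.ssh/authorized_keys"
    count=$(grep -cE '^(ssh-|ecdsa-)' "$auth_file" || true)
    if writable_by_others "$home_dir/.ssh" || writable_by_others "$auth_file"; then
        echo "bad-perms $count"
    else
        echo "ok $count"
    fi
}
```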

=== Create a PuTTY Profile to Save Your Server's Settings ===
In PuTTY, you can create (and save) profiles for connections to your various SSH servers, so you don't have to remember, and continually re-type, redundant information.
- Start PuTTY by double-clicking its executable file.
- PuTTY's initial window is the Session category (navigate PuTTY's various categories along the left-hand side of the window).
- In the Host Name field, enter the IP address/hostname of the SSH server
- Enter the port number in the Port field as 22
- Along the left-hand side of the window, select Connection > SSH > Auth
[[Image(https://ws.learn.ac.lk/raw-attachment/wiki/netsec2018ssh/puttyauth.png)]]

- Browse your file system and select your previously created private key.
- Return to the Session category and enter a name for this profile in the Saved Sessions field.
- Click the Save button in the Load, save or delete a stored session area.
Now you can go ahead and log in, and you will not be prompted for a password. However, if you set a passphrase on your private key, you will be asked to enter the passphrase at that time (and every time you log in in the future).

== Two Factor Authentication ==
We will enable two-factor authentication on our Ubuntu server. To implement that we are going to use multifactor authentication with Google Authenticator.

=== Google Authenticator ===
- Install Google Authenticator on your Android device/iPhone/iPad/BlackBerry/Firefox device by following the link below
{{{
https://support.google.com/accounts/answer/1066447?hl=en
}}}
- Follow the instructions and install the app on your mobile.
- Or you can search for google-authenticator in Google Play or the Apple App Store.

=== Create an Authentication Key ===
- Go to the Ubuntu VM
- Install the google-authenticator module first:
{{{
sudo apt-get update
sudo apt-get install libpam-google-authenticator
}}}
- Log in as the user you'll be logging in with remotely and run the google-authenticator command to create a secret key for that user.
{{{
$ google-authenticator

Do you want authentication tokens to be time-based (y/n) y
}}}
- You will get some QR code output like below:
[[Image(https://ws.learn.ac.lk/raw-attachment/wiki/netsec2018ssh/qr.png)]]

You will be prompted for some configuration choices.
- Scan the QR code that appears with the Google Authenticator app, or add the secret key to the Google Authenticator app manually.
- Save the backup codes listed somewhere safe. They will allow you to regain access if you lose your phone with the Authenticator app.
- Next it will ask several questions; unless you have a good reason not to, the defaults presented are sane. Just enter "y" for them.
{{{
Do you want me to update your "/home/myuser/.google_authenticator" file (y/n)
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n)
By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n)
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n)
}}}

=== Enable two factor authentication for SSH ===
- Edit the /etc/pam.d/sshd file
{{{
sudo vi /etc/pam.d/sshd
}}}
- Add the following line:
{{{
auth required pam_google_authenticator.so
}}}
- Save and quit with ''':wq'''.
- Edit the /etc/ssh/sshd_config file
{{{
sudo vi /etc/ssh/sshd_config
}}}
- Search for '''ChallengeResponseAuthentication''' and replace no with yes
{{{
ChallengeResponseAuthentication yes
}}}
- Save and quit with ''':wq'''.
- Now you need to reload the SSH service. You can do it this way:
{{{
sudo service ssh restart
}}}
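As an added example that is not part of the lab, a POSIX shell script that makes the two edits above idempotently and then audits what they achieve. It adds one point the lab does not state: with only these two changes, a public-key login (such as the PuTTY profile saved earlier) never reaches PAM and is never asked for the code; requiring both factors needs an AuthenticationMethods publickey,keyboard-interactive line in sshd_config. The function names are this example's own, and the file paths are passed as arguments so it can be tried on copies of the real files first.

```shell
#!/bin/sh
# Added example, not part of the lab. Applies the two server-side edits above
# idempotently to the files given as arguments, then audits whether sshd will
# really demand the code. The live files are /etc/ssh/sshd_config and
# /etc/pam.d/sshd (edit those as root, then restart ssh as in the lab).

# Set "Key value" in an sshd_config-style file: rewrite a live or commented-out
# directive if one exists, otherwise append it. Running twice leaves one line.
set_sshd_option() {
    cfg=$1; key=$2; value=$3
    if grep -qiE "^[#[:space:]]*${key}[[:space:]]" "$cfg"; then
        sed -i -E "s/^[#[:space:]]*${key}[[:space:]].*/${key} ${value}/I" "$cfg"
    else
        printf '%s %s\n' "$key" "$value" >> "$cfg"
    fi
}

# Append the PAM line from the lab only if it is not already present.
enable_pam_google_auth() {
    pam_file=$1
    grep -qE '^auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' "$pam_file" ||
        printf 'auth required pam_google_authenticator.so\n' >> "$pam_file"
}

# Prints one word describing the effective policy:
#   pam-missing / challenge-off / usepam-off : the code is never asked for
#   key-bypass : password logins get the code, but a public-key login never
#                reaches PAM and so skips it
#   enforced   : AuthenticationMethods requires publickey AND keyboard-interactive
audit_2fa() {
    cfg=$1; pam_file=$2
    grep -qE '^auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' "$pam_file" ||
        { echo pam-missing; return 1; }
    grep -qiE '^ChallengeResponseAuthentication[[:space:]]+yes' "$cfg" ||
        { echo challenge-off; return 1; }
    if grep -qiE '^UsePAM[[:space:]]+no' "$cfg"; then
        echo usepam-off; return 1
    fi
    if grep -qiE '^AuthenticationMethods[[:space:]]+.*publickey,keyboard-interactive' "$cfg"; then
        echo enforced
    else
        echo key-bypass
    fi
}
```

Run `sudo sshd -t` against the real /etc/ssh/sshd_config before restarting the service; a syntax error there locks out every future login.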

=== Login to the server ===
Try to SSH to the server from a new terminal. It will ask for the verification code.