Goal: Practice using a variety of tools to transfer files between your system and a remote system.
System Setup: A working, installed Red Hat Enterprise Linux system with an unprivileged user account named student with a password of student.
Lab Setup: Instructor should set up one of the student machines as an ftp server and make sure there is a directory /home/student/data. Do not forget to enable non-anonymous ftp in SELinux!
[root@stationY ~]# setsebool -P ftp_home_dir=1
Sequence 1: Transferring files with lftp
Scenario: One system will act as a repository for data from other computers. The remaining computers will store their data on the data repository and then synchronize their own data with that of the data repository.
Deliverable: A modified / renamed text file transferred to the ~student/data directory on the repository system.
Instructions:
1. One student's system will act as the data repository. The student whose system will perform this task should ensure that the student account on this system has a password of student and a directory called data. For the remainder of this lab, this system will be called stationY.
2. The remaining students should verify network connectivity with stationY, using the ping command:
[student@stationX ~]$ ping -c 3 stationY
3. Use lftp to connect anonymously to server1 and get a file:
[student@stationX ~]$ cd
[student@stationX ~]$ lftp server1
lftp server1:~> cd pub
lftp server1:/pub> ls
-rw-r--r-- 1 0 0 26 Jun 13 23:57 getme
lftp server1:/pub> get getme
26 bytes transferred in 2 seconds (13b/s)
lftp server1:/pub> exit
4. Examine, and then modify the text file that you have retrieved:
[student@stationX ~]$ cat getme
{Your name here} was here!
[student@stationX ~]$ vi getme
Insert your name where indicated, then save the file as getme.AB where AB are your initials.
[student@stationX ~]$ cat getme.bd
Bob Dobalina was here!
5. Use lftp to connect to the repository system, stationY, as user student, with a password of student, and transfer your modified file into that user's ~/data directory:
[student@stationX ~]$ lftp -u student stationY
Password: type_password_here
lftp student@stationY:~> cd data
lftp student@stationY:~/data> put getme.bd
21 bytes transferred.
lftp student@stationY:~/data> exit
Sequence 2: Encrypted communication -- The ssh suite
Scenario: In this sequence, you will use the ssh suite of utilities to securely transfer a file between your machine and the data repository. You will then establish an encrypted login session with the remote host, and verify that your file was successfully transferred.
Instructions:
1. Start by making a copy of your getme.AB file used in the last sequence (Be sure to replace the sample filename listed below with your initials):
[student@stationX ~]$ cd
[student@stationX ~]$ cp getme.bd getme.bd.secure
2. Securely transfer your new file via an encrypted session back to the data directory of user student on the repository system:
[student@stationX ~]$ scp getme.bd.secure student@stationY:data
... output omitted ...
3. Establish an encrypted session to the repository system, and verify that your file has been successfully transferred:
[student@stationX ~]$ ssh student@stationY
student@stationY.example.com's password: student
[student@stationY student]$ ls data/*bd*
getme.bd getme.bd.secure
[student@stationY student]$ exit
Sequence 3: Synchronizing your files with a remote system
Scenario: In this sequence, you will use the rsync command to perform a sync with several files on the repository system.
Deliverable: Synchronization between the student data directory on the repository system and your local home directory.
Instructions:
1. Perform a sync operation against the home directory on the repository system, transferring new and changed files to your local system:
[student@stationX ~]$ cd
[student@stationX ~]$ rsync -e ssh student@stationY:data/get* .
student@stationY's password: student
[student@stationX ~]$ ls getme*
getme.af getme.ai getme.bg
...output truncated...
Challenge Sequence 4: Authenticating with ssh keys
Scenario: During this lab, you will set up a key pair and use it to authenticate to another station. You will also work with the authentication agent and related tools.
Instructions:
1. Ask your neighbor, whose system we will refer to as stationY, to add a user named studentX, with the password "password". This will require the following commands:
[root@stationY ~]# useradd studentX
[root@stationY ~]# passwd studentX
2. Try connecting to your neighbor's system.
[student@stationX ~]$ ssh studentX@stationY hostname
3. Use ssh-keygen to create a dsa keypair. Use an empty passphrase and store your keys in the default location.
[student@stationX ~]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key(/home/instructor/.ssh/id_dsa):Enter
Enter passphrase (empty for no passphrase):Enter
Enter same passphrase again: Enter
Your identification has been saved in /home/instructor/.ssh/id_dsa.
Your public key has been saved in /home/instructor/.ssh/id_dsa.pub.
The key fingerprint is:
14:30:a7:52:c2:15:ad:a1:d8:b4:e6:03:8d:78:4b:bb student@stationX.example.com
4. Copy your public key to stationY.
[student@stationX ~]$ ssh-copy-id -i .ssh/id_dsa.pub studentX@stationY
studentX@stationY's password:
[studentX@stationY ~]$
5. Try to connect using your key.
[student@stationX ~]$ ssh studentX@stationY
[studentX@stationY ~]$
6. For simplicity's sake, this lab has cut some corners. What might you have done differently to make your keypair more secure?
Secure your private key with a passphrase (you can add a passphrase afterwards with ssh-keygen).
It is also recommended that you lock your screen (System->Lock Screen) whenever leaving your system unattended.
7. Apply a passphrase to your private key.
[student@stationX ~]$ ssh-keygen -f .ssh/id_dsa -p
8. Now try connecting again. You should be prompted for your key's passphrase.
[student@stationX ~]$ ssh studentX@stationY
Enter passphrase for key `.ssh/id_dsa`:
[studentX@stationY ~]$
9. Disconnect from your neighbor's station.
[studentX@stationY ~]$ exit
[student@stationX ~]$
10. Remember that you can use the ssh-add command to add your key to Gnome's authentication agent. This will make it so that you only need to enter your passphrase once per Gnome session.
[student@stationX ~]$ ssh-add
Enter passphrase for key `.ssh/id_dsa`:
Note that you did not need to specify the name of your key. As long as you are using one of the default key names, ~/.ssh/id_dsa or ~/.ssh/id_rsa, ssh-add does not need an explicit key name.
11. Try connecting to your neighbor's system again. You should no longer be prompted for a passphrase.
[student@stationX ~]$ ssh studentX@stationY
[studentX@stationY ~]$
12. Key-based, passwordless authentication is especially useful for remote execution of commands. Try the following to see who is logged in on your neighbor's system.
[student@stationX ~]$ ssh studentX@stationY w
... output omitted ...
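Steps 6 and 7 ask you to protect the private key with a passphrase. The script below is an added example, not part of the original lab: it inspects only the headers of key files in a directory and reports those stored without a passphrase. The function names key_is_encrypted and audit_keys and the sample files are made up for illustration.

```shell
#!/bin/sh
# Added example: flag SSH private keys that are stored without a passphrase.

# key_is_encrypted FILE -> 0 encrypted, 1 plaintext, 2 not a recognised private key
key_is_encrypted() {
    first=$(head -n 1 "$1" 2>/dev/null) || return 2
    case $first in
    '-----BEGIN OPENSSH PRIVATE KEY-----')
        # Body is base64 of "openssh-key-v1\0", a 4-byte length, then the cipher
        # name ("none" when unencrypted). tr maps the binary bytes to spaces.
        hdr=$(sed '/^-----/d' "$1" | base64 -d 2>/dev/null | head -c 23 |
              tr -c 'a-zA-Z0-9-' ' ')
        case $hdr in
        'openssh-key-v1'?????'none') return 1 ;;
        'openssh-key-v1'?????*)      return 0 ;;
        *)                           return 2 ;;
        esac ;;
    '-----BEGIN ENCRYPTED PRIVATE KEY-----') return 0 ;;   # PKCS#8, encrypted
    '-----BEGIN PRIVATE KEY-----')           return 1 ;;   # PKCS#8, plaintext
    '-----BEGIN '*' PRIVATE KEY-----')
        # Legacy PEM, written by older ssh-keygen for id_dsa and id_rsa:
        # a protected key carries a "Proc-Type: 4,ENCRYPTED" header.
        grep -q '^Proc-Type: 4,ENCRYPTED' "$1" ;;
    *) return 2 ;;
    esac
}

# audit_keys DIR: print each unprotected key; exit status 1 if any was found.
audit_keys() {
    found=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        rc=0
        key_is_encrypted "$f" || rc=$?
        if [ "$rc" -eq 1 ]; then
            echo "NO PASSPHRASE: $f"
            found=1
        fi
    done
    return "$found"
}

# Demo on constructed key headers (no real key material).
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN DSA PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' > "$demo/id_dsa"
printf '%s\n' '-----BEGIN DSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: AES-128-CBC,00000000000000000000000000000000' > "$demo/id_dsa_locked"
audit_keys "$demo" || echo "Protect it with: ssh-keygen -p -f <key>"
rm -rf "$demo"
```

Calling audit_keys ~/.ssh on stationX after step 7 should no longer list id_dsa.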
Challenge Sequence 5: Using ssh keys with Gnome
Scenario: Gnome can be configured to automatically prompt for your passphrase when you log in, making secure, key-based ssh authentication very easy.
Instructions:
1. First, access the Startup Programs dialog by clicking System->Preferences->More Preferences->Sessions and selecting the Startup Programs tab.
2. Click Add and enter ssh-add in the Startup Command field.
3. Click OK and then Close.
4. Log out of Gnome.
5. Log in again as the same user.
6. You should be prompted for your key's passphrase. Enter it and click OK.
7. Confirm that everything works by opening a terminal and connecting to stationY again. You should not be prompted for a passphrase.