Goal: Practice using a variety of tools to transfer files between your system and a remote system.
System Setup: A working, installed Red Hat Enterprise Linux system with an unprivileged user account named student with a password of student.
Lab Setup: The instructor should set up one of the student machines as an FTP server and make sure there is a directory /home/student/data.
Do not forget to allow non-anonymous FTP access to home directories in SELinux (the -P makes the boolean persistent across reboots); without it the transfers into ~student/data in Sequence 1 fail even though the password is correct:
[root@stationY ~]# setsebool -P ftp_home_dir=1
Sequence 1: Transferring files with lftp
Scenario: One system will act as a repository for data from other computers. The remaining computers will store their data on the data repository and then synchronize their own data with that of the data repository.
Deliverable: A modified/renamed text file transferred to the ~student/data directory on the repository system.
Instructions:
- One student’s system will act as the data repository. The student whose system will perform this task should ensure that the student account on this system has a password of student and a directory called data. For the remainder of this lab, this system will be called stationY.
- The remaining students should verify network connectivity with stationY, using the ping command:
[student@stationX ~]$ ping -c 3 stationY
- Use lftp to connect anonymously to server1 and get a file:
[student@stationX ~]$ cd
[student@stationX ~]$ lftp server1
lftp server1:~> cd pub
lftp server1:/pub> ls
-rw-r--r-- 1 0 0 26 Jun 13 23:57 getme
lftp server1:/pub> get getme
26 bytes transferred in 2 seconds (13b/s)
lftp server1:/pub> exit
- Examine, and then modify the text file that you have retrieved:
[student@stationX ~]$ cat getme
{Your name here} was here!
[student@stationX ~]$ vi getme
Insert your name where indicated, then save the file as getme.AB where AB are your initials.
[student@stationX ~]$ cat getme.bd
Bob Dobalina was here!
- Use lftp to connect to the repository system, stationY, as user student, with a password of student, and transfer your modified file into that user's ~/data directory. Note that FTP sends the user name, the password and the file contents in clear text, so anyone on the network path can read them; Sequence 2 repeats the transfer over an encrypted ssh channel for that reason:
[student@stationX ~]$ lftp -u student stationY
Password: type_password_here
lftp student@stationY:~> cd data
lftp student@stationY:~/data> put getme.bd
21 bytes transferred.
lftp student@stationY:~/data> exit
Sequence 2: Encrypted communication — The ssh suite
Scenario: In this sequence, you will use the ssh suite of utilities to securely transfer a file between your machine and the data repository. You will then establish an encrypted login session with the remote host, and verify that your file was successfully transferred.
Instructions:
- Start by making a copy of your getme.AB file used in the last sequence (Be sure to replace the sample filename listed below with your initials):
[student@stationX ~]$ cd
[student@stationX ~]$ cp getme.bd getme.bd.secure
- Securely transfer your new file via an encrypted session back to the data directory of user student on the repository system:
[student@stationX ~]$ scp getme.bd.secure student@stationY:data
… output omitted …
- Establish an encrypted session to the repository system, and verify that your file has been successfully transferred:
[student@stationX ~]$ ssh student@stationY
student@stationY.example.com's password: student
[student@stationY student]$ ls data/*bd*
getme.bd getme.bd.secure
[student@stationY student]$ exit
Sequence 3: Synchronizing your files with a remote system
Scenario: In this sequence, you will use the rsync command to perform a sync with several files on the repository system.
Deliverable: Synchronization between the student data directory on the repository system and your local home directory.
Instructions:
- Perform a sync operation against the data directory of user student on the repository system, transferring new and changed files to your local home directory:
[student@stationX ~]$ cd
[student@stationX ~]$ rsync -e ssh student@stationY:data/get* .
student@stationY's password: student
[student@stationX ~]$ ls getme*
getme.af getme.ai getme.bg
…output truncated…
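Added example, not part of the original lab: the script below runs rsync between two local directories so that the "new and changed files only" behaviour of Sequence 3 can be watched without a second station. The repo directory stands in for student@stationY:data/ and the other directory for your home directory on stationX; the file names and contents are constructed for the demonstration, and rsync and a POSIX sh are assumed to be installed.

```shell
#!/bin/sh
# Added example, not part of the original lab. Runs rsync between two local
# directories so the "new and changed files only" behaviour of Sequence 3 can
# be observed without a second station. $repo plays student@stationY:data/,
# $local_home plays ~student on stationX. Assumes rsync is installed; file
# names and contents are constructed for the demonstration.

sync_demo() {
    work=$(mktemp -d) || return 1
    repo="$work/repo"            # stands in for student@stationY:data/
    local_home="$work/home"      # stands in for ~student on stationX
    mkdir -p "$repo" "$local_home"
    printf 'Alice Foo was here!\n'    > "$repo/getme.af"
    printf 'Bob Dobalina was here!\n' > "$repo/getme.bd"
    printf 'not a getme file\n'       > "$repo/notes.txt"

    # First pull: the get* glob selects the same files as the lab's
    # student@stationY:data/get* source. -a keeps mode and mtime, which is
    # what lets a later run tell changed files from unchanged ones.
    rsync -a "$repo"/get* "$local_home"/ || return 1
    first=$(ls "$local_home" | wc -l | tr -d ' ')

    # Simulate other students updating the repository: one existing file is
    # rewritten (different size) and one new file appears.
    printf 'Bob Dobalina was here again!\n' > "$repo/getme.bd"
    printf 'Carol Xu was here!\n'           > "$repo/getme.cx"

    # Second pull with --itemize-changes: lines beginning ">f" are files
    # actually received. getme.af has the same size and mtime on both sides
    # and is skipped, so only getme.bd and getme.cx are listed.
    changed=$(rsync -a --itemize-changes "$repo"/get* "$local_home"/ | grep -c '^>f')
    total=$(ls "$local_home" | wc -l | tr -d ' ')
    if grep -q 'again' "$local_home/getme.bd"; then state=updated; else state=stale; fi

    rm -rf "$work"
    echo "$first $changed $total $state"   # expect: 2 2 3 updated
}
```

Source the file and run sync_demo. To turn this into the lab's own command, replace "$repo"/get* with student@stationY:data/get* and add -e ssh; everything else, including the skip of unchanged files, works the same way over the network.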
Challenge Sequence 4: Authenticating with ssh keys
Scenario: In this lab you will set up a key pair and use it to authenticate to another station. You will also use the authentication agent and related tools.
Instructions:
- Ask your neighbor, whose system we will refer to as stationY, to add a user named studentX, with the password “password”. This will require the following commands:
[root@stationY ~]# useradd studentX
[root@stationY ~]# passwd studentX
- Try connecting to your neighbor’s system.
[student@stationX ~]$ ssh studentX@stationY hostname
- Use ssh-keygen to create a dsa keypair. Use an empty passphrase and store your keys in the default location. (Note: DSA keys are fixed at 1024 bits and OpenSSH 7.0 and later refuse ssh-dss keys by default, so on a current system substitute -t rsa or -t ed25519 and read id_rsa or id_ed25519 wherever id_dsa appears below.)
[student@stationX ~]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/student/.ssh/id_dsa): (press Enter)
Enter passphrase (empty for no passphrase): (press Enter)
Enter same passphrase again: (press Enter)
Your identification has been saved in /home/student/.ssh/id_dsa.
Your public key has been saved in /home/student/.ssh/id_dsa.pub.
The key fingerprint is:
14:30:a7:52:c2:15:ad:a1:d8:b4:e6:03:8d:78:4b:bb student@stationX.example.com
- Copy your public key to stationY.
[student@stationX ~]$ ssh-copy-id -i .ssh/id_dsa.pub studentX@stationY
studentX@stationY's password:
... output omitted ...
[student@stationX ~]$
ssh-copy-id appends your public key to ~studentX/.ssh/authorized_keys on stationY and then returns to your local prompt; it does not log you in.
- Try to connect using your key.
[student@stationX ~]$ ssh studentX@stationY
[studentX@stationY ~]$
- For simplicity's sake, this lab has cut some corners. What might you have done differently to make your keypair more secure?
Secure your private key with a passphrase (you can add a passphrase afterwards with ssh-keygen -p). Generate a stronger key type than DSA (RSA or ed25519), and when a key is only meant for running one remote command, restrict it on stationY with authorized_keys options such as command="..." and no-port-forwarding so that a stolen key cannot do more than that.
It is also recommended that you lock your screen (System->Lock Screen) whenever leaving your system unattended.
- Apply a passphrase to your private key.
[student@stationX ~]$ ssh-keygen -f .ssh/id_dsa -p
- Now try connecting again. You should be prompted for your key’s passphrase.
[student@stationX ~]$ ssh studentX@stationY
Enter passphrase for key '.ssh/id_dsa':
[studentX@stationY ~]$
- Disconnect from your neighbor’s station.
[studentX@stationY ~]$ exit
[student@stationX ~]$
- Remember that you can use the ssh-add command to add your key to the authentication agent that Gnome starts for your session. You then only need to enter your passphrase once per Gnome session.
[student@stationX ~]$ ssh-add
Enter passphrase for key '.ssh/id_dsa':
Note that you did not need to specify the name of your key. As long as you are using one of the default key names, ~/.ssh/id_dsa or ~/.ssh/id_rsa, ssh-add does not need an explicit key name.
- Try connecting to your neighbor’s system again. You should no longer be prompted for a passphrase.
[student@stationX ~]$ ssh studentX@stationY
[studentX@stationY ~]$
- Key-based, passwordless authentication is especially useful for remote execution of commands. Try the following to see who is logged in on your neighbor's system; the command given after the host name runs on stationY and its output is returned to your terminal:
[student@stationX ~]$ ssh studentX@stationY who
… output omitted …
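Added example, not part of the original lab: two checks a practitioner would bolt onto Challenge Sequence 4. The first builds an authorized_keys entry that lets a key run exactly one forced command (the `who` of the remote-execution step) and nothing else. The second audits the modes under a .ssh directory, because sshd with StrictModes (the default) ignores authorized_keys when the directory or file is group/world writable, and ssh refuses a private key readable by others, which is the usual reason a fresh ssh-copy-id still ends in a password prompt. The script assumes GNU stat (Linux); SAMPLE_PUBKEY is a constructed placeholder and not a real key, and ed25519 is used because current OpenSSH rejects ssh-dss.

```shell
#!/bin/sh
# Added example, not part of the original lab.
#  1. restricted_key_line builds an authorized_keys entry that allows exactly
#     one forced command and disables forwarding and pty allocation.
#  2. audit_ssh_dir reports mode problems under a .ssh directory: sshd with
#     StrictModes ignores authorized_keys that is group/world writable, and
#     ssh refuses a private key readable by others.
# Assumptions: GNU stat (Linux). SAMPLE_PUBKEY is a constructed placeholder,
# not a real key; ed25519 is used because current OpenSSH rejects ssh-dss.

SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERnotAreal0000000000000000000000 student@stationX'

# $1 = forced command, $2 = public key line. Prints one authorized_keys line.
restricted_key_line() {
    printf 'command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' "$1" "$2"
}

# $1 = path of a .ssh directory. Prints one line per finding; returns 1 if
# anything is wrong, 0 if clean. Public halves (*.pub) may be world readable.
audit_ssh_dir() {
    dir=$1
    rc=0
    mode=$(stat -c '%a' "$dir")
    [ "$mode" = 700 ] || { echo "BAD $dir mode $mode (want 700)"; rc=1; }
    for f in "$dir"/authorized_keys "$dir"/id_*; do
        [ -e "$f" ] || continue
        case "$f" in *.pub) continue ;; esac
        mode=$(stat -c '%a' "$f")
        case "$mode" in
            600|400) ;;
            *) echo "BAD $f mode $mode (want 600)"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Throw-away directory standing in for ~studentX/.ssh after a careless setup
# (world-readable directory, authorized_keys and private key). Prints the
# number of findings before and after the fix.
permission_demo() {
    work=$(mktemp -d) || return 1
    sshdir="$work/.ssh"
    mkdir -p "$sshdir"
    restricted_key_line who "$SAMPLE_PUBKEY" > "$sshdir/authorized_keys"
    printf 'placeholder, not a real private key\n' > "$sshdir/id_ed25519"
    chmod 755 "$sshdir"                    # wrong on purpose
    chmod 644 "$sshdir/authorized_keys"    # wrong on purpose
    chmod 644 "$sshdir/id_ed25519"         # wrong on purpose
    before=$(audit_ssh_dir "$sshdir" | wc -l | tr -d ' ')

    chmod 700 "$sshdir"
    chmod 600 "$sshdir/authorized_keys" "$sshdir/id_ed25519"
    after=$(audit_ssh_dir "$sshdir" | wc -l | tr -d ' ')

    rm -rf "$work"
    echo "$before $after"                  # expect: 3 0
}
```

On a real station run audit_ssh_dir ~/.ssh on stationX and audit_ssh_dir ~studentX/.ssh on stationY before troubleshooting anything else; to lock the key down, replace the line ssh-copy-id appended to authorized_keys with the output of restricted_key_line, after which ssh studentX@stationY with that key runs who and no other command.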
Challenge Sequence 5: Using ssh keys with Gnome
Scenario: Gnome can be configured to automatically prompt for your passphrase when you log in, making secure, key-based ssh authentication very easy.
Instructions:
- First, access the Startup Programs dialog by clicking System->Preferences->More Preferences->Sessions and selecting the Startup Programs tab.
- Click Add and enter ssh-add in the Startup Command field.
- Click OK and then Close.
- Log out of Gnome
- Log in again as the same user
- You should be prompted for your key’s passphrase. Enter it and click OK.
- Confirm that everything works by opening a terminal and connecting to stationY again. You should not be prompted for a passphrase.