home       inleiding       sysadmin       services       links       bash       werk       nothing      

>> mrt 2018: -5- keys en filezilla

keyd logon by filezilla

  1. create a virtual linux mint 18 clone
     
  2. create my two users (example: bob and dylan) in mint18-clone
    bert@mint18-M02 ~ $ sudo useradd -m bob
    [sudo] password for bert: 
    bert@mint18-M02 ~ $ sudo useradd -m dylan

    check the work

    bert@mint18-M02 ~ $ tail -n 2 /etc/passwd
    bob:x:1001:1001::/home/bob:
    dylan:x:1003:1003::/home/dylan:

    create passwords:

    bert@mint18-M02 ~ $ sudo passwd bob
    Enter new UNIX password: 
    Retype new UNIX password: 
    passwd: password updated successfully
    bert@mint18-M02 ~ $ sudo passwd dylan
    Enter new UNIX password: 
    Retype new UNIX password: 
    passwd: password updated successfully
  3. give access to centOS by password
     
    [bert@cOS74-T06-2 ~]$ sudo passwd bob
    [sudo] password for bert: 
    Changing password for user bob.
    New password: 
    Retype new password: 
    passwd: all authentication tokens updated successfully.
    [bert@cOS74-T06-2 ~]$ sudo passwd dylan
    Changing password for user dylan.
    New password: 
    Retype new password: 
    passwd: all authentication tokens updated successfully.
  4. bob & dylan generate keys and put them on centos
    bert@mint18-M02 ~ $ sudo su bob
    bob@mint18-M02 /home/bert $ cd
    bob@mint18-M02 ~ $ ssh-keygen 
    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/bob/.ssh/id_rsa): 
    Created directory '/home/bob/.ssh'.
    Enter passphrase (empty for no passphrase): 
    Enter same passphrase again: 
    Your identification has been saved in /home/bob/.ssh/id_rsa.
    Your public key has been saved in /home/bob/.ssh/id_rsa.pub.
    The key fingerprint is:
    SHA256:M2dDQcKXrIVWuD7Oc0AoqWgM1RjhTRImNolqx1H0mmc bob@mint18-M02
    The key's randomart image is:
    +---[RSA 2048]----+
    |ooB*+o ..*+.     |
    |o=+=. . =.=.     |
    |..o o. + =.      |
    |o. oo + +.       |
    |+... + ES +      |
    |.o.   o += .     |
    |.      o o       |
    |        + .      |
    |         o       |
    +----[SHA256]-----+
  5. put the key on centOS
    bob@mint18-M02 ~ $ ssh-copy-id 10.104.198.106
    /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/bob/.ssh/id_rsa.pub"
    The authenticity of host '10.104.198.106 (10.104.198.106)' can't be established.
    ECDSA key fingerprint is SHA256:OFUuD0gVNHojUseVGgrDfq6F4nzPNokpZ2p98aUbzBg.
    Are you sure you want to continue connecting (yes/no)? yes
    /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
    /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
    bob@10.104.198.106's password: 
     
    Number of key(s) added: 1
     
    Now try logging into the machine, with:   "ssh '10.104.198.106'"
    and check to make sure that only the key(s) you wanted were added.
  6. check whether keys are needed to logon
    bob@mint18-M02 ~ $ ssh 10.104.198.106
    bob@10.104.198.106's password: 
    Last login: Fri Mar 16 11:42:31 2018
    [bob@cOS74-T06-2 ~]$ exit
    logout

    the machine is playing with our brain ...
    since this worked for the sysadmin user, there is a problem with the position of the home directory ... and then we think about SElinux ...
     

  7. solution
     
    To cut a long story short we have to give ssh on centOS access to /www-homes/.ssh
     
    this worked ....
    [student@cOS74-T06-2 ~]$ sudo semanage fcontext --add --type ssh_home_t "/www-homes/.*/\.ssh(/.*)?"
    [student@cOS74-T06-2 ~]$ sudo restorecon -Rv /www-homes

     

  8. convert private key to filezilla ppk format
     
    • install filezilla and putty-tools on bob's linux mint machine (bob and dylan share one machine for testing)
    • convert bob's private key into a ppk key for filezilla:
      cd $HOME/.ssh
      puttygen .ssh/id_rsa -o bobs-privates.ppk

       

  9. configure filezilla
     
    filezillas-key

     

  10. disable password for bob and dylan
     
    [student@cOS74-T06-2 ~]$ sudo passwd -l bob
     
  11. problem: user bob sees the entire filesystem
     
    this was not asked in the assignment, so this is not obligatory ...
     
    we have to chroot the sftp users as explained in
    http://linux800.be/services/services-adv-2/oef-sftp-ub16-04/sshd-config