So now we're ready to start communicating with other systems to share resources and data.
Setting up SSH is fairly simple. OpenSSH is installed by default on Fedora and RHEL systems. OpenSSH is also available for Windows, but I'll leave that for my How-To section, which will be added at a later time. The following are the commands to configure ssh from start to finish, so that your ssh authentication is automated and you enter a single login/pass phrase once. This single sign-on workaround lets you log in one time and then access every server you've copied your public key to. For those who don't know what PKI is, or its basics, here's a brief introduction. I will add a complete PKI security overview as I work toward my CISSP in the near future.
PKI Intro: Scenario: John and Kyle are business partners working on a project that they want kept private, so that no one will steal their plans and come up with a better product. John and Kyle both register for email certificates so that they can sign their emails with a digital signature. A digital signature is created with the signer's private key and can be checked by anyone who holds the matching public key. The public key is public, so everyone can read the email, but they cannot forge John's digital signature because only John has his private key... (or only John SHOULD have his private key!) John sends an email to Kyle that he doesn't want anyone else to read, so he adds his digital signature and sends it. Kyle looks at it and tells him to scrap the idea, because he sent it without protecting it. John is confused, because he swore he encrypted his message, and points out that it carries his digital signature. Kyle reviews it and says: yes... but you did not also encrypt the message with my public key. If John encrypts that message with Kyle's public key, only Kyle can read it, because only Kyle has his private key. So anyone can send Kyle a message that only Kyle can read. From then on, John signs his message and uses Kyle's public key to encrypt it. This is called a digital envelope. John cannot claim he didn't send it, and in the security world that is called non-repudiation. Since only Kyle can read it, this is called confidentiality.

So for SSH: ssh-copy-id sends the server your public key and appends it to the server's ~/.ssh/authorized_keys file, and when you connect you authenticate by proving that you hold the matching private key. The session is then encrypted, so your messages can be read by the server, and vice-versa.
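The John/Kyle digital envelope, carried out with the openssl command-line tool so the two properties (the signature proves who sent it, the encryption limits who can read it) can be tried locally. This is an added example, not code from the original post; it assumes openssl is installed, and the file names, function names and the "eve" third party are chosen here.

```shell
#!/bin/sh
# Added example: sign with the sender's private key, encrypt with the
# recipient's public key, then open the envelope on the other side.
# Assumes the openssl CLI is available. Names below are chosen for this demo.

# Create <name>.key (private) and <name>.pub (public) in the current directory.
make_keypair() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1.key" 2>/dev/null
    openssl pkey -in "$1.key" -pubout -out "$1.pub"
}

# Sender: sign the message with own private key, then encrypt it with the
# recipient's public key (RSA-OAEP). Produces <msg>.sig and <msg>.enc.
seal_envelope() {
    sender="$1"; recipient="$2"; msg="$3"
    openssl dgst -sha256 -sign "$sender.key" -out "$msg.sig" "$msg"
    openssl pkeyutl -encrypt -pubin -inkey "$recipient.pub" \
        -pkeyopt rsa_padding_mode:oaep -in "$msg" -out "$msg.enc"
}

# Recipient: decrypt with own private key, then verify the signature with the
# sender's public key. Exit status 0 only if both steps pass.
open_envelope() {
    recipient="$1"; sender="$2"; msg="$3"
    openssl pkeyutl -decrypt -inkey "$recipient.key" \
        -pkeyopt rsa_padding_mode:oaep -in "$msg.enc" -out "$msg.dec" 2>/dev/null &&
    openssl dgst -sha256 -verify "$sender.pub" -signature "$msg.sig" "$msg.dec" >/dev/null 2>&1
}

# Full run in a scratch directory (subshell, so the cd does not leak).
# Prints "ok" and returns 0 when every expectation holds.
demo() (
    work=$(mktemp -d) && cd "$work" || return 1
    make_keypair john; make_keypair kyle
    make_keypair eve          # a third party who should get nothing from the mail
    printf 'Project plans: launch in Q3\n' > plan.txt    # constructed message

    seal_envelope john kyle plan.txt
    # Confidentiality + integrity: Kyle opens it and gets the original back.
    open_envelope kyle john plan.txt || return 1
    cmp -s plan.txt plan.txt.dec || return 1
    # Eve lacks Kyle's private key: she cannot recover the plaintext.
    if openssl pkeyutl -decrypt -inkey eve.key -pkeyopt rsa_padding_mode:oaep \
          -in plan.txt.enc -out eve.dec 2>/dev/null && cmp -s plan.txt eve.dec; then
        return 1
    fi
    # Non-repudiation: the signature does not verify against anyone else's key.
    if openssl dgst -sha256 -verify eve.pub -signature plan.txt.sig plan.txt.dec >/dev/null 2>&1; then
        return 1
    fi
    cd / && rm -rf "$work"
    echo ok
)
```

Run `demo` to see the whole exchange; it only prints "ok" when Kyle can open the envelope, Eve cannot, and the signature fails against any key but John's. OAEP padding is used for the encryption step so that a decryption with the wrong key fails cleanly instead of yielding garbage.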
[user@station ~]$ ssh-keygen -t rsa
press enter for default ~/.ssh/id_rsa
Type your preferred pass phrase
[user@station ~]$ for h in server{1,2,3,4,5}; do ssh-copy-id -i ~/.ssh/id_rsa.pub user@$h; done
[user@station ~]$ for h in {marmoset,zebra,giraffe}; do ssh-copy-id -i ~/.ssh/id_rsa.pub user@$h; done
(ssh-copy-id takes one host per run, so the host list is wrapped in a loop; the brace expansion on its own would only reach the first host.)
[user@station ~]$ eval "$(ssh-agent -s)"
(ssh-agent on its own only prints the environment variables it needs; eval puts them into your current shell so that ssh-add and ssh can find the agent.)
The next step is to make sure your pass phrase is handed to the ssh-agent by using ssh-add. To make this seamless at login, open your GNOME menu for System, Preferences, More Preferences, and select Session. This may be slightly different on the latest Fedora, but if you find Sessions in your menu, that's probably what you're looking for. Change to the Startup Programs tab and add both /usr/bin/ssh-agent and ssh-add. To confirm it's running properly, log out and log back in: you should receive a prompt for your pass phrase once you've logged into the system.
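What ssh-copy-id does on the server side, reproduced locally as an added example (not code from the original post or from OpenSSH) so the mechanics, and the permission rules sshd enforces with StrictModes, can be seen without a remote host. The function names and the placeholder key line are chosen here.

```shell
#!/bin/sh
# Added example: the server-side effect of ssh-copy-id, done on a local
# scratch home directory. Function names are chosen for this demo.

# Append the key lines in $2 to $1/.ssh/authorized_keys, creating the
# directory and file with the permissions sshd expects (700 / 600).
# Idempotent: a key already present is not added again. Runs in a subshell
# so the umask change does not leak into the caller.
install_authorized_key() (
    home_dir="$1"; pubkey_file="$2"
    umask 077                                  # new files/dirs private to the owner
    mkdir -p "$home_dir/.ssh"
    chmod 700 "$home_dir/.ssh"
    keyfile="$home_dir/.ssh/authorized_keys"
    touch "$keyfile"
    chmod 600 "$keyfile"
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac   # skip blanks and comments
        if ! grep -qxF -- "$line" "$keyfile"; then
            printf '%s\n' "$line" >> "$keyfile"
        fi
    done < "$pubkey_file"
)

# Number of non-empty lines (keys) authorized for a home directory.
authorized_key_count() {
    f="$1/.ssh/authorized_keys"
    [ -f "$f" ] || { echo 0; return; }
    grep -c -v '^[[:space:]]*$' "$f"
}

# True when ~/.ssh is exactly 700 and authorized_keys exactly 600. With
# StrictModes (the sshd default) a group- or world-accessible key file is
# ignored, which shows up client-side as an unexpected password prompt.
key_dir_ok() {
    d="$1/.ssh"
    [ -n "$(find "$d" -prune -perm 700 2>/dev/null)" ] &&
    [ -n "$(find "$d/authorized_keys" -prune -perm 600 2>/dev/null)" ]
}

# Self-contained run in a scratch directory. Prints "ok" on success.
demo() {
    work=$(mktemp -d)
    # Constructed placeholder key line; deliberately not a real key.
    printf 'ssh-rsa AAAAB3NzaC1yc2EXAMPLEKEYNOTREAL== user@station\n' > "$work/id_rsa.pub"
    install_authorized_key "$work/home" "$work/id_rsa.pub"
    install_authorized_key "$work/home" "$work/id_rsa.pub"   # second copy is a no-op
    [ "$(authorized_key_count "$work/home")" = 1 ] || return 1
    key_dir_ok "$work/home" || return 1
    chmod 644 "$work/home/.ssh/authorized_keys"              # a common mistake
    key_dir_ok "$work/home" && return 1
    rm -rf "$work"
    echo ok
}
```

`key_dir_ok` is the check worth running on a server when key login silently falls back to a password: the key may well be present in authorized_keys, but sshd will not use it if the file or its directory is too open.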
Try an ssh session after you've performed all the tasks above. You should be happy that you were not prompted for a password, nor for your passphrase. You hold the private key that matches the public key on the server, and that authenticates you before password authentication is needed. Try regenerating a new RSA key pair... you will be prompted for your password, because your key pair no longer matches the copy on the servers, and you'll have to re-copy your key to all of them. Also... try this command...
[user@station ~]$ ssh -Xv user@server
What you should see is the handshake and authentication process occur, step by step, until authentication is resolved by your public/private ssh-rsa keys. Go ahead and try running that command for yourself. It's pretty nerdy stuff, but it's good to know how to debug your connection's authentication process in the future.
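Picking the authentication outcome out of that `ssh -v` debug output, as an added example that is not part of the original post. The three samples are constructed to look like the debug1 lines OpenSSH prints (they are not captures from the post), and the function names are chosen here.

```shell
#!/bin/sh
# Added example: classify the public-key part of an `ssh -v` session.
# The SAMPLE_* logs are constructed, not real captures.

# Constructed: a login where the offered key is accepted.
SAMPLE_KEY_OK='debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/user/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 277
debug1: Authentication succeeded (publickey).'

# Constructed: the key is offered, the server does not accept it (key never
# copied, or authorized_keys permissions too open) and ssh falls back to password.
SAMPLE_KEY_REJECTED='debug1: Next authentication method: publickey
debug1: Offering public key: /home/user/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/user/.ssh/id_dsa
debug1: Next authentication method: password
debug1: Authentication succeeded (password).'

# Constructed: no key was offered at all (nothing in the agent, no key file).
SAMPLE_NO_KEY='debug1: Next authentication method: publickey
debug1: Trying private key: /home/user/.ssh/id_rsa
debug1: Next authentication method: password
debug1: Authentication succeeded (password).'

# Print the method the server finally accepted, or "none" if there is no
# success line in the log passed as $1.
auth_method() {
    m=$(printf '%s\n' "$1" | sed -n 's/^debug1: Authentication succeeded (\([a-z-]*\))\.$/\1/p' | head -n 1)
    printf '%s\n' "${m:-none}"
}

# One-line diagnosis of the public-key exchange in the log passed as $1.
diagnose() {
    log="$1"
    if printf '%s\n' "$log" | grep -q '^debug1: Server accepts key'; then
        echo "key accepted"
    elif printf '%s\n' "$log" | grep -q '^debug1: Offering public key'; then
        echo "key offered but not accepted: check authorized_keys on the server and the ~/.ssh permissions"
    else
        echo "no key offered: run ssh-add -l to see what the agent holds"
    fi
}
```

In practice you would feed it the real output, for example `diagnose "$(ssh -v user@server 2>&1 </dev/null)"`; the "Offering public key" line followed by another "Authentications that can continue" line, with no "Server accepts key" in between, is the signature of a key the server saw and ignored.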
Copyright © 2008-2011 itjournal-stevekline.com. All Rights Reserved.