LAB 5.2

beekay.verma

Hey guys,

I tried the lab Exercise 5.2: Make OpenSSH client config changes exactly how it was mentioned but somehow it doesnt connect to **garply ** via ssh and gives this error:

cloud-engineer-student@ubuntu:~$ ssh garply
ssh: Could not resolve hostname garply: Temporary failure in name resolution

what is it that I'm doing wrong? Could someone guide me to right way please.

Thanks in advance!

lee42x

Hi beekay.verma,
In exercise 5.2.1 you created a configuration file called $HOME/.ssh/config where $HOME is your home directory. The configuration has the line "host garply" which should be the config parameters to be used for for the connection. The ssh command shoud read the configuration file and discover the garply entry then use the hostname and user specified in the config file.

Please post your $HOME/.ssh/config file.

Lee

lee42x

Please confirm the file location/name and the permissions.

lee42x

There is the issue. Must be owned by the user not root.

beekay.verma

@lee42x Thanks for your help!!
here is the file:

host garply
hostname localhost
user root

host *
ForwardX11 yes
~
~

beekay.verma

@lee42x

Thanks for reply. here it is:

cloud-engineer-student@ubuntu:~$ ls -la $HOME/.ssh/config
-rw------- 1 root root 64 Jan 15 00:47 /home/cloud-engineer-student/.ssh/config

beekay.verma

@lee42x ahh... such a newbie mistake. thanks for pointing out.

beekay.verma

@lee42x however I now ran into another issue...

cloud-engineer-student@ubuntu:~$ ssh garply
root@localhost's password:
Permission denied, please try again.
root@localhost's password:
Permission denied, please try again.
root@localhost's password:
root@localhost: Permission denied (publickey,password).

Should I set root password? I recon I never set any root password during or after installation.

beekay.verma

Looks like I was able to do it once update the /etc/ssh/sshd_config file.

cloud-engineer-student@ubuntu:~$ ssh garply
root@localhost's password:
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.8.0-38-generic x86_64)

• Documentation: https://help.ubuntu.com
• Management: https://landscape.canonical.com
• Support: https://ubuntu.com/advantage

14 updates can be installed immediately.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable

Your Hardware Enablement Stack (HWE) is supported until April 2025.

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

/usr/bin/xauth: file /root/.Xauthority does not exist
root@ubuntu:~# hostname
ubuntu
root@ubuntu:~# id
uid=0(root) gid=0(root) groups=0(root)
root@ubuntu:~# exit
logout
Connection to localhost closed.

@lee42x Thanks for your help!!

beekay.verma

please ignore.

beekay.verma

please ignore

beekay.verma

2. Setup ssh keys and fingerprints. If not already done, create a key pair on the local machine:$ ssh-keygenCopy the key to the remote and save the fingerprint$ ssh-copy-id localhost3. Test the password-less connection, if you are prompted for a password fix it now:$ ssh localhostRepeat for all the local interfaces or some remotes$ ssh-copy-id 127.0.0.1

I tried the lab 5.5 with the steps and getting error on first part somehow saying this from step 1 of ssh-keygen:

cloud-engineer-student@ubuntu:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/cloud-engineer-student/.ssh/id_rsa):
/home/cloud-engineer-student/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/cloud-engineer-student/.ssh/id_rsa
Your public key has been saved in /home/cloud-engineer-student/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:v#####################XVeno cloud-engineer-student@ubuntu
The key's randomart image is:
+---[RSA 3072]----+
| .... |
| . . . |
| .. o |
| . o o.=+|
| +. * . .=+|
| .+.o+ =XB|
+----[SHA256]-----+
cloud-engineer-student@ubuntu:~$ ssh-copy-id localhost
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
cloud-engineer-student@localhost's password:
sh: 1: cannot create .ssh/authorized_keys: Permission denied

beekay.verma

I recognized the issue here for the above - ownership:

ls -ld .ssh
drwx------ 2 cloud-engineer-student cloud-engineer-student 4096 Jan 19 01:37 .ssh
cloud-engineer-student@ubuntu:~$ ls -ld .ssh/authorized_keys
-rw------- 1 root root 1429 Jan 19 00:33 .ssh/authorized_keys
cloud-engineer-student@ubuntu:~$ sudo chown cloud-engineer-student:cloud-engineer-student .ssh/authorized_keys
cloud-engineer-student@ubuntu:~$ ssh-copy-id localhost
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed

/usr/bin/ssh-copy-id: WARNING: All keys were skipped because they already exist on the remote system.
(if you think this is a mistake, you may want to use -f option)

cloud-engineer-student@ubuntu:~$ ssh localhost
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.8.0-38-generic x86_64)

lee42x

Great ! Be carful using root to change/configure user's home directory components. You can get extra information using the "-v" flag on the ssh command.

ziggysdomain

@beekay.verma said:
Looks like I was able to do it once update the /etc/ssh/sshd_config file.

I'm stuck at this stage. I had initially created $HOME/.ssh/config file as root and then realised my mistake - it should nave been created without sudo, as in 'nano' and not 'sudo nano'. Like beekay I had not generated a root password, so I did this, but am still getting the permission denied error (I did logout and back in). I don't know what beekay means by updating the /etc/ssh/sshd_config file. What do I put in there? Same as $HOME/.ssh/config file?

lee42x

In this exercise we check the /etc/sshd/sshd_config file allows the root user to login via ssh. This has been the default setting for many releases. This exercise will change the root access to be key based eliminating
the option of using root's password.

The steps adding an authorized key to root for access to local host are documented a being executed as root, this may not be clear. Here are the steps in question using "sudo".

[student@main ~]$ sudo su -c 'cat /home/student/.ssh/authorized_keys >> /root/.ssh/authorized_keys '
[student@main ~]$ sudo chown root.root /root/.ssh/authorized_keys
[student@main ~]$ sudo chmod 600 /root/.ssh/authorized_keys
[student@main ~]$ ssh garply

Things to watch for:
The "sudo su -c " command is required to use the redirection with sudo.
Make sure there is only one iteration of "PermitRootLogin" in the /etc/ssh/sshd_config file.

Let us know if this helps.
Thank you, Lee

lee42x

The option we are looking for in /etc/ssh/sshd_config file is the "PermitRootLogin".
Initially we assume , and check, that PermitRootLogin is set to YES.
We change "PermitRootLogin" so only ssh keys will allow root to login later in the exercise.

lee42x

Step 5.4 you may need to install "xeyes", some distros no longer install xeyes by default.

ziggysdomain

@lee42x said:
In this exercise we check the /etc/sshd/sshd_config file allows the root user to login via ssh. This has been the default setting for many releases. This exercise will change the root access to be key based eliminating
the option of using root's password.


The steps adding an authorized key to root for access to local host are documented a being executed as root, this may not be clear. Here are the steps in question using "sudo".

[student@main ~]$ sudo su -c 'cat /home/student/.ssh/authorized_keys >> /root/.ssh/authorized_keys '
[student@main ~]$ sudo chown root.root /root/.ssh/authorized_keys
[student@main ~]$ sudo chmod 600 /root/.ssh/authorized_keys
[student@main ~]$ ssh garply

Things to watch for:
The "sudo su -c " command is required to use the redirection with sudo.
Make sure there is only one iteration of "PermitRootLogin" in the /etc/ssh/sshd_config file.

Let us know if this helps.
Thank you, Lee

Thanks. I have repeated the first part of exercise 5.1.1 (including checking the permit root login part in sshd_config file). Now do I replace 5.1.2 with your instructions above?