Thursday, March 29, 2012

Ubuntu on Lion under VirtualBox (6)

Another thing you'd want for a real server is to allow remote logon using SSH.

I'm going to follow my old post, but try to be a little more organized about everything.

The first step is to generate an RSA key pair. We'll use a key length of 1024 bits, although for a real application you'd want something substantially longer.

On OS X:

> ssh-keygen -b 1024 -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/telliott_admin/.ssh/id_rsa): 
Created directory '/Users/telliott_admin/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /Users/telliott_admin/.ssh/id_rsa.
Your public key has been saved in /Users/telliott_admin/.ssh/id_rsa.pub.
The key fingerprint is:
c0:67:0f:f5:08:08:af:33:17:40:e2:c5:80:5a:0a:e5 telliott_admin@Toms-Mac-mini.local
The key's randomart image is:
+--[ RSA 1024]----+
| o++=. .. .      |
|oo.o.+.  o o     |
|ooE   = + . .    |
|o    . = o       |
|    + . S .      |
|     +           |
|                 |
|                 |
|                 |
+-----------------+
> 

passphrase: xxxxxxx

The purpose of the passphrase is to protect the private key on my machine (I think). The key files are in:

.ssh/id_rsa
.ssh/id_rsa.pub


At a later point there will be other files here like:

.ssh/known_hosts

It's convenient to refer to a key by its digest (fingerprint):

> ssh-keygen -l -f ~/.ssh/id_rsa.pub
1024 c0:67:0f:f5:08:08:af:33:17:40:e2:c5:80:5a:0a:e5 
/Users/telliott_admin/.ssh/id_rsa.pub (RSA)

(I wrapped the output line).

On U32 (I already did this):

sudo apt-get install openssh-server

We need to edit /etc/ssh/sshd_config. Make sure the "Port 22" line is uncommented and make the following changes:

PermitRootLogin no
ChallengeResponseAuthentication yes
PasswordAuthentication yes   # we'll set it to no eventually

telliott@U32:/etc/ssh$ diff sshd_config sshd_config.orig
27c27
< PermitRootLogin no
---
> PermitRootLogin yes
48c48
< ChallengeResponseAuthentication yes
---
> ChallengeResponseAuthentication no
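Review bot: the 48c48 hunk turns ChallengeResponseAuthentication from no to yes, which key-based logins do not need and which opens a second password path: with UsePAM yes (Ubuntu's packaged sshd_config sets it) sshd offers keyboard-interactive authentication, and the PAM stack behind it accepts the account password regardless of PasswordAuthentication, as the UsePAM entry in sshd_config(5) warns. If the goal is key-only logins, leave `ChallengeResponseAuthentication no` in place and change only `PasswordAuthentication`.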
51c51
< PasswordAuthentication yes
---
> #PasswordAuthentication yes

The server's own host keys (distinct from the user key we just made) are also in the /etc/ssh directory:

/etc/ssh/ssh_host_rsa_key.pub

and so on. For example:

telliott@U32:/etc/ssh$ ssh-keygen -l -f ssh_host_rsa_key.pub
2048 9c:a3:65:70:81:1e:d9:47:75:de:09:87:88:4e:cd:8f 
ssh_host_rsa_key.pub (RSA)

Restart the SSH server so the new configuration takes effect.

On OS X:

> ssh telliott@10.0.1.2
The authenticity of host '10.0.1.2 (10.0.1.2)' can't be established.
RSA key fingerprint is 9c:a3:65:70:81:1e:d9:47:75:de:09:87:88:4e:cd:8f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.1.2' (RSA) to the list of known hosts.
telliott@10.0.1.2's password: 
Welcome to Ubuntu 11.10 (GNU/Linux 3.0.0-17-generic i686)
..
telliott@U32:~$ 

Before you answer "yes" above, be sure to check that the fingerprint the "host" 10.0.1.2 presents is the same as the one we got in Ubuntu for ssh_host_rsa_key.pub; on first contact this comparison is the only thing that tells you the machine you reached is really the VM and not something else answering on that address.

In a new Terminal window or tab:

> ssh-keygen -lvf ~/.ssh/known_hosts
2048 9c:a3:65:70:81:1e:d9:47:75:de:09:87:88:4e:cd:8f 10.0.1.2 (RSA)
+--[ RSA 2048]----+
|       +..=.o.o. |
|      + .+.+ +o..|
|     ...+.  o ...|
|      .+ o E .   |
|        S        |
|       + .       |
|      .          |
|                 |
|                 |
+-----------------+
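To make the fingerprint comparison above (and the later check that authorized_keys holds the OS X public key) concrete, here is an added example that recomputes fingerprints the way ssh-keygen -l does. This is example code written for this page, not code from the original post; the key material is constructed (synthetic moduli of the right size, not real RSA keys), and only the host address 10.0.1.2 and the user names are taken from the post.

```python
"""Recompute OpenSSH key fingerprints (what `ssh-keygen -l` prints).

Added example, not code from the original post.  The keys below are
constructed for illustration: the moduli are synthetic numbers of the
right size, not real RSA keys.
"""
import base64
import hashlib
import struct
from typing import List, Tuple


def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed SSH string (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """Positive integer as an SSH mpint: big-endian, sign bit kept clear."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def encode_rsa_public_key(e: int, n: int, comment: str = "") -> str:
    """Build the `ssh-rsa AAAA... comment` line found in id_rsa.pub."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return line + " " + comment if comment else line


def parse_key_line(line: str) -> Tuple[str, bytes]:
    """Return (key type, raw key blob) from a line of id_rsa.pub,
    authorized_keys or known_hosts.  known_hosts lines start with the host
    name, so the type token is located rather than assumed at column 0."""
    fields = line.split()
    for i, tok in enumerate(fields[:-1]):
        if tok.startswith(("ssh-", "ecdsa-")):
            return tok, base64.b64decode(fields[i + 1])
    raise ValueError("no public key found in line")


def _split_blob(blob: bytes) -> List[bytes]:
    """Split a key blob into its length-prefixed fields."""
    parts, off = [], 0
    while off < len(blob):
        (length,) = struct.unpack(">I", blob[off:off + 4])
        parts.append(blob[off + 4:off + 4 + length])
        off += 4 + length
    return parts


def rsa_bits(blob: bytes) -> int:
    """Modulus bit length: the leading number in ssh-keygen -l output."""
    kind, _e, n = _split_blob(blob)[:3]
    if kind != b"ssh-rsa":
        raise ValueError("not an RSA key")
    return int.from_bytes(n, "big").bit_length()


def fingerprint_md5(blob: bytes) -> str:
    """Colon-separated MD5 hex digest, the format ssh-keygen -l used in 2012."""
    hexdigest = hashlib.md5(blob).hexdigest()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def fingerprint_sha256(blob: bytes) -> str:
    """SHA256:<unpadded base64>, the format newer OpenSSH prints by default."""
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode("ascii")
    return "SHA256:" + digest.rstrip("=")


def same_key(line_a: str, line_b: str) -> bool:
    """The first-contact check from the post: does the key recorded in
    known_hosts match the host key the server itself reports?"""
    return fingerprint_md5(parse_key_line(line_a)[1]) == fingerprint_md5(parse_key_line(line_b)[1])


# Constructed sample material (synthetic moduli, not real keys).
HOST_PUB = encode_rsa_public_key(65537, 2 ** 2047 + 1, "root@U32")   # like /etc/ssh/ssh_host_rsa_key.pub
KNOWN_HOSTS_LINE = "10.0.1.2 " + HOST_PUB.rsplit(" ", 1)[0]          # like a ~/.ssh/known_hosts entry
USER_PUB = encode_rsa_public_key(65537, 2 ** 1023 + 1, "telliott_admin@Toms-Mac-mini.local")

if __name__ == "__main__":
    for label, line in (("host key", HOST_PUB), ("known_hosts", KNOWN_HOSTS_LINE), ("id_rsa.pub", USER_PUB)):
        kind, blob = parse_key_line(line)
        print(label, rsa_bits(blob), fingerprint_md5(blob), kind)
    print("known_hosts matches host key:", same_key(KNOWN_HOSTS_LINE, HOST_PUB))
```

The fingerprint is a digest of the base64 key blob alone, which is why the same key prints the same fingerprint whether it is read from ssh_host_rsa_key.pub on the server, from the known_hosts entry on the Mac, or (for the user key) from id_rsa.pub and authorized_keys; the host-name field and the trailing comment never enter the hash.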


At this point we want to copy our public key over to the server.

The way I did this is:

> scp ~/.ssh/id_rsa.pub telliott@10.0.1.2:~/.ssh/authorized_keys
telliott@10.0.1.2's password: 
id_rsa.pub                                      100%  248     0.2KB/s   00:00    

Note: the docs say to do the following instead (ssh-copy-id appends to authorized_keys rather than replacing the whole file, as the scp above does):

ssh-copy-id username@remotehost
chmod 600 .ssh/authorized_keys

Having done this, my home directory in Ubuntu should have a file of authorized keys:

telliott@U32:~$ cd .ssh
telliott@U32:~/.ssh$ ls
authorized_keys  known_hosts
telliott@U32:~/.ssh$ ssh-keygen -l -f ~/.ssh/authorized_keys
1024 c0:67:0f:f5:08:08:af:33:17:40:e2:c5:80:5a:0a:e5 
/home/telliott/.ssh/authorized_keys (RSA)

The fingerprint matches my public key generated on OS X.

Change the config file to PasswordAuthentication no.

telliott@U32:~/.ssh$ cd /etc/ssh
telliott@U32:/etc/ssh$ sudo nano sshd_config
telliott@U32:/etc/ssh$ diff sshd_config sshd_config.orig 
27c27
< PermitRootLogin no
---
> PermitRootLogin yes
48c48
< ChallengeResponseAuthentication yes
---
> ChallengeResponseAuthentication no
51c51
< PasswordAuthentication no
---
> #PasswordAuthentication yes
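With PasswordAuthentication now off, an added check of what the file actually permits. This is example code written for this page, not code from the original post; it models sshd's first-uncommented-occurrence-wins reading of the file, uses the OpenSSH 5.x compiled-in defaults from sshd_config(5) (an assumption about your own version), and runs over a constructed copy of the post's final config with Ubuntu's stock UsePAM yes present.

```python
"""Audit the sshd_config settings the post edits.

Added example, not code from the original post.  The sample configs are
constructed; the default values are taken from sshd_config(5) for the
OpenSSH 5.x generation and are an assumption for your own server.
"""
import re
from typing import Dict, List

# Compiled-in defaults (sshd_config(5), OpenSSH 5.x).  Ubuntu's packaged
# sshd_config sets UsePAM yes on top of these, which is what matters below.
DEFAULTS = {
    "permitrootlogin": "yes",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "usepam": "no",
}

_KEYWORD = re.compile(r"^([A-Za-z0-9]+)\s*=?\s*(\S.*)$")


def effective_settings(config_text: str) -> Dict[str, str]:
    """Effective value of each keyword in DEFAULTS for the global section."""
    seen: Dict[str, str] = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank or commented out: no effect
        m = _KEYWORD.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break                         # conditional section: out of scope
        seen.setdefault(key, value)       # first occurrence wins, as in sshd
    return {k: seen.get(k, default) for k, default in DEFAULTS.items()}


def password_logins_possible(settings: Dict[str, str]) -> bool:
    """True if a password alone can still authenticate a user.

    PasswordAuthentication is only one password path.  With
    ChallengeResponseAuthentication yes and UsePAM yes, sshd also offers
    keyboard-interactive authentication, and the PAM stack behind it
    accepts the account password (sshd_config(5), UsePAM)."""
    on = lambda k: settings[k].lower() == "yes"
    return on("passwordauthentication") or (
        on("challengeresponseauthentication") and on("usepam"))


def audit(config_text: str) -> List[str]:
    """Findings for the settings the post touches; empty list means clean."""
    s = effective_settings(config_text)
    findings = []
    if s["permitrootlogin"] != "no":
        findings.append("PermitRootLogin is %s, set it to no" % s["permitrootlogin"])
    if s["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is off, key logins will fail")
    if password_logins_possible(s):
        findings.append(
            "password logins still possible (PasswordAuthentication=%s, "
            "ChallengeResponseAuthentication=%s, UsePAM=%s)"
            % (s["passwordauthentication"],
               s["challengeresponseauthentication"], s["usepam"]))
    return findings


# Constructed sample: the post's final edits on top of Ubuntu's UsePAM yes.
POST_FINAL = """\
# Package generated configuration file
Port 22
PermitRootLogin no
PubkeyAuthentication yes
ChallengeResponseAuthentication yes
#PasswordAuthentication yes
PasswordAuthentication no
UsePAM yes
"""

# Same file with the keyboard-interactive password path closed as well.
HARDENED = POST_FINAL.replace("ChallengeResponseAuthentication yes",
                              "ChallengeResponseAuthentication no")

if __name__ == "__main__":
    for name, text in (("post's config", POST_FINAL), ("hardened", HARDENED)):
        print(name + ":", audit(text) or ["no findings"])
```

Run against the post's final file the audit reports one finding, that passwords are still accepted through keyboard-interactive authentication; flipping ChallengeResponseAuthentication back to no clears it. On a live server, sshd -T prints the effective settings directly and is the authoritative check.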


Finally, from OS X:

> ssh telliott@10.0.1.2


Identity added: /Users/telliott_admin/.ssh/id_rsa (/Users/telliott_admin/.ssh/id_rsa)
Welcome to Ubuntu 11.10 (GNU/Linux 3.0.0-17-generic i686)

 * Documentation:  https://help.ubuntu.com/

Last login: Thu Mar 29 13:20:00 2012 from toms-mac-mini.local
telliott@U32:~$ 

Logging out and retrying does not require the passphrase again, nor does quitting Terminal and starting again. I did not save to the Keychain, so what's the deal? Maybe it has something to do with Lion apps remembering their state between runs.

A reboot of the machine does force the prompt for the passphrase.