Wednesday, August 22, 2012

Lab 1 - Selecting an OS

For the first lab we are going to select a distribution to work with. Some may think selecting a Linux distribution (operating system) would be easy, but in fact there are several hundred to choose from. So which is right for you?

The first question you have to ask yourself is, “what am I going to do with it?” This is a very important question because there are so many to pick from. If you’re just starting out and you’re not sure what you want yet, I would suggest looking at either Fedora or Ubuntu. These are two of the top distributions, and both have plenty of forums for help.

But before you download an ISO (CD image file) and wipe Windows off your machine, you may want to play around with a live CD first. What’s a live CD, you ask? A live CD is a full operating system on a CD-ROM!! All you have to do is download an ISO image, burn it to a CD, put the CD into your computer, and reboot. Like magic you’re running Linux in no time flat! (P.S. Fedora and Ubuntu come as Live CDs.)

Live CDs are a great option because they give you a chance to try out different distributions without damaging your Windows operating system. Here is a great list of Linux Live CDs.

So, for lab one, your task is to research the different Linux distributions you have to choose from and select one (or two, or three, etc). Once you do that, download the ISO files, burn your CDs and start to explore.

(P.S. For more advanced users, you could also look into using VMware or VirtualBox to run your distribution of choice.)

For the labs we will be doing in this blog, I will be working with Fedora.

Wednesday, August 1, 2012

Multi-Factor Authentication using SSH

While setting up a new Linux server I got the idea to increase the security to multi-factor authentication rather than just a simple password. A search of the Tubes didn’t reveal an adequate guide on how to best go about this. This post exists because of that lack of a guide, in the hope it will save you a little time and help increase your security.

Goal:
I wanted to be able to utilize multi-factor authentication from multiple workstations running different operating systems (namely Windows & Linux). Also, I will not be the only one using this form of authentication, so I needed to make it shareable with the team.

To accomplish these goals I selected SSH, using a public / private key along with a passphrase on the key; hence giving me two factors (something I have and something I know).

I know what some people will be saying at this point, “this has been done before and there’s tons of posts...” Well, it is true that public / private keys are not new to SSH, but generally they are used without a passphrase (for automation) and they are generated from the client side. In this example I will generate the RSA keys on the server and then transport the private key to the client I want to utilize it on.

The Setup:


Steps:
The commands below do the following, in order:

1) Create an account named ServiceAccount
2) Set password for the ServiceAccount
3) Change user and “become” the user ServiceAccount
4) Generate the RSA keys
- Save the key to the default location
- Set a passphrase that is strong but you can remember
5) Put a copy of the public RSA key into the authorized_keys file
6) Change the security on the authorized_keys file
7) Become root (or another user that has sudo access)
8) Make a backup of the sshd_config file before we modify it
9) Make the following modifications to sshd_config file
10) Restart the sshd daemon
11) Copy the private key to your remote client (in my case this was a Linux box)
12) Connect from the remote Linux workstation

Commands:

useradd ServiceAccount
passwd ServiceAccount
su ServiceAccount
ssh-keygen -t rsa
## Save the keys to the default location (/home/ServiceAccount/.ssh)
## Set a strong passphrase when prompted
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
su -
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.orig
vi /etc/ssh/sshd_config
## Set these three directives in sshd_config, then save and exit
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
service sshd restart
## You are root at this point, so ~ is root's home; use the full path to ServiceAccount's key
scp /home/ServiceAccount/.ssh/id_rsa UserName@Client:~/ServiceAccount_RSA
## Run this on the remote client
ssh -i ~/ServiceAccount_RSA ServiceAccount@Server
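
An edit to sshd_config has no effect if an earlier line already sets the same keyword, and a directive placed under a Match block is only conditional, so it is worth checking the file after step 9. The script below is an added example, not part of the original post: it audits a config file for the three directives set above. The function names and both sample configs are constructed for illustration; on the server itself, `sshd -t` checks the syntax and `sshd -T` prints the effective settings.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Print the value sshd would use for KEYWORD from the global part of FILE.
# Keywords are case-insensitive and the first occurrence wins; lines inside a
# Match block are conditional, so parsing stops there. Include files are not
# followed, and "Keyword value" (whitespace-separated) syntax is assumed.
effective_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == want { print $2; exit }
    ' "$1"
}

# Require the three settings from the post to be set explicitly.
audit_sshd_config() {
    rc=0
    for pair in PasswordAuthentication:no PubkeyAuthentication:yes PermitRootLogin:no; do
        key=${pair%%:*}; want=${pair##*:}
        got=$(effective_value "$1" "$key")
        if [ "$got" = "$want" ]; then
            echo "OK    $key $got"
        else
            echo "FAIL  $key is '${got:-unset}', expected '$want'"
            rc=1
        fi
    done
    return "$rc"
}

# Write two constructed sample configs into directory $1.
write_samples() {
    printf '%s\n' '# constructed sample' 'PermitRootLogin no' \
        'passwordauthentication no' 'PubkeyAuthentication yes' > "$1/good"
    # Duplicate keyword (the later "no" is ignored), a misspelled keyword,
    # and a directive that only appears inside a Match block.
    printf '%s\n' 'PasswordAuthentication yes' 'PasswordAuthentication no' \
        'PubKeyAuthenticaion yes' 'Match User backup' \
        '    PermitRootLogin no' > "$1/bad"
}

tmp=$(mktemp -d)
write_samples "$tmp"
audit_sshd_config "$tmp/good"
audit_sshd_config "$tmp/bad" || echo "bad sample rejected"
rm -rf "$tmp"
```

To audit a real file, call `audit_sshd_config /etc/ssh/sshd_config` as root before restarting sshd.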