###########################
# For laptops running Linux
###########################

1. Make sure that the authorized_keys file exists on the machine you want to connect to. If the authorized_keys file does not exist, create it.

hezron@cybersec:~$ ls -alh /home/hezron/
total 32K
drwxr-xr-x 3 hezron hezron 4.0K Mar 11 15:02 .
drwxr-xr-x 3 root root 4.0K Mar 11 14:13 ..
-rw------- 1 hezron hezron 219 Mar 11 14:45 .bash_history
-rw-r--r-- 1 hezron hezron 220 Mar 11 14:13 .bash_logout
-rw-r--r-- 1 hezron hezron 3.5K Mar 11 14:13 .bashrc
drwx------ 2 hezron hezron 4.0K Mar 11 14:16 .cache
-rw-r--r-- 1 hezron hezron 675 Mar 11 14:13 .profile
-rw------- 1 hezron hezron 1.5K Mar 11 15:02 .viminfo
hezron@cybersec:~$ mkdir /home/hezron/.ssh
hezron@cybersec:~$ touch /home/hezron/.ssh/authorized_keys
hezron@cybersec:~$ ls -alh /home/hezron/
total 36K
drwxr-xr-x 4 hezron hezron 4.0K Mar 11 17:43 .
drwxr-xr-x 3 root root 4.0K Mar 11 14:13 ..
-rw------- 1 hezron hezron 219 Mar 11 14:45 .bash_history
-rw-r--r-- 1 hezron hezron 220 Mar 11 14:13 .bash_logout
-rw-r--r-- 1 hezron hezron 3.5K Mar 11 14:13 .bashrc
drwx------ 2 hezron hezron 4.0K Mar 11 14:16 .cache
-rw-r--r-- 1 hezron hezron 675 Mar 11 14:13 .profile
drwxrwxr-x 2 hezron hezron 4.0K Mar 11 17:43 .ssh
-rw------- 1 hezron hezron 1.5K Mar 11 15:02 .viminfo
hezron@cybersec:~$

Note that the freshly created .ssh directory is group-writable (drwxrwxr-x) because of the default umask. That is exactly what the next step fixes.

2. Ensure you have the correct permissions set up. With StrictModes (the default) the ssh server ignores authorized_keys if your home directory, ~/.ssh or the file itself is writable by group or others. The conventional modes are 0700 for ~/.ssh and 0600 for authorized_keys. The stricter 0500/0400 used below also satisfies sshd, but it leaves you, the owner, unable to append further keys (or to let ssh create ~/.ssh/known_hosts from this account) until you chmod u+w again. sudo is not needed here, since hezron already owns the files.

hezron@cybersec:~$ sudo chmod -R 0500 /home/hezron/.ssh
hezron@cybersec:~$ sudo chmod 0400 /home/hezron/.ssh/authorized_keys
hezron@cybersec:~$ ls -alh /home/hezron/
total 36K
drwxr-xr-x 4 hezron hezron 4.0K Mar 11 17:43 .
drwxr-xr-x 3 root root 4.0K Mar 11 14:13 ..
-rw------- 1 hezron hezron 219 Mar 11 14:45 .bash_history
-rw-r--r-- 1 hezron hezron 220 Mar 11 14:13 .bash_logout
-rw-r--r-- 1 hezron hezron 3.5K Mar 11 14:13 .bashrc
drwx------ 2 hezron hezron 4.0K Mar 11 14:16 .cache
-rw-r--r-- 1 hezron hezron 675 Mar 11 14:13 .profile
dr-x------ 2 hezron hezron 4.0K Mar 11 17:43 .ssh
-rw------- 1 hezron hezron 1.5K Mar 11 15:02 .viminfo
hezron@cybersec:~$ ls -alh /home/hezron/.ssh/
total 12K
dr-x------ 2 hezron hezron 4.0K Mar 11 17:43 .
drwxr-xr-x 4 hezron hezron 4.0K Mar 11 17:43 ..
-r-------- 1 hezron hezron 408 Mar 11 17:46 authorized_keys
hezron@cybersec:~$

3. Generate an ssh public/private key pair on the client machine.

[fhuogho@rocker /]$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/fhuogho/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/fhuogho/.ssh/id_rsa.
Your public key has been saved in /home/fhuogho/.ssh/id_rsa.pub.
The key fingerprint is:
82:8c:e8:1b:68:9f:8b:a6:e5:a1:c5:e0:bd:a3:2e:42 fhuogho@rocker.monky.or.ke
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|                 |
|                 |
|     . o .       |
|o   . o . S      |
|+E. .            |
|o==.             |
|+*=oo            |
|O=o=o            |
+-----------------+
[fhuogho@rocker /]$ ls -lh /home/fhuogho/.ssh/
total 16K
-rw-------. 1 fhuogho fhuogho 1.8K Mar 11 14:34 id_rsa
-rw-r--r--. 1 fhuogho fhuogho 408 Mar 11 14:34 id_rsa.pub
-rw-r--r--. 1 fhuogho fhuogho 4.8K Mar 11 12:55 known_hosts
[fhuogho@rocker /]$

The lab uses a 2048-bit RSA key, which was the common choice when it was written. On any current OpenSSH prefer ssh-keygen -t ed25519; if you must use RSA, current ssh-keygen generates 3072-bit keys by default and you should not go below that. Note also that the private key (id_rsa) is mode 0600 and must stay that way: ssh refuses to use a private key that other users can read.

The passphrase is used to keep your private key encrypted on disk. It can be pretty much anything you want and as long as you want, including spaces, but if you forget it, your key becomes worthless. For now pick something that you will easily remember. You can change it at any time in the future (using ssh-keygen -p).

NOTE: Key generation is a one-off exercise.
The more widely you deploy your public key, the more work it will be if you lose the private key and have to start again with a new one. Keep a secure backup of the private key somewhere, e.g. on a CD-ROM that you lock away.

4. Copy the public key from your client machine to your server.

[fhuogho@rocker /]$ scp /home/fhuogho/.ssh/id_rsa.pub hezron@192.168.236.128:/home/hezron/.ssh/authorized_keys
hezron@192.168.236.128's password:
id_rsa.pub 100% 408 0.4KB/s 00:00
[fhuogho@rocker /]$

Note that .ssh/authorized_keys can contain multiple keys, one per line, and the scp above overwrites the whole file. On a shared system you should append your key instead:

[fhuogho@rocker /]$ cat /home/fhuogho/.ssh/id_rsa.pub | ssh hezron@192.168.236.128 'cat >> /home/hezron/.ssh/authorized_keys'
[fhuogho@rocker /]$

(Either copy only works while the owner can still write the file; if you set authorized_keys to 0400 in step 2, chmod u+w it first. Where ssh-copy-id is installed on the client, ssh-copy-id hezron@192.168.236.128 does the append and the permission fixes for you.)

5. Login using your private key

Open an ssh connection to your server as normal:

[fhuogho@rocker /]$ ssh hezron@192.168.236.128

This time, instead of being prompted for your password, you should be prompted for the passphrase on your private key. Enter it. You should be logged in.

6. Use a passphrase agent

Entering a passphrase every time you connect would be painful, but this is not necessary if you have an agent which decrypts the private key and keeps it in memory. If you are running under a modern graphical environment like Gnome, you probably already got a dialog box prompting you for a passphrase, and this means you are already running an agent. You should be able to log out and log in to the remote server again without being prompted for your passphrase.
To see what identities (decrypted private keys) your agent has in memory:

[fhuogho@rocker /]$ ssh-add -l
2048 82:8c:e8:1b:68:9f:8b:a6:e5:a1:c5:e0:bd:a3:2e:42 fhuogho@rocker.monky.or.ke (RSA)
[fhuogho@rocker /]$

To remove your default identity from the agent (ssh-add -D, upper case, forgets all identities):

[fhuogho@rocker /]$ ssh-add -d
Identity removed: /home/fhuogho/.ssh/id_rsa ( fhuogho@rocker.monky.or.ke)
[fhuogho@rocker /]$

If you don't have an agent, then you can start a new subshell with ssh-agent as its parent:

[fhuogho@rocker /]$ ssh-agent bash
[fhuogho@rocker /]$ ssh-add
... prompted for your passphrase
[fhuogho@rocker /]$

Now the agent will handle future connections for you. If you are running an older graphical environment, and you normally start X using startx, then start it using ssh-agent startx instead. Then type 'ssh-add' in an xterm.

7. Disable Password Access to your Server - Connect Only With SSH Keys

Only do this exercise if you have successfully copied your public key to your machine and you are being prompted for your ssh private key passphrase when you log in and not your password.

Log in on your machine. Once logged in become the root user:

hezron@cybersec:~$ sudo su
[sudo] password for hezron:
root@cybersec:/home/hezron# cd /
root@cybersec:/# ls -alh /root/
total 20K
drwx------ 2 root root 4.0K Mar 11 14:17 .
drwxr-xr-x 23 root root 4.0K Mar 11 14:09 ..
-rw------- 1 root root 79 Mar 11 17:55 .bash_history
-rw-r--r-- 1 root root 3.1K Apr 19 2012 .bashrc
-rw-r--r-- 1 root root 140 Apr 19 2012 .profile
root@cybersec:/#

As the root user, copy the authorized_keys file to the directory /root/.ssh. (Direct root logins over ssh are a convenience for this lab; on a production host prefer PermitRootLogin no, or prohibit-password, in sshd_config and use sudo from an unprivileged account as in the earlier steps.)

root@cybersec:/# mkdir /root/.ssh
root@cybersec:/# chmod 700 /root/.ssh
root@cybersec:/# cp /home/hezron/.ssh/authorized_keys /root/.ssh/.
root@cybersec:/# chown root:root /root/.ssh/authorized_keys
root@cybersec:/# chmod 644 /root/.ssh/authorized_keys
root@cybersec:/# ls -alh /root/
total 24K
drwx------ 3 root root 4.0K Mar 11 18:36 .
drwxr-xr-x 23 root root 4.0K Mar 11 14:09 ..
-rw------- 1 root root 79 Mar 11 17:55 .bash_history
-rw-r--r-- 1 root root 3.1K Apr 19 2012 .bashrc
-rw-r--r-- 1 root root 140 Apr 19 2012 .profile
drwx------ 2 root root 4.0K Mar 11 18:36 .ssh
root@cybersec:/# ls -alh /root/.ssh/
total 12K
drwx------ 2 root root 4.0K Mar 11 18:36 .
drwx------ 3 root root 4.0K Mar 11 18:36 ..
-rw-r--r-- 1 root root 816 Mar 11 18:36 authorized_keys
root@cybersec:~#

(The file is 816 bytes, two 408-byte key lines: the scp in step 4 wrote the key once and the append wrote it again. Duplicate lines are harmless, but a key you want to revoke later must then be removed from both places.)

Now log out of your machine and try to log back in, but this time as the "root" user, not as the "hezron" user. If you are prompted for your ssh private key passphrase and not a password, then you are ready to disable password access to your machine.

Log in on your machine as the root user. Now edit the file /etc/ssh/sshd_config. Inside the file look for the following line:

#PasswordAuthentication yes

Just after this line add a line that says:

PasswordAuthentication no

Save and exit from the file. Two things to check before you reload: sshd uses the first value it finds for a keyword, so make sure there is no uncommented PasswordAuthentication yes earlier in the file (or in a Match block that applies to you), and make sure ChallengeResponseAuthentication is also set to no (Ubuntu's shipped file already does this; on OpenSSH 8.7 and later the keyword is an alias for KbdInteractiveAuthentication), otherwise PAM can still ask for a password through keyboard-interactive authentication. Run sshd -t to check the file for syntax errors, then reload the ssh server:

root@cybersec:~# exit
logout
Connection to 192.168.236.128 closed.
[fhuogho@rocker /]$
[fhuogho@rocker /]$ ssh root@192.168.236.128
Welcome to Ubuntu 12.04.4 LTS (GNU/Linux 3.11.0-15-generic x86_64)

 * Documentation: https://help.ubuntu.com/

  System information as of Tue Mar 11 18:37:12 EAT 2014

  System load:  0.08              Processes:           239
  Usage of /:   4.3% of 17.29GB   Users logged in:     1
  Memory usage: 9%                IP address for eth0: 192.168.236.128
  Swap usage:   0%

  Graph this data and manage this system at:
    https://landscape.canonical.com/

0 packages can be updated.
0 updates are security updates.

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
root@cybersec:~# vi /etc/ssh/sshd_config

ADD:
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
PasswordAuthentication no

root@cybersec:~# service ssh reload

Before logging out we recommend you leave your current session open in case there are problems: a reload only affects new connections, so an open session is your way back in if you have locked yourself out of your machine. If you do lock yourself out, let your instructor know.

Now use ssh or putty on your laptop and try connecting to your server. You should get prompted for your ssh private key's passphrase and be able to log in. If you did, everything is working.

At this point all new users on your machine must use ssh keys to connect and not passwords. If you wish to verify this you can do the following:

# adduser testuser

root@cybersec:~# exit
logout
Connection to 192.168.236.128 closed.
[fhuogho@rocker /]$ ssh root@192.168.236.128
Welcome to Ubuntu 12.04.4 LTS (GNU/Linux 3.11.0-15-generic x86_64)

 * Documentation: https://help.ubuntu.com/

  System information as of Tue Mar 11 18:43:34 EAT 2014

  System load:  0.0               Processes:           239
  Usage of /:   4.3% of 17.29GB   Users logged in:     1
  Memory usage: 9%                IP address for eth0: 192.168.236.128
  Swap usage:   0%

  Graph this data and manage this system at:
    https://landscape.canonical.com/

0 packages can be updated.
0 updates are security updates.

Last login: Tue Mar 11 18:37:12 2014 from 192.168.236.1
root@cybersec:~# adduser testuser
Adding user `testuser' ...
Adding new group `testuser' (1001) ...
Adding new user `testuser' (1001) with group `testuser' ...
Creating home directory `/home/testuser' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for testuser
Enter the new value, or press ENTER for the default
        Full Name []: Test User
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n] Y
root@cybersec:~# exit
logout
Connection to 192.168.236.128 closed.
[fhuogho@rocker /]$

Answer the on-screen prompts.
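The edit above relies on the new PasswordAuthentication line being the first uncommented one sshd sees. The following helpers, added here as an example and not part of the original handout, make that rule visible: sshd_effective reports the value sshd will actually use for a keyword (first match wins, Match blocks excluded), and sshd_set_global sets a keyword in a way that cannot be shadowed. The function names and the sshd_config fragment in the demo are constructed for this example; run sshd -t -f FILE on a real file before reloading.

```shell
#!/bin/sh
# Added example (not from the handout).  sshd takes the FIRST value it finds
# for a keyword, so "add PasswordAuthentication no under the commented line"
# silently does nothing if an uncommented "PasswordAuthentication yes" appears
# earlier in the file.  Only the "Keyword value" syntax is handled; Match
# blocks are skipped because the values inside them are conditional.

# sshd_effective CONFIG KEYWORD
# Prints the first value set for KEYWORD in the global section of CONFIG
# (case-insensitive keyword, comments and blank lines skipped, stops at the
# first Match block).  Exit 1 and no output if it is not set globally.
sshd_effective() {
    awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        NF == 0 || $1 ~ /^#/   { next }                      # blank or comment
        tolower($1) == "match" { exit }                      # conditional section
        tolower($1) == kw      { print $2; found = 1; exit } # first match wins
        END                    { exit found ? 0 : 1 }
    ' "$1"
}

# sshd_set_global CONFIG KEYWORD VALUE
# Rewrites CONFIG so that "KEYWORD VALUE" is the very first directive and every
# earlier global setting of KEYWORD is commented out.  Match blocks are left
# untouched, so per-user exceptions keep working.
sshd_set_global() {
    cfg="$1"; tmp="$1.tmp.$$"
    awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v line="$2 $3" '
        BEGIN { print line }
        NF > 0 && $1 !~ /^#/ && tolower($1) == "match" { in_match = 1 }
        !in_match && NF > 0 && $1 !~ /^#/ && tolower($1) == kw { print "#" $0; next }
        { print }
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# Demo on a constructed config that reproduces the trap.
demo() {
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
# constructed sshd_config, not a real system's file
PasswordAuthentication yes
Port 22
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
EOF
    # sshd would still accept passwords here: line 2 wins over line 6
    echo "before: PasswordAuthentication=$(sshd_effective "$cfg" PasswordAuthentication)"
    for kw in PasswordAuthentication ChallengeResponseAuthentication; do
        sshd_set_global "$cfg" "$kw" no
    done
    echo "after:  PasswordAuthentication=$(sshd_effective "$cfg" PasswordAuthentication)"
    echo "after:  ChallengeResponseAuthentication=$(sshd_effective "$cfg" ChallengeResponseAuthentication)"
    rm -f "$cfg"
}

demo
```

On a live server, compare the result with what sshd itself reports: sshd -T prints the effective configuration, and sshd -T -C user=testuser,host=...,addr=... shows it as evaluated for a particular connection, Match blocks included.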
Once the user has been created and you have given it a new password of your choosing, try to open a new ssh session to your machine as that user. You should either be rejected outright or your password attempts will have no effect (which of the two depends on the ssh server version). To log in as this user you would need to copy your public ssh key to their account as we did for the hezron user. This greatly enhances the security of your system: password guessing against the ssh port no longer works for any account.

[fhuogho@rocker /]$ ssh testuser@192.168.236.128
Permission denied (publickey).
[fhuogho@rocker /]$ ssh root@192.168.236.128
Welcome to Ubuntu 12.04.4 LTS (GNU/Linux 3.11.0-15-generic x86_64)

 * Documentation: https://help.ubuntu.com/

  System information as of Tue Mar 11 18:48:33 EAT 2014

  System load:  0.0               Processes:           239
  Usage of /:   4.3% of 17.29GB   Users logged in:     1
  Memory usage: 9%                IP address for eth0: 192.168.236.128
  Swap usage:   0%

  Graph this data and manage this system at:
    https://landscape.canonical.com/

0 packages can be updated.
0 updates are security updates.

Last login: Tue Mar 11 18:43:34 2014 from 192.168.236.1
root@cybersec:~# mkdir /home/testuser/.ssh
root@cybersec:~# chmod 700 /home/testuser/.ssh
root@cybersec:~# cp /home/hezron/.ssh/authorized_keys /home/testuser/.ssh/.
root@cybersec:~# chown -R testuser:testuser /home/testuser/
root@cybersec:~# chmod 644 /home/testuser/.ssh/authorized_keys
root@cybersec:~# exit
logout
Connection to 192.168.236.128 closed.
[fhuogho@rocker /]$ ssh testuser@192.168.236.128
Welcome to Ubuntu 12.04.4 LTS (GNU/Linux 3.11.0-15-generic x86_64)

 * Documentation: https://help.ubuntu.com/

  System information as of Tue Mar 11 19:15:03 EAT 2014

  System load:  0.0               Processes:           239
  Usage of /:   4.3% of 17.29GB   Users logged in:     1
  Memory usage: 9%                IP address for eth0: 192.168.236.128
  Swap usage:   0%

  Graph this data and manage this system at:
    https://landscape.canonical.com/

0 packages can be updated.
0 updates are security updates.
Last login: Tue Mar 11 19:14:57 2014 from 192.168.236.1
testuser@cybersec:~$

##################
### IS FINISHED!!!
##################
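The server-side half of this procedure (steps 1, 2 and 4, repeated for root and for testuser in step 7) is the same three operations every time: create ~/.ssh, get the key line into authorized_keys, and make the modes acceptable to sshd. The script below is an added example, not code from the handout: install_authorized_key does the install idempotently (no duplicate lines on a second run, unlike the scp-then-append sequence above), and check_authorized_keys_perms reproduces the StrictModes checks that make sshd silently ignore a key file. Function names are this example's own, and the key line in the demo is constructed, not a real key.

```shell
#!/bin/sh
# Added example (not from the handout): the server-side work of steps 1, 2
# and 4, plus the per-user copy done for testuser in step 7, as two reusable
# functions.  The key line used in the demo is constructed and is not a real
# key.

# install_authorized_key HOME_DIR PUBKEY_LINE
# Creates HOME_DIR/.ssh (0700) and authorized_keys (0600) if needed and appends
# PUBKEY_LINE unless an identical line is already present, so running it twice
# never duplicates a key.  Returns 0 when added, 2 when it was already there.
# When run as root for another user, chown the result to that user afterwards,
# as step 7 does for testuser.
install_authorized_key() {
    home="$1"; key="$2"
    ssh_dir="$home/.ssh"; ak="$ssh_dir/authorized_keys"
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"          # 0700 rather than 0500: the owner keeps write access
    [ -f "$ak" ] || : > "$ak"
    chmod 600 "$ak"
    if grep -q -x -F -- "$key" "$ak"; then
        return 2
    fi
    printf '%s\n' "$key" >> "$ak"
}

# check_authorized_keys_perms HOME_DIR
# Mirrors what sshd enforces with StrictModes (the default): the home
# directory, ~/.ssh and authorized_keys must exist, must not be group- or
# world-writable, and must be owned by the account (or root).  Prints every
# problem found; exit 1 if there was one.
check_authorized_keys_perms() {
    home="$1"; rc=0
    owner=$(ls -ld "$home" | awk '{print $3}')
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"; rc=1; continue
        fi
        mode=$(ls -ld "$p" | cut -c1-10)      # e.g. drwxrwxr-x
        case "$mode" in
            ?????w????|????????w?)            # group write (col 6) or other write (col 9)
                echo "group/world writable: $p ($mode)"; rc=1 ;;
        esac
        o=$(ls -ld "$p" | awk '{print $3}')
        if [ "$o" != "$owner" ] && [ "$o" != root ]; then
            echo "wrong owner: $p ($o)"; rc=1
        fi
    done
    return $rc
}

# Demo on a throw-away directory standing in for /home/hezron.
demo() {
    tmp=$(mktemp -d)
    chmod 755 "$tmp"
    key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA fhuogho@rocker'
    install_authorized_key "$tmp" "$key" && echo "key added"
    install_authorized_key "$tmp" "$key" || echo "key already present, nothing appended"
    check_authorized_keys_perms "$tmp" && echo "sshd would accept this authorized_keys"
    chmod g+w "$tmp/.ssh"                 # the mode mkdir gave .ssh in step 1
    check_authorized_keys_perms "$tmp" || echo "sshd would ignore the file until this is fixed"
    rm -rf "$tmp"
}

demo
```

When a key login unexpectedly falls back to "Permission denied (publickey)", run the check against the target account's home directory first; a group-writable home or .ssh is the most common cause, and sshd reports it only in its own log (auth.log on Ubuntu), never to the client.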