{"id":2857,"date":"2017-05-01T00:00:17","date_gmt":"2017-05-01T07:00:17","guid":{"rendered":"http:\/\/192.168.3.4\/?p=2857"},"modified":"2018-01-09T06:51:26","modified_gmt":"2018-01-09T14:51:26","slug":"automation-with-ssh-tunneling","status":"publish","type":"post","link":"https:\/\/www.cloudacm.com\/?p=2857","title":{"rendered":"Automation with SSH tunneling"},"content":{"rendered":"<p>In the last post I covered how SSH key pairs can be used as a form of two factor authentication, commonly known as 2FA.\u00a0 In this post I&#8217;ll be covering SSH as a means to establish secure communications between systems.\u00a0 Using SSH will provide a way to run commands on remote hosts, whether they are a node on a local network or across the globe.\u00a0 The key pair security is a way to set the remote host to only allow entry if the connecting client has the correct key.<\/p>\n<p><iframe loading=\"lazy\" title=\"Hak5 - Setup SSH Key Pairs in Linux, Hak5 1110 part3\" width=\"640\" height=\"360\" src=\"https:\/\/www.youtube.com\/embed\/ougAC38QCTY?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe><\/p>\n<p>First we&#8217;ll start by generating the key pairs.\u00a0 This will create a public key which will be placed on the remote host.\u00a0 The second is a private key which will remain on the client.\u00a0 Typically, I create the key pairs on the client.\u00a0 It is much more secure to send a public key to a host than to send a private key.\u00a0 I&#8217;m using Linux, so this command will start the process of key pair generation.\u00a0 Again, I run this from my client that will be establishing an SSH connection to the host.<\/p>\n<p>ssh-keygen -t rsa -b 2048 -C &quot;Clientname to Hostname created yyyymmdd&quot;<\/p>\n<p>I like to add comments to the public key so I can tell who it applies to and when the 
key pair was created.\u00a0 Keys should be changed periodically.\u00a0 Having the timestamp helps in key management.\u00a0 Now that the key pair has been created, we need to copy the public key to our remote host.<\/p>\n<p>On the remote host, I will want to paste the public key text into the &#8220;%h\/.ssh\/authorized_keys&#8221; file.\u00a0 The authorized_keys file is located in the hidden folder named .ssh that resides in the user&#8217;s home directory.\u00a0 The public key should look something like this.\u00a0 I have several lines in my authorized_keys file so multiple clients can link up.<\/p>\n<p>ssh-rsa AAAAB3NzaC1yc2EAAAADAQA6&#8230;M1g9MUCk9BKNA SeattleClient to DallasHost created 20170214<\/p>\n<p>Next, we&#8217;ll need to set the options on the host&#8217;s SSH service configuration.\u00a0 It&#8217;s good practice to make a backup of your configuration before starting, just in case.<\/p>\n<p>sudo cp \/etc\/ssh\/sshd_config{,.bak}<\/p>\n<p>Now we can edit the sshd_config file for the options we&#8217;ll need.\u00a0 You&#8217;ll need to modify the file so that these entries are set.<\/p>\n<p>PermitEmptyPasswords no<br \/>\nPasswordAuthentication no<\/p>\n<p>Restart your host when done.\u00a0 Now from your client system you should be able to establish an SSH tunnel to the host using nothing more than the key pair.\u00a0 Try to connect from another client that does not have a key pair with the host.\u00a0 You should get this message.<\/p>\n<p>Permission denied (publickey).<\/p>\n<p>Having the ability to seamlessly establish a secure connection to the shell allows us to use systems to automate processes.\u00a0 Here we can schedule scripts to run on our client that will connect and execute on the remote host.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In the last post I covered how SSH key pairs can be used as a form of two factor authentication, commonly known as 2FA.\u00a0 In this post I&#8217;ll be covering SSH as a means to establish secure 
communications between systems.\u00a0 Using SSH will provide a way to run commands on remote hosts, whether they are a node on a local network or across the globe.\u00a0 The key pair security is a way to set the remote host to only allow&#8230;<\/p>\n<p class=\"read-more\"><a class=\"btn btn-default\" href=\"https:\/\/www.cloudacm.com\/?p=2857\"> Read More<span class=\"screen-reader-text\">  Read More<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[],"class_list":["post-2857","post","type-post","status-publish","format-standard","hentry","category-raspberry-pi"],"_links":{"self":[{"href":"https:\/\/www.cloudacm.com\/index.php?rest_route=\/wp\/v2\/posts\/2857","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cloudacm.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cloudacm.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cloudacm.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cloudacm.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2857"}],"version-history":[{"count":5,"href":"https:\/\/www.cloudacm.com\/index.php?rest_route=\/wp\/v2\/posts\/2857\/revisions"}],"predecessor-version":[{"id":2862,"href":"https:\/\/www.cloudacm.com\/index.php?rest_route=\/wp\/v2\/posts\/2857\/revisions\/2862"}],"wp:attachment":[{"href":"https:\/\/www.cloudacm.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2857"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cloudacm.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2857"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cloudacm.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2857"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}
]}}