Password-Less Login and Enforcing Use of PKI (Demo)


Time
21 hours 25 minutes
Difficulty
Intermediate
CEU/CPE
21
Video Transcription
00:00
>> Hey there Cyberians,
00:00
and welcome back to the Linux plus course,
00:00
>> here at Cybrary.
00:00
>> I'm your instructor Rob Goelz,
00:00
and in today's lesson we're going to be discussing
00:00
PKI and enforcing password-less login.
00:00
Upon completion of today's lesson,
00:00
you are going to be able to understand
00:00
the importance of password-less login via SSH,
00:00
and we're going to see how to modify
00:00
SSH configuration to require use of PKI
00:00
>> or the public key infrastructure
00:00
>> during our demo in this lesson.
00:00
We covered authentication protocols
00:00
>> and moving away from password-based authentication,
00:00
>> so that begs the question if we're moving away from
00:00
password-based authentication
00:00
>> why are we still using passwords with SSH
00:00
>> and is there a better way to authenticate via SSH?
00:00
>> Yes, there is, and this is where
00:00
the password-less SSH login comes in.
00:00
It uses an SSH key pair
00:00
rather than a password and then it
00:00
forces the use of the public key infrastructure
00:00
because passwords are not accepted,
00:00
instead we have to use the SSH
00:00
>> and it's part of the PKI.
00:00
>> Let's have a look at this with some demo time.
00:00
Here we are in our demo environment
00:00
>> and today we're going to be bouncing
00:00
>> back and forth with Ubuntu,
00:00
>> so if you see the screen move
00:00
back and forth a few times
00:00
>> and so that we can move
00:00
>> from our demo CentOS environment
00:00
>> to our demo Ubuntu environment.
00:00
I'll try and make a good transition
00:00
>> as we go through this,
00:00
>> so it's not too distracting or too disorienting.
00:00
What we've done over here on CentOS
00:00
>> is we've logged in with the user password-less pwless.
00:00
>> This user was created on CentOS
00:00
and Ubuntu with the same password,
00:00
so if we wanted to we can login
00:00
>> from our CentOS system to a Ubuntu with this user.
00:00
>> In fact that's what we'll do.
00:00
>> We're going to log in with ssh pwless on a Ubuntu
00:00
>> and it's going to prompt us for the password,
00:00
>> and now we can get it and land on our Ubuntu system.
00:00
But however, it's prompting us for password,
00:00
and we want to configure things
00:00
>> so that it's password-less.
00:00
>> The first step that we're going to need to do is
00:00
switch over to our Ubuntu environment.
00:00
Here we are in our Ubuntu environment
00:00
>> and in order to do this the first thing
00:00
>> that we need to do is modify
00:00
>> the OpenSSH server configuration,
00:00
>> and so we're going to do a sudoedit on etc/ssh.
00:00
Remember we covered this last lesson,
00:00
sshd for daemon because it's a server, _config.
00:00
Now, inside of here,
00:00
>> what we're actually going to do is make a change
00:00
>> to what is called password authentication,
00:00
>> so we're going to search for password
00:00
>> and we see our password authentication is set to yes.
00:00
>> We're going to change this to no,
00:00
so we're just going to hit "I" for
00:00
insert and then delete,
00:00
and then a no,
00:00
and I'm going to hit "Escape W".
00:00
Now I'm not going to quit out yet
00:00
because we need to make another change,
00:00
so we're going to look for pubkey.
00:00
Do we see pubkeyAuthentication?
00:00
Yes, I'm going to remove
00:00
this comment by hitting "Delete",
00:00
and now we can see that,
00:00
>> that is enabled and set to yes.
00:00
>> We've disabled password authentication
00:00
and we've enabled pub key authentication,
00:00
so let's hit "Escape" again,
00:00
:wq to save and close out of this file.
00:00
Actually one more thing before we go forward,
00:00
let's go ahead and do a systemctl restart
00:00
on sshd to pick up the change,
00:00
and we're going to need to be to do that.
00:00
Too many ss there, sudo
00:00
systemctl restart sshd and there we go.
00:00
We can check the status,
00:00
make sure that that took,
00:00
>> and we can see that it did.
00:00
>> Now, let's go back to our CentOS system
00:00
and try an SSH to Ubuntu again.
00:00
Here we are back in our CentOS system
00:00
and now if we try and do an SSH;
00:00
the password-less at Ubuntu,
00:00
we can see that the permission is denied public key.
00:00
Now what? How do we get back in?
00:00
Well, the first thing that we're going to need to do
00:00
>> is create a key pair for this user.
00:00
>> If we remember from previous lessons,
00:00
the way that we do that is
00:00
>> by using the SSH key gen file
00:00
>> or the SSH key gen command actually,
00:00
>> so we'll type in ssh-keygen.
00:00
We're going to say we want to use the type of rsa
00:00
>> and we can give it a bit of 4096,
00:00
>> so we're going to double the normal bit count.
00:00
Then we'll do as C for comment,
00:00
and we'll say that this is
00:00
>> the password-less user@somedomain.com,
00:00
>> and then we can hit "Enter" and that's created.
00:00
It's going to prompt us for where
00:00
we want to save this file,
00:00
we'll accept the default
00:00
>> and we're going to give it a passphrase
00:00
>> and confirm the passphrase,
00:00
and now that, that has been created.
00:00
Now, what we can do is go ahead
00:00
>> and copy this ID over to Ubuntu.
00:00
>> You do ssh-copy-id,
00:00
because this is how we copy IDs over
00:00
to another system, pwless@ubuntu.
00:00
What happened?
00:00
>> Well, remember,
00:00
>> we disabled password-based authentication,
00:00
password login is turned off,
00:00
so we have to put the public key on Ubuntu 20 manually.
00:00
If you're in this situation as a systems administrator,
00:00
you're going to do this for every user moving forward.
00:00
Again, we put our file;
00:00
our public key here in home/passwordless/ssh_rsa.pub,
00:00
so let's get that out of there first of all
00:00
>> and there we go.
00:00
>> There is our public key,
00:00
so we're going to go ahead
00:00
>> and we're going to copy this.
00:00
>> We can copy it to our clipboard,
00:00
and now let's move over
00:00
>> to our Ubuntu system once again.
00:00
>> Here we are over in our Ubuntu
00:00
>> where we were before,
00:00
>> and what we're going to do is
00:00
>> make sure first of all
00:00
>> that we're in the user directory
00:00
>> for password-less and we are,
00:00
>> and then let's go ahead
00:00
>> and navigate to the ssh; our folder.
00:00
>> Inside of here what we're going to need to do
00:00
is create a file called authorized_keys
00:00
>> and it's authorized_keys.
00:00
>> Now if we just hit "Insert",
00:00
we can paste in what we have in our clipboard.
00:00
We can see that,
00:00
that is a password-less in some domain,
00:00
and we can go ahead and hit "Escape" and wq.
00:00
What we've done is we've just placed
00:00
the public key from our CentOS system
00:00
into the authorized keys file
00:00
for the same user on Ubuntu,
00:00
so now let's go ahead and save and close out of that
00:00
>> and now that is in place.
00:00
>> Now, that the public key from the user on
00:00
CentOS is in place on Ubuntu we can use it,
00:00
so let's go back to CentOS.
00:00
Back here on our CentOS system,
00:00
now we can try and do an ssh to pwless@ubuntu.
00:00
We're getting through;
00:00
>> we're not getting denied anymore,
00:00
>> but it's asking us for a password
00:00
to get in because it's asking us for a password
00:00
to the key for our rsa private key
00:00
>> because we got to establish
00:00
>> a private public key pairing here.
00:00
>> We're going to make sure
00:00
>> that the private key is loaded.
00:00
>> Once you put the password you can get in,
00:00
but this defeats the purpose of password-less login.
00:00
How do we get around that?
00:00
Well, the way that we do that
00:00
>> is we can cache the private key on CentOS,
00:00
>> and we can do that with eval.
00:00
I'm putting a back ticks.
00:00
On a US keyboard that's the key
00:00
immediately to the left of the number 1,
00:00
and so I'm going to do ssh-agent.
00:00
What this is going to do is going to start that agent
00:00
>> in the background and give it the process ID of 3097.
00:00
>> Now, what I can do is I can actually do ssh/id,
00:00
and it's going to prompt me for the password for my
00:00
private key to cache that private key on the system.
00:00
Now that it's been added,
00:00
>> if I do another ssh to pwless@ubuntu.com,
00:00
>> I get through with no password at all.
00:00
We could find the ssh with no password.
00:00
With that, we've reached the end of this lesson.
00:00
In this lesson we covered the importance of
00:00
password-less login via SSH,
00:00
and we also talked about
00:00
>> how to modify SSH configuration
00:00
>> to require use of PKI during our demo.
00:00
>> Thanks so much for being here,
00:00
>> and I look forward to seeing you in the next lesson.