1,234
edits
Changes
→Generating a Public/Private Key Pair & Sharing the Public Key
== OBJECTIVE & PREPARATION==
In OPS235, you learned how to configure a virtual private network for your '''centos1vm1''', '''centos2vm2''' and '''centos3vm3''' virtual machines. You were required to configure a static network connection for your VMs. In OPS335, you will also be setting up a static network connection for all of your VMs (which all VMs will be text-based). All of the services that we install and configure for this course '''require a working network connection'''; therefore, it is very important that you know how to configure a network connection for your VMs, whether via command line for trouble-shooting purposes, or to create a persistent (permanent) network connection that uses static IP address (as opposed to DHCP).
This lab is a <u>review</u> of the material from labs 6 ( [http://zenit.senecac.on.ca/wiki/index.php/OPS235_Lab_6_-_CentOS7#Part_4:_Configuring_VM_Network_Setup_via_Command_Line_.28centos3.29 CLI Network Configuration] ), but will also additional topics.
*[https://www.tty1.net/blog/2010/ifconfig-ip-comparison_en.html ip vs ifconfig]
*[https://www.digitalocean.com/community/tutorials/how-to-use-rsync-to-sync-local-and-remote-directories-on-a-vps rsync Howto]
*[https://help.ubuntu.com/community/CronHowto Cron HowTo]
== INVESTIGATION 1: BASIC NETWORK CONFIGURATION (REVISITED) ==
=== Checking Your Current Network Settings ===
In OPS235, you have used the deprecated '''ifconfig''' and '''route''' commands. In this course we'll use the '''ip''' command instead. You may , so that you'll be familiar with the deprecated ifconfig and route both sets of commands, but you are expected to know the newer ip command as well.
<tr> <td>Obtain Hostname</td><th>uname -n</th><th>uname -n</th></tr>
<tr> <td>See MAC cache</td><th>arp -n</th><th>ip neighbour</th></tr>
</table>
In order to have your network settings become permanent, you need to edit and save the settings changes in a file.
For the IP address, subnet mask, default gateway, and DNS server you edit that file is contained in a directory called: '''network-scripts'''.
'''Perform the following steps:'''
# From Change to the ''network-scripts'' directory (see your ''OPS335''/''OPS235''/''ULI101'' notes, issue a command to provide the full path-name of the directory: ''network-scripts''. If that command or utility does not exist, simply install it).
# The name of the file that contains your persistent network settings has the following name format:<br>'''ifcfg-''interfacename'''''
# Which file-name in your network-scripts directory do you think contains your current network settings?
<ol>
<li value="7">Edit the '''ifcfg-''interfacename''''' (most likely ifcfg-eth0) file for each of your VMs to use a static IP address (refer to previous OPS235 lab on networking: [ [httphttps://zenitwiki.senecaccdot.onsenecacollege.ca/wiki/index.php/OPS235_Lab_6_-_CentOS7OPS235_Lab_6#Part_4Part_3:_Configuring_VM_Network_Setup_via_Command_Line_.28centos328centos3_and_centos2.29 Network Config - CLI] ].<br> You should be configuring the BOOTPROTO ('''static''' instead of dhcp), IPADDR, PREFIX (or NETMASK), GATEWAY, HWADDR, and DNS1 for this file. Note the following information for this setup:<ul><li>Set your IPADDR for each VM with the following rules:<ol type="a"><li>Your IPADDR's third octet will use the last 2 digits in your student number.</li><li> Make certain that the 4th octet for your VMs does not start with '''1''' since that is reserved for the '''GATEWAY''' or '''DNS'''by your host machine.<br>For example, Use the forth recommended fourth octets: '''2 for vm1''', '''3 for vm2''', and '''4 for vm3'''.</li></ol></li><li>Don't forget to set the default gateway and DNS server for your VMs. You can use your host's IP address as a gateway and DNS server<br>(''libvirt'' will proxy the requests to the real DNS server).</li><li> You can refer to your previous lab to obtain information for setup of these options: [ [httphttps://zenitwiki.senecaccdot.onsenecacollege.ca/wiki/index.php/OPS335_Installation_Lab#Configuring_a_VM_host Configuring a VM Host] ]<br><br></li></ul><li>Make note of the files used and entries required and note them in your lab log-book.</li><li>Save your editing session, and then restart each VM and run the following command to ensure they still have the network configuration you set:<ul><li>'''ping''' (what is the purpose of this command?). Try to ping matrix and google from your host machine.<br>Try to ping matrix and google from each of your VM's to ensure you can reach the outside world.</li><li>'''ssh''' (into another server, like Matrix) </li></ul></li><li>After setting the network configuration for EACH VM, then either the the ifdown and ifup commands or reboot each VM, to verify that you can connect to the Internet with the new static IP network configuration. If you cannot connect to the Internet, then check the network configuration file and make corrections until you have a workable network connection for each VM from boot-up.</ol>
#Try to temporarily connect to the Internet
#Edit your network settings file to make the changes permanent
#Test your connectivity (including after a reboot of your vm1.)
'''Note:''' You should be able to go through that troubleshooting process pretty quickly. Setting up the network in this course is never a primary task, but it's almost always a prerequisite for anything else we're going to do. You can't have a working web server (or any other kind of server) if you don't have a working network connection.
===Configuring the SSH Service===
A common (if somewhat blatant ) way) to try to hack into a machine is to try to ssh as '''root''' and brute-force root's password. The root user always exists, meaning the attacker doesn't need to try guessing what user names are on your system. If they can get access to root, they can do anything. To prevent this, we will edit the configuration file for the ssh service to prevent root from ssh'ing into your host machine.
It demonstrates how SSH key authentication works. It's not a complete diagram, but it helps see all the parts of ssh key authentication in one place.
[[Image:ssh_connection_explained.png|thumb|center|600px|A diagram explaining how public / Private keys work. Another term to represent this process is called '''PKI''' (Public/Private Key Infrastructure) ]]
<br />
Put this book on your "must-read" list. You can borrow a copy from the Toronto Public Library. I have yet to see a better introduction to encryption. It's not a reqirement for OPS335 - but if you want to not be clueless about security fundamentals online - read that book and understand it.
[[Image:ssh_connection_explainedcrypto.png|thumbjpeg|center|600px|A diagram explaining how public / Private keys work. Another term to represent this process is called '''PKI''' (Public/Private Key Infrastructure) "crypto" by Steven Levy]]<br><br>
=== Generating a Public/Private Key Pair & Sharing the Public Key ===
The public/private key pair needs to be generated on and used on your '''host''' machine (i.e. the user/machine you're connecting '''from'''). The private key is the equivalent of a <u>''password''</u> (that it is why it is considered to be <u>''private''</u> - only to be used by ''<u>one</u>'' owner). That is why the private key is stored in the owner's '''~/.ssh/''' directory.
One very common mistake that students make is to either generate the key pair for the WRONG wrong account, or copy the public key to the WRONG wrong account on the intended remote machine.
'''Perform the following Steps:'''
# You will be creating a '''key-pair on your host machine with no password''' (i.e. when generating keypair press enter for all prompts including the password).
#Make certain you are logged on as '''root''' on your host machine.
# Generate the key-pair by issuing the command:<br><source lang="bash">ssh-keygen -t rsa</source>
'''NOTE:''' When issuing this command, you will end up with the files: '''~/.ssh/id_rsa''' and '''~/.ssssh/id_rsa.pub''' (private and public keys). So far, this topic is generally a repeat of OPS235 lab7. What you may '''<u>not</u>''' know is that by using a '''"trick"''' (the ''magic'' of public key cryptography), you can SSH to a Linux machine without using a password! Learning to perform this trick is <u>'''essential'''</u> in this course and in the industry in general. SSH keys are used everywhere that Linux servers are used.
If you have the private key, you can prove to someone who has your public key that you are indeed the '''actual owner of that public key'''. That is how ssh key authentication works. You are then only required to transfer your public key to a remote server.
'''NOTE:''' Always remember that these keys are '''per-user, <u>not</u> per machine'''. This means that sharing a user's public key will only work for that specific user.
== INVESTIGATION 3: PERFORMING & AUTOMATING BACKUPS ==
# On your '''host machine''', run the following commands:
<source lang=bash>mkdir -p /backup/incremental/vm1
rsync -avz 192.168.x.x:/etc /backup/incremental/vm1/ # where 192.168.x.x is the IPADDR of your vm1</source>
# Refer to the following WIKI to learn how to use cron: [[crontab tutorial]]
# In your host machine as root, edit your crontab and enter the line above. Modify modify the setting so it will run that echo command every minute by creating a crontab (via '''crontab -e''') entry with the following line:<br><source>* * * * * echo "Cron ran this job at: "`date` >> /tmp/cron.log</source>
# Save and exit your crontab edit session.
# Wait for one minute to pass, and check the '''/tmp/cron.log''' file to see if it was created with the expected contents.<br>(You can also check '''/var/log/cron''' file to see what jobs were run).
== COMPLETING THE LAB ==
===Online Submission===
Follow the instructions for lab 1 on blackboard.
<!--===In Class SubmissionAndrew's sections===[[ImageYou may choose to:lab1_signoff.png|thumb|right|300px|Students should be prepared with * Submit screenshots of your work on Blackboard, in which case you don'''all required commands (system information) displayed in a terminal (or multiple terminals) prior t need to come to calling the instructor for signoff'''lab.]]'''Arrange evidence (command output) for each of these items on * Or come to the lab, show me your screenwork, then ask your instructor and talk to me about it. I want to review them hear what you've learned and sign off on answer any questions you have. You'll get the same grade regardless of how you choose to submit your work. Expected results of this lab's completionare:'''
::<span style="color:green;font-size:1.5em;">✓</span> Each of your VMs should now boot to a command prompt (no graphical interface), and should be using a static IP address.
::<span style="color:green;font-size:1.5em;">✓</span> should be able to ssh from your host to each VM as the root user without a password.
::<span style="color:green;font-size:1.5em;">✓</span> Display contents of backup script called: '''/root/bin/fullbackup.bash'''
::<span style="color:green;font-size:1.5em;">✓</span> FULL Full and INCREMENTAL incremental backups of your 3 VMs.
::<span style="color:green;font-size:1.5em;">✓</span> You have notes in your lab-book about what you've learned in this lab.
::<span style="color:green;font-size:1.5em;">✓</span> Run a shell script to submit your lab:<br>:::'''Steps:''' :::Issue the following command to download the bash shell script:<br>'''wget http://matrix.senecac.on.ca/~murray.saul/ops335/labcheck_network_backup.sh'''::::*Assign execute permissions, and run the script to check your work: '''labcheck_network_backup.sh'''::::*When prompted for the network interface, use the '''virtual bridge interface''' with IP 192.168.x.1 (where '''x''' is your last 2 digits of your student number).-->
== EXPLORATION QUESTIONS ==