Accessing your virtual machine

This lecture requires practical exercises. Each group will have access to two virtual machines for mimicking client-provider and replication scenarios.

If you do not yet have a public/private ssh key pair the ssh-keygen command is your friend. It allows for generating a pair inside your ~/.ssh subdirectory. Working on a network drive your first problem may be inappropriate file permissions of and inside your ~/.ssh directory:

Figure 945. Result of ssh-keygen execution Slide presentation
~/.ssh$ pwd
/stud/student/.ssh

mistudent@w10m:~/.ssh$ ls -al
total 24
drwxrwx---+  2 student mi    0 Okt 17 17:45 .
drwx------+ 32 student mi    0 Okt 17 17:44 ..
-rwxrwx---+  1 student mi  396 Okt 17 17:45 authorized_keys 
-rwxrwx---+  1 student mi 1675 Okt 17 17:38 id_rsa 
-rwxrwx---+  1 student mi  396 Okt 17 17:38 id_rsa.pub 

Allowed keys to log on to current machine. May contain e.g. the content of id_rsa.pub.

Private key

Corresponding public key


The permissions of the directory itself and the files within are too open . The sshd daemon will deny remote access due to possible security implications. Unfortunately the standard chmod command from UNIX does not suffice on modern cifs based network file systems using extended ACLs. The getfacl command reveals details:

Figure 946. Extended ACLs, ways too open Slide presentation
mistudent@w10m:~/.ssh$ getfacl  authorized_keys
# file: authorized_keys
# owner: mistudent
# group: mi
user::rwx
user:mistudent:rwx
group::---
group:users:---
mask::rwx
other::---

The counterpart setfacl allows for revoking permissions e.g. on authorized_keys:

Figure 947. Revoking permissions using setfacl Slide presentation
mistudent@w10m:~/.ssh$ setfacl -m user:mistudent:--- authorized_keys
mistudent@w10m:~/.ssh$ setfacl -m user::rw- authorized_keys
mistudent@w10m:~/.ssh$ getfacl authorized_keys
   ...
user::rw-
user:mistudent:---
group::---
group:users:---
mask::---
other::---

mistudent@w10m:~/ssh$ ls -al authorized_keys
-rw-------+ 1 mistudent mi 396 Okt 17 17:45 authorized_keys

Addressing each file and the directory itself in a similar fashion leads to:

Figure 948. Corrected permissions Slide presentation
mistudent@w10m:~/.ssh$ ls -al
total 32
drwx------+  2 mistudent mi    0 Okt 17 17:44 .
drwx------+ 32 mistudent mi    0 Okt 17 17:44 ..
-rw-------+  1 mistudent mi 1132 Okt 17 17:40 authorized_keys
-rw-------+  1 mistudent mi 1679 Okt 11 14:46 id_rsa
-rw-r--r--+  1 mistudent mi  396 Okt 11 14:46 id_rsa.pub
-rw-------+  1 mistudent mi  442 Okt 11 14:49 known_hosts

You should now be able accessing your virtual machines:

Figure 949. Logging in Slide presentation
> ssh root@sdi9a.mi.hdm-stuttgart.de
Linux sdi9a 4.15.18-18-pve #1 SMP PVE 4.15.18-44 (Wed, 03 Jul 2019 11:19:13 +0200) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun May  3 11:53:57 2020 from 192.168.223.34