Accessing your virtual machine
This lecture requires practical exercises. Each group will have access to two virtual machines for mimicking client-provider and replication scenarios.
If you do not yet have a public/private ssh key pair, the ssh-keygen command is your friend. It generates a pair inside your ~/.ssh subdirectory. When working on a network drive, your first problem may be inappropriate file permissions of and inside your ~/.ssh directory:
~/.ssh$ pwd
/stud/student/.ssh
mistudent@w10m:~/.ssh$ ls -al
total 24
drwxrwx---+ 2 student mi 0 Okt 17 17:45 .
drwx------+ 32 student mi 0 Okt 17 17:44 ..
-rwxrwx---+ 1 student mi 396 Okt 17 17:45 authorized_keys ❶
-rwxrwx---+ 1 student mi 1675 Okt 17 17:38 id_rsa ❷
-rwxrwx---+ 1 student mi 396 Okt 17 17:38 id_rsa.pub ❸
The permissions of the directory itself and the files within are too open. The sshd daemon will deny remote access due to possible security implications. Unfortunately the standard UNIX chmod command does not suffice on modern CIFS-based network file systems using extended ACLs. The getfacl command reveals details:
mistudent@w10m:~/.ssh$ getfacl authorized_keys
# file: authorized_keys
# owner: mistudent
# group: mi
user::rwx
user:mistudent:rwx
group::---
group:users:---
mask::rwx
other::---
The counterpart setfacl allows for revoking permissions, e.g. on authorized_keys:
mistudent@w10m:~/.ssh$ setfacl -m user:mistudent:--- authorized_keys
mistudent@w10m:~/.ssh$ setfacl -m user::rw- authorized_keys
mistudent@w10m:~/.ssh$ getfacl authorized_keys
...
user::rw-
user:mistudent:---
group::---
group:users:---
mask::---
other::---
mistudent@w10m:~/ssh$ ls -al authorized_keys
-rw-------+ 1 mistudent mi 396 Okt 17 17:45 authorized_keys
Addressing each file and the directory itself in a similar fashion leads to:
mistudent@w10m:~/.ssh$ ls -al
total 32
drwx------+ 2 mistudent mi 0 Okt 17 17:44 .
drwx------+ 32 mistudent mi 0 Okt 17 17:44 ..
-rw-------+ 1 mistudent mi 1132 Okt 17 17:40 authorized_keys
-rw-------+ 1 mistudent mi 1679 Okt 11 14:46 id_rsa
-rw-r--r--+ 1 mistudent mi 396 Okt 11 14:46 id_rsa.pub
-rw-------+ 1 mistudent mi 442 Okt 11 14:49 known_hosts
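To check the result without reading every line by eye, the following script is an added example and not part of the original lecture material. It audits a .ssh directory against the owner-only layout of the final listing above and wraps the two setfacl calls shown earlier; the function names mode_string, audit_ssh_dir and revoke_acl are hypothetical, and revoke_acl assumes the extra ACL entry is a named-user entry for the current account, as in the getfacl output above.

```shell
#!/bin/sh
# Added example: audit ~/.ssh for group/other access using the mode string
# printed by `ls -ld`. On entries with an extended ACL (trailing "+") the
# middle triple is the ACL mask, which is why chmod alone may not clear it.

# Print the mode string of PATH as ls shows it, e.g. "drwxrwx---".
mode_string() {
    ls -ld -- "$1" | cut -c1-10
}

# Report every entry of DIR (default ~/.ssh) that is more open than the
# final listing above. Exit status 0 = clean, 1 = at least one finding.
# The body runs in a subshell so its variables do not leak to the caller.
audit_ssh_dir() (
    dir=${1:-$HOME/.ssh}
    findings=0
    for path in "$dir" "$dir"/*; do
        [ -e "$path" ] || continue
        mode=$(mode_string "$path")
        group_other=$(printf '%s' "$mode" | cut -c5-10)
        case "$path" in
            *.pub)
                # Public keys may be readable, never group/other writable.
                case "$group_other" in
                    ?w????|????w?) echo "TOO OPEN $mode $path"; findings=1 ;;
                esac ;;
            *)
                # Directory, private key, authorized_keys, known_hosts.
                if [ "$group_other" != "------" ]; then
                    echo "TOO OPEN $mode $path"; findings=1
                fi ;;
        esac
    done
    exit "$findings"
)

# Apply the two setfacl calls shown above to one owner-only entry.
# Assumption: the extra ACL entry is user:<current account>.
revoke_acl() {
    if [ -d "$1" ]; then owner_perms=rwx; else owner_perms=rw-; fi
    setfacl -m "user:$(id -un):---" "$1" &&
        setfacl -m "user::$owner_perms" "$1"
}
```

Run audit_ssh_dir before and after the setfacl changes; any remaining TOO OPEN line names an entry that still needs revoke_acl.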
You should now be able to access your virtual machines:
> ssh root@sdi9a.mi.hdm-stuttgart.de
Linux sdi9a 4.15.18-18-pve #1 SMP PVE 4.15.18-44 (Wed, 03 Jul 2019 11:19:13 +0200) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun May 3 11:53:57 2020 from 192.168.223.34