1
00:00:00,000 --> 00:00:18,480
Hey everyone and welcome back. So in the previous nugget we had just recapped the general outline

2
00:00:18,480 --> 00:00:24,879
of the SSH protocol. Now what we want to do is to get a little bit more hands-on and begin

3
00:00:24,879 --> 00:00:30,799
looking at some SSH configuration files. Now before we actually do this what I want to do is I

4
00:00:30,799 --> 00:00:39,280
actually want to begin by installing the OpenSSH server utility. That is the installation that

5
00:00:39,280 --> 00:00:47,519
is going to allow our server to act as an SSH server capable of accepting these SSH connections.

6
00:00:47,519 --> 00:00:53,679
Now what I've actually done here if I just show you, I actually have these two windows open. Now

7
00:00:53,679 --> 00:00:59,600
these two windows may look identical at first glance but they actually happen to be two different

8
00:00:59,600 --> 00:01:06,159
SSH connections to two different servers. I'm logging in to manage these so as it stands right now

9
00:01:06,159 --> 00:01:14,159
I have the server on the left which has an IP address of 192.168.4.26 and the one on the right

10
00:01:14,159 --> 00:01:23,599
we can see is quite similar. It's 192.168.4.28 so we have .28 here and we have .26 here. Now

11
00:01:23,679 --> 00:01:31,039
obviously by virtue of me logging into these servers using SSH they already have SSH installed so

12
00:01:31,039 --> 00:01:36,879
that they can act as an SSH server but just for posterity what I would do is if I wanted to install

13
00:01:36,879 --> 00:01:43,359
this I would go onto the command line I would say sudo apt install openssh-server and I would hit

14
00:01:43,359 --> 00:01:50,239
enter. I would type in my password as you see hit enter again and as we can see here no surprises

15
00:01:50,239 --> 00:01:55,519
I already have that installed so again I would do the same thing on this machine here. Cool so we

16
00:01:55,519 --> 00:02:01,519
can see here we obviously have SSH installed. Now these are two machines which I have created earlier

17
00:02:01,519 --> 00:02:08,079
as it transpires they both happen to have the same hostname with the same user both are ipv0 at

18
00:02:08,079 --> 00:02:13,599
ubuntu so I've just noticed this. What I'm going to do to make this a little bit clearer for you

19
00:02:13,599 --> 00:02:18,560
is to actually just change the hostname so I'll clear the screen here I will say sudo

20
00:02:19,199 --> 00:02:28,479
hostnamectl and I will say set-hostname and I'll just call this one server1 okay so now if I say

21
00:02:28,479 --> 00:02:34,879
hostname we can see that is the hostname as it transpires right now you cannot see it on my shell

22
00:02:34,879 --> 00:02:40,400
prompt so what I'm going to do is I'm going to escape my SSH connection and I'll log back in now

23
00:02:40,400 --> 00:02:45,680
when I log in here we can actually see in the prompt this one here on the left is server1 so I'll

24
00:02:45,680 --> 00:02:52,560
just do the same thing here on the one on the right so I'll say sudo hostnamectl set-hostname

25
00:02:52,560 --> 00:02:58,400
and I'll just call this one server2 so again I will exit the connection I will re-establish the

26
00:02:58,400 --> 00:03:03,439
connection so now we can see here in the prompt keeping it clear we have one server here which is

27
00:03:03,439 --> 00:03:09,040
server1 and we have another one here which is server2 ipv0 happens to be the username on both

28
00:03:09,040 --> 00:03:14,800
but that does not have to be the case now like I say here we have our ip addresses this one here on

29
00:03:14,800 --> 00:03:22,320
the right is 192.168.1.28 let me just make sure I have connectivity and that should be .4.28 not .1.28

30
00:03:22,320 --> 00:03:27,360
my mistake let's hit enter we can see we have connectivity this way and we'll check that we can

31
00:03:27,360 --> 00:03:36,640
ping the other direction which should be 192.168.4.26 and as we can see here indeed we can ping that

32
00:03:36,640 --> 00:03:41,120
device so what we'll do here is I'll just stop this and I'll clear the screen cool so what I'm going

33
00:03:41,120 --> 00:03:50,159
to do is I am going to try to establish a connection from this server here which is server1 all the way

34
00:03:50,159 --> 00:03:59,040
to server2 using ssh so right now we can see we have basic connectivity using ICMP ping messages

35
00:03:59,040 --> 00:04:06,719
let's try that ssh connection now the user here which I have is ipv0 so I'm going to use that

36
00:04:06,800 --> 00:04:12,159
credential here again you don't have to match but just as it happens in my case both happen to

37
00:04:12,159 --> 00:04:18,079
have the same username so I'll type in the username and I will type in the ip address of the remote

38
00:04:18,079 --> 00:04:24,879
server which is server2 I'll hit enter and of course I totally forgot I've got to say ssh at the

39
00:04:24,879 --> 00:04:31,439
beginning so I will try this again with the ssh command notice the very first thing here we're

40
00:04:31,439 --> 00:04:39,759
actually seeing the ECDSA key fingerprint so this really is the fingerprint for this particular

41
00:04:39,759 --> 00:04:48,800
server that is server2 relating to its cryptographic public key okay so do we want to accept this key

42
00:04:48,800 --> 00:04:53,600
and in fact before I actually do this let me just quit this what I want to do is I want to show you

43
00:04:53,600 --> 00:05:01,600
within my home directory if I do a cd and I do a pwd if I do an ls -la and let me just full screen

44
00:05:01,600 --> 00:05:07,760
this right now we can see here we have this directory here this .ssh this is the hidden

45
00:05:07,760 --> 00:05:16,400
directory because we see the dot hence why I did the -a switch if I go into this .ssh and I do an ls

46
00:05:16,400 --> 00:05:21,280
right now I don't actually have anything within this folder but watch what happens okay see if I go

47
00:05:21,279 --> 00:05:30,159
back and I reissue that command and I say yes to accept the fingerprints now it's going to permanently

48
00:05:30,159 --> 00:05:35,919
add this to a list of known hosts now remember that thing known_hosts what I'll now do is I'll type in

49
00:05:35,919 --> 00:05:41,839
the password for that remote server to successfully log in and now we can see the prompt I happen to

50
00:05:41,839 --> 00:05:51,199
be within server2 but crucially if I disconnect and go back to server1 I do an ls -la within .ssh

51
00:05:52,079 --> 00:05:58,719
and I do an ls once more now we have this new file called known_hosts so if I just happen to

52
00:05:58,719 --> 00:06:05,839
cat the known_hosts file this is the fingerprint for that particular device so the cool thing is

53
00:06:05,839 --> 00:06:13,679
if I try and go back let me re-establish that connection to server2 once again if I hit enter

54
00:06:13,679 --> 00:06:20,719
now notice is just asking me for the password it is not going to try to ask me to accept or deny the

55
00:06:20,800 --> 00:06:26,240
fingerprint the fingerprint is already being accepted and is now stored within that .ssh

56
00:06:26,240 --> 00:06:32,720
directory that hidden directory within that known_hosts file so again I'll just type in the password

57
00:06:32,720 --> 00:06:41,280
I log in no problem at all and if I happen to delete that directory and hit enter I do an ls -la

58
00:06:41,920 --> 00:06:48,000
suddenly that directory has gone if I try to re-establish my connection one more time it's

59
00:06:48,000 --> 00:06:54,160
now going to prompt me to accept that key once again because we just deleted that known_hosts

60
00:06:54,160 --> 00:07:00,480
file where it is stored I'll say yes once again we type in the password we log in successfully I go

61
00:07:00,480 --> 00:07:07,839
back once again I do an ls -la and we can see here automatically this directory has been regenerated

62
00:07:07,839 --> 00:07:13,680
if I go in the known_hosts file is back again now you may notice that the directory in which I am

63
00:07:13,680 --> 00:07:22,879
operating is in my home directory that is $HOME then .ssh and then it is the known_hosts

64
00:07:22,879 --> 00:07:29,680
file now if I want to have known hosts for system-wide configuration i.e for all users

65
00:07:29,680 --> 00:07:36,480
and not unique to a single user I can actually have a known_hosts file within the /etc directory

66
00:07:36,480 --> 00:07:43,199
within an ssh folder and then we can have a known_hosts right here so that is something to be aware of

67
00:07:43,199 --> 00:07:50,879
that we do have the ability for user-specific known hosts as well as system-wide known hosts

68
00:07:50,879 --> 00:07:59,439
now on this topic of system-wide configurations let's actually take a look at this ssh configuration

69
00:07:59,439 --> 00:08:04,480
file then so what we'll do here is that again we'll go back and full screen right now I'll just

70
00:08:04,480 --> 00:08:10,800
clear this okay so let me go into the /etc directory and I will go into the ssh directory

71
00:08:10,800 --> 00:08:15,439
and within here if I do an ls we're going to see a whole bunch of particular files we'll get to

72
00:08:15,439 --> 00:08:21,360
look at more of these a little bit later but for now what I want to focus in on is this one right

73
00:08:21,360 --> 00:08:29,439
here sshd_config so if we go into this particular file this is going to be the file that

74
00:08:29,439 --> 00:08:35,360
we can use for ssh server configuration if we go in here with the sudo command of course because it

75
00:08:35,360 --> 00:08:43,120
is in the /etc directory so it's system-wide if I hit enter here these are all the ssh server

76
00:08:43,120 --> 00:08:49,840
system-wide configurations here so if I go on down we can see some basic configurations we can see the

77
00:08:49,840 --> 00:08:56,240
port here I can uncomment this by default ssh is going to use port 22 but we can change this to

78
00:08:56,240 --> 00:09:03,600
whatever we wish we could do 2277 if we wanted we can specify the listen address right now by

79
00:09:03,600 --> 00:09:09,759
uncommenting this would listen to any interface which has an ip address configured on this server

80
00:09:09,759 --> 00:09:16,159
we could however be more specific and just say you know what only listen on the ip address of our

81
00:09:16,159 --> 00:09:23,600
ethernet which is 192.168.4.26 in this case here but for now I will just leave things as they are

82
00:09:23,600 --> 00:09:30,320
put it back and in fact I will just comment this back we also have a listen address below this is

83
00:09:30,320 --> 00:09:38,000
for ipv6 addressing so colon colon right here is ultimately the same thing listen on all ipv6

84
00:09:38,000 --> 00:09:43,920
addresses we see some information relating to our host keys and ciphers and below this we can actually

85
00:09:43,920 --> 00:09:51,600
see our logging configuration so right here what we can do is specify how verbose we want our log

86
00:09:51,600 --> 00:09:58,640
messages to be so the different values that we can actually specify here is we can specify quiet

87
00:09:58,639 --> 00:10:06,960
we can specify logging only fatal log messages we can have error we can have info for informational

88
00:10:06,960 --> 00:10:14,639
which is actually what we can see here we can have verbose and we can have debug1 debug2

89
00:10:14,639 --> 00:10:22,159
as well as debug3 now one thing to note is that when you happen to log with the debug levels

90
00:10:22,159 --> 00:10:27,840
this actually really does log a ton of information some of that information might actually be a

91
00:10:27,840 --> 00:10:34,080
security concern you may be logging private information about users so for this purpose

92
00:10:34,080 --> 00:10:40,560
you should really take care if you happen to be using these debug logging levels really only use

93
00:10:40,560 --> 00:10:46,879
them sparingly and I would say in test environments as a general production grade environment these

94
00:10:46,879 --> 00:10:54,480
levels really are not suitable now we can see here below with respect to our authentication down here

95
00:10:54,560 --> 00:11:01,920
we can see the login grace time is two minutes we can see the permit root login this is at

96
00:11:01,920 --> 00:11:08,960
prohibit-password basically what we're saying is that right now by default root cannot log into

97
00:11:08,960 --> 00:11:15,680
the server via ssh the reason why is this is a security concern if someone would happen to

98
00:11:15,680 --> 00:11:21,120
try a brute force attack by just keep sending the credentials for the root account with

99
00:11:21,120 --> 00:11:27,519
different variations of passwords if they happen to get the correct hits and the ssh channel

100
00:11:27,519 --> 00:11:33,919
allowed that connection suddenly the remote user which could be a hacker they would have the keys

101
00:11:33,919 --> 00:11:38,560
to the kingdom so to speak they would have access to everything that the root account can do which

102
00:11:38,560 --> 00:11:44,080
as you know pretty much controls absolutely everything on the system so by default the

103
00:11:44,080 --> 00:11:49,600
password is prohibited i.e. we're not going to allow the root login in fact I could just quickly

104
00:11:49,600 --> 00:11:56,000
show you this right now if I escape back out this is the default configuration even on server 2 so

105
00:11:56,000 --> 00:12:04,960
again so sudo nano /etc/ssh/sshd_config if we go into here type in the password if I scroll on down we

106
00:12:04,960 --> 00:12:11,519
can see here that the permit root login is prohibit-password if I just escape out now if I try to

107
00:12:11,519 --> 00:12:19,440
log in again we can log in with ipv0 which is not the root account and type in the password

108
00:12:19,440 --> 00:12:24,240
we can log in as ipv0 and then once we're in we can actually substitute the user

109
00:12:25,040 --> 00:12:29,840
and become the root if we know the root account like so so now we actually happen to be within

110
00:12:29,840 --> 00:12:35,120
the server as root but the crucial difference is that remotely if I go back from the vantage

111
00:12:35,120 --> 00:12:41,120
point of server one clear the screen I arrow up and I try to log in directly as root that's what

112
00:12:41,120 --> 00:12:46,640
we're talking about if I do this right here and hit enter type in the root account's password

113
00:12:47,199 --> 00:12:53,120
permission is denied try the account again same password permission denied so what I'll do is

114
00:12:53,120 --> 00:12:58,960
I'll just stop this so if I go into the ssh configuration file again I actually now change

115
00:12:58,960 --> 00:13:06,159
this to the value yes and I have to uncomment this so the effects actually happen I will write this

116
00:13:06,159 --> 00:13:12,559
out save it escape what I have to do is to restart my service so that the new configuration settings

117
00:13:12,559 --> 00:13:19,919
are loaded in so I'll say sudo service sshd restart now that should take effect

118
00:13:19,919 --> 00:13:26,639
if I try to log in now as the root directly and hit enter I will type in the root password and hit

119
00:13:26,639 --> 00:13:33,199
enter now suddenly we can see we can directly log in as the root account again this is dangerous

120
00:13:33,199 --> 00:13:38,239
we have to be very careful doing such things what we'll do is I'll just exit back out go back to

121
00:13:38,240 --> 00:13:44,799
server one let's look again at the configuration file okay so let's scroll on down we can also see

122
00:13:44,799 --> 00:13:50,799
the MaxAuthTries setting these are the maximum number of tries that we can allow a user to try to log in

123
00:13:50,799 --> 00:13:57,519
before ultimately locking them out of the server this is to prevent these type of brute force attacks

124
00:13:57,519 --> 00:14:04,639
we can also add if we so wish the option AllowUsers which would have a list of allowed users who

125
00:14:04,639 --> 00:14:11,039
are able to log in so I could say AllowUsers ipv0 that would mean that anyone trying to log in to

126
00:14:11,039 --> 00:14:17,919
server one with the credential username ipv0 would be allowed or alternatively I could actually

127
00:14:17,919 --> 00:14:25,759
explicitly deny that user if I so wish I could say DenyUsers and say ipv0 and if I wished I could

128
00:14:25,759 --> 00:14:30,720
add another account let's say we had an account called john an account called trevor in fact it

129
00:14:30,720 --> 00:14:36,639
should help if I spelled deny correctly with this setting these three users would now be disallowed

130
00:14:36,639 --> 00:14:43,920
from logging in via ssh but again let's just take those settings back out if we scroll on down

131
00:14:43,920 --> 00:14:50,000
we can see this one here PermitEmptyPasswords this is set to no again by default if we wanted to

132
00:14:50,000 --> 00:14:55,920
change this we could change it to yes the warning here is that this definitely is not something I

133
00:14:55,919 --> 00:15:02,719
would ever recommend doing the reason being is that let's say that the root user on this account

134
00:15:02,719 --> 00:15:09,199
happened to create a new username for a new account let's just say they created an account called

135
00:15:09,199 --> 00:15:15,759
user1 but they didn't actually set a password for that user they just created the account and

136
00:15:15,759 --> 00:15:20,959
left it alone that would mean that if someone happened to try to log in using this account

137
00:15:20,960 --> 00:15:26,480
name user1 which does not have an actual password associated with it it would still

138
00:15:26,480 --> 00:15:32,000
actually allow the login because we're going to permit empty passwords but like I say by default

139
00:15:32,000 --> 00:15:37,440
this is set to no and this really is the type of setting you want to leave alone so just be aware

140
00:15:37,440 --> 00:15:42,639
of that now we're also going to see PasswordAuthentication set to yes this is the default

141
00:15:42,639 --> 00:15:48,400
this means you're going to use passwords to authenticate your ssh session as we have seen

142
00:15:48,399 --> 00:15:53,360
but we also can have other ways to actually authenticate with servers we'll get to see

143
00:15:53,360 --> 00:15:59,840
what that looks like a little bit later on within this skill now further down if we continue on

144
00:15:59,840 --> 00:16:06,399
we can see PrintMotd this is set to the value no this is ultimately a banner configuration

145
00:16:06,399 --> 00:16:13,120
motd stands for message of the day now what this means is that when someone logs in

146
00:16:13,759 --> 00:16:19,519
after they successfully log in and again I stress after they do so they will see the message that you

147
00:16:19,519 --> 00:16:25,919
set out within the banner of the day so right now it's set to no if we change this to yes once

148
00:16:25,919 --> 00:16:31,360
someone logs in they will see the message that you happen to set and this would actually be

149
00:16:31,360 --> 00:16:38,159
specified within the /etc directory in a file called motd now if you want to just present a

150
00:16:38,159 --> 00:16:43,360
banner when someone attempts to log in before they successfully authenticate and you can have a

151
00:16:43,360 --> 00:16:49,360
configuration just specifying a Banner pointing to a particular configuration file so if I again

152
00:16:49,360 --> 00:16:56,079
I just escape out of here I'll just say no let's go back to server 2 and change its configurations

153
00:16:56,079 --> 00:17:00,959
so we're going to server 2's configuration file right here let's go down what I'll do is I'll add

154
00:17:00,959 --> 00:17:07,920
in a Banner and I will say it's going to be in the /etc directory and I'll say ssh/banner now this

155
00:17:07,920 --> 00:17:12,480
file doesn't actually exist right now I'm going to have to create it it can be any text file you

156
00:17:12,480 --> 00:17:19,600
wish but I'm just going to call it banner if I happen to save this right here and I escape I go

157
00:17:19,600 --> 00:17:25,920
into the /etc directory go into ssh I do an ls we don't actually have this file called banner let's

158
00:17:25,920 --> 00:17:34,160
actually create it so I'll just use sudo nano banner and I'll just say this is my server do not enter

159
00:17:34,960 --> 00:17:41,360
unless authorized now this makes sense because this is going to be shown to anyone who attempts to

160
00:17:41,360 --> 00:17:48,000
log in so if I save it and go back I'm going to have to restart my ssh service so sudo service

161
00:17:48,720 --> 00:17:55,360
sshd restart now if someone attempts to log into this server so I'll

162
00:17:55,360 --> 00:18:01,360
close the screen I'll go back to server one on the left hand side I will log in as ipv0

163
00:18:02,319 --> 00:18:09,279
notice before I even type the password I have this banner presented to me so I am warned before I

164
00:18:09,279 --> 00:18:14,399
attempt to log in making sure that anyone who does so knows that they're not allowed to

165
00:18:14,399 --> 00:18:19,359
unless authorized now I am authorized so I can log in with my password and I happen to be now

166
00:18:19,359 --> 00:18:25,519
within server two let's exit back out notice when I logged in I didn't actually get a message what I

167
00:18:25,519 --> 00:18:30,399
can do therefore I can go back in on the right hand side we can see here go back and modify this

168
00:18:30,400 --> 00:18:40,800
configuration file if I change PrintMotd to the value yes and I save this escape out if I now go

169
00:18:40,800 --> 00:18:50,320
into the /etc directory rather cd /etc and then sudo nano motd I will just say thanks for stopping by

170
00:18:51,519 --> 00:18:58,080
try not to break anything okay so let's save it write it out and again let's read in this

171
00:18:58,159 --> 00:19:04,159
configuration file one more time by saying sudo service sshd restart to restart the service now again from server

172
00:19:04,159 --> 00:19:10,000
one we shall try the login once again before we log in we see the general banner let's type this

173
00:19:10,000 --> 00:19:18,000
password then and hit enter now once I log in you can actually see here I have this message this is

174
00:19:18,000 --> 00:19:24,079
the message of the day which is appearing after the login okay again let's exit back out as always

175
00:19:24,079 --> 00:19:29,519
back to server one clear the screen so this configuration file is clearly very very important

176
00:19:29,519 --> 00:19:35,439
it's going to allow us to control many aspects of our ssh server such as which port is going to listen

177
00:19:35,439 --> 00:19:42,720
on which ip address that will listen on both ipv4 and ipv6 we can configure banners we can control

178
00:19:42,720 --> 00:19:48,319
particular logons for root users if we're going to require a password or even if we're going to

179
00:19:48,319 --> 00:19:54,399
allow a user without a password to log in we can control logging information i.e. how verbose or

180
00:19:54,399 --> 00:20:01,519
how terse we want our logs to actually be all of this is specified within this sshd configuration

181
00:20:01,519 --> 00:20:06,720
file so very very important file that we have to know about but the reality is this is just one

182
00:20:06,720 --> 00:20:11,519
configuration file we have more stuff to look at and that's what we'll be doing in the very next

183
00:20:11,519 --> 00:20:15,359
nuggets I hope it's been informative for you and I'd like to thank you for viewing

