# Lab 8: SSH and SSL

Roman Soldatov, B19-SD-01, r.soldatov@innopolis.university

## Questions to answer

### 1. Generate an SSH key pair with a different encryption algorithm than in the exercise. Provide all necessary secure configuration.

- Install the SSH server on the local machine:

  `sudo apt-get install openssh-server`

  ![](https://i.imgur.com/yknJeUI.png)

- To connect to this local server, use `ssh localhost`.
- Create the `.ssh` directory and restrict its access rights:

  `mkdir -p ~/.ssh && chmod 700 ~/.ssh`

- Create the config file and restrict access rights to it:

  `touch ~/.ssh/config && chmod 600 ~/.ssh/config`

- Create a key pair. I've chosen the **Digital Signature Algorithm (DSA)**:

  `ssh-keygen -t dsa`

  ![](https://i.imgur.com/F1E2rSZ.png)

- Validate that the keys were generated:

  > In the **.ssh** directory, list the files with `ls -l` and check their content with `cat id_dsa` and `cat id_dsa.pub`.

  ![](https://i.imgur.com/SG5hLbp.png)

- Copy the public key to the server with `ssh-copy-id localhost`. Now we can connect to it without being prompted for a password.

  ![](https://i.imgur.com/d9oLQ6r.png)

- Edit the server configuration file with `sudo nano /etc/ssh/sshd_config` and change the following lines:
  - `Port 22` - *listen only on this port*
  - `PasswordAuthentication no` - *disable password-based authentication on the server to prevent brute-force attacks; this removes the ability to log in via SSH with account passwords*
  - Disable root login, challenge-response authentication and PAM:

    ```
    PermitRootLogin no
    ChallengeResponseAuthentication no
    UsePAM no
    ```

  - Disable all password-based logins and allow only public-key logins:

    ```
    AuthenticationMethods publickey
    PubkeyAuthentication yes
    ```

  ![](https://i.imgur.com/KsxTdyF.png)
  ![](https://i.imgur.com/vTUm00C.png)

- Save `/etc/ssh/sshd_config` and restart the **sshd service** to apply the changes:

  `sudo systemctl restart ssh`

  ![](https://i.imgur.com/Saz9HjZ.png)
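As an added check that is not part of the lab, the following POSIX shell script audits an `sshd_config` for the directives set above and verifies the `700`/`600` permissions on the key material. It assumes, as sshd does, that the first uncommented occurrence of a keyword is the effective value, it does not evaluate `Match` blocks, and the two sample configs it writes are constructed for the demonstration. One caveat on the key type: OpenSSH 7.0 and later disable ssh-dss user keys by default, so a current server may reject a DSA key; ed25519 or RSA keys are the usual choice.

```shell
#!/bin/sh
# Added example, not part of the lab: audit an sshd_config for the hardening
# directives set above and check the permissions on SSH key material.
# sshd uses the FIRST value it reads for each keyword, so the audit reads the
# first uncommented occurrence; Match blocks are not evaluated (assumption).

# Print the effective value of one keyword (case-insensitive); empty if unset.
sshd_value() {
    # $1 = config file, $2 = keyword
    awk -v kw="$2" '
        /^[[:space:]]*#/ { next }          # comment line
        /^[[:space:]]*$/ { next }          # blank line
        tolower($1) == "match" { exit }    # conditional block: stop here
        tolower($1) == tolower(kw) { print $2; exit }
    ' "$1"
}

# Compare every directive the lab requires; report each mismatch; return 1 on any.
check_sshd_hardening() {
    cfg=$1
    rc=0
    for pair in \
        PasswordAuthentication=no \
        PermitRootLogin=no \
        ChallengeResponseAuthentication=no \
        PubkeyAuthentication=yes \
        AuthenticationMethods=publickey
    do
        kw=${pair%%=*}
        want=${pair#*=}
        got=$(sshd_value "$cfg" "$kw")
        if [ "$got" != "$want" ]; then
            echo "FAIL: $kw is '${got:-unset}', expected '$want'"
            rc=1
        fi
    done
    return $rc
}

# Key files (~/.ssh/config, id_*) must be 600 and ~/.ssh itself 700:
# no group or other permission bits at all.
check_key_perms() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    case "$mode" in
        ?00) return 0 ;;
        *)   echo "FAIL: $1 has mode $mode (group/other bits must be 0)"; return 1 ;;
    esac
}

# Two constructed sample configs (not the lab's real file) for a stand-alone run.
write_samples() {
    dir=$(mktemp -d)
    cat > "$dir/weak_sshd_config" <<'EOF'
# stock-style config: password and root logins still allowed
Port 22
#PasswordAuthentication no
PermitRootLogin yes
UsePAM yes
EOF
    cat > "$dir/hardened_sshd_config" <<'EOF'
Port 22
PasswordAuthentication no
PermitRootLogin no
ChallengeResponseAuthentication no
UsePAM no
AuthenticationMethods publickey
PubkeyAuthentication yes
EOF
    echo "$dir"
}

SAMPLES=$(write_samples)
for name in weak hardened; do
    if check_sshd_hardening "$SAMPLES/${name}_sshd_config"; then
        echo "$name: all required directives present"
    else
        echo "$name: NOT hardened"
    fi
done
```

Run it against the real file with `check_sshd_hardening /etc/ssh/sshd_config` and `check_key_perms ~/.ssh`; a config that sets a keyword twice is reported on the first value only, which is the one sshd actually uses.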
### 2. Create a certificate

- Create the root key:

  `openssl genrsa -des3 -out rootCA.key 4096`

- Create and self-sign the root certificate:

  `openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 365 -out rootCA.crt`

  ![](https://i.imgur.com/66Z8zIJ.png)

- Create the certificate key:

  `openssl genrsa -out roman.key 2048`

- Create the certificate signing request (CSR):

  `openssl req -new -key roman.key -out roman.csr`

  ![](https://i.imgur.com/7LEPyIp.png)

- Generate the certificate, with expiration set to 365 days:

  `openssl x509 -req -in roman.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out roman.crt -days 365 -sha256`

- Show the certificate's content and attributes:

  `openssl x509 -in roman.crt -text -noout`

  ![](https://i.imgur.com/xTgSZuz.png)

- Convert PEM to DER:

  `openssl x509 -in roman.crt -outform der -out roman.der`

  ![](https://i.imgur.com/5FQdDYV.png)
  ![](https://i.imgur.com/VQole2s.jpg)
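As an added example (not the lab's own commands), here is the same chain built non-interactively in a scratch directory and then checked, which the steps above never do: `openssl verify` confirms that `roman.crt` was actually signed by `rootCA.crt`, and a fingerprint comparison confirms that `roman.der` is the same certificate as `roman.crt`. The subject names, the CA passphrase and the working directory are constructed assumptions; `-subj` and `-passin`/`-passout` stand in for the interactive prompts.

```shell
#!/bin/sh
# Added example, not part of the lab: rebuild the lab's certificate chain
# non-interactively in a scratch directory and then VERIFY it.
# Subject names and the CA passphrase are constructed placeholders.
set -e

CA_PASS=pass:rootpass-example   # constructed; the lab types this at the -des3 prompt

build_chain() {
    dir=$1   # working directory; all files are written there
    # Root key (encrypted, like the lab's -des3) and self-signed root certificate
    openssl genrsa -des3 -passout "$CA_PASS" -out "$dir/rootCA.key" 4096 2>/dev/null
    openssl req -x509 -new -key "$dir/rootCA.key" -passin "$CA_PASS" -sha256 -days 365 \
        -subj "/CN=Example Lab Root CA" -out "$dir/rootCA.crt"
    # Leaf key and certificate signing request
    openssl genrsa -out "$dir/roman.key" 2048 2>/dev/null
    openssl req -new -key "$dir/roman.key" -subj "/CN=roman.example" -out "$dir/roman.csr"
    # Sign the CSR with the root (the lab's x509 -req step)
    openssl x509 -req -in "$dir/roman.csr" -CA "$dir/rootCA.crt" -CAkey "$dir/rootCA.key" \
        -passin "$CA_PASS" -CAcreateserial -days 365 -sha256 -out "$dir/roman.crt" 2>/dev/null
    # PEM -> DER, as in the lab
    openssl x509 -in "$dir/roman.crt" -outform der -out "$dir/roman.der"
}

# Does the leaf certificate chain to the given CA? Exit status 0 means yes.
verify_leaf() {
    # $1 = CA certificate (PEM), $2 = leaf certificate (PEM)
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Is roman.der the same certificate as roman.crt? Compare SHA-256 fingerprints.
same_cert_der() {
    pem=$(openssl x509 -in "$1/roman.crt" -noout -fingerprint -sha256)
    der=$(openssl x509 -in "$1/roman.der" -inform der -noout -fingerprint -sha256)
    [ "$pem" = "$der" ]
}

WORK=$(mktemp -d)
build_chain "$WORK"
# Issuer, subject and validity, the fields the lab inspects with -text
openssl x509 -in "$WORK/roman.crt" -noout -issuer -subject -dates
verify_leaf "$WORK/rootCA.crt" "$WORK/roman.crt" && echo "roman.crt chains to rootCA.crt"
same_cert_der "$WORK" && echo "roman.der is the same certificate as roman.crt"
```

The lab's `-nodes` flag is dropped from the root step because it only controls encryption of a key that `openssl req` itself generates, and here `rootCA.key` already exists. A leaf signed by a different root fails `verify_leaf`, which is the property the whole chain exists to provide.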