Git and Scripting (SYS265) - Chromosom3/TechNotes GitHub Wiki
Git
For this lab we used git to sync files across the different systems. Git can be installed on CentOS with sudo yum install git, on Ubuntu with sudo apt install git -y, or on Windows by going to git's website. Once you have git installed you can run git config --global user.name "USERNAME" and git config --global user.email "EMAIL" to set up your username and email for commit messages. You will need to replace USERNAME and EMAIL with your information. When you push to a repo or pull from a private repo on GitHub you will need to authenticate. If you have 2FA enabled you will need to generate a personal access token. That token will replace your password when signing in. Once you are signed in you can run git clone URL, where URL is your repo link, to clone the repository. Note that you can clone public repos without being authenticated. You can run git pull to pull the latest files from the repo. Running git add . will add all the files in the current directory and any subdirectories to the repository. You can use git status to see what files have changed and will be updated once you commit. Running git commit -m "MESSAGE" will commit all added changes to the repo. Change MESSAGE to be your commit message. You can run git push to push your commits to GitHub or other similar platforms.
SSH Keys
To create a new SSH key pair you will need to run ssh-keygen. This will bring up a few prompts for setting up the key pair. The first prompt will ask where you want to save the keys. The default location is in ~/.ssh/. The next prompt asks for the passphrase for the SSH key; if you set one, the passphrase will be required to use the SSH key. If you do not want a passphrase, leave this prompt empty and hit enter. The next prompt will ask you to confirm your passphrase; again, enter nothing and hit enter to use no passphrase. Your keys will then be located in the location you chose to save them. Make sure to keep your private key a secret and only share the .pub file. You should never put a private key on GitHub or any public place.
Bash Scripting
For this lab I wrote the following script.
#!/usr/bin/env bash
# Script: secure-ssh.sh
# Author: Dylan 'Chromosome' Navarro
# Description: This script is designed to automate the process of securing SSH for my SYS265 class.
# The script creates a new user, downloads an SSH public key into the user's authorized_keys, then disables root SSH.

# Stop at the first failed command so a failed download or cd cannot leave a half-configured account.
set -e

# The username is required; without it the paths below would resolve to /home/.ssh.
if [ -z "$1" ]; then
    echo "Usage: $0 USERNAME" >&2
    exit 1
fi

echo "Creating new user: $1"
useradd -m -d "/home/$1" "$1"
mkdir "/home/$1/.ssh"
cd "/home/$1/.ssh"
wget https://raw.githubusercontent.com/Chromosom3/TechNotes/master/SYS-255/id_rsa.pub
mv id_rsa.pub authorized_keys
chmod 700 "/home/$1/.ssh"
chmod 600 "/home/$1/.ssh/authorized_keys"
chown -R "$1:$1" "/home/$1/.ssh"

# Copied from my blog setup script from sys-255
function secureSSH(){
    # Disable root ssh
    # Replaces the commented-out default "#PermitRootLogin yes" in sshd_config with "PermitRootLogin no".
    sed -i 's/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
    systemctl restart sshd # Restarts the ssh service.
}
secureSSH
The script should be run as root to ensure all commands run successfully and there are no permission denied errors. The script takes one parameter, the username; for example, you would run ./secure.sh julia to create a new user named Julia. The script first writes to the console saying "Creating new user:" followed by the new user's username. Then the script makes the .ssh folder in the user's home directory and switches into it. The script will then download the public key from GitHub and rename the .pub file to authorized_keys. The script will then adjust file and folder permissions. Finally the script checks to see if root SSH is allowed and disables it if it is. The secureSSH function is taken from my blog-secup.sh script from sysadmin I.
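The sed line in secureSSH only rewrites the literal commented default #PermitRootLogin yes, so a config with an active PermitRootLogin yes line, or a different commented default, keeps its old setting. The following is an added example, not part of the original script, that sets the directive whatever the file's starting state; the function names and the sample config are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not the page's script. Function names are hypothetical.

# awk prologue: split a line into keyword/value as sshd does (keyword is
# case-insensitive; separator is whitespace or "=").
PARSE='{ line = $0; sub(/^[ \t]+/, "", line); split(line, f, /[ \t=]+/); k = tolower(f[1]) }'

# Print the global PermitRootLogin value of one file: the first active
# occurrence before any Match line. Include files are not followed.
effective_root_login() {
    awk "$PARSE"'
        k == "match" { exit }
        k == "permitrootlogin" { print tolower(f[2]); exit }' "$1"
}

# Force "PermitRootLogin no". sshd keeps the first value it reads for a
# keyword, so write ours on line 1 and drop every other active global
# occurrence. Lines inside Match blocks are conditional overrides and are
# left untouched for manual review.
disable_root_login() {
    local cfg="$1" tmp rc
    tmp="$(mktemp)" || return 1
    {
        echo "PermitRootLogin no"
        awk "$PARSE"'
            k == "match" { in_match = 1 }
            !in_match && k == "permitrootlogin" { next }
            { print }' "$cfg"
    } > "$tmp" || { rm -f "$tmp"; return 1; }
    [ -e "$cfg.bak" ] || cp -p "$cfg" "$cfg.bak"  # keep the first original for rollback
    cat "$tmp" > "$cfg"; rc=$?                     # in-place write keeps mode, owner, SELinux label
    rm -f "$tmp"
    return "$rc"
}

# Demo on a constructed sample config, never the live file.
demo="$(mktemp)"
trap 'rm -f "$demo" "$demo.bak"' EXIT
printf '%s\n' 'Include /etc/ssh/sshd_config.d/*.conf' \
    '#PermitRootLogin prohibit-password' 'PermitRootLogin yes' \
    'PasswordAuthentication no' 'Match Address 10.0.0.0/8' \
    '    PermitRootLogin prohibit-password' > "$demo"
echo "before: $(effective_root_login "$demo")"
disable_root_login "$demo"
echo "after:  $(effective_root_login "$demo")"
```

When pointing this at /etc/ssh/sshd_config, run sshd -t to validate the file before systemctl restart sshd, and keep an existing session open until a new login succeeds.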