Secure Registry Operations Course
Introduction to Course Architecture
Exercises
----------------------------------------------------

Remember, X in the IP address is your group number, 200 - 229

NOC: 10.X.2.1/24    GW: 10.X.2.254/24    VLAN: X2
DNS: 10.X.1.1/24    GW: 10.X.1.254/24    VLAN: X1

e.g. X = 202
NOC: 10.202.2.1/24    GW: 10.202.2.254/24    VLAN: 2022
DNS: 10.202.1.1/24    GW: 10.202.1.254/24    VLAN: 2021

1. For Windows users, if you don't have an SSH client installed, download and install PuTTY.

2. Download the tldadmin identity keys from the Wiki and put them in an easily accessible directory.
   For Linux users, you will need to reset the permissions on the key once you've downloaded it:

   $ chmod 600 /path/to/tldadmin/key

   /path/to/tldadmin/key should be replaced by the path to your tldadmin identity key.

3. Connect to your TLD nameserver with SSH

   From Linux:

   $ ssh -i /path/to/tldadmin/key tldadmin@10.X.1.1

   * /path/to/tldadmin/key should be replaced by the path to your tldadmin identity key
   * Replace X with your group number (e.g. 10.203.1.1 for X=203)

   From Windows: use PuTTY, create and save a session (see slides).

   When prompted for a password, enter 'tldadmin!' (without the quotes).

   While connected, elevate yourself to root:

   $ sudo -s

   When prompted for a password, enter 'tldadmin!' (without the quotes).
   Type 'exit' to return to your tldadmin account.
   Type 'exit' to disconnect.

   Notes:

   ** If you see a prompt about being unable to establish the authenticity of the host, answer "yes". This warning is generated by the SSH client the first time you connect to a host and is designed to prevent "man-in-the-middle" attacks by making sure you verify that the server you are connecting to really is the server you think it is. To generate the fingerprint of the server you are connecting to, run "ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub" on the server (over a channel you already trust, such as the console) and compare the fingerprint to the one shown when you log into the server for the first time using ssh. Check which key type the client prompt names (RSA, ECDSA or ED25519); if it is not RSA, run ssh-keygen against the matching /etc/ssh/ssh_host_*_key.pub file instead.

   ** If you see a prompt about an unprotected key file, set the permissions to read only for your user account:

   $ chmod 600 /path/to/tldadmin/key

   /path/to/tldadmin/key should be replaced by the path to your tldadmin identity key.

4. Connect to your TLD NOC with SSH

   From Linux:

   $ ssh -i /path/to/tldadmin/key tldadmin@10.X.2.1

   * /path/to/tldadmin/key should be replaced by the path to your tldadmin identity key
   * Replace X with your group number (e.g. 10.203.2.1 for X=203)

   From Windows: use PuTTY, create and save a session (see slides).

   When prompted for a password, enter 'tldadmin!' (without the quotes).

   While connected, elevate yourself to root:

   $ sudo -s

   When prompted for a password, enter 'tldadmin!' (without the quotes).
   Type 'exit' to return to your tldadmin account.
   Type 'exit' to disconnect.

   Notes:

   ** If you see a prompt about being unable to establish the authenticity of the host, answer "yes". This is the same first-connection host-key check described in step 3: generate the fingerprint on the server with "ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub" (or the matching key file for the key type the client names) and compare it to the one shown when you log in for the first time.

   ** If you see a prompt about an unprotected key file, set the permissions to read only for your user account:

   $ chmod 600 /path/to/tldadmin/key

   /path/to/tldadmin/key should be replaced by the path to your tldadmin identity key.

5. What else might you do to secure the connection? What about disabling password login in /etc/ssh/sshd_config (PasswordAuthentication)? Before you do, keep your current session open and confirm from a second terminal that key-based login still works; otherwise a typo in sshd_config can lock you out. Note that sudo will still ask for the tldadmin password, since that is local authentication, not an SSH login.
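The following script is an added example for step 5; it is not part of the course handout. It rewrites an sshd_config so that only key-based logins are accepted, and it reads back the value sshd would actually use (the first uncommented occurrence of a directive). The sample configuration it operates on is constructed for the demo; the path /etc/ssh/sshd_config and the directive names are the standard OpenSSH ones, but the helper names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the course handout: make sshd accept key-based
# logins only. The sample sshd_config below is constructed for the demo; on
# the lab hosts the real file is /etc/ssh/sshd_config (edit it as root after
# sudo -s, check it with "sshd -t", then reload sshd).
set -eu

# set_directive FILE KEY VALUE
# sshd honours the first uncommented occurrence of a directive, so every
# existing occurrence (commented out or not) is rewritten to the wanted
# value; a directive the file does not mention at all is appended.
set_directive() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}[[:space:]]" "$file"; then
        sed "s|^[[:space:]]*#\{0,1\}[[:space:]]*${key}[[:space:]].*|${key} ${value}|" \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# harden_sshd_config FILE
# Disable every password-style login method, require public keys, and stop
# root from logging in with anything but a key.
harden_sshd_config() {
    file=$1
    set_directive "$file" PasswordAuthentication no
    set_directive "$file" ChallengeResponseAuthentication no
    set_directive "$file" KbdInteractiveAuthentication no
    set_directive "$file" PubkeyAuthentication yes
    set_directive "$file" PermitRootLogin prohibit-password
}

# effective_value FILE KEY
# Print the value sshd would use: the first uncommented occurrence of KEY.
effective_value() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# make_sample_config
# Write a constructed sshd_config fragment to a temp file and print its path.
make_sample_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not the lab server's real configuration
Port 22
#PasswordAuthentication yes
ChallengeResponseAuthentication yes
PermitRootLogin yes
EOF
    printf '%s\n' "$f"
}

# Demo: harden the sample and show the settings sshd would apply.
cfg=$(make_sample_config)
harden_sshd_config "$cfg"
for k in PasswordAuthentication ChallengeResponseAuthentication \
         KbdInteractiveAuthentication PubkeyAuthentication PermitRootLogin; do
    printf '%s %s\n' "$k" "$(effective_value "$cfg" "$k")"
done
rm -f "$cfg"
```

On the real host, run harden_sshd_config against /etc/ssh/sshd_config as root, run "sshd -t" to syntax-check the result, reload sshd, and only then close the session you already have open, after a fresh key-based login has succeeded from another terminal.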