Computer System Administration
(ECC 4209)
Lecture 4
(Remote Connectivity)
sjh@upm.edu.my
Contents
1. Encryption and secure remote connections
2. Extra secure and convenient password-free SSH access
3. Safely copying files between remote locations with SCP
4. Using remote graphic programs over SSH connections
5. Linux system process management with systemd
Encryption
• In the beginning, there was Telnet for remote login connections over a network, but everything it sent travelled in plain text, without encryption
• As shown in Figure 3.1, at the sender the key is applied as part of an encryption algorithm to convert plain-text, readable data into what amounts to total gibberish
• At the receiver, the same key is applied through a reverse application of the same algorithm, which converts the gibberish back to its original form
• As long as you and your trusted friends are the only people in possession of the key, no one else should be able to make any sense of the data, even if it’s intercepted
Figure 3.2 (diagram): Original message "Here’s my password: BigSecret" -> Encryption (with the encryption key) -> encrypted version "Sj4%9Lfse99*^" -> Decryption (with the same encryption key) -> unencrypted version "Here’s my password: BigSecret"
Figure 3.2: A symmetric key pair to encrypt and decrypt the contents of a plain-text message
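The symmetric scheme of Figure 3.2 carried out with a real cipher, as an added example that is not from the lecture or its textbook. It assumes the openssl command-line tool (1.1.1 or later) is installed; the "encryption key" is a passphrase that openssl stretches into an AES-256 key with PBKDF2, and the receiver needs exactly the same passphrase to get the message back. The message and key are the lecture’s own constructed values.

```shell
#!/bin/sh
# Added example, not from the lecture: Figure 3.2's symmetric scheme with a
# real cipher. Assumes the openssl CLI (1.1.1 or later, for -pbkdf2).
# The "encryption key" is a passphrase; openssl derives the actual AES-256
# key from it with PBKDF2 and a random salt, so the same passphrase is all
# the receiver needs to supply.

# encrypt_msg KEY PLAINTEXT -> prints the ciphertext as one base64 line
encrypt_msg() {
    printf '%s' "$2" | openssl enc -aes-256-cbc -pbkdf2 -pass "pass:$1" -a -A
}

# decrypt_msg KEY CIPHERTEXT_B64 -> prints the plaintext. With the wrong key
# openssl's padding check usually reports "bad decrypt" and prints nothing;
# in the rare case the padding happens to look valid it prints garbage.
# Either way the original text never comes back.
decrypt_msg() {
    printf '%s' "$2" | openssl enc -d -aes-256-cbc -pbkdf2 -pass "pass:$1" -a -A 2>/dev/null
}

# Demonstration with the lecture's constructed message and key.
msg="Here's my password: BigSecret"
ct=$(encrypt_msg BigSecret "$msg")
echo "Encrypted version:   $ct"
echo "Unencrypted version: $(decrypt_msg BigSecret "$ct")"
echo "With the wrong key:  '$(decrypt_msg NotTheKey "$ct")'"
```

The ciphertext differs on every run because of the random salt, which is why the encrypted version in the figure is just a stand-in string; what stays fixed is that only the holder of the same key recovers the plaintext.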
Secure remote connections with SSH
• During a remote connection, data packets containing session information are sent back and forth between two computers
• As shown in Figure 3.2, when you log in to a remote computer, your local PC is acting as a client of the remote server, so you’d use the openssh-client package
• The OS on the remote server, acting as a host for the shell session, is running the openssh-server package
• Run dpkg -s openssh-client or dpkg -s openssh-server to confirm the right package is installed
• To check the status of the installed SSH service:
– $ systemctl status ssh
– # systemctl stop ssh
– # systemctl enable ssh
Figure 3.2 (diagram): Client PC (VM user osboxes.org, password osboxes.org, IP address 10.0.2.15) uses the openssh-client package to log in on the remote server; Server (container user ubuntu, password ubuntu, IP address 10.0.3.49) uses the openssh-server package to host the login session; the two are joined by an encrypted connection
Figure 3.2: Logging in to a remote server through an encrypted SSH connection (password-based authentication with SSH)
Logging in to a remote server with SSH
• If you’re using an LXC container, list its IP address from the host:
– $ lxc-ls --fancy
• If you are logged in inside the server, list its IP address with ip addr:
– $ ip addr
• The first time you access the server from your PC, you need to confirm the authenticity of the host key information your server’s OpenSSH program sent back by typing yes
– $ ssh ubuntu@10.0.3.144
– Enter the server password when prompted
• If you cannot connect to the remote server, check that it is reachable:
– $ ping 10.0.3.144
Password-free SSH access
• Most cloud providers (e.g. AWS) disable password-based remote login with SSH due to its inherent insecurity
• Contents of the OpenSSH server config /etc/ssh/sshd_config on such a host:
– # EC2 uses keys for remote access
– PasswordAuthentication no
• For the client, the configuration file is /etc/ssh/ssh_config
• The alternative to SSH password authentication is to create a special key pair and then copy the public half of the pair to the remote host
• With encryption keys available at both ends of the connection, you can log in remotely using OpenSSH without a password
• Ideally, use a passphrase to authenticate locally before using the key pair
Key pair generation
• Create a new public/private key pair on the client computer using the ssh-keygen program
• When asked for the key pair name, press Enter for the default
• Then create a passphrase when prompted
– You will be prompted to enter it each time you use the key
• ubuntu@base:~$ ssh-keygen
  Generating public/private rsa key pair.
  Enter file in which to save the key (/home/ubuntu/.ssh/id_rsa):
  Enter passphrase (empty for no passphrase):
  Enter same passphrase again:
  Your identification has been saved in /home/ubuntu/.ssh/id_rsa
  Your public key has been saved in /home/ubuntu/.ssh/id_rsa.pub
Copying the public key over a network
• Passwordless SSH access does not work until the public key has been copied over to the remote server host
– The private key should stay private: it remains on the client PC/laptop
– See Figure 3.3 for the private and public key locations
• Once created, move the public key to the file .ssh/authorized_keys on the remote server computer
• The OpenSSH software running on the host will then be able to verify the authenticity of a cryptographic message created by the private key on the client
– Once the message is verified, the SSH session will be allowed to begin
• You need to figure out which user account on the host you’ll be logging in to:
– The key needs to be copied to a directory called .ssh/, which is beneath /home/ubuntu/
– You need to create a new .ssh directory if it’s not there already
Figure 3.3 (diagram): Client PC (VM user osboxes.org, password osboxes.org, IP address 10.0.2.15) holds the private key and the public key; Host PC (container user ubuntu, password ubuntu, IP address 10.0.3.49) holds a copy of the public key. Steps: 1. Generate key pair; 2. Transfer public key to host; 3. Private key used to sign a challenge and generate a message; 4. Message transferred to host PC; 5. Message authenticity verified using public key and access is granted
Figure 3.3: The public key of a key pair must be moved to the host PC, while the private key remains on the client (passwordless authentication with SSH)
Copying the public key over a network (continued)
• To make it easier for you to read, I split this next command into three lines using the backslash character (\), which tells Bash to read the next line as part of the current line
• Make sure there are no characters (or spaces) after the backslash
• That single, multi-line command uses cat to read all the text in the id_rsa.pub file and store it in memory
– then pipes that text via an SSH logon to the remote host computer
• Finally, it reads the text once again, this time on the host computer, and appends it to a file called authorized_keys
– If the file doesn’t yet exist, >> (the append operator) creates it
– If the file already exists, the text will be added after any content already in the file
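The append step of that command (the part that runs on the host) as an added example that is not from the lecture or from Linux in Action. It runs locally so it can be tried offline, takes the target home directory as an argument, and uses a constructed key line that is not a usable credential. It adds what the bare "cat >>" pipeline leaves out: the .ssh directory is created when missing (the case noted on the previous slide), the directory and authorized_keys get the modes sshd’s StrictModes check requires, and a key that is already present is not appended a second time.

```shell
#!/bin/sh
# Added example, not from the lecture or the textbook: installs a public key
# into an account's authorized_keys the way the "cat .ssh/id_rsa.pub | ssh
# host 'cat >> .ssh/authorized_keys'" pipeline does, with the checks that
# one-liner skips. Runs locally against a home directory you pass in.

# install_pubkey PUBKEY_FILE HOME_DIR
# Appends the single key line in PUBKEY_FILE to HOME_DIR/.ssh/authorized_keys.
install_pubkey() {
    pubkey_file=$1
    home_dir=$2
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    # sshd (StrictModes, on by default) refuses keys from a group- or
    # world-writable ~/.ssh or authorized_keys, so create both restrictively.
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    [ -f "$auth_file" ] || : > "$auth_file"
    chmod 600 "$auth_file"

    key_line=$(cat "$pubkey_file")
    # -F: literal match (key material contains '/' and '+'); -x: whole line.
    if grep -qxF -- "$key_line" "$auth_file"; then
        echo "key already present in $auth_file"
        return 0
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
    echo "key appended to $auth_file"
}

# count_keys HOME_DIR -> number of key lines currently authorized
count_keys() {
    wc -l < "$1/.ssh/authorized_keys" | tr -d ' '
}

# perms PATH -> symbolic mode string such as drwx------ (portable; no stat -c)
perms() {
    ls -ld "$1" | cut -c1-10
}

# Demonstration in a throwaway home directory with a constructed key line
# (not real key material, so it cannot authenticate anywhere).
demo_home=$(mktemp -d)
demo_key="$demo_home/id_demo.pub"
echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialOnlyForThisDemo000 ubuntu@base" > "$demo_key"
install_pubkey "$demo_key" "$demo_home"
install_pubkey "$demo_key" "$demo_home"     # second run: nothing appended
echo "authorized keys: $(count_keys "$demo_home")"
echo ".ssh mode: $(perms "$demo_home/.ssh"), authorized_keys mode: $(perms "$demo_home/.ssh/authorized_keys")"
```

The lecture’s one-liner fails on a fresh account precisely because it does no mkdir; ssh-copy-id, which the command-line review recommends, performs the same directory creation, mode setting and duplicate check as this function, which is the reason it is the preferred tool.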
Working with multiple encryption keys
• After copying the public key, when you run the ssh command, the login proceeds without a password request
– ubuntu@base:~$ ssh ubuntu@10.0.3.142
• There are cases where a key pair needs to be specified for a given session
– e.g. logging in to a virtual machine instance running on Amazon’s EC2 service
• To tell OpenSSH which key to use, you add the -i flag, followed by the full name and location of the private key file:
– ssh -i .ssh/mykey.pem ubuntu@10.0.3.142
• The .pem file extension in that example means that the key is saved in a format that’s commonly used to access all kinds of VMs, including Amazon EC2 instances
Safely copying files with SCP
• The scp program copies files using the SSH protocol for file transfer, using the same keys, passwords and passphrases
• Using scp to transfer the public key (id_rsa.pub) to the remote host, renaming it authorized_keys:
– ubuntu@base:~$ scp .ssh/id_rsa.pub \
  ubuntu@10.0.3.142:/home/ubuntu/.ssh/authorized_keys
• You can also copy remote files to your local machine; this example copies a file from an AWS EC2 instance to the local directory:
– $ scp -i mykey.pem \
  mylogin@54.7.61.201:/home/mylogin/backup-file.tar.gz \
  ./backups/january/AGFAG
• The official way to safely copy your key over to a remote host is the purpose-built program called ssh-copy-id:
– $ ssh-copy-id -i .ssh/id_rsa.pub ubuntu@10.0.3.142
Using remote graphic programs over SSH connections
• On an Ubuntu machine, to install the desktop GUI:
– $ sudo apt update
– $ sudo apt install ubuntu-desktop
• Make sure that the X11Forwarding line in the server config has the value yes:
– $ sudo nano /etc/ssh/sshd_config
  X11Forwarding yes
• There’s a similar line in the ssh_config file on the client machine that will also need to be set correctly:
– $ sudo nano /etc/ssh/ssh_config
  ForwardX11 yes
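A check for the two sshd_config settings discussed on these slides (PasswordAuthentication on the password-free SSH slide and X11Forwarding on this one), added as an example that is not from the lecture: a small POSIX awk reader that reports the value sshd will actually use. A plain grep misleads in two ways that this handles: sshd keeps the first value it meets for a keyword and ignores later duplicates, and anything below a Match line is conditional rather than global. The config text is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the lecture: report the global value sshd will use
# for a keyword. Two OpenSSH rules make a plain grep unreliable: the FIRST
# value seen for a keyword wins, and settings below a "Match" line are
# conditional rather than global. Keyword comparison is case-insensitive and
# both "Keyword value" and "Keyword=value" forms are accepted.

# sshd_global FILE KEYWORD -> prints the effective global value, or "default"
# when the file never sets it (sshd then falls back to its built-in default).
sshd_global() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }                 # comment line
        { gsub(/^[ \t]+|[ \t]+$/, "") }     # trim surrounding whitespace
        $0 == "" { next }                   # blank line
        tolower($1) == "match" { exit }     # everything below is conditional
        {
            line = $0
            sub(/=/, " ", line)             # Keyword=value -> Keyword value
            n = split(line, f, /[ \t]+/)
            if (n >= 2 && tolower(f[1]) == want) { print f[2]; found = 1; exit }
        }
        END { if (!found) print "default" }
    ' "$1"
}

# require_setting FILE KEYWORD EXPECTED -> exit 0 if the effective value
# matches, 1 otherwise; prints a one-line verdict either way.
require_setting() {
    actual=$(sshd_global "$1" "$2")
    if [ "$actual" = "$3" ]; then
        echo "OK   $2 = $actual"
        return 0
    fi
    echo "WARN $2 = $actual (expected $3)"
    return 1
}

# Demonstration on a constructed sshd_config (not a real host's file).
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
# EC2 uses keys for remote access
PasswordAuthentication no
x11forwarding yes
# a later duplicate: sshd ignores it because the first value wins
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF
require_setting "$demo_cfg" PasswordAuthentication no
require_setting "$demo_cfg" X11Forwarding yes
require_setting "$demo_cfg" PermitRootLogin no || true   # unset here: "default", so WARN
rm -f "$demo_cfg"
```

On a live host the same answer is available from sshd itself: sudo sshd -T prints every keyword with the value the daemon resolved, defaults included, and sudo sshd -t validates the file before the systemctl restart ssh on the next slide, so a typo does not lock you out.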
Using remote graphic programs over SSH connections (continued)
• After editing the configuration files, you need to restart SSH on both machines to make sure that your changes are live:
– $ sudo systemctl restart ssh
• To start a session that’s graphics-enabled, add the -X flag to your ssh command:
– $ ssh -X ubuntu@10.0.3.142
• You will see the regular command prompt, but now you will be able to run a command that launches a graphic program
• Try something small; this should work on an Ubuntu system:
– $ gnome-mines
Linux system process management with systemd
• Software is programming code containing instructions to control computer hardware on behalf of human users
• A process is an instance of a running software program
• An operating system (OS) is a tool for organizing and managing those instances/processes to effectively use a computer’s hardware resources
• Organizing and managing processes for a complex multi-process, multi-user operating environment is no simple task
• To make it work, you’ll need some kind of traffic cop to tightly control the many moving parts, as shown in Figure 3.4
– systemctl
Figure 3.4 (diagram): Requests for access to system resources from backup operations, remote clients, desktop tools and media players go to the operating system (Linux), where systemctl performs request management for the system services: database, web server, logs, SSH, devices and network
Figure 3.4: The availability and responsiveness of many system services are managed by systemd’s systemctl process manager
Viewing processes with the ps command
• Type the following command into a terminal
• It will do nothing (sleep) in the background (&) for 10 seconds and then stop. While it’s running, though, type ps:
• You will see a record of the two running processes spawned by that command, along with their PIDs: 19829 and 19832
• If you run ps once again after waiting 10 seconds, you’ll see those two processes are no longer running
Viewing processes with the ps command (continued)
• On an Ubuntu machine, the first process to wake up and get everything else going when the computer boots is called init
• The rightmost column of the output (/sbin/init) represents the location and name of the file behind the process
– a file called init that lives in the /sbin/ directory
• The leftmost column on this first line contains the word root and tells you that the owner of this process is the root user
– The PID of the init process is 1
• The ps command displays information about active processes
– It is important to have access to process-related information so you can properly plan and troubleshoot system behavior
• ps -e returns not only the processes running in your current
Viewing processes with the ps command (continued)
• Run the pstree command to visualize parent and child processes
– adding the -p argument displays the PIDs for each process
– Note how the first process (assigned PID 1) is systemd
– On older versions of Linux this would have been called init instead
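The sleep experiment from the first ps slide and the parent/child relation from the pstree slide, as an added example that is not from the lecture: it starts the background sleepers itself, checks the process table with ps -p instead of reading it by eye, and reads the parent PID column, which is the branch pstree -p draws. It assumes a ps that accepts -p and -o (Ubuntu’s procps ps does).

```shell
#!/bin/sh
# Added example, not from the lecture. Reproduces the ps slide's experiment
# (background sleep processes, then ps) and the parent/child relation that
# pstree -p draws, with checks instead of eyeballing. Assumes a ps that
# supports -p and -o (procps on Ubuntu and the BSD ps both do).

# spawn_sleeper SECONDS -> starts "sleep SECONDS" in the background and stores
# its PID in SLEEPER_PID. Deliberately not a $(...) wrapper: that would make a
# short-lived subshell the parent, and the sleeper would be re-parented to
# PID 1 (or a subreaper) as soon as the subshell exited.
spawn_sleeper() {
    sleep "$1" &
    SLEEPER_PID=$!
}

# is_running PID -> exit 0 if PID is in the process table, 1 otherwise
is_running() {
    ps -p "$1" > /dev/null 2>&1
}

# parent_of PID -> prints the parent PID, the branch pstree -p hangs it from
parent_of() {
    ps -o ppid= -p "$1" | tr -d ' '
}

# stop_sleeper PID -> terminates it and reaps it. Without the wait, the
# process would linger as a zombie and still appear in ps output.
stop_sleeper() {
    kill "$1" 2>/dev/null || true
    wait "$1" 2>/dev/null || true
}

# Demonstration: two sleepers, as in the lecture.
spawn_sleeper 10; pid1=$SLEEPER_PID
spawn_sleeper 10; pid2=$SLEEPER_PID
echo "this shell is PID $$; sleepers are $pid1 and $pid2"
ps -o pid=,ppid=,comm= -p "$pid1,$pid2"      # both lines show ppid = $$
stop_sleeper "$pid1"; stop_sleeper "$pid2"
is_running "$pid1" && echo "$pid1 still running" || echo "$pid1 is gone"
```

The PIDs differ on every run (the slide’s 19829 and 19832 were whatever the kernel handed out that time), which is why a script checks by PID rather than by name; the ppid column is the same relationship pstree -p shows as indentation under your shell.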
Working with systemd
• There’s something interesting about that /sbin/init file you just saw: the file command is a venerable UNIX program that gives you insider information about a file.
• If you run file with /sbin/init as its argument, you’ll see that the init file is not actually a program, but a symbolic link to a program called systemd
• We’ll talk more about symbolic links in chapter 12, but here’s where you get to meet systemd:
– $ file /sbin/init
– /sbin/init: symbolic link to /lib/systemd/systemd
• It took years of fragmentation and some vigorous political infighting, but nearly all Linux distributions now use the same process manager: systemd
• It’s a drop-in replacement for a process called init, which has long been the very first process started during
Summary
• Encrypted connections are a critical part of all networked communications, and SSH is pretty much the industry standard for remote login
• You can enable password-free SSH access by sharing the public key of a key pair
• The OpenSSH package also allows for secure file copying and remote graphic sessions
• On most modern Linux distributions, processes are managed by systemd through the systemctl tool
• You can pipe data between commands using the | (pipe) character and filter streaming data with grep
Key Terms
• A password is a string of regular characters, while a passphrase can include spaces and punctuation
• AES is a popular symmetric (secret key) algorithm and RSA is a popular asymmetric (public key) encryption algorithm
• X11 forwarding allows graphic programs to be run over a remote connection
• A Linux process is all the ongoing activity that’s associated with a single running program
• A shell is a terminal environment that provides a command-line interpreter (like Bash) to allow a user to execute commands.
• A parent shell is an initial environment, from within which new child shells can subsequently be launched and through which programs run. A shell is, for all intents and purposes, also a process.
Command-line review
• dpkg -s openssh-client checks the status of a software package
• systemctl status ssh checks the status of a system process (systemd)
• systemctl start ssh starts a service
• ip addr lists all the network interfaces on a computer
• ssh-keygen generates a new pair of SSH keys
• cat .ssh/id_rsa.pub | ssh ubuntu@10.0.3.142 "cat >> .ssh/authorized_keys" copies the local key and pastes it on the remote machine
• ssh-copy-id -i .ssh/id_rsa.pub ubuntu@10.0.3.142 safely copies encryption keys (recommended and standard)
• ssh -i .ssh/mykey.pem ubuntu@10.0.3.142 specifies a particular key pair
• scp myfile ubuntu@10.0.3.142:/home/ubuntu/myfile safely copies a local file to a remote computer
• ssh -X ubuntu@10.0.3.142 allows log in to a remote host for a graphics-enabled session
• ps -ef | grep init displays all currently running system processes and filters the results using the string init
• pstree -p displays all currently running system processes in a visual tree
References
• Linux in Action, David Clinton:
– https://www.manning.com/books/linux-in-action
• Learning Modern Linux, Michael Hausenblas:
– https://www.oreilly.com/library/view/learning-modern-linux/9781098108939/
• Linux Administration Best Practices, Scott Alan Miller:
– https://www.packtpub.com/product/linux-administration-best-practices/9781800568792
• SSH Mastery: OpenSSH, PuTTY, Tunnels and Keys (2nd Edition), Michael W. Lucas:
– https://mwl.io/nonfiction/tools#ssh
• Linux Cookbook: Essential Skills for Linux Users and System & Network Administrators (2nd Edition):
– https://www.oreilly.com/library/view/linux-cookbook-2nd/9781492087151/