Difference between revisions of "Linux Tutorial"

From CAC Documentation wiki
m (→‎SSH Key Pairs: Slight rephrasing and added links to lower section)
Line 128: Line 128:
 
==== Enabling SSH logins with passwords ====
 
==== Enabling SSH logins with passwords ====
  
If you are intending to allow users to connect to the instance with only a password, then you will have to edit the <code>/etc/ssh/sshd_config</code> file with your preferred text editor, and change the line that says <code>PasswordAuthentication no</code> to <code>yes</code>.  If you do not change this, password authentication will fail for all users, even with the correct password.
+
If you are intending to allow users to connect to the instance with only a password, then you will have to edit the <code>/etc/ssh/sshd_config</code> file with your preferred text editor, and change the line that says <code>PasswordAuthentication no</code> to <code>yes</code>.  If this is set to <code>no</code>, password authentication will fail for all users, even with the correct password.
  
 
'''Note:''' It is a good idea to check that you can connect to the new user's account via ssh, even if the account is not for you, to ensure it was set up correctly.
 
'''Note:''' It is a good idea to check that you can connect to the new user's account via ssh, even if the account is not for you, to ensure it was set up correctly.
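Review bot: the reworded paragraph (the + line) still stops at editing <code>/etc/ssh/sshd_config</code> and does not say that sshd has to be restarted before the new <code>PasswordAuthentication</code> value takes effect. Suggest adding a closing sentence that points to <code>systemctl restart sshd</code>, as the Initial User Setup steps already do, and linking the sentence to the SSH Key Pairs section so readers see the recommended alternative next to the password option.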

Revision as of 15:04, 23 May 2018

This tutorial is intended as a basic introduction to Linux for users who are managing Red Cloud services and are creating or using a Linux Instance. There are two Linux distributions (AKA distros) available for images on Red Cloud: Ubuntu and CentOS. In this tutorial, you will learn how to add a user, install software using the distribution's package manager, how to enable remote password logins, and several related tips. There are some common commands between both distributions, and a section for the specific commands on Ubuntu and CentOS. While many commands are similar across Linux systems, package management, service control, and to a lesser extent, user management, are some of the areas that will differ from distribution to distribution. For another useful tutorial, please see the Cornell Virtual Workshop.

Definitions

This section contains some basic working definitions to help you through this tutorial if you have never used Linux before. This list and the definitions in it should not be considered authoritative.

directory - folder

path - the sequence of directories leading to a particular subdirectory or file

shell (A.K.A. console or terminal) - a text-only user interface for interacting with an operating system's programs and services. This is where commands are entered.

command - a task for the computer to execute that is entered via the shell

environment - the set of all variables defined in the current shell. The special environment variable PATH shows the sequence of paths that will be searched to find the commands that you enter.

package - an archive of software and metadata that can be downloaded, installed, and removed via a package manager

root - the system administrative account with all the highest privileges, also known as the superuser. By default, most Linux distros have a single root account when installed, and no user accounts.

sudo - a program that allows a user to run commands with the privileges of another user, most often the root or superuser account. This is typically used by typing sudo before a command.

root directory - the top-level directory of the system, denoted / (forward slash). It is the start of most paths. This is not the same as the root user.

Basic Useful Commands

This list is not comprehensive, but rather a starting point.

pwd
print working directory - specifically, print the full path to the current working directory
ls
list directory contents
cd
change directory

Example: cd ~ will take you to your home directory

mkdir <name>
make a directory with the specified name
man <command>
display the manual pages for the specified command
which <command>
show the full path to the given command, as found from the paths in the PATH environment variable
history
display a list of commands that have been executed via the terminal
cat <file>
output (concatenate) the contents of a file to the terminal, with many other options available (check out man cat for more info)
grep <pattern>
print lines matching a specified pattern. This is usually used with a | (pronounced "pipe") so that you can "pipe" the output from one command into grep to effectively search it.

Example: history | grep mkdir would search the history output for each time the mkdir command was executed, thus determining all the directories you had created.

export VAR=value
set an environment variable (VAR in this example) to have a certain value
ssh
If you have not already, it would also be good to familiarize yourself with how to connect to Linux machines remotely.

Text Editors

Since the default interaction with a Linux Instance is through a terminal, it may be useful to familiarize yourself with at least one text editor that can be used in the terminal. Here are a few, with links to get more information about them, but there are more.

vim
Vim is often already installed with many Linux distros, and is therefore useful to learn. There are many online tutorials, but you can also simply type vimtutor in the terminal to learn how to use vim.
emacs
Emacs is a family of text editors including the very popular GNU Emacs. If you want to use it, it may be helpful to take a guided tour or to consult the manual.
nano
GNU nano is a simpler text editor than something like vim because it doesn't have modes; you simply type when it opens. If you'd like more information, consult the documentation.

Ubuntu

This section has specific instructions for Ubuntu images on how to create your first user with sudo privileges, create additional users, and install software. If you are the sole user of your instance, you only need to follow the Initial User Setup steps. If you do want to create Additional Users, be sure to consider what privilege level you would prefer your users to have, and whether you wish to require a key pair for authentication (should be unique per user). If you have not used Ubuntu before, please read this whole section.

The "ubuntu" user

Since the Ubuntu distribution of Linux locks the root account by default, you cannot use that account to ssh when you first set up a new image. Instead, there is a default account with the username ubuntu, with a blank password, that has sudo privileges. Unless you are the sole user of your machine, it is still recommended that you create a new user account, for which the steps are detailed below.

Initial User Setup

These steps create a new sudo user, and must all be completed in order:

  1. ssh -i <keyname>.pem ubuntu@<ip of instance>
  2. sudo adduser <username>
    • You will be prompted to enter & verify a password for the user, as well as some information (i.e. name, phone number, etc.) which is optional. If you do not wish to add information, simply hit "enter".
    • Note that <username> could be e.g. ‘bob’, it doesn’t need to be (and really should not be) a Cornell netid, since you can optionally configure your instances to allow use of netid and netid passwords for project members.
    • This adds a new user with the name <username>.
  3. sudo adduser <username> sudo
    • This will add <username> to the sudo group, which will enable <username> to easily install software and perform other administrative tasks without needing a root (or the ubuntu) login. This has the advantage of making it more difficult to accidentally do something unfortunate to the system.
  4. sudo chown -hR <username> /home/<username>
    • Changes the ownership of the user's home directory to the user.
  5. sudo mkdir ~<username>/.ssh
    • Creates a directory for the user to hold the public encryption key used in ssh.
    • Note: The .ssh folder is hidden to the ls command by default because of the "." at the beginning. You can see all folders by sending the ls -a command.
  6. sudo cp ~/.ssh/authorized_keys ~<username>/.ssh
    • This copies the public key to the correct place for the user to be able to ssh.
    • Only do this if you intend to ssh from the same computer with the private key every time you access the instance. This is recommended, since it is more secure.
  7. sudo chmod 700 -R ~<username>/.ssh/
  8. vim /etc/ssh/sshd_config
    • Verify the line that says PasswordAuthentication has a no next to it (this should be the default).
    • Skip this step if you intend to have multiple users and wish to allow them to connect via ssh with a password, without requiring a key pair.
    • You could also use your preferred text editor
  9. systemctl restart sshd
  10. exit
  11. ssh -i <keyname>.pem <username>@<ip>
    • At this point your user should be set up to connect via ssh.
  12. sudo apt update and sudo apt upgrade

Additional Users

A normal user account on an Ubuntu system does not have sudo privileges, so they cannot install software or perform administrative tasks. These steps create a new user without sudo privileges:

  1. sudo adduser <username>
  2. sudo chown -hR <username> /home/<username>


It is also possible to create new user accounts with sudo privileges, which enables them to easily install software and perform other administrative tasks without needing a root (or the ubuntu) login. These steps create a new user with sudo privileges:

  1. sudo adduser <username>
  2. sudo adduser <username> sudo
  3. sudo chown -hR <username> /home/<username>


It is recommended, for security purposes, to require all users to authenticate with a unique SSH key pair when connecting to Red Cloud instances. However, it can be simpler to allow users to authenticate with a password, particularly for users who are inexperienced with SSH. Below we describe how to set up both types of authentication. Choose what's right for you and your users.

Passwords

It's best to assign a different temporary password to each user. When notifying users of their new passwords, remember to ask them to log in and change their passwords right away with passwd (just the plain command, with no arguments).

  1. sudo passwd <username>
  2. Assign a temporary password like ch@ngeM3!
  3. Retype the temporary password when prompted

SSH Key Pairs

Do the following steps to create an SSH key pair for each user. If you have set up passwords and PasswordAuthentication is enabled, then users can also perform these steps themselves.

  1. sudo su <username>

    Omit this step if you are already logged in as the user

  2. mkdir ~/.ssh
  3. chmod 700 ~/.ssh
  4. ssh-keygen -t rsa

    Respond to all prompts by hitting enter

  5. cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
  6. exit

    Omit this step if you are already logged in as the user

The resulting keys can be used to log in to the instance without a password. The private key should be stored where it can be found by the user's local SSH client. If logins with passwords are enabled, each user can retrieve the file ~/.ssh/id_rsa using scp or sftp. Otherwise, the private keys have to be distributed to each user in some other secure manner. They should not just be attached to emails!

Enabling SSH logins with passwords

If you are intending to allow users to connect to the instance with only a password, then you will have to edit the /etc/ssh/sshd_config file with your preferred text editor, and change the line that says PasswordAuthentication no to yes. If this is set to no, password authentication will fail for all users, even with the correct password.

Note: It is a good idea to check that you can connect to the new user's account via ssh, even if the account is not for you, to ensure it was set up correctly.

Installing Software

The package manager for Ubuntu is called apt (also see the Ubuntu docs on apt and aptitude). Here are some basic commands worth making sure you understand (again, man apt will help here):

  • sudo apt update
  • sudo apt upgrade
  • apt search <package>
  • sudo apt install <package>


It is recommended that you:

  • Ensure your system is up-to-date after beginning an instance.
  • Install the terminal multiplexer tmux, which is often useful in case your connection is dropped (either intentionally or unintentionally) or if you want to have multiple terminals available without needing to log in each time

To find available packages (from currently installed repositories), the following command may be used: apt search <package>. For instance, here are the first 6 results for apt search python:

 p   bpython                         - fancy interface to the Python interpreter
 p   bpython-gtk                     - fancy interface to the Python interpreter
 p   bpython-urwid                   - fancy interface to the Python interpreter
 p   bpython3                        - fancy interface to the Python3 interpreter
 p   cairo-dock-plug-ins-dbus-interf - Python interface to interact with Cairo-Do
 p   cantor-backend-python           - Python backend for Cantor

Note that the ‘p’ in the first column means that no trace of the package exists on the system (run man apt for more details).

CentOS

This section has specific instructions for CentOS images on how to create your first user with sudo privileges, create additional users, and install software. If you are the sole user of your instance, you only need to follow the Initial User Setup steps. If you do want to create Additional Users, be sure to consider what privilege level you would prefer your users to have, and whether you wish to require a key pair for authentication (should be unique per user). If you have not used CentOS before, please read this whole section.

Initial User Setup

Once you have started a Linux Instance, you will want to connect using ssh and create a user account. You will first have to log in as the root account and set up the user account yourself. It is advisable to set up the user account instead of continuing to use the root account. This section details how to correctly set up the user account on a CentOS image.

  1. ssh -i <keyname>.pem root@<ip of instance>
    • Connects to the instance via ssh as the root account
  2. adduser <username>
    • Adds a new user with the name <username>
    • Note that <username> could be e.g. ‘bob’, it doesn’t need to be (and really should not be) a Cornell netid, since you can optionally configure your instances to allow use of netid and netid passwords for project members
    • Multiple users may be added at the instance owner’s discretion.
  3. passwd <username>
    • This will prompt you to set and verify a password for the user
    • Note: if you do not run this command, a password will not be set for the user!
  4. usermod -aG wheel <username>
    • This will add <username> to the wheel group, which grants sudo privileges on CentOS and will enable <username> to easily install software and perform other administrative tasks without needing a root login. This has the advantage of making it more difficult to accidentally do something unfortunate to the system.
  5. mkdir ~<username>/.ssh
    • Creates a directory for the user to hold the public encryption key used in ssh
    • Note: The .ssh folder is hidden to the ls command by default because of the "." at the beginning. You can see all folders by sending the ls -a command.
  6. cp ~/.ssh/authorized_keys ~<username>/.ssh
    • This copies the public key to the correct place for the user to be able to ssh.
    • Only do this if you intend to ssh from the same computer with the private key every time you access the instance. This is recommended, since it is more secure.
  7. chmod 700 -R ~<username>/.ssh/
  8. vim /etc/ssh/sshd_config
    • Change the line that says PasswordAuthentication yes to say no instead
    • Skip this step if you intend to have multiple users and wish to allow them to connect via ssh with a password, without requiring a key pair.
    • You could also use your preferred text editor
  9. systemctl restart sshd
  10. exit
  11. ssh -i <keyname>.pem <username>@<ip>
    • At this point your user should be set up to ssh
  12. sudo yum update
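
A check for the result of steps 5 to 7 in both Initial User Setup lists (Ubuntu and CentOS), as an added example that is not part of the original tutorial: it confirms that the new account's .ssh directory and authorized_keys file exist, are owned by that account, and are not writable by group or others, which is what sshd's StrictModes check looks at. The function name and the temporary demo directory are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not part of the tutorial.

# Check that <home>/.ssh and its authorized_keys exist, belong to the expected
# numeric uid, and are not writable by group or others.
check_ssh_dir() {  # usage: check_ssh_dir <uid> <home-directory>
    local uid="$1" dir="$2/.ssh" path owner mode problems=0
    for path in "$dir" "$dir/authorized_keys"; do
        if [ ! -e "$path" ]; then
            echo "MISSING  $path"
            problems=$((problems + 1))
            continue
        fi
        owner=$(stat -c '%u' "$path")   # numeric owner (GNU coreutils stat)
        mode=$(stat -c '%a' "$path")    # octal permission bits, e.g. 700
        if [ "$owner" != "$uid" ]; then
            echo "OWNER    $path is owned by uid $owner, expected $uid"
            problems=$((problems + 1))
        fi
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "WRITABLE $path has mode $mode (group/other write bit set)"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]   # exit status 0 only when nothing was reported
}

# Demo on a constructed home directory under a temporary path.
demo_home=$(mktemp -d)
mkdir "$demo_home/.ssh" && chmod 700 "$demo_home/.ssh"
touch "$demo_home/.ssh/authorized_keys" && chmod 600 "$demo_home/.ssh/authorized_keys"
check_ssh_dir "$(id -u)" "$demo_home" && echo "ok: $demo_home/.ssh"
rm -rf "$demo_home"
```

On an instance, run it as root with `check_ssh_dir "$(id -u <username>)" /home/<username>` before handing the account over. Files created with sudo or as root belong to root until their ownership is changed.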

Additional Users

A normal user account on an Ubuntu system does not have sudo privileges, so they cannot install software or perform administrative tasks. These steps create a new user without sudo privileges:

  1. adduser <username>
  2. passwd <username>


It is also possible to create new user accounts with sudo privileges, which enables them to easily install software and perform other administrative tasks without needing a root (or the ubuntu) login. These steps create a new user with sudo privileges:

  1. adduser <username>
  2. passwd <username>
  3. usermod -aG wheel <username>


It is recommended, for security purposes, that instances be connected to using a key pair, but sometimes this is inconvenient if you have many users. If you are intending to allow users to connect to the instance with only a password, then you will have to edit the /etc/ssh/sshd_config file with your preferred text editor, and verify that the PasswordAuthentication line has a yes next to it (this should be the default). If it does not, change it to yes; otherwise authentication for the user will fail even with the correct password.

Note: It is a good idea to check that you can connect to the new user's account via ssh, even if the account is not for you, to ensure it was set up correctly.

Installing Software

The package manager for CentOS is called yum. Here are some basic commands worth making sure you understand (again, man yum will help here):

  • yum check-update
  • sudo yum update
  • yum search <package>
  • sudo yum install <package>


It is recommended that you:

  • Ensure your system is up-to-date after beginning an instance.
  • Install the terminal multiplexer tmux, which is often useful in case your connection is dropped (either intentionally or unintentionally) or if you want to have multiple terminals available without needing to log in each time

SSH Security

Once you have set up a user with sudo privileges and ensured that you can indeed log in and perform sudo commands successfully (it would be good to test this to be sure), you may want to secure the root login by disabling it.

Disable root login: This must be done while logged in either as root or your user with sudo privileges.

  1. vim /etc/ssh/sshd_config
  2. Change the line PermitRootLogin yes to PermitRootLogin no
  3. Note: if this line is commented out (with a # character in the front), you will need to uncomment it.
  4. systemctl restart sshd

When you exit, you should verify that you cannot log in as root, but that you can still log in as your user.

For more information on SSH Security, see the CentOS guide on Securing OpenSSH.
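
The two settings this tutorial edits, PasswordAuthentication and PermitRootLogin, can be read back from a config file with the added example below (not part of the original tutorial). It skips commented-out lines, which the note in the steps above warns about, treats keywords case-insensitively, and takes the first active occurrence, as sshd does. The function names, the key-only and no-root policy, and the sample config are this example's assumptions.

```shell
#!/usr/bin/env bash
# Added example, not part of the tutorial. The sample config is constructed.

# Print the value a keyword gets from the global part of an sshd_config file:
# commented lines are skipped, keywords are case-insensitive, and the first
# active occurrence wins. Prints "unset" if none appears before a Match block.
sshd_value() {  # usage: sshd_value <keyword> <file>
    awk -v want="$1" '
        /^[ \t]*(#|$)/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (!match(line, /[ \t=]+/)) next
            key = tolower(substr(line, 1, RSTART - 1))
            val = substr(line, RSTART + RLENGTH)
            sub(/[ \t]+$/, "", val)
            if (key == "match") exit
            if (key == tolower(want)) { print tolower(val); found = 1; exit }
        }
        END { if (!found) print "unset" }
    ' "$2"
}

# Compare both settings against a key-only, no-root-login policy (the policy
# is this example's assumption). Prints one line per finding.
audit_sshd_config() {  # usage: audit_sshd_config <file>
    local key value
    for key in PasswordAuthentication PermitRootLogin; do
        value=$(sshd_value "$key" "$1")
        case $value in
            no)    ;;
            unset) echo "$key is not set; sshd's built-in default applies" ;;
            *)     echo "$key is $value; expected no" ;;
        esac
    done
}

write_sample_config() {  # constructed sample input, not from a real host
    cat > "$1" <<'EOF'
Port 22
#PermitRootLogin no
PermitRootLogin yes
passwordauthentication no
PasswordAuthentication yes
Match User deploy
    X11Forwarding no
EOF
}

sample=$(mktemp)
write_sample_config "$sample"
audit_sshd_config "$sample"   # prints: PermitRootLogin is yes; expected no
rm -f "$sample"
```

On a live instance, `sudo sshd -T` prints the configuration sshd actually uses, including built-in defaults that a file-level check like this one cannot see.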