Rules for labs and homework

  • Work on your own. Do not copy another student’s work.
  • If you feel overwhelmed, talk to your teachers - we are here for you after all.
  • English, Czech and Slovak are all fine.
  • Use common sense while doing the homework. In return, you can expect us to use common sense while grading it :-)
  • Stay vigilant and always keep an eye out for things which are suspicious or out of place. Feel free to violate any rules and disobey any instructions you consider incorrect, wrong or malicious. If you can justify it afterwards, you will not lose points for the exercise in question. (You may actually earn some extra points.)
  • If you manage to find a security flaw anywhere, exploit it as far as you can. You will be awarded extra points for that. However, you are warned not to engage in purposefully malicious, destructive and childish behavior, since others still need to be able to get their credit. Failure to comply with this request will have very dire consequences for everybody involved!
  • If you’re not certain how these rules apply in a particular case, it is your responsibility to ask.
  • Apart from that—have fun!

Tasks for this week

  • Make sure you can log in to linux.ms.mff.cuni.cz (LDAP credentials, ask for fingerprint)
  • There are four machines dedicated to this course:
    • IPs are 10.10.50.{7,9,10,11}
    • You can connect to these from linux.ms.mff.cuni.cz
    • Make sure you can ssh into all of them (LDAP credentials, ask for fingerprint)
  • Make sure you’re familiar with basic shell commands, built-ins and variables. A non-exhaustive list follows for convenience.
  • Read through the manpages to learn about the command itself and the options mentioned below.
  • Don’t read man pages top-to-bottom, that’s impossible. The goal is to know what commands there are, not to know every single option they have.
  • Learn to search the man page (/ if the pager used is less).
  • Most of these (with obvious exceptions, such as rm or reboot) are safe to just try—take advantage of that.
  • You probably use most of these already, or at least you know they exist:
    • man, man -k
    • read man man to learn about different sections of the manual and the $PAGER variable
    • PAGER=cat man ls
    • To reference a man page and section, you often use ls(1) in writing to refer to the man page of ls in section 1 of the manual (man 1 ls).
    • Multiple sections may contain the same page, cf man 1p mkdir and man 3p mkdir.
    • The double-dash (--) option terminator as implemented by many built-ins and commands
    • If you’re interested in a bit of history, check out Unix command line conventions over time (8 min reading)
    • The $POSIXLY_CORRECT environment variable
    • set, set -eux
    • env, export
    • command -v (POSIX) vs. which, which -a
      • What is the difference between a command, a built-in (command) and an alias?
    • $?
    • exit
    • whoami, id, /etc/passwd, /etc/group, /etc/shadow
    • Man pages exist for files and file formats too, see e.g. passwd(5)
    • cd, cd -
    • pwd, $PWD
    • passwd
    • chsh
    • sudo, sudo -E, sudo -u, sudo -i, sudo -s
    • hostname
    • uname -a vs. /etc/os-release
    • printf (POSIX) vs. echo [-n] (many different implementations)
    • read -r, $IFS
    • test
      • -eq, -gt, -ge, …
      • =, !=
      • -e, -f, -d
      • -s
      • -r, -w, -x
      • Understand test vs [ ... ] vs [[ ... ]]
    • ls, ls -la, ls -latr
    • touch
    • mkdir
    • rm, rm -r, rm -f, -rf, rmdir
    • cat, cat -n
    • less
    • tee
    • ln -s, ln -sf
    • readlink -f
    • realpath
    • find with the following predicates:
      • -!
      • \( ... \)
      • -type
      • -name
      • -path
      • -size
      • -executable
      • -exec ... \;
    • wc, wc -l, wc -c
    • head, tail
    • diff, diff -u
    • comm, comm -123
    • cut -f, cut -d
    • paste, paste -d, paste -s
    • bc
    • grep, grep -E, grep -F, grep -r, egrep and fgrep (deprecated)
    • sed, sed -e CMD -e CMD ...
    • awk
    • reboot, poweroff
    • xargs, xargs -I, xargs -n
    • sort, sort -n, sort -r
    • uniq, uniq -c
    • seq
    • base64, base64 -d
    • hexdump, hexdump -C
    • truncate
    • sha256sum, sha512sum
  • These may be new to you, but are nonetheless very useful:
    • ps, ps auxf
    • pgrep, pgrep -f, pgrep -a
    • kill, kill -SIGNAL
    • pkill, pkill -SIGNAL, pkill -f
    • htop, top, iotop
    • watch, watch -n
    • sleep
    • pause
    • time
    • date, date -d @TIMESTAMP, date -u
    • df
    • lsblk, blkid
    • du, du -h, du -s
    • free, free -h
    • /proc/meminfo
    • reset
  • Debugging:
    • strace, strace -f, strace -p
    • gdb, gdb --args
    • dmesg
    • lsmod, modprobe
    • objdump
  • Networking:
    • ip link (ip l), ip addr (ip a), ip route (ip r) etc.
    • Many of the following commands support -4 (force IPv4) and -6 (force IPv6), that will be useful.
    • ping
    • traceroute, mtr
    • ssh, ssh -p
    • nc, nc -l, socat
    • ss, netstat
    • iw
    • telnet
    • curl
    • drill, dig, nslookup
  • UNIX permissions will be of utter importance:
    • What is the meaning of rwx bits for files and directories respectively?
    • chmod with both symbolic and octal mode, chmod -R u+X .
    • chown, chown -R
  • Make sure you understand basic concepts of the Unix shell. You don’t need to understand the underlying mechanisms (although that cannot hurt), but you must be able to use them:
    • Writing shell scripts:
      • What is the shebang/hashbang?
      • What is the #!/usr/bin/env ... idiom used for?
      • Which permissions are required for a script to be successfully executed?
    • I/O redirection:
      • What is stdin, stdout and stderr?
      • What is a file descriptor and how is it related to stdin, stdout and stderr?
      • CMD <f
      • CMD >f, CMD 2>f, CMD 2>&1, >f CMD
      • CMD >>f
      • Order matters: CMD >/dev/null 2>&1 vs CMD 2>&1 >/dev/null
    • Pipes:
      • grep /sbin/nologin /etc/passwd | cut -d: -f1
      • What is the exit code of a pipeline?
      • set -o pipefail (Bash, Zsh)

Homework

Git repo setup

  • Create a private repository nswi106-$login hosted on GitHub or sourcehut
  • GitHub: allow @dcepelik R/W access
  • sourcehut: allow ~uxjayn91 R/W access
  • We will receive an invite from GitHub/sourcehut
  • Please commit your solutions of the following tasks into the repo and push them afterwards
  • The filename is given for each task (the path starting with $repo/)

$repo/hw/00/00-pubkey

  • Generate a new ed25519 ssh key (ed25519-sk if you’re Slovak)
  • ssh-keygen(1)
  • Do not use your existing SSH keys (if you have them); it’s good practice to keep separate keys for separate things
  • Push your public key
    • Only push your public key, your private key is yours and yours only. Keep your private key secret at all times! (2022-10-04)
  • Do protect the private key with a password!
  • (10 points)

$repo/hw/00/01-i-must-not-use-passwordless-keys

  • Describe a practical scenario where keeping your ssh key unprotected by a password would cause a big problem.
  • Use your favorite text editor.
  • The rest of the file must read I Must Not Use Passwordless Keys 1000 times, once per line
  • Use DOS line endings
  • Use the ISO/IEC 8859-2 encoding
  • (This task is partly a text editing exercise)
  • (10 points)

$repo/hw/00/02-ssh-agent

  • Use ssh-agent to hold your SSH keys unlocked, so that they can be used without password
  • ssh-agent(1), ssh-add(1)
  • Tell us what you did
  • (10 points)

$repo/hw/00/03-ssh-config

  • Configure ssh for single-command passwordless log-in to all 5 machines (linux.ms... + 10.10.50.{7,9,10,11})
  • “Passwordless” means:
    • You need not type password when logging in to the machine
    • Password is not used for ssh authentication, ssh keys are
    • No credentials other than your username are stored in .ssh/config!
  • ssh-copy-id(1)
  • ssh_config(5)
    • Host (there’s wildcard support)
    • ProxyJump
    • Do not copy your private key to the proxy host (linux.ms.mff.cuni.cz). Why would that be a bad idea in general? (No need to answer that, just think about it.)
  • Hint: ssh -v ... (or -vv or -vvv) is very useful for debugging
  • 5 bonus points for making the config tidy and clean (hint: use wildcards)
  • (10+5 points)

$repo/hw/00/04-forward-agent

  • In your own words, why should you be careful with the ForwardAgent SSH option? Check the appropriate man page. It’s OK to google the answer provided you understand it.
  • (10 points)

$repo/hw/00/05-os

  • Which operating system (and potentially which distro) are you using?
  • What advantages and disadvantages do you think it brings?
  • (10 points)

$repo/hw/00/06-feedback

  • Please provide meaningful feedback for the past week of the course.
  • For example, you could tell us what you liked or disliked, what was the most difficult topic, what was the most useful topic, state any concerns, etc.
  • The feedback is private and will not be shared.
  • Saying that “everything was OK” is valid and will be accepted for full points, but please be honest - we are open to any feedback as long as it’s constructive.
  • (10 points)

(Bonus) $repo/hw/00/07-automate.sh

  • Write a shell script which automates the boring tasks above
  • Support common options:
    • Print usage when -h
    • Increase verbosity when -v
  • The script takes the following inputs:
    • $login
    • $ssh_key_filename
    • $ssh_config_include, defaults to ~/.ssh/config.mff
    • Use options (getopts), positional arguments or environment variables (since you need to support -h and -v, which of these input methods is the most economical one?)
  • Generates new password-protected ed25519 ssh key pair into $ssh_key_filename{,.pub}
    • Does not overwrite existing key material (public nor private key part)
    • ssh-keygen will prompt the user for the password to be used with the new ssh key
  • Unlocks the new key (may prompt for the key password again)
  • Copies the key to all the machines
    • ssh will prompt for the LDAP password once per machine
    • Log in as $login
  • Outputs the relevant part of .ssh/config into $ssh_config_include
  • Please note that you cannot just overwrite .ssh/config, it is not usually empty. It’s way too dificult to merge the existing config with the generated bits. Hint: see Include in ssh_config(5). Can you use it to vastly simplify the problem?
  • Make sure that the script behaves correctly regardless of whether this is the first time it’s run, or whether it’s run several times in a row, even if the previous run has failed. This is the harder part.
    • When the script is run for the first time, it will prompt you for the fingerprint. On successive runs, it won’t. This is ok, you don’t have to remove the fingerprint from known_hosts to make the script behave exactly the same each time. The important part is that the script always produces a secure setup which works.
  • Evaluation criteria:
    • Correctness
    • Simplicity
    • Shellcheck (shellcheck -axo add-default-case,avoid-nullary-conditions,check-unassigned-uppercase,quote-safe-variables) reports no errors
    • Produces helpful errors (missing arguments, any key part exists, etc.)
    • Written in POSIX sh (#!/bin/sh + Shellcheck still does not complain)
  • (0+30 points)

(Total = 70+35 points)

Deadlines (strict):

  • 2022-10-06 9:00 Prague time (Thursday labs)
  • 2022-10-10 9:00 Prague time (both Monday and Thursday labs)

Don’t forget to git push all your changes!

Additional resources to get you started

  • If you enjoy Linux, it’s a good idea to stay tuned to the latest buzz. Consider reading Hacker News and LWN regularly. HN Trending is also interesting.
  • If you use Google, note that Google US is guaranteed to consistently give much better search results than regional (CZ/SK) Google search (except when you actually need to search something regional, obviously). Even if you use google.com, you’re still being served local results. There are various ways to use Google US. Give it a try!
    • For the privacy minded, DuckDuckGo may be a viable alternative.
  • Czech is a beautiful language, treat it as such—use it for love letters and poetry. For professional work involving computers, English is the language of choice. Read it, write it and speak it whenever you have the chance.
    • Certainly do not install Czech localization. It turns half the error messages into incomprehensible garbage (recent Fedora: “passphrase” is “heslová fráze”).
  • Learn to type with all your fingers, without looking at the keyboard. Unless you do already, force yourself to learn it. You’ll thank us later.
  • Don’t use standard Czech keyboard layout (QWERTZ, “Czech QWERTY”, “Czech programming” and other abominations) for programming, they suck. We recommend that you use the US layout (QWERTY) + UCW variant of the CZ layout.
    • setxkbmap -layout us,cz -variant ,ucw -option grp:switch
    • Press Right Alt + z, you’ll figure out the rest from here

  • Fingerprints of ssh keys used by 10.10.50.{7,9,10,11}:
    $ ssh-keyscan localhost | ssh-keygen -lf -
    2048 SHA256:k1yil5TWLoU2w0U0UfI+4bYI03dCCsXnlFc0nW6Xj6s localhost (RSA)
    256 SHA256:jDz2EkplKp5gf50eMnQymYSHhIUdG064kHEpDmDDDf0 localhost (ECDSA)
    256 SHA256:64AIXFdmiBcBHZ9mPeCWhI3Q09WBPuoJ5W+AsOqniqI localhost (ED25519)
    
  • Fingerprints of ssh keys used by linux.ms.mff.cuni.cz:
    $ ssh-keyscan localhost | ssh-keygen -lf -
    3072 SHA256:Z11Qbd6nN6mVmCSY57Y6WmxIJzqEFHFm47ZGiH4QQ9Y localhost (RSA)
    256 SHA256:ltoc1TjoYhCZk6b8qSTAL6wFsRv7blw6u3h6NqCcYvI localhost (ECDSA)
    256 SHA256:/CVwDW388z6Z5VlhLJT0JX+o1UzakyQ+S01+34BI0BA localhost (ED25519)