Create a pem file for SSH access on Linux

It is always good practice to lock down password-based logins and use keys for SSH instead. We can use pem files to log in to a remote server from a local machine. In fact, if you use AWS, the only way to SSH into a server is with a pem file.

This procedure works for any server, whether cloud-based or sitting on your LAN.

1. On the local machine from which you need access. I prefer to keep the key in the user's home directory.

# cd $HOME

# ssh-keygen -t rsa -b 2048

Generating public/private rsa key pair.
Enter file in which to save the key (/Users/shadab/.ssh/id_rsa): wha
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in wha.
Your public key has been saved in wha.pub.
The key fingerprint is:
SHA256:*******************************
The key's randomart image is:
+---[RSA 2048]----+
| |
| . |
|= o |
|oB . . |
| o+ .o S |
|.+.o= .. |
|+ o*.Xo.+ |
|o =o&.BO o |
| + E+X++=.. |
+----[SHA256]-----+

The file name I chose is "wha". This will create 3 files: "wha", "wha.pem" and "wha.pub".

wha.pem is empty for now
wha: your private key
wha.pub: your public key

2. Keep the private key (wha) as it is and create a pem file from it

# openssl rsa -in wha -outform pem > wha.pem

writing RSA key

The pem file is now created. The next step is to copy the public key to the remote server.

Note: if the openssl rsa utility is not available on your local machine, a simple copy also produces the pem file, because the private key written by ssh-keygen is already PEM-encoded (on OpenSSH 7.8 and later, pass -m PEM to ssh-keygen to get that format instead of the newer OpenSSH key format, which openssl cannot read).

# cp -p wha wha.pem

3. Copy the public key to the remote server that you need to access

# ssh-copy-id -i wha.pub root@1.0.0.1

/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "wha.pub"
The authenticity of host '1.0.0.1 (1.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:*************************.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@1.0.0.1's password:

Number of key(s) added: 1

Now try logging into the machine, with: "ssh 'root@1.0.0.1'"
and check to make sure that only the key(s) you wanted were added.

4. Restrict the permissions on the pem file on your local machine (ssh refuses to use a private key that other users can read)

# chmod 400 wha.pem

5. Log in to the remote server with the pem file to check that it works

# ssh -i /Users/shadab/wha.pem root@1.0.0.1

6. Disable password-based SSH access to the server

On the remote server, as root (only after step 5 has succeeded, or you can lock yourself out):

# vim /etc/ssh/sshd_config

Change the parameter PasswordAuthentication yes to PasswordAuthentication no

Restart SSH Daemon

# systemctl restart sshd

or

# service sshd restart

P.S.: If you need to do the same for another user on the remote server, you just have to copy the public key to that user's account on the remote server:

ssh-copy-id -i wha.pub oracle@1.0.0.1

ssh -i /Users/shadab/wha.pem oracle@1.0.0.1
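The sshd_config edit in step 6 is easy to get wrong: a later duplicate line is silently ignored, and a Match block can re-enable password logins for a single user. The script below, added here as an example and not part of the original post, checks a config file the way sshd reads it; the two sample configs at the bottom are constructed for the demonstration.

```shell
# Added example, not part of the original post: verify that step 6 really took
# effect by reading sshd_config the way sshd does. Keywords are case-insensitive,
# '#' starts a comment, the FIRST occurrence of a keyword wins, and a keyword
# inside a Match block applies only to the connections that block matches.

# Print "global <value>" for a keyword (the default when it is never set) plus one
# "match <criteria> <value>" line for every Match block that also sets it.
sshd_directive() {
    # $1 = path to sshd_config, $2 = keyword, $3 = sshd's default for it
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        { sub(/#.*/, ""); sub(/=/, " ") }       # drop comments, allow Key=value
        NF < 1 { next }
        tolower($1) == "match" { crit = $0; sub(/^[ \t]*[^ \t]+[ \t]+/, "", crit); next }
        crit != "" { if (tolower($1) == key) print "match", crit, tolower($2); next }
        tolower($1) == key && !seen { val = tolower($2); seen = 1 }
        END { print "global", (seen ? val : def) }
    ' "$1"
}

# Succeed only when password logins are off for every connection: the global
# value must be "no" and no Match block may switch it back on.
password_auth_disabled() {
    sshd_directive "$1" PasswordAuthentication yes |
        awk '$1 == "global" && $2 != "no" { bad = 1 }
             $1 == "match"  && $NF != "no" { bad = 1 }
             END { exit bad + 0 }'
}

# Constructed sample configs (not copied from any real server).
GOOD_CFG=$(mktemp); BAD_CFG=$(mktemp)
trap 'rm -f "$GOOD_CFG" "$BAD_CFG"' EXIT
cat > "$GOOD_CFG" <<'EOF'
#PasswordAuthentication yes        <- commented out, ignored by sshd
PasswordAuthentication no
PasswordAuthentication yes         # duplicate: sshd keeps the first one
EOF
cat > "$BAD_CFG" <<'EOF'
passwordauthentication = no
Match User oracle
    PasswordAuthentication yes
EOF

for cfg in "$GOOD_CFG" "$BAD_CFG"; do
    if password_auth_disabled "$cfg"; then
        echo "$cfg: password logins disabled for every connection"
    else
        echo "$cfg: password logins still possible"; sshd_directive "$cfg" PasswordAuthentication yes
    fi
done
```

Point it at a real file with password_auth_disabled /etc/ssh/sshd_config once the daemon has been restarted.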

Execute Windows Commands from Linux using winexe. Connect from Linux to Windows without SSH

Winexe is a Linux program that uses RPC to run commands on remote Windows hosts, and it may even be in your distribution's packages. It depends on Samba for the RPC calls.

Edit: even if your distro does not ship it precompiled and you do not want to compile it yourself, check out the Build Service, which is likely to have a binary for your system.

First install samba-common on your Linux machine before starting with winexe.

Use the article below to check the winexe installation:

https://www.kickass.se/?p=189

Winexe is a GNU/Linux-based application that allows users to execute commands remotely on Windows NT/2000/XP/2003/Vista/7/8 systems. It installs a service on the remote system, executes the command and uninstalls the service. Winexe allows execution of most Windows shell commands.

How to install:
You can download the source package from here [Current version is winexe-1.00.tar.gz]

  1. tar -xvf winexe-1.00.tar.gz
  2. cd winexe-1.00/source4/
  3. ./autogen.sh
  4. ./configure
  5. make basics bin/winexe
  6. make "CPP=gcc -E -ffreestanding" basics bin/winexe (for x64)

This will create a winexe binary in the bin folder. You can use that binary to execute Windows commands from Linux.

Alternatively, compiled binaries are available for download; you can download and use one from here.

The version of winexe above works only up to Windows Server 2012. Windows Server 2012 R2 requires the method below to make winexe work with the latest versions of Windows: it fetches the samba and winexe code from their git repositories, which we then have to build.

Alternate Method (Best Method to Work with Latest Version of Windows 10 and Windows Server 2012R2)

http://rand0m.org/2015/08/05/winexe-1-1-centos-6-and-windows-2012-r2/

1. Install Samba on Linux

yum install samba-common

2. Fix up a bunch of Samba dependencies

yum install gcc perl mingw-binutils-generic mingw-filesystem-base mingw32-binutils mingw32-cpp mingw32-crt mingw32-filesystem mingw32-gcc mingw32-headers mingw64-binutils mingw64-cpp mingw64-crt mingw64-filesystem mingw64-gcc mingw64-headers libcom_err-devel popt-devel zlib-devel zlib-static glibc-devel glibc-static python-devel

yum install git gnutls-devel libacl1-dev libacl-devel libldap2-dev openldap-devel

3. As per the docs, remove libbsd-devel if installed

yum remove libbsd-devel

4. Clone the git repos (samba is huge, about 280MB)

cd /usr/src

git clone git://git.code.sf.net/p/winexe/winexe-waf winexe-winexe-waf

git clone git://git.samba.org/samba.git samba

5. Per winexe bug 64, samba needs to be reverted to commit a6bda1f2bc85779feb9680bc74821da5ccd401c5

cd /usr/src/samba

git reset --hard a6bda1f2bc85779feb9680bc74821da5ccd401c5

6. Fix up the build deps

cd /usr/src/winexe-winexe-waf/source

vi wscript_build

# modify 'wscript_build', and at the very end ... stlib='smb_static bsd z resolv rt' lib='dl gnutls'

7. Build it! This does a huge configure and then also compiles samba, which takes a while.

./waf --samba-dir=../../samba configure build

8. The executable should be /usr/src/winexe-winexe-waf/source/build/winexe-static. Test it (the password is taken from the ADMIN_PW environment variable; the shell reserves PWD for the current working directory, so do not use that name for it):

cd /usr/src/winexe-winexe-waf/source/build/

cat </dev/null | ./winexe-static -U "domain\admin%$ADMIN_PW" //iihoserver01 "ipconfig -all"

cat </dev/null | ./winexe-static -U "domain\admin%$ADMIN_PW" //iihoserver01 "ipconfig -all" -d99

Sample on how to use it to check a Windows service from Linux (the password is taken from the ADMIN_PW environment variable; do not name that variable PWD, which the shell reserves for the current working directory):

export CHECK_COMMAND='sc query "Notification Service"'

export STOP_COMMAND='sc stop "Notification Service"'

export START_COMMAND='sc start "Notification Service"'

## Check Service Status ##

cat </dev/null | ./winexe-static -U "domain\admin%$ADMIN_PW" //iihoserver01 --interactive=0 "$CHECK_COMMAND"

## Check with Debug ##

cat </dev/null | ./winexe-static -U "domain\admin%$ADMIN_PW" //iihoserver01 --interactive=0 "$CHECK_COMMAND" -d99

## Run a PowerShell script or command on Windows like below ##

winexe -U "administrator%$ADMIN_PW" //$IP "powershell -Command & {(c:\User\administrator\powershell.ps1)}"

## Stop and Start Service ##

export CHECK_COMMAND='sc query "Browser"'

export STOP_COMMAND='sc stop "Browser"'

export START_COMMAND='sc start "Browser"'

cat </dev/null | ./winexe-static -U "domain\admin%$ADMIN_PW" //iihoserver01 --interactive=0 "$CHECK_COMMAND"

cat </dev/null | ./winexe-static -U "domain\admin%$ADMIN_PW" //iihoserver01 --interactive=0 "$STOP_COMMAND"

cat </dev/null | ./winexe-static -U "domain\admin%$ADMIN_PW" //iihoserver01 --interactive=0 "$START_COMMAND"
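As an added example (not from the original post), the service check above can be turned into a monitoring-style check with a proper exit status, and the start command can be made conditional on the service actually being stopped. It wraps the post's winexe command line, assumes the password sits in an environment variable named ADMIN_PW, relies on the usual "STATE : 4 RUNNING" layout of sc query output, and the sample outputs at the bottom are constructed, not captured from iihoserver01.

```shell
# Added example, not from the original post: turn the "check service" call into a
# real exit status. sc_state parses "sc query" output; check_windows_service wraps
# the post's winexe command line. ADMIN_PW is an assumed environment variable
# holding the password (the post's $PWD is the shell's working directory).
WINEXE="./winexe-static -U domain\\admin%$ADMIN_PW --interactive=0"

# Read "sc query <name>" output on stdin and print the state word (RUNNING,
# STOPPED, START_PENDING, ...). Output relayed from Windows arrives with CRLF
# line endings, so \r is removed first. Prints UNKNOWN if sc reported an error
# (e.g. FAILED 1060, service does not exist) or no STATE line was found.
sc_state() {
    tr -d '\r' | awk '
        /FAILED/                   { failed = 1 }
        $1 == "STATE" && $2 == ":" { state = $4 }
        END { if (failed || state == "") print "UNKNOWN"; else print state }'
}

# Nagios-style exit code for a state word: 0 OK, 2 CRITICAL, 3 UNKNOWN.
state_exit_code() {
    case "$1" in
        RUNNING) return 0 ;;
        UNKNOWN) return 3 ;;
        *)       return 2 ;;
    esac
}

# Query service $2 on host $1 over winexe, print a one-line verdict and return
# the matching exit code, suitable for a monitoring plugin.
check_windows_service() {
    state=$($WINEXE "//$1" "sc query \"$2\"" < /dev/null | sc_state)
    echo "$2 on $1: $state"
    state_exit_code "$state"
}

# Start the service only if the query says it is stopped, rather than issuing
# "sc start" blindly as the post's START_COMMAND does.
start_if_stopped() {
    state=$($WINEXE "//$1" "sc query \"$2\"" < /dev/null | sc_state)
    case "$state" in
        STOPPED) $WINEXE "//$1" "sc start \"$2\"" < /dev/null ;;
        *)       echo "$2 on $1 is $state, not starting" ;;
    esac
}

# Constructed sample outputs (not captured from a real host) to try sc_state on.
SAMPLE_RUNNING=$(printf 'SERVICE_NAME: Browser\r\n        STATE              : 4  RUNNING\r\n')
SAMPLE_STOPPED=$(printf 'SERVICE_NAME: Browser\r\n        STATE              : 1  STOPPED\r\n')
SAMPLE_MISSING=$(printf '[SC] EnumQueryServicesStatus:OpenService FAILED 1060:\r\n')
```

Try it offline with printf '%s\n' "$SAMPLE_STOPPED" | sc_state, or for real with check_windows_service iihoserver01 Browser.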

Configure Passwordless SSH on Multiple Servers and Execute Commands on Multiple Servers in Linux

1. On Server 1 (192.168.1.67)

ssh-keygen -t rsa

cd .ssh/

scp -r id_rsa.pub root@192.168.1.68:/root/.ssh/authorized_keys

2. On Server 2 (192.168.1.68)

ssh-keygen -t rsa

cd .ssh

cat id_rsa.pub >> authorized_keys

3. Send Server 2 authorized key to Server 1 (192.168.1.67)

scp -r authorized_keys root@192.168.1.67:/root/.ssh

4. Test from server 1

ssh root@192.168.1.68

Test from Server 2

ssh root@192.168.1.67

5. On Server 3 (192.168.1.69)

ssh-keygen -t rsa

cd .ssh

cat id_rsa.pub >> authorized_keys
6. On Server 4 (192.168.1.70)

ssh-keygen -t rsa

cd .ssh

cat id_rsa.pub >> authorized_keys

7. On Server 5 (192.168.1.71)

ssh-keygen -t rsa

cd .ssh

cat id_rsa.pub >> authorized_keys

8. On Server 6 (192.168.1.72)

ssh-keygen -t rsa

cd .ssh

cat id_rsa.pub >> authorized_keys

9. Now on Server 1 (192.168.1.67)

create a file called hosts.txt in the /root directory and save the IPs of the hosts below in it:

192.168.1.68
192.168.1.69
192.168.1.70
192.168.1.71
192.168.1.72

To execute a remote command on all the hosts from Server 1, run the commands below:

--- Run Single Command ---

for host in $(cat hosts.txt); do ssh "$host" "date" > "output.$host"; done

--- Run Multiple Commands ---

# Double-ampersands execute the next command only if the preceding command exits with a status of zero. In the example below, date and df -h run only if uname -a succeeded.

for host in $(cat hosts.txt); do ssh "$host" "uname -a && date && df -h" > "output.$host"; done

# Semicolons execute all commands regardless of exit status. In the example below, all three commands are run.

for host in $(cat hosts.txt); do ssh "$host" "uname -a ; date ; df -h" > "output.$host"; done

# In short: use double-ampersands if the commands depend on each other, semicolons if they don't.
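A hardened version of the loop above, added here as an example and not part of the original post: it validates the host list (a typo such as 1192.168.1.69 would otherwise be tried and fail), keeps ssh non-interactive so a host without the key cannot stall the loop at a password prompt, and counts failures. SSH_CMD is an assumed hook used to exercise the loop without real hosts, not a real ssh option.

```shell
# Added example, not from the original post: a hardened version of the
# "for host in $(cat hosts.txt)" loop. It skips blank and commented lines, refuses
# malformed addresses (the typo 1192.168.1.69 would otherwise be tried), never
# lets ssh stop on a password prompt, and counts the hosts that failed. SSH_CMD
# is an assumed hook so the loop can be exercised without real hosts; the default
# is a non-interactive ssh with a connection timeout.
: "${SSH_CMD:=ssh -n -o BatchMode=yes -o ConnectTimeout=5}"

# Return 0 if $1 is a dotted-quad IPv4 address, 1 otherwise.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Run command $2 on every host listed in file $1, writing each host's output to
# $3/output.<host> (default: current directory). Prints one line per host and
# returns the number of hosts that were skipped or failed.
run_on_hosts() {
    hosts=$1; cmd=$2; outdir=${3:-.}; failed=0
    # Read the list on fd 3 so a remote command can never consume the host list
    # through ssh's stdin (-n in SSH_CMD guards the same thing from the other side).
    while IFS= read -r host <&3; do
        case "$host" in ''|'#'*) continue ;; esac
        if ! valid_ipv4 "$host"; then
            echo "$host: skipped, not a valid IPv4 address"
            failed=$((failed + 1)); continue
        fi
        rc=0
        $SSH_CMD "$host" "$cmd" > "$outdir/output.$host" 2>&1 || rc=$?
        if [ "$rc" -eq 0 ]; then
            echo "$host: ok"
        else
            echo "$host: FAILED with exit status $rc"
            failed=$((failed + 1))
        fi
    done 3< "$hosts"
    return "$failed"
}

# Usage: sh run_on_hosts.sh hosts.txt "uname -a && date && df -h" [outdir]
if [ "$#" -ge 2 ]; then
    run_on_hosts "$@"
fi
```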