Difference between revisions of "SSH"

From CSE330 Wiki
Jump to navigationJump to search
(Creating from content formerly in Web Server Configuration and Workflow and Amazon Web Services)
 
 
(43 intermediate revisions by 4 users not shown)
Line 1: Line 1:
 +
Secure SHell, or '''SSH''', is the leading interface for connecting as an administrator from your local computer to something on the cloud.  You will be using exclusively SSH to execute commands and upload files to your cloud instance.  If you use a Git hosting service like BitBucket or Github, you will need SSH in order to save your changes there as well.
  
== SSH Configuration ==
+
SSH access requires that the ''sshd'' daemon is running on the remote machineBy default, SSH is preinstalled on your EC2 instance.  If you are not using an EC2 instance, simply install '''ssh''' from yum or apt on the remote machine.
 
 
Secure SHell, or '''SSH''', is the leading interface for connecting from your local computer to something on the cloudYou will be using exclusively SSH to execute commands and upload files to your cloud instance.  If you use a Git hosting service like BitBucket or Github, you will need SSH in order to save your changes there as well.
 
 
 
This section discusses how to set up your computer and your instance for SSH.  You need to do this only once.
 
  
=== SSH Keys ===
+
== SSH Keys ==
  
 
SSH can work using password-based authentication, but it is more common nowadays, and also more secure, to use ''public and private keys'', also known as a ''key pair''.
 
SSH can work using password-based authentication, but it is more common nowadays, and also more secure, to use ''public and private keys'', also known as a ''key pair''.
Line 13: Line 10:
  
 
You can think of the ''private key'' as the "key" and the ''public key'' as the "lock".
 
You can think of the ''private key'' as the "key" and the ''public key'' as the "lock".
 +
 +
== SSH Configuration ==
 +
 +
This section discusses how to set up your computer and your remote instance for SSH.  You need to do this only once.
 +
 +
{{RequiredInstructions|content=
  
 
=== Creating an SSH Key Pair ===
 
=== Creating an SSH Key Pair ===
Line 18: Line 21:
 
You should create your own SSH Key Pair.  You will keep the private key on your own computer, and you will upload the public key to all places to which you need to connect.
 
You should create your own SSH Key Pair.  You will keep the private key on your own computer, and you will upload the public key to all places to which you need to connect.
  
To generate a key pair, open Terminal or Cygwin and run the following command:
+
To generate a key pair, open a terminal ([[Workflow#Installing_a_Terminal_Emulator|on Windows, you'll need to have enabled WSL or installed Cygwin]] and run the following command:
  
<source lang="bash">$ ssh-keygen</source>
+
<source lang="bash"># Run on Local Machine in Terminal or Cygwin
 +
$ ssh-keygen</source>
  
Keep the default location. For the purposes of this course, you do not need to enter a passphrase, although you would probably want one in real life.
+
'''Important:''' Don't name the file unless you are using a CEC machine. If you are using a CEC machine, name the file ''/cygdrive/h/.ssh/id_rsa''
 +
 
 +
For the purposes of this course, you do not need to enter a passphrase, although you would probably want one in real life.
  
 
Your keys should have been created in ~/.ssh.  Check to make sure they exist using the ''ls'' command:
 
Your keys should have been created in ~/.ssh.  Check to make sure they exist using the ''ls'' command:
Line 31: Line 37:
 
</source>
 
</source>
  
''id_rsa'' is your private key, and ''id_rsa.pub'' is your public key.  Let's look at the public signature of your key pair:
+
''id_rsa'' is your private key, and ''id_rsa.pub'' is the corresponding public key.  Let's look at the public signature of your key pair:
  
 
<source lang="bash">
 
<source lang="bash">
 
$ cat ~/.ssh/id_rsa.pub
 
$ cat ~/.ssh/id_rsa.pub
ssh-rsa SomeLongGibberishStringOfCharacters
+
ssh-rsa AAAA3Bblahblahblahblah yourname@somedomain
 
</source>
 
</source>
  
We will need this later.
+
We will need this later. Let's now add our key to the ''ssh-agent''.
 +
 
 +
==== SSH Agent: OS X ====
 +
 
 +
Run the following command to add your key to the SSH agent in Mac OS X.
 +
 
 +
<source lang="bash"># Non-Cygwin
 +
$ ssh-add</source>
  
''' Cygwin Only:''' In order to make the SSH agent run when you start Cygwin, you need to add a couple of lines to your .bashrc file:
+
==== SSH Agent: WSL or Cygwin ====
 +
 
 +
In order to make the SSH agent run when you start your terminal, you need to run a couple more commands (these will add a line to your .bashrc file, which runs automatically on startup):
 +
 
 +
<source lang="bash">
 +
# Cygwin only
 +
$ echo "eval \`ssh-agent -s\`; ssh-add" >> ~/.bashrc
 +
$ source ~/.bashrc # reload the Bash shell
 +
</source>
 +
 
 +
If you get this scary-looking error after you run the second command…
 +
 
 +
<source lang="text">
 +
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
 +
@        WARNING: UNPROTECTED PRIVATE KEY FILE!          @
 +
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
 +
</source>
 +
 
 +
…then you need to do the following to fix the permissions:
 +
 
 +
<source lang="bash">
 +
$ chgrp Users </path/to/id_rsa>
 +
$ chmod 600 </path/to/id_rsa>
 +
</source>
  
<source lang="bash">$ echo "eval `ssh-agent -s`; ssh-add" >> ~/.bashrc # Cygwin only
 
$ source ~/.bashrc # reload the Bash shell</source>
 
  
=== Connecting to Your Cloud Instance ===
+
=== Amazon EC2 SSH Configuration ===
  
When you first created your EC2 instance, you downloaded a *.pem file.  This is the ''private key'' for the default user ('''ubuntu''' on Ubuntu or '''ec2-user''' on AMI).  We need use this key to connect to your instance using the default user, at which point we will create a new custom user.  We will give that new user the public key that you created in the previous step.  You will then be able to log into your custom user using your personal key pair, so you won't need the default user again (although you should keep the *.pem file around just in case).
+
When you first created your EC2 instance, you downloaded a *.pem file.  This is the ''private key'' for the default user ('''ec2-user''' on AMI).  We need use this key to connect to your instance using the default user, at which point we will create a new custom user.  We will give that new user the public key that you created in the previous step.  You will then be able to log into your custom user using your personal key pair, so you won't need the default user again (although you should keep the *.pem file around just in case).
  
 
==== Logging In as the Default User ====
 
==== Logging In as the Default User ====
  
To connect to the default user on your Amazon EC2 instance, run this command in Terminal or Cygwin:
+
To connect to the default user on your Amazon EC2 instance, run this command in your terminal:
  
 
<source lang="bash">
 
<source lang="bash">
$ ssh -i /path/to/default-privatekey.pem ubuntu@ec2-xx-xx-xx-xx.compute-1.amazonaws.com # or ec2-user@... for AMI
+
# Run on Local Machine
 +
$ ssh -i </path/to/default-privatekey.pem> ec2-user@<ec2-xx-xx-xx-xx.compute-1.amazonaws.com>
 
</source>
 
</source>
 +
 +
'''Important:''' As soon as you are able to successfully log in, commands you type into your prompt will be executed on the remote instance, ''not'' your local machine.
  
 
If you get this scary-looking warning:
 
If you get this scary-looking warning:
Line 68: Line 105:
  
 
<source lang="bash">
 
<source lang="bash">
$ chmod 600 /path/to/default-privatekey.pem
+
# Run on Local Machine
 +
 
 +
# Cygwin Only:
 +
 
 +
$ chgrp Users </path/to/default-privatekey.pem>
 +
 
 +
# For Everyone:
 +
$ chmod 600 </path/to/default-privatekey.pem>
 
</source>
 
</source>
  
 
'''Food for Thought:''' Why you wouldn't want other people viewing your private key file?
 
'''Food for Thought:''' Why you wouldn't want other people viewing your private key file?
 
You should now be able to SSH into your instance.
 
  
 
==== Creating a New User with SSH Permissions ====
 
==== Creating a New User with SSH Permissions ====
  
First, you need to create your new user with sudo permissions.  Again, the instructions for this are in the Linux guide, but to keep everything in one place, the commands are:
+
First, you need to create your new user with sudo and SSH permissions.  Again, the instructions for this are in the Linux guide, but to keep everything in one place, the commands are:
  
 
<source lang="bash">
 
<source lang="bash">
 
# Run these on your instance, not on your local machine!
 
# Run these on your instance, not on your local machine!
$ sudo useradd -r -m -c "My Full Name" <username here> # don't forget to customize `My Full Name` and `<username here>`
+
 
$ sudo passwd <username here>
+
# Don't forget to customize `<My Full Name>` and `<usernameHere>`:
$ sudo chsh -s /bin/bash <username here> # Ubuntu only
+
$ sudo useradd -r -m -c "<My Full Name>" <usernameHere>
$ sudo visudo # you need to add your username to the sudoers list.  In my demo installation, this was near line 19.
+
$ sudo passwd <usernameHere>
 +
 
 +
# You need to add your username to the sudoers list.  Refer to the Linux guide for details.
 +
# Look around line 101.
 +
$ sudo visudo
 +
 
 +
# Restart the SSH server:
 +
$ sudo service sshd restart
 
</source>
 
</source>
  
Line 92: Line 141:
  
 
<source lang="bash">
 
<source lang="bash">
$ sudo su <username here> # switch to our own user to ensure that permissions are set correctly
+
# Switch to our own user to ensure that permissions are set correctly:
$ cd  # change the working directory to our user's home directory
+
$ su <username here>
$ mkdir .ssh  # make the nonexistent SSH configuration directory
+
 
$ nano .ssh/authorized_keys # create and edit the `authorized_keys` file
+
# Change the working directory to our user's home directory:
 +
$ cd
 +
 
 +
# Make the nonexistent SSH configuration directory and set its permissions:
 +
$ mkdir .ssh
 +
$ chmod 700 .ssh
 +
 
 +
# Create the `authorized_keys` file and set the permissions
 +
$ touch .ssh/authorized_keys
 +
$ chmod 600 .ssh/authorized_keys
 +
 
 +
# Edit the `authorized_keys` file
 +
$ nano .ssh/authorized_keys
 
</source>
 
</source>
  
Inside of the `authorized_keys` file, paste in your public key.  (Hint: your public key is the output of running <code>$ cat ~/.ssh/id_rsa.pub</code> on your local machine, which you did earlier.  It starts with "ssh-rsa".) When finished, save and close the file. '''Food for Thought:''' How would you enable your remote user to authenticate over SSH using the same default key instead of the one you created using ''ssh-keygen''?
+
For more detail on editing files on the command line, see [[Linux#File Editors|the Linux guide]].
 +
 
 +
Inside of the `authorized_keys` file, paste in your public key.  Your public key is the content of `~/.ssh/id_rsa.pub` '''on your local machine''' (it starts with "ssh-rsa")There are a few ways to get it onto your clipboard:
 +
 
 +
# '''OS X Only:''' Open a new Terminal and run: <source lang="bash">cat ~/.ssh/id_rsa.pub | pbcopy</source> This immediately copies the contents of your public key to your clipboard.
 +
# '''Windows Only:''' Navigate to id_rsa.pub manually, open it in your favorite text editor (like Notepad++), select all, and copy.  The location of id_rsa.pub might be: ''C:\cygwin\home\username\.ssh\id_rsa.pub''
 +
# '''&#42;NIX Only:''' Open a new Terminal and copy the output of the following command: <source lang="bash">cat ~/.ssh/id_rsa.pub</source> Note that this won't work as advertised in Cygwin because Cygwin adds extra line breaks when you try to copy out of it.
 +
 
 +
When finished, save and close `authorized_keys`.
  
That should be all that we need to do!
+
'''Food for Thought:''' How would you enable your remote user to authenticate over SSH using the same default key instead of the one you created using ''ssh-keygen''?
  
 
==== Logging In as your New User ====
 
==== Logging In as your New User ====
  
Let's test whether we can log into our instance using our own username and our own key pair. Open up a new Terminal or Cygwin and run:
+
Let's test whether we can log into our instance using our own username and our own key pair. Open up a new Terminal or Cygwin window '''on your local machine''' (not from ec2) and run:
  
 
<source lang="bash">
 
<source lang="bash">
$ ssh <username here>@ec2-xx-xx-xx-xx.compute-1.amazonaws.com
+
$ ssh <username here>@<ec2-xx-xx-xx-xx.amazonaws.com>
 
</source>
 
</source>
  
 
This is how you will be SSHing into your instances for the remainder of the semester.
 
This is how you will be SSHing into your instances for the remainder of the semester.
  
== Using SSH and SFTP ==
+
}}
  
Once you have completed the [[#SSH Configuration]] section above, all you need to do in order to SSH into your instance is to open a terminal and run:
+
=== Troubleshooting ===
  
<source lang="bash">
+
Almost everyone receives the following error at some point in their career: <code>Permission denied (publickey)</code>.
$ ssh <username here>@ec2-xx-xx-xx-xx.compute-1.amazonaws.com
 
</source>
 
  
However, once your configuration is complete, this is not the ''only'' way to log into your instance.  For example, your SSH server also supports '''SFTP''', which is a file transfer protocol that enables you to upload files directly to your instance.  This section documents some of these alternative methods of connecting via SSH.
+
Here are some possible causes for the error.
  
=== PuTTY ===
+
==== The Authorized Keys File ====
  
If you have Cygwin available, you should use it to SSH into your instance.  However, if you are using a different computer, you might not have Cygwin at your fingertips.  In this case, a lighter-weight SSH client called '''PuTTY''' is available for Windows.  You can download PuTTY from: http://www.chiark.greenend.org.uk/~sgtatham/putty/
+
Make sure that your remote ''authorized_keys'' file contains ''exactly'' your public signature from ''id_rsa.pub''.
  
Amazon provides http://docs.amazonwebservices.com/AWSEC2/latest/GettingStartedGuide/ConnectToInstanceLinux.html#connect-from-windows-machine a great tutorial on how to connect to a virtual machine from Windows].
+
===== Pasting into Vi =====
  
PuTTY is fairly simple and straight forward with one caveat: Amazon's ''*.pem'' files are SSH private key files, and they need to be converted to PuTTY's own '''.ppk''' format.  To do this, use the ''puttygen.exe'' utility available from the same page as PuTTY.  Select "Import" under the conversions menu, load the amazon ''*.pem'' key file, and press the "Save Private Key" button.
+
If you used vi to edit your file and you forgot to enter "insert" mode before pasting in your key, it is possible that you lost the first "s" in "ssh-rsa".
  
Copy and paste works similarly to the X Window System in Unix. You use the left mouse button to select text in the PuTTY window. The act of selection automatically copies the text to the clipboard: there is no need to press Ctrl-Ins or Ctrl-C or anything else. In fact, pressing Ctrl-C will send a Ctrl-C character to the other end of your connection (just like it does the rest of the time), which may have unpleasant effects. The only thing you need to do, to copy text to the clipboard, is to select it.
+
Check the contents of authorized_keys via <code>cat ~/.ssh/authorized_keys</code> on your server. If the output starts with "sh-rsa" instead of "ssh-rsa", edit the authorized_keys file and add the second '''s'''.
  
To paste the clipboard contents into a PuTTY window, by default you click the right mouse button. If you have a three-button mouse and are used to X applications, you can configure pasting to be done by the middle button instead, but this is not the default because most Windows users don't have a middle button at all.
+
===== Unintentional Line Breaks =====
  
Here is a good PuTTY tutorial that you might find useful to get started: http://kb.mediatemple.net/questions/1595/Using+SSH+in+Putty+%28Windows%29
+
If you got your key via a <code>cat ~/.ssh/id_rsa.pub</code> and then copied it from the terminal, it's possible that you unintentionally introduced line breaks. Ensure that the key is represented by only one line of text.
  
=== SSHFS ===
+
==== Permissions ====
  
SSHFS is a filesystem client which allows secure mounting of remote file systems. While there are other ways to mount remote file systems, SSHFS has the advantage of being able to mount a file system located on any host that has an SSH daemon running without any host side installation or configuration. This means that you can easily access and edit your files using all of your local applications including IDEs.  
+
They need to be correct on both the client side and on the server side.
  
As you may have inferred from the name, the underlying implementation utilizes SSH File Transfer Protocol in combination with FUSE, a package now included in the kernel that allows unprivileged users to easily create their own file systems in userspace (see the wikipedia entry for more information [http://en.wikipedia.org/wiki/Filesystem_in_Userspace]).
+
* Local ''.ssh'' = 700
 +
* Local ''id_rsa'' = 600
 +
* Remote ''.ssh'' = 700
 +
* Remote ''authorized_keys'' = 600
  
To mount a share using password based authentication, the command is:
+
If you are in Cygwin and the permissions don't seem to change, you might need to add the troubled file to a usergroup, like this:
  
 
<source lang="bash">
 
<source lang="bash">
$ sshfs user@domain:/path/to/remote/directory /path/to/local/mountpoint
+
$ chgrp Users .ssh/id_rsa
 
</source>
 
</source>
  
For example, to mount the directory /home/joe/myfiles in the user ''joe'''s home directory for a machine with the domain schmoesfiles.org using SSHFS you would enter the command
+
==== The SSH Agent ====
 +
 
 +
You need to be sending the correct key along with your SSH Agent. Run the following command, and you should see some output:
  
 
<source lang="bash">
 
<source lang="bash">
$ sshfs joe@www.schmoesfiles.org:myfiles
+
$ ssh-add -l
 +
2048 ab:cd:ef:ab:cd:ef:ab:cd:ef:ab:cd:ef:ab:cd:ef:ab:cd /path/to/.ssh/id_rsa (RSA)
 
</source>
 
</source>
  
Note that if you are using public key authentication, the command to mount the remote filesystem may need to be slightly different:
+
If you don't see any output, or if the output does not contain your ''id_rsa'', then you need to run:
  
 
<source lang="bash">
 
<source lang="bash">
$ sshfs -o IdentityFile=/path/to/private/key user@domain:/path/to/remote/directory /path/to/local/mountpoint
+
$ ssh-add </path/to/.ssh/id_rsa>
 
</source>
 
</source>
  
To unmount the filesystem, you can use the following command:
+
=== More SSH Server Configurations ===
 +
 
 +
Up to this point, we have been using all of the default SSH configurations.  Like most things in Linux, SSH can be customized.
 +
 
 +
For the purposes of CSE 330, the additional configurations in this short section are optional; this serves only as a reference.
 +
 
 +
==== Disabling Root Access ====
 +
 
 +
It is almost always a good idea to disable root access over ssh. This could be done by editing ''/etc/ssh/sshd_config'' and setting 
 +
 
 +
<source lang="text">PermitRootLogin no</source>
 +
 
 +
You will need to restart the SSH server for changes to take effect:
  
 
<source lang="bash">
 
<source lang="bash">
$ fusermount -u /path/to/local/mountpoint
+
$ sudo service sshd restart
 
</source>
 
</source>
  
=== SFTP ===
+
==== Enabling Password-Based Authentication ====
 +
 
 +
Up to this point, we have been using key pairs for SSH.  A public/private key pair is generally considered to be more secure, but it requires that you always have access to your private key file when you want to log into your remote machine.
 +
 
 +
By default, EC2 instances allow only public/private key pair authentication.  You can enable password-based authentication by setting the PaswordAuthentication option in ''/etc/ssh/sshd_config'' to '''yes''':
  
Any server running an SSH server is also compatible with '''SFTP''' or Secure File Transfer Protocol.  (Compare to FTP, or File Transfer Protocol.)  SFTP is a convenient way to edit files on your computer and then upload them to your server in just a few clicks.
+
<source lang="text">PasswordAuthentication yes</source>
  
You can use SFTP from the command line, or you can use any GUI file transfer clientAll FTP clients I have seen also support SFTPOne popular FTP client is [http://www.filezilla-project.org/ Filezilla].
+
There may be a line with this option that you can un-commentFor me, it is line 25You will need to restart the server for changes to take effect.
  
==== Using FileZilla ====
+
If possible, however, you should restrict yourself to using private and public keys.
  
# Download and install FileZilla from http://filezilla-project.org/download.php?type=client
+
== Using SSH ==
#: If you are using a lab computer, you can save it to your H drive.
 
# When you launch FileZilla, go to Edit→Settings or FileZilla→Preferences, and go to the SFTP options (under Connection).  Click "Add keyfile…", and choose the *.ppk file that you made earlier using Puttygen.  (If you lost that file, you can choose your *.pem file, and FileZilla will convert it for you.)
 
#: When finished, press '''OK''' (not the red ×) to save your changes.
 
# Back on the main FileZilla screen, there are four fields: Host, Username, Password, and Port.  Fill them in as follows:
 
#* '''Hostname:''' sftp://ec2-xxx-xx-xx-xxx.compute-1.amazonaws.com/
 
#* '''Username:''' The username you created on your server.
 
#* '''Password:''' Since you are using a key, you may leave this blank.
 
#*: If you changed your SSH settings to allow password-based authentication, then you could put your password in here.
 
#* '''Port:''' 22
 
# Then click Quickconnect.  If everything is configured correctly, FileZilla should log into your server.
 
  
 +
Once you have completed the [[#SSH Configuration]] section above, all you need to do in order to SSH into your instance is to open a terminal and run:
  
[[File:FileZilla.png]]
+
<source lang="bash">
 +
$ ssh <username here>@<ec2-xx-xx-xx-xx.compute-1.amazonaws.com>
 +
</source>
  
 +
=== PuTTY ===
  
On the left and right of the FileZilla window, you can drag files between your computer and your server.  Thus, you can edit a file in a text editor like Notepad++ on your decktop, and then upload it to your server by simply dragging it from the left pane to the right pane in FileZilla.
+
'''This short section about PuTTY serves only as a reference.'''
  
== SSH Server ==
+
If you have Cygwin available, you should use it to SSH into your instance.  However, if you are using a different computer, you might not have Cygwin at your fingertips.  In this case, a lighter-weight SSH client called '''PuTTY''' is available for Windows.
  
When connecting as an administrator to your machine over the internet or intranet, you will most likelly be using ''ssh'' (secure shell). SSH access requires that the ''sshd'' daemon is running in your machine.
+
You can download PuTTY from: http://www.chiark.greenend.org.uk/~sgtatham/putty/
  
By default, SSH is preinstalled on your EC2 instance.  If you are not using an EC2 instance, simply install it from yum or apt.
+
Amazon provides [http://docs.amazonwebservices.com/AWSEC2/latest/GettingStartedGuide/ConnectToInstanceLinux.html#connect-from-windows-machine a great tutorial on how to connect to a virtual machine from Windows].
  
=== SSH Keys ===
+
PuTTY is fairly simple and straight forward with one caveat: Amazon's ''*.pem'' files are SSH private key files, and they need to be converted to PuTTY's own '''.ppk''' format.  To do this, use the ''puttygen.exe'' utility available from the same page as PuTTY.  Select "Import" under the conversions menu, load the amazon ''*.pem'' key file, and press the "Save Private Key" button.
  
Normally, you can SSH into your machine with one of two ways: you can use traditional username/password authentication, or you can use a public/private key pair.  A public/private key pair is generally considered to be more secure, but it requires that you always have access to your private key file when you want to log into your remote machine.  By default, EC2 instances allow only public/private key pair authentication.  You can enable password-based authentication by changing the PaswordAuthentication option in ''/etc/ssh/sshd_config'' to '''yes''':
+
Copy and paste works similarly to the X Window System in Unix. You use the left mouse button to select text in the PuTTY window. The act of selection automatically copies the text to the clipboard: there is no need to press Ctrl-Ins or Ctrl-C or anything else. In fact, pressing Ctrl-C will send a Ctrl-C character to the other end of your connection (just like it does the rest of the time), which may have unpleasant effects. The only thing you need to do, to copy text to the clipboard, is to select it.
  
<source lang="text">PasswordAuthentication yes</source>
+
To paste the clipboard contents into a PuTTY window, by default you click the right mouse button. If you have a three-button mouse and are used to X applications, you can configure pasting to be done by the middle button instead, but this is not the default because most Windows users don't have a middle button at all.
  
If possible, however, you should restrict yourself to using private and public keys.
+
Here is a good PuTTY tutorial that you might find useful to get started: http://kb.mediatemple.net/questions/1595/Using+SSH+in+Putty+%28Windows%29
  
=== SSH Server Configurations ===
+
== SSHFS and SFTP ==
  
The configuration files for SSH are in ''/etc/ssh''. You can modify the files to affect SSH permissions, among other things. For example, it is always a good idea to disable root access over ssh. This could be done by editing ''/etc/ssh/sshd_config'' and setting 
+
In addition to just SSH, your SSH server also supports '''SSHFS''', which enables you to mount your remote instance as a disk on your local computer, and '''SFTP''', which is a file transfer protocol that enables you to upload files directly to your instance.
  
<source lang="text">PermitRootLogin no</source>
+
=== SSHFS ===
  
'''Caution:''' Disabling root access over SSH for your EC2 instance should only be done after setting up an additional user account and adding that account to the sudoers list.
+
SSHFS is a filesystem client which allows secure mounting of remote file systems. While there are other ways to mount remote file systems, SSHFS has the advantage of being able to mount a file system located on any host that has an SSH daemon running without any host side installation or configuration. This means that you can easily access and edit your files using all of your local applications including IDEs.  
  
For more detail on editing files on the command line, see [[Linux#File Editors|the Linux guide]].
+
As you may have inferred from the name, the underlying implementation utilizes SSH File Transfer Protocol in combination with FUSE, a package now included in the kernel that allows unprivileged users to easily create their own file systems in userspace (see the wikipedia entry for more information [http://en.wikipedia.org/wiki/Filesystem_in_Userspace]).
  
You will need to restart the server for changes to take effect:
+
To mount a share using password based authentication, the command is:
  
 
<source lang="bash">
 
<source lang="bash">
$ sudo service ssh restart  # if that doesn't work, try: sudo /etc/init.d/sshd restart
+
$ sshfs <user>@<domain>:</path/to/remote/directory> </path/to/local/mountpoint>
ssh stop/waiting
 
ssh start/running, process 1443
 
$
 
 
</source>
 
</source>
  
== Accessing your EC2 Instance via SSH ==
+
For example, to mount the directory /home/joe/myfiles in the user ''joe'''s home directory for a machine with the domain schmoesfiles.org using SSHFS you would enter the command
  
To access your instance via SSH, right click on the icon for the instance and click Connect. You have two options:
+
<source lang="bash">
 +
$ sshfs joe@www.schmoesfiles.org:myfiles
 +
</source>
  
# You can use an SSH client on your computer.  Amazon gives you instructions, and even gives you the command you need.  For more information, see [[Workflow|the Workflow guide]].
+
Note that if you are using public key authentication, the command to mount the remote filesystem may need to be slightly different:
# You can use an SSH client that Amazon provides that runs in your browser.
 
  
It is more convenient for you to use an SSH client on your machine so that you do not have to log into AWS every time you want to access your server.  However, which option to use is up to you.
+
<source lang="bash">
 +
$ sshfs -o IdentityFile=</path/to/private/key> <user>@<domain>:</path/to/remote/directory> </path/to/local/mountpoint>
 +
</source>
  
At first, you will need to SSH into your server using Amazon's default user.
+
To unmount the filesystem, you can use the following command:
  
* In the Amazon AMI, the default user is '''ec2-user'''
+
<source lang="bash">
* In Ubuntu 12.04 LTS, the default user is '''ubuntu'''
+
$ fusermount -u </path/to/local/mountpoint>
 +
</source>
  
To configure your server to allow logins using your own username, refer to [[Web Server Configuration#SSH|the Web Server Configuration guide]].
+
=== SFTP ===
  
 +
Any server running an SSH server is also compatible with '''SFTP''' or Secure File Transfer Protocol.  (Compare to FTP, or File Transfer Protocol.)  SFTP is a convenient way to edit files on your computer and then upload them to your server in just a few clicks.
  
 
[[Category:Module 2]]
 
[[Category:Module 2]]

Latest revision as of 15:24, 3 June 2024

Secure SHell, or SSH, is the leading interface for connecting as an administrator from your local computer to something on the cloud. You will be using exclusively SSH to execute commands and upload files to your cloud instance. If you use a Git hosting service like BitBucket or Github, you will need SSH in order to save your changes there as well.

SSH access requires that the sshd daemon is running on the remote machine. By default, SSH is preinstalled on your EC2 instance. If you are not using an EC2 instance, simply install ssh from yum or apt on the remote machine.

SSH Keys

SSH can work using password-based authentication, but it is more common nowadays, and also more secure, to use public and private keys, also known as a key pair.

Here's how it works. You have a private copy of your key, called your private key. Servers to which you want to connect have an analog to your private key called your public key. When you attempt to connect to a server using your private key, the server checks to see if any of its public keys "fits" your private key, and if it finds a match, it lets you in.

You can think of the private key as the "key" and the public key as the "lock".

SSH Configuration

This section discusses how to set up your computer and your remote instance for SSH. You need to do this only once.

Creating an SSH Key Pair

You should create your own SSH Key Pair. You will keep the private key on your own computer, and you will upload the public key to all places to which you need to connect.

To generate a key pair, open a terminal (on Windows, you'll need to have enabled WSL or installed Cygwin and run the following command:

# Run on Local Machine in Terminal or Cygwin
$ ssh-keygen

Important: Don't name the file unless you are using a CEC machine. If you are using a CEC machine, name the file /cygdrive/h/.ssh/id_rsa

For the purposes of this course, you do not need to enter a passphrase, although you would probably want one in real life.

Your keys should have been created in ~/.ssh. Check to make sure they exist using the ls command:

$ ls ~/.ssh
id_rsa  id_rsa.pub

id_rsa is your private key, and id_rsa.pub is the corresponding public key. Let's look at the public signature of your key pair:

$ cat ~/.ssh/id_rsa.pub
ssh-rsa AAAA3Bblahblahblahblah yourname@somedomain

We will need this later. Let's now add our key to the ssh-agent.

SSH Agent: OS X

Run the following command to add your key to the SSH agent in Mac OS X.

# Non-Cygwin
$ ssh-add

SSH Agent: WSL or Cygwin

In order to make the SSH agent run when you start your terminal, you need to run a couple more commands (these will add a line to your .bashrc file, which runs automatically on startup):

# Cygwin only
$ echo "eval \`ssh-agent -s\`; ssh-add" >> ~/.bashrc
$ source ~/.bashrc # reload the Bash shell

If you get this scary-looking error after you run the second command…

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

…then you need to do the following to fix the permissions:

$ chgrp Users </path/to/id_rsa>
$ chmod 600 </path/to/id_rsa>


Amazon EC2 SSH Configuration

When you first created your EC2 instance, you downloaded a *.pem file. This is the private key for the default user (ec2-user on AMI). We need use this key to connect to your instance using the default user, at which point we will create a new custom user. We will give that new user the public key that you created in the previous step. You will then be able to log into your custom user using your personal key pair, so you won't need the default user again (although you should keep the *.pem file around just in case).

Logging In as the Default User

To connect to the default user on your Amazon EC2 instance, run this command in your terminal:

# Run on Local Machine
$ ssh -i </path/to/default-privatekey.pem> ec2-user@<ec2-xx-xx-xx-xx.compute-1.amazonaws.com>

Important: As soon as you are able to successfully log in, commands you type into your prompt will be executed on the remote instance, not your local machine.

If you get this scary-looking warning:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

…then you need to correctly set the permissions on your *.pem file. You should know how to do this from the Linux guide, but in case you didn't catch that detail, run:

# Run on Local Machine

# Cygwin Only:

 $ chgrp Users </path/to/default-privatekey.pem>

# For Everyone:
$ chmod 600 </path/to/default-privatekey.pem>

Food for Thought: Why you wouldn't want other people viewing your private key file?

Creating a New User with SSH Permissions

First, you need to create your new user with sudo and SSH permissions. Again, the instructions for this are in the Linux guide, but to keep everything in one place, the commands are:

# Run these on your instance, not on your local machine!

# Don't forget to customize `<My Full Name>` and `<usernameHere>`:
$ sudo useradd -r -m -c "<My Full Name>" <usernameHere>
$ sudo passwd <usernameHere>

# You need to add your username to the sudoers list.  Refer to the Linux guide for details.
# Look around line 101.
$ sudo visudo 

# Restart the SSH server:
$ sudo service sshd restart

Okay, cool: we have created our custom username on our remote instance. Now, we need to enable this account to accept our SSH key when authenticating. To do this, we need to add our public key to a file named authorized_keys, which is stored in your remote username's SSH configuration directory.

To create the directory and edit the file, run on your instance:

# Switch to our own user to ensure that permissions are set correctly:
$ su <username here>

# Change the working directory to our user's home directory:
$ cd

# Make the nonexistent SSH configuration directory and set its permissions:
$ mkdir .ssh
$ chmod 700 .ssh

# Create the `authorized_keys` file and set the permissions
$ touch .ssh/authorized_keys
$ chmod 600 .ssh/authorized_keys

# Edit the `authorized_keys` file
$ nano .ssh/authorized_keys

For more detail on editing files on the command line, see the Linux guide.

Inside of the `authorized_keys` file, paste in your public key. Your public key is the content of `~/.ssh/id_rsa.pub` on your local machine (it starts with "ssh-rsa"). There are a few ways to get it onto your clipboard:

  1. OS X Only: Open a new Terminal and run:
    cat ~/.ssh/id_rsa.pub | pbcopy
    
    This immediately copies the contents of your public key to your clipboard.
  2. Windows Only: Navigate to id_rsa.pub manually, open it in your favorite text editor (like Notepad++), select all, and copy. The location of id_rsa.pub might be: C:\cygwin\home\username\.ssh\id_rsa.pub
  3. *NIX Only: Open a new Terminal and copy the output of the following command:
    cat ~/.ssh/id_rsa.pub
    
    Note that this won't work as advertised in Cygwin because Cygwin adds extra line breaks when you try to copy out of it.

When finished, save and close `authorized_keys`.

Food for Thought: How would you enable your remote user to authenticate over SSH using the same default key instead of the one you created using ssh-keygen?

Logging In as your New User

Let's test whether we can log into our instance using our own username and our own key pair. Open up a new Terminal or Cygwin window on your local machine (not from ec2) and run:

$ ssh <username here>@<ec2-xx-xx-xx-xx.amazonaws.com>

This is how you will be SSHing into your instances for the remainder of the semester.

Troubleshooting

Almost everyone receives the following error at some point in their career: Permission denied (publickey).

Here are some possible causes for the error.

The Authorized Keys File

Make sure that your remote authorized_keys file contains exactly your public signature from id_rsa.pub.

Pasting into Vi

If you used vi to edit your file and you forgot to enter "insert" mode before pasting in your key, it is possible that you lost the first "s" in "ssh-rsa".

Check the contents of authorized_keys via cat ~/.ssh/authorized_keys on your server. If the output starts with "sh-rsa" instead of "ssh-rsa", edit the authorized_keys file and add the second s.

Unintentional Line Breaks

If you got your key via a cat ~/.ssh/id_rsa.pub and then copied it from the terminal, it's possible that you unintentionally introduced line breaks. Ensure that the key is represented by only one line of text.

Permissions

They need to be correct on both the client side and on the server side.

  • Local .ssh = 700
  • Local id_rsa = 600
  • Remote .ssh = 700
  • Remote authorized_keys = 600

If you are in Cygwin and the permissions don't seem to change, you might need to add the troubled file to a usergroup, like this:

$ chgrp Users .ssh/id_rsa

The SSH Agent

You need to be sending the correct key along with your SSH Agent. Run the following command, and you should see some output:

$ ssh-add -l
2048 ab:cd:ef:ab:cd:ef:ab:cd:ef:ab:cd:ef:ab:cd:ef:ab:cd /path/to/.ssh/id_rsa (RSA)

If you don't see any output, or if the output does not contain your id_rsa, then you need to run:

$ ssh-add </path/to/.ssh/id_rsa>

More SSH Server Configurations

Up to this point, we have been using all of the default SSH configurations. Like most things in Linux, SSH can be customized.

For the purposes of CSE 330, the additional configurations in this short section are optional; this serves only as a reference.

Disabling Root Access

It is almost always a good idea to disable root access over ssh. This could be done by editing /etc/ssh/sshd_config and setting

PermitRootLogin no

You will need to restart the SSH server for changes to take effect:

$ sudo service sshd restart

Enabling Password-Based Authentication

Up to this point, we have been using key pairs for SSH. A public/private key pair is generally considered to be more secure, but it requires that you always have access to your private key file when you want to log into your remote machine.

By default, EC2 instances allow only public/private key pair authentication. You can enable password-based authentication by setting the PaswordAuthentication option in /etc/ssh/sshd_config to yes:

PasswordAuthentication yes

There may be a line with this option that you can un-comment. For me, it is line 25. You will need to restart the server for changes to take effect.

If possible, however, you should restrict yourself to using private and public keys.

Using SSH

Once you have completed the #SSH Configuration section above, all you need to do in order to SSH into your instance is to open a terminal and run:

$ ssh <username here>@<ec2-xx-xx-xx-xx.compute-1.amazonaws.com>

PuTTY

This short section about PuTTY serves only as a reference.

If you have Cygwin available, you should use it to SSH into your instance. However, if you are using a different computer, you might not have Cygwin at your fingertips. In this case, a lighter-weight SSH client called PuTTY is available for Windows.

You can download PuTTY from: http://www.chiark.greenend.org.uk/~sgtatham/putty/

Amazon provides a great tutorial on how to connect to a virtual machine from Windows.

PuTTY is fairly simple and straight forward with one caveat: Amazon's *.pem files are SSH private key files, and they need to be converted to PuTTY's own .ppk format. To do this, use the puttygen.exe utility available from the same page as PuTTY. Select "Import" under the conversions menu, load the amazon *.pem key file, and press the "Save Private Key" button.

Copy and paste works similarly to the X Window System in Unix. You use the left mouse button to select text in the PuTTY window. The act of selection automatically copies the text to the clipboard: there is no need to press Ctrl-Ins or Ctrl-C or anything else. In fact, pressing Ctrl-C will send a Ctrl-C character to the other end of your connection (just like it does the rest of the time), which may have unpleasant effects. The only thing you need to do, to copy text to the clipboard, is to select it.

To paste the clipboard contents into a PuTTY window, by default you click the right mouse button. If you have a three-button mouse and are used to X applications, you can configure pasting to be done by the middle button instead, but this is not the default because most Windows users don't have a middle button at all.

Here is a good PuTTY tutorial that you might find useful to get started: http://kb.mediatemple.net/questions/1595/Using+SSH+in+Putty+%28Windows%29

SSHFS and SFTP

In addition to just SSH, your SSH server also supports SSHFS, which enables you to mount your remote instance as a disk on your local computer, and SFTP, which is a file transfer protocol that enables you to upload files directly to your instance.

SSHFS

SSHFS is a filesystem client which allows secure mounting of remote file systems. While there are other ways to mount remote file systems, SSHFS has the advantage of being able to mount a file system located on any host that has an SSH daemon running without any host side installation or configuration. This means that you can easily access and edit your files using all of your local applications including IDEs.

As you may have inferred from the name, the underlying implementation utilizes SSH File Transfer Protocol in combination with FUSE, a package now included in the kernel that allows unprivileged users to easily create their own file systems in userspace (see the wikipedia entry for more information [1]).

To mount a share using password based authentication, the command is:

$ sshfs <user>@<domain>:</path/to/remote/directory> </path/to/local/mountpoint>

For example, to mount the directory /home/joe/myfiles in the user joe's home directory for a machine with the domain schmoesfiles.org using SSHFS you would enter the command

$ sshfs joe@www.schmoesfiles.org:myfiles

Note that if you are using public key authentication, the command to mount the remote filesystem may need to be slightly different:

$ sshfs -o IdentityFile=</path/to/private/key> <user>@<domain>:</path/to/remote/directory> </path/to/local/mountpoint>

To unmount the filesystem, you can use the following command:

$ fusermount -u </path/to/local/mountpoint>

SFTP

Any server running an SSH server is also compatible with SFTP or Secure File Transfer Protocol. (Compare to FTP, or File Transfer Protocol.) SFTP is a convenient way to edit files on your computer and then upload them to your server in just a few clicks.