# `ssh`

almost all of the work we do in this course will be done on the linux command line, and the way we will be accessing that command line is from our laptops via `ssh` (**S**ecure **SH**ell).

### what is `ssh`?

who has used `ssh` before? from that perspective, what is it?

basically, [`ssh`](https://en.wikipedia.org/wiki/Secure_Shell) is a protocol for connecting to a remote server and executing commands in a "shell" (an interpreted environment where certain commands and programs are available to us via short typed commands) on that server.

this requires a few things

+ a "server"
    + some computer (besides ours) which is actively running a process which can
        + listen for requests in this protocol
        + interpret those requests
        + check if a request is authenticated (i.e. is an approved user with approved credentials), and
        + build connections and shells for remote users
        + note: [windows `ssh` servers exist](https://blogs.msdn.microsoft.com/powershell/2017/12/15/using-the-openssh-beta-in-windows-10-fall-creators-update-and-windows-server-1709/), but the vast majority of all `ssh` servers you will encounter are running linux

+ a "client"
    + this is *our* computer, and
    + some program (e.g. `putty` or [the new `openssh` program](https://blogs.msdn.microsoft.com/powershell/2017/12/15/using-the-openssh-beta-in-windows-10-fall-creators-update-and-windows-server-1709/) for windows, or the `ssh` executible for linux or mac), and
    + an internet connection (not guaranteed!)
    
*semantics note: this paradigm of a "client" asking for something and a "server" responding with it is a ubiquitous design pattern*

### why use `ssh`?

first of all, it is secure. it encrypts all messages before transport (so if someone malicious is eavesdropping it doesn't matter), and neither side of the connection knows all of the details that made it secure (i.e. both sides have secrets) -- more on this in the homework.

second of all, it's standard. it is not the only method of secure communication, but it is almost universally supported.

### security and `ssh` keys

when making a connection, users generally need to authenticate. Typically this involves logging in *as* some authorized user, and although the default method of authentication in linux systems is user name and password, `ssh` communication has a secondary method of authenticating -- **`ssh` keys**.

In one of this week's exercises you will walk through some of the underlying math of `ssh` public/private key authentication, but for now the primary message is this:

+ clients (you) have a **private** key
+ clients (you) send servers (remote) a **public** key
+ these keys are used by both computers to
    + securely communicate a special message (an encryption key)
    + prove respective identities (authenticate)
+ after this, all communication is encrypted using that encryption key

advanced note: the private and public keys come in several different formats (most commonly: `ppk` for windows and `openssh` for linux) and represent different algorithms (most commonly: RSA)

the next two sections will discuss using `ssh` from both windows and linux-like environments. Although *your* laptop is one or the other, it is extremely likely you will need to make connections from the other at some point -- knowing how to navigate `ssh` from both environments is absolutely necessary!

though the programs are fairly different, they are going to ask you the same things:

1. what is the address of the server to which you want to connect
2. what is your name on that server
3. what should we send the remote server to authenticate (a password or `ssh` key pair)

## `ssh` on linux

If you have a linux or mac laptop, chances are it already has the `ssh` executible installed. to verify this on your machine, open a terminal and execute

```bash
whatis ssh
```

You should see a summary description of the `ssh` command. If you don't, you should install the client (and server) by executing

```bash
# debian varieties
sudo apt install openssh-client
```

we will generally invoke the `ssh` command (in linux) as

```bash
ssh [some collection of flags] [user name]@[server address]
```

head back over to [your aws instances dashboard](https://console.aws.amazon.com/ec2/v2/home) (*top menu* services > ec2 > *left menu* instances) and copy your *public DNS* or *public IP* to your clipboard for use as the `[server address]` in that command above.

by default, the `[user name]` for aws ubuntu instances is `ubuntu`.

generally speaking, with linux commands there are three types of thing you care about:

1. command line flags (strings like "`-*`" or "`--***`" that modify a command)
2. configuration files
3. environment variables

let's look at how the first two categories affect the `ssh` command.

### `ssh` flags

the results of

```bash
man ssh
```

will load the *man*ual for the `ssh` command, and will list the *many* options available to you (note: press "q" to exit that manual viewer program).

There are a few options (aka "flags") that are particularly relevant, though:

+ `-p`: the port number
+ `-i`: the identity file (the path to our public key)
+ `-X`: capital `X` sets up "X11" forwarding -- a protocol for forwarding windows and graphic interfaces over `ssh`

### `ssh` configuration files

There are four main files you should know about when using the `ssh` program. As is often the case with linux programs, the files that matter for the `ssh` command are kept in a folder called `~/.ssh` (the `~` variable is your home directory, and the `.` makes the file "hidden").

these files are:

+ `config`
    + a way of hard-coding parameters such as user names, host names, and identity file paths to a shortcut
    + allows you to create compact shorthand representations
    
for example, suppose I regularly have to sign in to an ERI server for work, and I find myself typing

```bash
ssh -i ~/.ssh/my_eri_private_key my_eri_username@ssh.eri.com
```

I could instead update the file `~/.ssh/config` to include a section:

```
Host eri
    HostName ssh.eri.com
    User my_eri_username
    IdentityFile ~/.ssh/my_eri_private_key
```

and from then on I would only need to execute

```bash
ssh eri
```

+ `[key file name]`
    + the private key will always exist as a file of a bunch of random letters and numbers
    + if you don't provide the `-i` flag, the `ssh` command will assume you mean to use the file `~/.ssh/id_rsa` (which might not exist)
    
here's an example of a private (rsa) key created using the `openssh` format:

```
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAnD2SMDVMwQ+I7n1lDwS1c0EZDy0aCajGIB1Ex/u33Qr2BjDM
flompsp3Bs3LDGaXElg2xpQhLqP/zU0nNgkktI3YLA4QRx2deJBzuQOc04a5jcNL
/w/QB/wWhNQfJbPvogxNkpizBECAFQ+CH5nVn5AsGWkLaOoSG+F1FxA/yc/HVsxu
KKTqX4DTA4mCt9cuaoYGUInWknVDTTsQaAj2nph1EaeUsAZvrG0500B+KM2vxT5H
duBt0bofUxiKAQeRRrvkHM9bbhm5PvCMuqFplhWvmfl7U6VG7OVx46bXGyOcV1bD
3YN+tLyvnawlpCRL3SARM0F8Bw4n/fOaF9+60wIDAQABAoIBADJlPckk+AvxydY7
RiSQ/UIexkl538Mr2DQ1nKDw1X6L8Y1PojZDN+JmvfvI12y5jpMRNyHYV9emeHUt
JK+uRVOjyQ10v9VgfRGNbnZH7wbfluxeCR5NaGma61yO2zkbD/lyBHd7n4qIj4e7
h9pPkXM1WrQbiN2fWpX5o/37dMfQJ0zrVvDl5njG6rpMWWf+Jjyu2M1hKY3LXuFV
Ps7YdEHgcDikoKqopBw5zPHz9uZtjxN3RQfUq832teI36mblG7utW1tToS7CqZRl
dW4Y1PO3exBS526wEYjwRRMow35o2GFxYdtT6ksIc5N2HTa/jK75YPOQNwqCXk3k
H53iMbkCgYEAzE3qFL0REeFJzGpClJlz5HziLEOOSVRkYRC02pdVbToLqf5NLe0D
mcZWjwsWxjgu0ehuLyNL0UCTShhulZeJTTefk+t+UHfqaGZFo03T5qtR+GKn5QnK
xkCvaM/KkoyxTBD8cE0Rc1bUIo7fS5MOiEyYNIFFd8Gtv7zfvN6WVw0CgYEAw8ZB
8A6942JVELuDEtVCT0JEE9ahx1xCBOyIujp1IYfa8KDy5Aoef5DhpWVR1GT4j8l7
Ccr60KI4k45GpIKwSTVgy/OpwcAEarzNIz67YbQzyYd9SLb5OUteAu61OnRO8R7d
LL34juv9X5WqGWGSs2pJG3nQlO6dAnCLe9Uf4V8CgYA1W3PzDp3SqZ/4fxf8b0dR
OTxoiwwyIpREtXRGUpfA+xPoxb2qbOgv1RjuKts70ZiIwcdlEDbQ46iUBWV8NCNr
w0ct/qbypR7XPT6as8zPxZaW5E0tCC2pMWOeYAZr18rGLvl+6uHP2bF1hRLUTgfR
mQ93Rvu5lx+ln9JfJVLmUQKBgQCA3oyg/NM6Tow4S3Zoe0D+81vkwzATD0PWAe2u
yLQ5sjgIlanNOmwBBNnECgHnkd+cpr/7HkYj9+TOHKWbvPtV9XEWT/q6sy81I7rV
LIIkOn6sdieeKfO8J0RnIcLiC5W7Wtm0jgiD7AwJU3d45aWvvJMLJxCKONfZt0PZ
69zkeQKBgQCoT5Tam7cOZbSafJDG9HeXK3SfwQ5Q3zEg02OdXOy3yIhBRXzwsW8F
NgQzxQ0/BYsuV2PFIcBoFLh+4Qo//hwI6dtFXy09FCXLGzH4k0dVq5gQ/l/Gg1vj
27+/qHpwhJxffHVscgTi5LEXYt0+F+RhIUGN2F6pUuoxOao+SfaY+g==
-----END RSA PRIVATE KEY-----
```

+ `[key file name].pub`
    + the public portion of the above private key
    + it may not exist, which is okay -- it can be generated from the private key
    
here's an example of the public key corresponding to the above private key:

```
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCcPZIwNUzBD4jufWUPBLVzQRkPLRoJqMYgHUTH+7fdCvYGMMx+WiamyncGzcsMZpcSWDbGlCEuo//NTSc2CSS0jdgsDhBHHZ14kHO5A5zThrmNw0v/D9AH/BaE1B8ls++iDE2SmLMEQIAVD4IfmdWfkCwZaQto6hIb4XUXED/Jz8dWzG4opOpfgNMDiYK31y5qhgZQidaSdUNNOxBoCPaemHURp5SwBm+sbTnTQH4oza/FPkd24G3Ruh9TGIoBB5FGu+Qcz1tuGbk+8Iy6oWmWFa+Z+XtTpUbs5XHjptcbI5xXVsPdg360vK+drCWkJEvdIBEzQXwHDif985oX37rT zlamberty@megaman
```

+ `authorized_keys`
    + a file on the **server** which indicates which **public keys** are acceptable
    + the remote server must already have your public key added to this file for you to be able to access the server as your user on that server
    + aws installs your public key on your ec2 instance for you
        + in the real world, on non-cloud machines you may have to work with sysads to get this done.

the lines in `authorized_keys` will be formatted just like the public key strings shown on the previous slide

## `ssh` on windows

by *far*, the most common `ssh` programs on windows is Simon Tatham's [PuTTY](https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html). this may be changing now that windows 10 has native `openssh`, but you may not always have control over that!

If you are a windows user, go to that page and download the installer (probably 64 bit).

Let's walk through the installation in a windows VM!

**<div align="center">demo: installing and configuring PuTTY on Windows</div>**

in an aws virtual server, let's do the following:

1. launch the VM / server
2. navigate to https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html
3. follow the installation instructions
4. use `puttygen` to create a `ppk` file
5. discuss the differences between the `ppk` format and the `openssh` format
6. show how we could use puttygen to convert
    1. a `ppk` to `openssh`
    2. an `openssh` to a `ppk`

### comparing keys: `ppk` (windows) vs `openssh` (linux)

the `openssh` format public key above was (just to remind everyone):

```
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAnD2SMDVMwQ+I7n1lDwS1c0EZDy0aCajGIB1Ex/u33Qr2BjDM
flompsp3Bs3LDGaXElg2xpQhLqP/zU0nNgkktI3YLA4QRx2deJBzuQOc04a5jcNL
/w/QB/wWhNQfJbPvogxNkpizBECAFQ+CH5nVn5AsGWkLaOoSG+F1FxA/yc/HVsxu
KKTqX4DTA4mCt9cuaoYGUInWknVDTTsQaAj2nph1EaeUsAZvrG0500B+KM2vxT5H
duBt0bofUxiKAQeRRrvkHM9bbhm5PvCMuqFplhWvmfl7U6VG7OVx46bXGyOcV1bD
3YN+tLyvnawlpCRL3SARM0F8Bw4n/fOaF9+60wIDAQABAoIBADJlPckk+AvxydY7
RiSQ/UIexkl538Mr2DQ1nKDw1X6L8Y1PojZDN+JmvfvI12y5jpMRNyHYV9emeHUt
JK+uRVOjyQ10v9VgfRGNbnZH7wbfluxeCR5NaGma61yO2zkbD/lyBHd7n4qIj4e7
h9pPkXM1WrQbiN2fWpX5o/37dMfQJ0zrVvDl5njG6rpMWWf+Jjyu2M1hKY3LXuFV
Ps7YdEHgcDikoKqopBw5zPHz9uZtjxN3RQfUq832teI36mblG7utW1tToS7CqZRl
dW4Y1PO3exBS526wEYjwRRMow35o2GFxYdtT6ksIc5N2HTa/jK75YPOQNwqCXk3k
H53iMbkCgYEAzE3qFL0REeFJzGpClJlz5HziLEOOSVRkYRC02pdVbToLqf5NLe0D
mcZWjwsWxjgu0ehuLyNL0UCTShhulZeJTTefk+t+UHfqaGZFo03T5qtR+GKn5QnK
xkCvaM/KkoyxTBD8cE0Rc1bUIo7fS5MOiEyYNIFFd8Gtv7zfvN6WVw0CgYEAw8ZB
8A6942JVELuDEtVCT0JEE9ahx1xCBOyIujp1IYfa8KDy5Aoef5DhpWVR1GT4j8l7
Ccr60KI4k45GpIKwSTVgy/OpwcAEarzNIz67YbQzyYd9SLb5OUteAu61OnRO8R7d
LL34juv9X5WqGWGSs2pJG3nQlO6dAnCLe9Uf4V8CgYA1W3PzDp3SqZ/4fxf8b0dR
OTxoiwwyIpREtXRGUpfA+xPoxb2qbOgv1RjuKts70ZiIwcdlEDbQ46iUBWV8NCNr
w0ct/qbypR7XPT6as8zPxZaW5E0tCC2pMWOeYAZr18rGLvl+6uHP2bF1hRLUTgfR
mQ93Rvu5lx+ln9JfJVLmUQKBgQCA3oyg/NM6Tow4S3Zoe0D+81vkwzATD0PWAe2u
yLQ5sjgIlanNOmwBBNnECgHnkd+cpr/7HkYj9+TOHKWbvPtV9XEWT/q6sy81I7rV
LIIkOn6sdieeKfO8J0RnIcLiC5W7Wtm0jgiD7AwJU3d45aWvvJMLJxCKONfZt0PZ
69zkeQKBgQCoT5Tam7cOZbSafJDG9HeXK3SfwQ5Q3zEg02OdXOy3yIhBRXzwsW8F
NgQzxQ0/BYsuV2PFIcBoFLh+4Qo//hwI6dtFXy09FCXLGzH4k0dVq5gQ/l/Gg1vj
27+/qHpwhJxffHVscgTi5LEXYt0+F+RhIUGN2F6pUuoxOao+SfaY+g==
-----END RSA PRIVATE KEY-----
```

the corresponding `ppk` file can be made by

1. saving that `openssh` key as a private key (extension doesn't matter)
1. loading it in `puttygen` with "Conversions > Import key"
1. saving the public or private key after importing the `openssh`

if you do the above, the `ppk` is:

```
PuTTY-User-Key-File-2: ssh-rsa
Encryption: none
Comment: imported-openssh-key
Public-Lines: 6
AAAAB3NzaC1yc2EAAAADAQABAAABAQCcPZIwNUzBD4jufWUPBLVzQRkPLRoJqMYg
HUTH+7fdCvYGMMx+WiamyncGzcsMZpcSWDbGlCEuo//NTSc2CSS0jdgsDhBHHZ14
kHO5A5zThrmNw0v/D9AH/BaE1B8ls++iDE2SmLMEQIAVD4IfmdWfkCwZaQto6hIb
4XUXED/Jz8dWzG4opOpfgNMDiYK31y5qhgZQidaSdUNNOxBoCPaemHURp5SwBm+s
bTnTQH4oza/FPkd24G3Ruh9TGIoBB5FGu+Qcz1tuGbk+8Iy6oWmWFa+Z+XtTpUbs
5XHjptcbI5xXVsPdg360vK+drCWkJEvdIBEzQXwHDif985oX37rT
Private-Lines: 14
AAABADJlPckk+AvxydY7RiSQ/UIexkl538Mr2DQ1nKDw1X6L8Y1PojZDN+JmvfvI
12y5jpMRNyHYV9emeHUtJK+uRVOjyQ10v9VgfRGNbnZH7wbfluxeCR5NaGma61yO
2zkbD/lyBHd7n4qIj4e7h9pPkXM1WrQbiN2fWpX5o/37dMfQJ0zrVvDl5njG6rpM
WWf+Jjyu2M1hKY3LXuFVPs7YdEHgcDikoKqopBw5zPHz9uZtjxN3RQfUq832teI3
6mblG7utW1tToS7CqZRldW4Y1PO3exBS526wEYjwRRMow35o2GFxYdtT6ksIc5N2
HTa/jK75YPOQNwqCXk3kH53iMbkAAACBAMxN6hS9ERHhScxqQpSZc+R84ixDjklU
ZGEQtNqXVW06C6n+TS3tA5nGVo8LFsY4LtHobi8jS9FAk0oYbpWXiU03n5PrflB3
6mhmRaNN0+arUfhip+UJysZAr2jPypKMsUwQ/HBNEXNW1CKO30uTDohMmDSBRXfB
rb+837zellcNAAAAgQDDxkHwDr3jYlUQu4MS1UJPQkQT1qHHXEIE7Ii6OnUhh9rw
oPLkCh5/kOGlZVHUZPiPyXsJyvrQojiTjkakgrBJNWDL86nBwARqvM0jPrthtDPJ
h31Itvk5S14C7rU6dE7xHt0svfiO6/1flaoZYZKzakkbedCU7p0CcIt71R/hXwAA
AIEAqE+U2pu3DmW0mnyQxvR3lyt0n8EOUN8xINNjnVzst8iIQUV88LFvBTYEM8UN
PwWLLldjxSHAaBS4fuEKP/4cCOnbRV8tPRQlyxsx+JNHVauYEP5fxoNb49u/v6h6
cIScX3x1bHIE4uSxF2LdPhfkYSFBjdheqVLqMTmqPkn2mPo=
Private-MAC: 786c77a212bd189b79c7c64bb80f7e9e69da9383
```

# connecting to your `ec2` instance

I really hope you saved your private and public keys somewhere!

on linux:

```bash
ssh -i /path/to/my/aws_private_key.pem ubuntu@my.ec2.ip.addr
```

you may get an error message about the permissions on your `pem` keyfile being too open:

```
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for '/home/zlamberty/.ssh/gu511_ubuntu.pem' are too open.
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.
key_load_private_type: bad permissions
Permission denied (publickey).
```

if so, make a mental note of this, but then execute the following (we'll explain what we're doing here in a later lecture):

```bash
chmod 400 /path/to/my/aws_private_key.pem
```

and re-run the `ssh` command above

on windows:

1. open puttygen
    1. Conversions > import key
    2. navigate to aws private key (pem) and select / open
    3. click "save private key"
    4. make note of location (consider /user/myname/.ssh/, in analogy to linux)
2. open putty
    1. add the ip address or dns string
    2. create a new name for an `ssh` profile
    3. save this profile
    4. go to "Connection > Data" and add your user name (ubuntu)
    5. go to "Connection > `ssh` > Auth" and add the path to the private key file

<!--div align="center">***I'M IN***</div>
<img align="middle" src="http://drive.google.com/uc?export=view&id=0ByQ4VmO-MwEEYjVPY1ZoWWRnc0k"></img-->

# END OF LECTURE

next lecture: [a linux crash course](003_linux_1.ipynb)