# SSH

This page shows aspects of working with the ssh connection. We will consider an example where an ssh connection is established from one Docker container to another.

## Set up

Let's create the necessary docker entities:

- `ssh_host` container that starts the ssh server - we would be able to connect to this server using ssh.
- `ssh_client` container to which we will give access to the `ssh_host`.
- `network` to allow communication between containers.

In [1]:
docker network create ssh_test_network
docker run -dit --rm --name ssh_host --network ssh_test_network alpine
docker run -dit --rm --name ssh_client --network ssh_test_network alpine

b8adaaefc4115e706bcba6bec42c54e046ffb69de0e4f9a475db442ebf1b4f10
1c28f21287477d01382fd662b4332d5bb7acab14c8cee5e07d59d3a63814d909
a966d6bfec5272f2b23b653ce00613952d2a700f6e16b64b27e714960a295022


Install and start the ssh server.

In [2]:
# openssh instalation
docker exec ssh_host apk add -q openssh
# generating default host keys - they are necessary for running ssh server
docker exec ssh_host ssh-keygen -A
# running ssh server
docker exec -d ssh_host /usr/sbin/sshd -D

ssh-keygen: generating new host keys: RSA ECDSA ED25519 


Installing ssh client.

In [3]:
docker exec ssh_client apk add -q openssh-client

**Note** Don't forget to stop the container and the network.

In [21]:
docker stop ssh_client ssh_host
docker network rm ssh_test_network

ssh_client
ssh_host
ssh_test_network


## Generating key

You need to generate an ssh key. It consists of two parts, a public key and a private key. You can generate it wherever you like. But in our example we will consider the most straightforward option - generating it on the client.

You can just run `ssh-keygen` and follow the CLI's instructions. It'll ask for filepath for the key and passphrase. However, due to the limitations of the jupyter notebook we are using for the presentation, we need to specify some options:

- `t rsa`: This option specifies the type of key algorithm to use. In this case, it specifies RSA as the algorithm. RSA is a widely used asymmetric encryption algorithm.
- `N ""` : This option sets the passphrase (or password) for the generated key. In your command, it is set to an empty string, effectively creating a key without a passphrase. It means that anyone with access to the private key file can use it without providing a passphrase.
- `f /root/.ssh/id_rsa`: This option specifies the filename and path where the generated key pair will be stored. In this case, it will be stored in the /root/.ssh/ directory with the filename id_rsa. The id_rsa file will contain the private key, while the id_rsa.pub file (automatically generated) will contain the public key.


In [4]:
docker exec ssh_client ssh-keygen -t rsa -N "" -f /root/.ssh/id_rsa

Generating public/private rsa key pair.
Created directory '/root/.ssh'.
Your identification has been saved in /root/.ssh/id_rsa
Your public key has been saved in /root/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:BEnzuv/LtD4LWkjLLdm1P/M8uQcK6VWR2FHdesSB42g root@a966d6bfec52
The key's randomart image is:
+---[RSA 3072]----+
|     .+.     oo*=|
|      .+    .o+ =|
|        o   o .+ |
|       o   E .o .|
|      o S o. . . |
|     o B .o.. .  |
|      B =.oo . o |
|       = +oo+.o .|
|      . .oB+.+++ |
+----[SHA256]-----+


After all I'll have `id_rsa` and `id_rsa.pub` files in my the sepcified for ssh keys folder.

In [5]:
docker exec ssh_client ls /root/.ssh

id_rsa
id_rsa.pub


This is what the private key looks like.

In [6]:
docker exec ssh_client cat /root/.ssh/id_rsa | head -n 10

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEApv/5Ep7/57bCdEMNacB0Xo/wWYOqg+elefUa4JYztym89ntdteEq
v8YJRRDVHWYtogVfrKTDE9+6OUu8xPoO+M/KcoIsmZ4nyfIdz6ewOPc3KJ2f6W2M1s6y2e
2NMANz6BbHpgw92d+eT+0rVOJT32BtVo6Tzc5TQC5skPqlX7mat35s2QznrgzkdxnN11Qt
2juFqoJRZoCb3FZL2HKCi2PsgNiCI1LkBjxkGOlYq720ZNE5KI4KlX2QFfLywAjoB2BM2i
eBhbUMFjQDCNchd10eKZaIwCghTqTq/dT2Pdib7TldddChkEDgQoLj/99Nclcitl6HNmOR
nIYbGYuyNml99tlRXf6JlNzCvX48ueezaORYfe94fLcxacU9V7QBu12wO/tOGXfBUDHb2G
kZaI57nEPm4f+AtGVrj28p7txibXCtgoNv9uysBpXiV+3gmAp+7/g2Lrre20n4H48AwxY4
OpcTpmb7ScRTy4nIgmR5uX67rx4JwyicibISCC7LAAAFiHp4bI96eGyPAAAAB3NzaC1yc2


**Note** Only a few lines can be printed here because Githab, which I use to save these pages, sends me notifications that I have credentials leaks.

And here is what the public key looks like.

In [7]:
docker exec ssh_client cat /root/.ssh/id_rsa.pub

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCm//kSnv/ntsJ0Qw1pwHRej/BZg6qD56V59RrgljO3Kbz2e1214Sq/xglFENUdZi2iBV+spMMT37o5S7zE+g74z8pygiyZnifJ8h3Pp7A49zconZ/pbYzWzrLZ7Y0wA3PoFsemDD3Z355P7StU4lPfYG1WjpPNzlNALmyQ+qVfuZq3fmzZDOeuDOR3Gc3XVC3aO4WqglFmgJvcVkvYcoKLY+yA2IIjUuQGPGQY6VirvbRk0TkojgqVfZAV8vLACOgHYEzaJ4GFtQwWNAMI1yF3XR4plojAKCFOpOr91PY92JvtOV110KGQQOBCguP/301yVyK2Xoc2Y5GchhsZi7I2aX322VFd/omU3MK9fjy557No5Fh973h8tzFpxT1XtAG7XbA7+04Zd8FQMdvYaRlojnucQ+bh/4C0ZWuPbynu3GJtcK2Cg2/27KwGleJX7eCYCn7v+DYuut7bSfgfjwDDFjg6lxOmZvtJxFPLiciCZHm5fruvHgnDKJyJshIILss= root@a966d6bfec52


## Copying public key

On the server, list all the public keys that have access in the `/root/.ssh/authorised_keys` file. In our case, there would only be one line corresponding to the generated pre-public key.

In [8]:
docker exec ssh_client cat /root/.ssh/id_rsa.pub > authorized_keys
docker exec ssh_host mkdir /root/.ssh
docker cp authorized_keys ssh_host:/root/.ssh/authorized_keys
rm authorized_keys

Successfully copied 2.56kB to ssh_host:/root/.ssh/authorized_keys


**Note** files copied with the `docker ps` command have the wrong permissions and ownership - the following cell fixes this.

In [9]:
docker exec ssh_host chown root:root /root/.ssh/authorized_keys
docker exec ssh_host chmod 644 /root/.ssh/authorized_keys

## Getting acceess

If setup correcd you can get ssh from the client server to the host server using command `ssh <user_name>@<host_name>`. In our example try:

```bash
docker exec -it ssh_client ssh root@ssh_host
```

So here is a rather tricky case - we have access to the `ssh_host` CLI through the `ssh_client` CLI.

The following cell shows that it works: we create files in `ssh_host`using `ssh_client`.

In [20]:
docker exec ssh_client ssh root@ssh_host touch file{1..5}
docker exec ssh_host ls /root

file1
file2
file3
file4
file5
