[![Open In Colab](https://colab.research.google.com/assets/colab-badge.svg)](https://colab.research.google.com/github/rzl-ds/gu511/blob/master/002_ssh.ipynb)

# `ssh`

almost all of the work we do in this course will be done on the linux command line, and the way we will be accessing that command line is from our laptops via `ssh` (**S**ecure **SH**ell).

## what is `ssh`?

have you used `ssh` before? from that perspective, what is it?

basically, [`ssh`](https://en.wikipedia.org/wiki/Secure_Shell) is a protocol for connecting to a remote server and executing commands in a "shell" (an interpreted environment where certain commands and programs are available to us via short typed commands) on that server.

this requires a few things

+ a "server"
    + some computer (besides ours) which is actively running a process which can
        + listen for requests in this protocol
        + interpret those requests
        + check if a request is authenticated (i.e. is an approved user with approved credentials), and
        + build connections and shells for remote users
        + note: [windows `ssh` servers exist](https://blogs.msdn.microsoft.com/powershell/2017/12/15/using-the-openssh-beta-in-windows-10-fall-creators-update-and-windows-server-1709/), but the vast majority of all `ssh` servers you will encounter are running linux

+ a "client"
    + this is *our* computer, and
    + some program (e.g. `putty` on old Windows machines, the [Windows `ssh` command](https://docs.microsoft.com/en-us/windows/terminal/tutorials/ssh) on new Windows machines, or `ssh` on linux or mac), and
    + an internet connection (not guaranteed!)

*semantics note: this paradigm of a "client" asking for something and a "server" responding with it is a ubiquitous design pattern*

## why use `ssh`?

first of all, it is secure. it encrypts all messages before transport (so if someone malicious is eavesdropping it doesn't matter), and neither side of the connection knows all of the details that made it secure (i.e. both sides have secrets) -- more on this in the homework.

second of all, it's standard. it is not the only method of secure communication, but it is almost universally supported.

## security and `ssh` keys

when making a connection, users generally need to authenticate. Typically this involves logging in *as* some authorized user, and although the default method of authentication in linux systems is user name and password, `ssh` communication has a secondary method of authenticating -- **`ssh` keys**.

In one of this week's exercises you will walk through some of the underlying math of `ssh` public/private key authentication, but for now the primary message is this:

+ clients (you) have a **private** key
+ clients (you) send servers (remote) a **public** key
+ these keys are used by both computers to
    + securely communicate a special message (an encryption key)
    + prove respective identities (authenticate)
+ after this, all communication is encrypted using that encryption key

advanced note: the private and public keys come in several different formats (most commonly: `ppk` for windows and `openssh` for linux) and represent different algorithms (most commonly: RSA)

<div align="center"><img src="http://drive.google.com/uc?export=view&id=1sl8ah8DVSKhzk-kdu5yiW1VDTXWJ6sRp"></div>

the next two sections will discuss using `ssh` from both windows and linux-like environments. Although *your* laptop is one or the other, it is extremely likely you will need to make connections from the other at some point -- knowing how to navigate `ssh` from both environments is absolutely necessary!

though the methods might seem different, they are going to ask you the same things:

1. what is the address of the server to which you want to connect
1. what is your name on that server
1. what should we send the remote server to authenticate (a password or `ssh` key pair)

let's collect some of that info. open a scratch file (notepad or whatever) so we can copy/paste some info.

let's start with the server address. this is the IP address or DNS that is the unique name on the internet of our `ec2` server

head back over to [your aws instances dashboard](https://console.aws.amazon.com/ec2/v2/home) (*top menu* services > ec2 > *left menu* instances) and copy your *public DNS* or *public IP* to your clipboard for use as the `[server address]` in that command above.

by default, the `[user name]` for logging in to `ec2` instances depends on the `ami` we chose

+ `ubuntu` for aws ubuntu instances
+ `ec2-user` for the aws linux instances

in our first lecture we built `ubuntu` instances so our user name will be `ubuntu`

as for that final part -- what we should send the remote server to authenticate -- that's slightly trickier, but it revolves around that special `.pem` file you downloaded when you created your `ec2` instance

go find that file and get the full path to it (mac: secondary/control click then press `option` and select `copy ... as path`; windows `shift + right click > copy as path`

armed with that, let's figure out what commands we can run on our laptops in order to use those three pieces of info (server name, user name, `ssh` private key file path) to connect to our `ec2` instance.

## `ssh` on macs, linux, and *newer* windows machines

If you have a linux or mac laptop -- and increasingly often, a windows computer -- chances are it already has the `ssh` executable installed. open a terminal (`cmd + space > terminal` on mac, open a [terminal](https://docs.microsoft.com/en-us/windows/terminal/get-started) on windows ([second link](https://www.howtogeek.com/336775/how-to-enable-and-use-windows-10s-built-in-ssh-commands/))) and type

```bash
ssh
```

you should see an output like

```
usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-B bind_interface]
           [-b bind_address] [-c cipher_spec] [-D [bind_address:]port]
           [-E log_file] [-e escape_char] [-F configfile] [-I pkcs11]
           [-i identity_file] [-J [user@]host[:port]] [-L address]
           [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
           [-Q query_option] [-R address] [-S ctl_path] [-W host:port]
           [-w local_tun[:remote_tun]] destination [command]
```

if you see nothing, try one of the options below, and feel free to drop in zoom for some help!

1. mac: should be installed by default. don't try and do anything right now
1. windows: wait and see how we install `putty`, or try installing `openssh` yourself: https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse
1. linux: run `sudo apt install openssh-client`

**<br><div align="center">PAUSE FOR ZOOM QUESTION BREAK</div>**

we will generally invoke the `ssh` command as

```bash
ssh [some collection of flags] [user name]@[server address]
```

the `[user name]` and `[server address]` pieces should be obvious from above -- but how do we use our `.pem` ssh key file, and what does `[some collection of flags]` mean?

let's talk about `[flags]`. we will talk about these in some detail in the next `linux` lectures, but generally speaking, when we execute a command in `linux` we want to parameterize it (that is, tweak the way it executes for our particular use case).

when we wrote `ssh` in our terminal, the output actually told us what parameters that command can take

```ssh
usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-B bind_interface]
           [-b bind_address] [-c cipher_spec] [-D [bind_address:]port]
           [-E log_file] [-e escape_char] [-F configfile] [-I pkcs11]
           [-i identity_file] [-J [user@]host[:port]] [-L address]
           [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
           [-Q query_option] [-R address] [-S ctl_path] [-W host:port]
           [-w local_tun[:remote_tun]] destination [command]
```

so if I wanted to provide something called a `bind_interface`, I could write `ssh -B MY_BIND_INTERFACE_VALUE`.

fortunately, we don't have to provide all of those parameters -- most of them have defaults (this is indicated by putting them in brackets, a la `[-B bind_interface]`), and almost all of the default values are what we want.

we do know that we need to answer that final question though (*what should we send the remote server to authenticate*), and for the `ssh` command this is done by setting the value of the parameter `identity_file`

### sidebar: passing parameters to `linux` functions

at a very high level (again, more detail in the next lecture), we can provide parameters to change how the `ssh` command executes in three ways

1. command line flags (strings like "`-*`" or "`--***`", (where `*`s are some meaningful letters) that are typed right after the command itself)
1. configuration files (files we save on our computer that the command knows to look for)
1. environment variables (variables as in any other programming language, like `python` or `R`)

let's look at how the first two categories affect the `ssh` command.

#### `ssh` flags

we already discussed these above, but we could provide our key file by writing it as we write and execute the `ssh` command:

```bash
ssh -i /path/to/my/private/key.pem user_name@remote_address
```

the `-i` tells the `ssh` command that what follows is the value of the `identity_file`, and what follows is a file path on our computer for an identity file (our `.pem` file)

#### `ssh` configuration files

imagine that I regularly have to sign in to an `ec2` server for work, and I find myself typing

```bash
ssh -i ~/.ssh/my_ec2_private_key my_ec2_username@ssh.storyblocks.com
```

multiple times a day. it would be nice if I could give these parameters a name and stop typing them so often...

this is basically what is done in the `.ssh` configuration file. because some smart developer wrote `ssh` to allow this, instead of writing those parameters every time we could instead update the file `~/.ssh/config` (where `~` is my "home" directory) to include a section:

```
Host work
    HostName ssh.storyblocks.com
    User my_ec2_username
    IdentityFile ~/.ssh/my_ec2_private_key
```

and from then on I would only need to execute

```bash
ssh work
```

pretty cool

### another sidebar: other `ssh`-related files

There are four main files you should know about when using the `ssh` program. As is often the case with linux programs, the files that matter for the `ssh` command are kept in a folder called named for the command: `~/.ssh` (the `~` variable is your home directory, and the `.` makes the file "hidden").

these files are:

+ `config` -- the file we just talked about above. this allows us create "profiles" (i.e. shortcut names) for the sets of parameters used to make connections to a given remote server

+ private keys (aka `identity_file`s)
    + to make `ssh` connections we will use `ssh` keys. these files are large blocks of a bunch of random characters
    + note that the `ssh` command will *always* try to provide an `identity_file`. if you don't specify one with `-i identity_file` on the command line or via a `IdentityFile` value in the `~/.ssh/config` file, it will look for a *default* value in the `~/.ssh/` directory.
    + the default file will be assumed to have one of the names `id_dsa`, `id_ecdsa`, `id_ed25519`, or `id_rsa`, where the value `XXXX` in `id_XXXX` is the encryption algorithm

here's an example of a private (rsa) key created using the `openssh` format:

```
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAnD2SMDVMwQ+I7n1lDwS1c0EZDy0aCajGIB1Ex/u33Qr2BjDM
flompsp3Bs3LDGaXElg2xpQhLqP/zU0nNgkktI3YLA4QRx2deJBzuQOc04a5jcNL
/w/QB/wWhNQfJbPvogxNkpizBECAFQ+CH5nVn5AsGWkLaOoSG+F1FxA/yc/HVsxu
KKTqX4DTA4mCt9cuaoYGUInWknVDTTsQaAj2nph1EaeUsAZvrG0500B+KM2vxT5H
duBt0bofUxiKAQeRRrvkHM9bbhm5PvCMuqFplhWvmfl7U6VG7OVx46bXGyOcV1bD
3YN+tLyvnawlpCRL3SARM0F8Bw4n/fOaF9+60wIDAQABAoIBADJlPckk+AvxydY7
RiSQ/UIexkl538Mr2DQ1nKDw1X6L8Y1PojZDN+JmvfvI12y5jpMRNyHYV9emeHUt
JK+uRVOjyQ10v9VgfRGNbnZH7wbfluxeCR5NaGma61yO2zkbD/lyBHd7n4qIj4e7
h9pPkXM1WrQbiN2fWpX5o/37dMfQJ0zrVvDl5njG6rpMWWf+Jjyu2M1hKY3LXuFV
Ps7YdEHgcDikoKqopBw5zPHz9uZtjxN3RQfUq832teI36mblG7utW1tToS7CqZRl
dW4Y1PO3exBS526wEYjwRRMow35o2GFxYdtT6ksIc5N2HTa/jK75YPOQNwqCXk3k
H53iMbkCgYEAzE3qFL0REeFJzGpClJlz5HziLEOOSVRkYRC02pdVbToLqf5NLe0D
mcZWjwsWxjgu0ehuLyNL0UCTShhulZeJTTefk+t+UHfqaGZFo03T5qtR+GKn5QnK
xkCvaM/KkoyxTBD8cE0Rc1bUIo7fS5MOiEyYNIFFd8Gtv7zfvN6WVw0CgYEAw8ZB
8A6942JVELuDEtVCT0JEE9ahx1xCBOyIujp1IYfa8KDy5Aoef5DhpWVR1GT4j8l7
Ccr60KI4k45GpIKwSTVgy/OpwcAEarzNIz67YbQzyYd9SLb5OUteAu61OnRO8R7d
LL34juv9X5WqGWGSs2pJG3nQlO6dAnCLe9Uf4V8CgYA1W3PzDp3SqZ/4fxf8b0dR
OTxoiwwyIpREtXRGUpfA+xPoxb2qbOgv1RjuKts70ZiIwcdlEDbQ46iUBWV8NCNr
w0ct/qbypR7XPT6as8zPxZaW5E0tCC2pMWOeYAZr18rGLvl+6uHP2bF1hRLUTgfR
mQ93Rvu5lx+ln9JfJVLmUQKBgQCA3oyg/NM6Tow4S3Zoe0D+81vkwzATD0PWAe2u
yLQ5sjgIlanNOmwBBNnECgHnkd+cpr/7HkYj9+TOHKWbvPtV9XEWT/q6sy81I7rV
LIIkOn6sdieeKfO8J0RnIcLiC5W7Wtm0jgiD7AwJU3d45aWvvJMLJxCKONfZt0PZ
69zkeQKBgQCoT5Tam7cOZbSafJDG9HeXK3SfwQ5Q3zEg02OdXOy3yIhBRXzwsW8F
NgQzxQ0/BYsuV2PFIcBoFLh+4Qo//hwI6dtFXy09FCXLGzH4k0dVq5gQ/l/Gg1vj
27+/qHpwhJxffHVscgTi5LEXYt0+F+RhIUGN2F6pUuoxOao+SfaY+g==
-----END RSA PRIVATE KEY-----
```

+ public keys
    + `ssh` keys come in pairs: public and private. these files are the public portion of the above private key
    + it may not exist, which is okay -- it can be generated from the private key

here's an example of the public key corresponding to the above private key:

```
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCcPZIwNUzBD4jufWUPBLVzQRkPLRoJqMYgHUTH+7fdCvYGMMx+WiamyncGzcsMZpcSWDbGlCEuo//NTSc2CSS0jdgsDhBHHZ14kHO5A5zThrmNw0v/D9AH/BaE1B8ls++iDE2SmLMEQIAVD4IfmdWfkCwZaQto6hIb4XUXED/Jz8dWzG4opOpfgNMDiYK31y5qhgZQidaSdUNNOxBoCPaemHURp5SwBm+sbTnTQH4oza/FPkd24G3Ruh9TGIoBB5FGu+Qcz1tuGbk+8Iy6oWmWFa+Z+XtTpUbs5XHjptcbI5xXVsPdg360vK+drCWkJEvdIBEzQXwHDif985oX37rT zlamberty@megaman
```

+ `authorized_keys`
    + a file on the **server** which indicates which **public keys** are acceptable
    + the remote server must already have your public key added to this file for you to be able to access the server as your user on that server
    + aws installs your public key on your ec2 instance for you
        + in the real world, on non-cloud machines you may have to work with sysads to get this done.

the lines in `authorized_keys` will be formatted just like the public key strings shown on the previous slide

### enough sidebars, back to `ssh` on `linux`

after all that, we should be able to make a connection by executing

```sh
ssh -i /path/to/my/private/key.pem user_name@remote_address
```

or updating `~/.ssh/config` to include a block

```
Host gu511
    HostName remote_address
    User user_name
    IdentityFile /path/to/my/private/key.pem
```

and running

```sh
ssh gu511
```

we will do that, right after we talk about Windows

## `ssh` on the *other* windows

if you are using windows to make `ssh` connections, you should always check to see if you can do it using the `ssh` command from the previous section.

**if you can't**, then the preferred `ssh` client program on windows is Simon Tatham's [PuTTY](https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html)

### private key file formats: `ppk` (windows) vs `openssh` (linux)

the `putty` program is straight-forward except for one wrinkle. recall that we are always answering three questions when we make `ssh` connections:

1. what is the address of the server to which you want to connect
1. what is your name on that server
1. what should we send the remote server to authenticate (a password or `ssh` key pair)

the way that `putty` answers that 3rd question is a little different and requires we jump through a hoop: `aws` gave us our authentication details in a private key in a particular **file format** (`.pem`) -- the information is written in a way that the `ssh` command knows how to read

`putty` has **it's own special format** that contains the exact same information but written in in a different way. this format is a lot more human readable but, importantly, *not* what `aws` wanted to give us. it is called the "putty private key" format (or `.ppk`)

for example, the following two files contain the exact same information but written in slightly different ways (`openssh` format (like your `.pem`) on the left, `putty` private key (`.ppk`) on the right)

<div align="center"><img src="http://drive.google.com/uc?export=view&id=15ejnGT1_8Nd7tBwVtRSxTRbewixXXcSt"></div>

if you are a windows user who doesn't have `ssh` available (or just prefers a point-and-click option), go to that page (https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html) and download the `MSI` installer (probably 64 bit).

let's walk through the installation in a windows VM!

**<div align="center">demo: installing and configuring PuTTY on Windows</div>**

in an aws virtual server, let's do the following:

1. launch the VM / server
2. navigate to https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html
3. follow the installation instructions
4. use `puttygen` to create a `ppk` file
5. discuss the differences between the `ppk` format and the `openssh` format
6. show how we could use puttygen to convert
    1. a `ppk` to `openssh`
    2. an `openssh` to a `ppk`

### converting your `aws` `.pem` file to a `.ppk` you can use in `putty`

the information `aws` gave you to connect to your `ec2` instance was in the `.pem` file format, and to make a connection you will need to convert that file to a `.ppk`. to do this:

1. locate that `.pem` private key file on your laptop
1. open `puttygen` (not `putty`, `puttygen`)
1. load your `.pem` file into `puttygen` with "Conversions > Import key"
1. click "Save private key" after importing

<div align="center"><img src="http://drive.google.com/uc?export=view&id=1mpQawk4eSjN3MlmfZftvmIpPvPX9yrh2"></div>

# connecting to your `ec2` instance

I really hope you saved your private and public keys somewhere!

*NOTE: if you are using campus wifi, you must connect to the `saxanet` wifi network. `guestnet` will not work*

from a terminal on a mac / linux / new windows:

```bash
ssh -i /path/to/my/aws_private_key.pem ubuntu@my.ec2.ip.addr
```

you may get an error message about the permissions on your `pem` keyfile being too open:

```
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for '/home/zlamberty/.ssh/gu511_ubuntu.pem' are too open.
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.
key_load_private_type: bad permissions
Permission denied (publickey).
```

if so, make a mental note of this, but then execute the following (we'll explain what we're doing here in a later lecture):

```bash
chmod 400 /path/to/my/aws_private_key.pem
```

and re-run the `ssh` command above

on old windows:

1. open puttygen
    1. Conversions > import key
    2. navigate to aws private key (pem) and select / open
    3. click "save private key"
    4. make note of location (consider /user/myname/.ssh/, in analogy to linux)
2. open putty
    1. add the ip address or dns string
    2. create a new name for an `ssh` profile
    3. save this profile
    4. go to "Connection > Data" and add your user name (ubuntu)
    5. go to "Connection > `ssh` > Auth" and add the path to the private key file

**<div align="center">I'M IN</div>**
<div align="center"><img src="http://drive.google.com/uc?export=view&id=0ByQ4VmO-MwEEYjVPY1ZoWWRnc0k"></div>

# END OF LECTURE

next lecture: [a linux crash course](003_linux_1.ipynb)