Transcript from the "Logging in with SSH" Lesson
>> Jem: What did we learn from security Terry? We learned we don't wanna use passwords. And right now we can currently log into our server with just a password. And that's insecure. I know most of you use a short password because well, we're humans that's what we do. I use a short password.
[00:00:14] So we wanna use an SSH key instead of a password. What's the best way to do this? We can actually do all of that without even being in the server. We can do it through SSH commands, and that's what this does. Don't worry. I'm gonna break this out into tiny, bite-sized chunks.
[00:00:31] And this is fairly advanced command line, so by the end of this, you'll be a master at command line. So first off, this command, what it does is I'm printing out the contents of my public key, cuz I want to put the public key onto the server. And then, I wanna SSH into my server.
[00:00:57] So, just to go back to this example, first part, cat public key, pipe that into the SSH command. And don't worry, I have followup at the end. I just want everybody to understand what we're doing here. Because, again, I don't want you to do anything that you don't understand.
[00:01:16] Never do that. Someone's like, hey, type this to your server. You're like, okay, ha-ha, never do that. Always want to know what you're doing. So next, on that server, we're gonna make a new directory. The -p command in the command line says, make that directory if it doesn't already exist.
[00:01:34] So, we're gonna make a .ssh directory, where we want our SSH keys to live. Just like on your home computer, SSH keys live in .ssh for that user.
>> Jem: And then, we're gonna pipe the output from SSH into the authorized_keys file.
>> Jem: I know, people look a little confused.
[00:02:01] There is a longer way to do this, but this is definitely the shortest, most efficient way of adding an SSH key for a user. So, let's go and do that. I'm gonna pull up my own. Try not to copy paste it. Again, you learn better by typing it by hand.
[00:02:18] So, exit out of my server. I'm currently in my SSH directory, you don't have to be but it's just faster to do it. So I want a cat,
>> Jem: My public key, so that's my_key2.pub. So if we just run this now, it's just gonna print out my key.
>> Jem: So in UNIX, the pipe command takes the output of the last command and it sends it to the next command. Think of it like a function passing an argument through another function. So we wanna SSH into our directory. So, ssh jem@, what was my server IP. Just going to copy this.
>> Jem: Well with me so far. So we're just piping the command out our public key into SSH, doesn't do anything yet. So then in quotes, "mkdir -p, the- means it's your home directory. So this is gonna be slash user slash Jem, the home directory for me. So, ~.ssh,
>> Jem: With me so far?
>> Jem: Then, actually I have to look at it [LAUGH] cuz it's so long.
>> Jem: Right, double ampersand, just means do this, and do this. That's what double ampersand means. And we're just going to cat the file. Gotta remember to do this. Into,
>> Jem: SSH.
[00:04:05] Authorized keys, close it, and just gonna test this out. Enter my password. Don't worry I'm gonna jump back. I just wanna make sure I actually typed everything correctly. So now I should be able to SSH into that server using my_ key2 jem@ there. It's gonna ask for a password.
[00:04:39] Cool. Okay so, I'm gonna rewind.
>> Jem: So this is the command I just ran. So what I did was I made a directory, or first I printed out my public key, I made a directory on my server, and I just piped the output of my public key into a file called authorized_keys.
[00:05:10] Authorized_keys is where the server holds your public SSH keys.
>> Jem: Again, the slides are available, jemyoung.com/fefs. Cuz this is pretty advanced stuff. So I'm gonna show you the longer way of doing this. This is definitely the cooler way. The much longer way of doing this is, so we're in our serve, we have a user.
[00:05:41] I'm just gonna make a new user, just for, I think jem3.
>> Speaker 2: Yeah, I think you missed part of the command in that, that you did.
>> Jem: Which?
>> Speaker 2: It should be cat and then angle bracket. That's why you got the null file.
>> Jem: Crap, you're right. Good call.
[00:06:04] And that's why it asked me for a password. See, I'm not perfect. Thank you for catching that. So I'm just going to run that again. I forget to pipe that into this file. So, bracket bracket.
>> Jem: Okay, that worked. And now when I login, it should not ask me for a password again.
[00:06:30] There we go. So you know it worked correctly when you log in as that user using that private key and it doesn't ask you for a password this time around. And if you look you can, whoops, ls -la, you should see a .ssh directory now. That wasn't there before and you just made it.
[00:06:49] Okay, but that was advanced, and I don't want anybody to feel too lost. So we're gonna do this the longer, boring way. So I'm gonna add a new user, adduser Jem3, I need to be sudo so what do we learn sudo bang bang. And password.
>> Jem: So I'm in a new user, I'm gonna switch to that user now
>> Jem: So su, whatever that user is.
>> Jem: And right now there's nothing here. So let's go into the, whoops, there we go. Cd ~ it switched back into your home directory for the current user that you're on. So pwd should be home/jem3. That tells me that I'm in the jem, or whatever user you just made, directory.
[00:07:46] So now ls -la, there's no .ssh directory. So, let's mkdir, make directory, .ssh
>> Jem: Now when we ls.la, ls is just list files, la means list all the files. And if something starts with dot, it's a hidden file by default, so we have to -la. So let's go ahead and cd into that .ssh directory.
[00:08:14] And we're gonna make a file called authorized_keys. So, there's different ways to make a file, I can say, I can vi authorized_keys.
>> Jem: And I'm not gonna put anything in here right now. The easier way to do this is just you can say touch and that makes a file.
[00:08:42] So if I say touch foo, it makes a file called foo. That's an easier way to just make an empty file. But let's go back to vi. Remember our old friend, vi? Just gonna vi into authorized_keys. Now, we need to copy our public key into this file. Now how do we do that?
[00:09:06] Well, because we are cheating, we are just gonna copy, paste directly from our computer. In the real world you can't do that, that is why we have to use the advance command line. But, this is a beginner class, so let's slow it down. So I am just gonna go ahead and open a new tab on my terminal.
[00:09:24] Cd into my .ssg directory, and cat my_key2.pub. And I'm just gonna copy and paste this in. This is totally cheating because in the real world you can't do this in a data center. You can't just copy and paste things, but.
>> Jem: Thanks, Mark for pasting that into the chatroom.
[00:09:53] But now, we can just insert, and we can paste this public key into our authorized keys file. Good, good. And what do we do, we write quit.
>> Jem: And that's it. So doing this command, exit again
>> Jem: So this command is equivalent of what we just did, except if you can tell doing it by command line is significantly faster if you're fast at it.
[00:10:24] And, I don't know is just easier to reason about, but you can always do it the long way which we just did, either way will work and we're coming close to lunch. I don't wanna go too far ahead cuz I know some people are still struggling a bit.
[00:10:39] So as long as you can SSH into your server. So again the way to test that is, ssh the private key that you just used,
>> Jem: The user that I just made, so Jem@.
>> Jem: 247.250.
>> Jem: Cool. And if you did things correctly, it will not ask you for a password this time around.
[00:11:14] If you didn't do things correctly, it's gonna ask you for a password. So this is very, very, very important make sure you can log in with only your SSH key. Because in a minute, actually after lunch we'll disable login with a password. Which means if you didn't set your SSH keys correctly, you will be locked out of your server.
[00:11:36] This is really important. You will be locked out your own server if you didn't set this up correctly. So, verify that you can login using SSH key only.
>> Speaker 2: It's not necessarily locked out forever, cuz Digital will let you reset it.
>> Jem: Fair, yeah. [LAUGH] In the real world, running your own server, you could not go to help and reset it.
[00:11:56] But is 100% right, they will help you out.
>> Speaker 3: So wait, we should be able to just type our username at our IP address and it will just connect without typing in password?
>> Jem: Exactly, you should be able to use your key file, so -i is to use that private key, and you should be able to log into your server.
>> Speaker 3: Okay, hold on.
>> Jem: Yeah, so make sure you can do something like this with your private key and login and it shouldn't ask you for a password this time around.
>> Jem: This is really, really important. Otherwise, yeah if you get locked out of your server, you've gotta start all the way back at the beginning.
[00:12:37] Or contact Digital Ocean which will probably take a while, so.
>> Speaker 3: So should we still have to type in a password for the key?
>> Jem: No, if you're typing a password, you did not do things correctly. [LAUGH] Okay, since we have a few minutes until lunch, I'm going to go over it again.
[00:13:06] And this is nobody's fault. This is pretty advanced stuff. So this command, I'm just gonna go break it down. Cat, your public key. Cat's just printing out the public key. Pipe it into your SSH. This is the user you wanna log into, let me pull this up a little bit.
>> Jem: So we're printing our public kay, we're logged into the server, in quotes we're making a directory. The -p command just makes it if it doesn't already exist. We're making, ~/.ssh. So in your home directory, we're making a .ssh directory.
>> Jem: With me so far?
>> Speaker 3: I ran the command just fine but it still asks me for a password for my key, not for my user code.
>> Speaker 2: Did you type in a pass phrase?
>> Speaker 3: For my key?
>> Speaker 2: For your key. Was I not supposed to?
>> Jem: You can if you want, I don't cuz I'm a bad-
>> Speaker 2: Because of this.
>> Jem: Yes.
>> Speaker 3: Okay, so it must be working fine then.
>> Jem: Yes.
[00:14:21] If it asked for a key for your server then you did [CROSSTALK].
>> Speaker 3: Yeah.
>> Speaker 2: I'm totally sorry, that's my bad.
>> Speaker 3: That's okay, cuz it asked me for a password for the key itself, and I didn't realize I should of just not set it up.
>> Speaker 2: Yeah, the word is pass phrase.
>> Speaker 3: Yeah, sorry, sorry, I didn't see that.
>> Jem: Yeah, but it's confusing for sure.
>> Speaker 2: Couple questions here. The cat command, should we be running that from the local computer?
>> Jem: Yes, this is all on your local machine, not your server.
>> Speaker 2: Cuz we're copying our local keys up to the remote server.
>> Jem: Exactly, exactly.
>> Speaker 2: Next question, if I change the file name on my SSH key, will that effect anything like I have named foo_key, if I rename that to DigitalOcean_key will that be fine?
>> Jem: That's fine, just as long as a, you remember it, b, you change your public and private key to the same name, so you know that they sync up together.
>> Speaker 2: Okay and then, would there be any difference if we used the .pub key when we log in?
>> Jem: Yes, you can't use your public key to login. It's again, private public private encryption. The public key lives on the server, the private key only lives on your local machine.
[00:15:29] Public key locks everything, only your private key can unlock it.
>> Jem: And remember the test it -i, your key, your username @ your server IP. And it shouldn't ask you for a password. There might be a passphrase on your SSH key, but it shouldn't ask you for a server password if you did things correctly.
[00:15:58] Hopefully, we all got this working, and we are able to log into our server without using a password. I'm gonna go through creating a key one more time because I think there's two or three people having a bit of trouble.
>> Speaker 2: Can you make a key with a different name?
[00:16:16] I think that's confusing people.
>> Jem: Yeah.
>> Speaker 2: And how you would give its unique name.
>> Jem: Just exit out of here. Clear, so now I'm in my .ssh, so we're gonna use SSH keygen. That's right,
>> Jem: -t, fill out the encryption method. And at this point it says what you want to name it.
[00:16:43] If you hit Enter, it's gonna give you a default name of id_rsa, which is gonna overwrite your key if you already have a key called id_rsa. So at this point, give it a name. So, foo_bar, it doesn't matter. And then I'm not gonna give it a passphrase, cuz I'm lazy and I hate typing it in every time.
[00:17:01] But you can, it's optional. If you're using something with you need high security, I'd give it a pass phrase but I'm not going to. And that's our key. So if we ls, we can see foo_bar our private key and our public key has just been created.
>> Jem: Everybody so far, hopefully we're all caught up again.
[00:17:26] So I'm just gonna log back into my server.
>> Jem: So, everybody needs to be able to do this at this point to SSH into your server just using your private key and not use a password. This is really important everyone. So no password needed.