Transcript from the "Setup SSH Keys for Login" Lesson
>> All that knowledge about hashing, how it's used every single day and everything around us, why it's important, we now get to SSH. SSH uses something called a public key encryption, or you can think public key cryptography, something like that. So the concept is, there's two parts to an SSH key called a SSH key pair.
[00:00:21] There's the public part, which is something I can share out to anybody. I can share, give you my public key, post it on the Internet, post it on Twitter, it doesn't really matter, it's a public key. Then you have your private key, the private key is known only to me.
[00:00:35] The public key is used to encrypt any sort of data, any sort of message you want. And I think of it as a hashing function, or as the Psalter hashing function. But the great thing is, anybody can encrypt this message and send it to me, but I'm the only one that can decrypt it.
[00:00:54] Now, think how powerful that is. I can send a message in broad open, I can shout it from the streets, and no one will know what I'm saying other than me, because I'm the only one who can decrypt that. You can consider it one way, encryption, different ways of thinking about it, but that's a really powerful concept.
[00:01:11] So, what if we took our passwords and we were able to hash them in such a way that only I have the password, but you can't read it because I have the private key that's the password is based off of. And that's where we get what SSH is, and that's why it's such a powerful concept, much stronger than user password, much stronger than any other form of authentication.
[00:01:31] Biometric is completely different, we will talk about that. All right, SSH stands for secure socket shell. It just means that's how we connect to a server in a secure way. So when we connect to our server, and we will here in a minute, we're going to create a SSH key.
[00:01:47] We're gonna keep the private key on our end, it will never leave, you don't pass it around. You can put on a secure USB, but it's generally frowned upon. It's usually much better to create a new SSH key and add that, versus taking a private key and logging around, you don't wanna do that.
[00:02:04] Then every message we send to the server is encrypted with a public key, and the server itself has a public key and a private key. In that way, the server can send back messages encrypted, or I can send the server messages encrypted with this public key, and only it can decrypt it.
[00:02:20] And thus we have this completely transparent funnel of information flowing back and forth, but no one can read it other than the two parties at the end. That's such a powerful concept versus username and password which, if I wanna shout, hey, my password is password. Anybody standing in the middle between me and where I'm trying to communicate can learn that.
[00:02:40] But you can stand in the middle of an SSH tunnel and it'll just be gibberish to you, cuz you don't have the private key on either end. It's a really simple concept like this public key pair, but it's such a powerful way of securing our clients and our servers.
[00:02:58] So we've learned about hashing, we learned about hashing functions, we learned about SSH, let's go and create an SSH key then. Don't just take my word for it, you will see it, what it looks like. So SSH keys, they can live whatever, but by convention you want them in the .ssh directory.
[00:03:13] So that's in your home directory. The dot is important, and how do we see hidden files dot files? Yes with the a flag, ls -la, you'll see your SSH directory. You may have a key in there already, the default is called id_rsa, that'll be your private key, the public key always ends at a .pub.
[00:03:34] This is really important. If it doesn't say .pub, do not share it out. There's a big difference between your private key and public key, as we just talked about. So use the tool called ssh-keygen. And if you don't believe me, you can man ssh-keygen again, don't take my word for anything.
[00:03:50] I could be tricking you, I'm not, you never know. And then create a key and call it fsfe, full stack front end, just for simplicity sake. You can really name it whatever you want, but it's better if we all use the same naming convention. Okay, hopefully there wasn't any issues there, the two steps, but you never know what can happen.
[00:04:15] So let's go ahead and do that right now. Open up my terminal, I'm gonna clear it out. I'm gonna move into my SSH directory. Look around, I've already got some keys in there. I actually already have a key called full stack running when I was developing this course.
[00:04:35] So I'm gonna delete those, one sec go ahead, put a star on this just to make sure they're all gone, cool. And you know what's great about SSH? I can show you all these files, there's nothing secret about that, they're just the name, there's no information here. Again SSH keys super powerful, versus I couldn't have a file called passwords cuz I couldn't ever show that to you.
[00:04:57] There used to be the old way of how we logged in the server this file called password and you had mess password, yeah those were the dark days of the web. So I'm gonna use ssh-keygen. And again, the default is id_rsa, you may already have had one when you set up your computer or you needed it for some other reason.
[00:05:16] So we're just gonna name it something different. I'm not putting in passphrase, you generally should. I'm not going to because I'm lazy, and I'm not gonna use this much, but you should have a password on it. And there you go, it creates a fingerprint of the hash using SHA256.
[00:05:34] And you're saying, what's the randomart for? It doesn't actually have a purpose, it's just so you can quickly visually tell different keys from each other. And it doesn't seem like you can, but see, let's make another one, temp. See, they are slightly different and you can quickly identify your keys using this way.
[00:05:58] Not many people do, it's more of, it's cool to have randomart, but yeah, I'm just gonna delete. File because, there we go. All right, so now I have a key called full stack front end. So I can cat My publicly key, not my private key. Not that it matters, you're not gonna break into my server, but you might if you have my private key.
[00:06:25] But the public key, we see that's what the public key looks like. Now if you run cat against your private key, the full stack front end key, not pub, you'll see it substantially longer. That's because the private key is a very expensive encryption [INAUDIBLE], it's called a symmetric or asymmetric cryptography, which means you can only do it one way, you can't do it the other way.
[00:06:51] That's why not all communication is encrypted in SHA256 because it's actually a very expensive hash. Again, these are just mathematical functions we're running every single time. But think about doing that millions of times a second, it'd burn up all your CPU. So there's times we use asymmetric cryptography, there's times we use symmetric cryptography, and it depends on the use case here, yes?
>> Why should we have a passphrase?
>> Just in case someone breaks into your computer and steals your keys. That is the challenge of SSH keys is they're as secure as the location they're secured on. Unlike biometric encryption, which you can argue is not a security there, cuz someone can just kidnap you and use your thumbprint.
[00:07:33] So there's no such thing as perfect security. But you generally have a passphrase just in case someone gets into your computer, it's one extra step. However, I would say if someone made it that far, made it to your computer, you've got bigger problems at that point than someone stealing your SSH key.
[00:07:49] But it's just a good habit to have, good question though. All right, hopefully we're all there, we have some SSH key, they're all different. And then we talked about this, we have the public key and your private key. I just ran the ls command through grep, which is just general regular expression.
[00:08:09] That's what I use to find files usually, I'll show you. I don't like to just tell, I like to show you. So we can say, ls, and I'm looking for my key. So I've got a bunch of keys here, that's annoying, let's clean that up. We'll run grep and then it'll show you the files that match.
[00:08:26] And we'll talk about grep a little bit later, and how we can use it to find things really quickly out of a lot of streaming data. Okay, so now what's left is we need to copy our public key into Digital Ocean. To say, hey, Digital Ocean, every time I wanna connect to my server, use my public key to do all that connection, and I can decrypt that connection using my private key.
[00:08:54] So let's jump back to the browser. And we'll choose SSH key as our authentication method, remember not password. And we'll say, New SSH Key, and I'm gonna copy. So I'm just gonna cat .pub, and I'm just gonna copy this. There's an application called pbcopy, which will do this for you.
[00:09:22] But I'm trying to use minimal software here, if possible, I don't have pbcopies built in. So just use your mouse and copy. And then you paste that in, give it a name, front end, 3. And let's add this SSH key, and there we go. Next you can give it a hostname.
[00:09:53] I don't know, I'm so bad at names, it takes me so long. I'll just leave it at the default, but you can give your computer its own personalized name. Names do matter. In this case, it doesn't really as much, but let's say you had 300 servers running. How do you know what that server is doing?
[00:10:10] Is it a node server? Is it a database server? Is it a load balancer? Names are really important, and once you name a server it's very very difficult to change it. So there's an about naming things. Maybe I'll post in the chat later, but just give it a name, for now the default is fine, you can call whatever you want.
[00:10:27] And let's create the droplet. Sf01 is unavailable, awesome. Thank you Digital Ocean, you're really providing good value here. But let's just create a new droplet in a different region, that's gonna happen from time to time. So I'll just choose SFO2, and Ubuntu we want the LTS, great. Basic, regular, cheapest one, and we have to recreate SSH key cuz it's already saved on Digital Ocean, there we go.
[00:10:58] Select front end and let's give this a shot again. Okay, it's coming online. I'm gonna delete this old one cuz I will get confused later. In the meantime, let's go ahead and queue up these commands that we're gonna need to log in. So once our server comes online, we're gonna be assigned an IP address.
[00:11:21] The user is always root, in the beginning. We will eventually create a new user in the coming steps. We never wanna be root, but we'll talk about that. And all we're gonna do is ssh into your computer. You have to specify the identity file, ssh by default uses the id_rsa.
[00:11:37] So if that's the key file you used, you're okay. If not, we have to specify with the flag -i, and link it to our private key. So let's check if my server is online yet. Yes, and there's the IP address. So I'm gonna copy it, just helpfully provided here.
[00:11:59] Clear, and I'm going to say, ssh -i, and we're already in directory but I'm gonna do things a long way, full stack front end, my private key, say, roots@ip. Everybody there so far, okay? And the authenticity with no connect to the server it's gonna say, yes or no, are you sure you wanna do this?
[00:12:22] We're just gonna say, yes. And if you do everything right, you're now logged in. Yeah, pat yourself on the back, you've just created a server, your SSH key it is secure this is the default. If whenever you're making anything, this seems like a lot of work in the beginning.
[00:12:40] You do it enough times it's very simple, just becomes rote. And we'll talk about how to make this even faster a little bit later too. All right, you're in your own server, it's running Ubuntu, we're running on roots, that doesn't seem right. Should we be running on root?
[00:12:56] What is root? Let's talk about that in a second.