From the course: Complete Guide to Linux Security: Protecting Your Linux Server Environment

SSH and Linux in the cloud

- Previously, we showed how to do an SSH connection from a client to a server in a local area network, but quite often you'll be making SSH connections to the Cloud as well. So if we look at the slide here, in this lab, we're going to diagram how SSH connections can be made to Cloud-based virtual machines, and we'll also show how to connect to Linux systems in the Cloud with pre-made SSH keys. Now we're going to do a whole SSH key lab later in this video course, but you'll see a little bit of the basics with keys in this lab right now. So first, let's diagram how these connections are going to be made. And we'll just say that I'm working here at my computer, and this computer's name is NW1, and it makes a connection out, and I have my firewall, and then the firewall makes its connection out to the Cloud. And we'll just make a big cloud here. And we're going to have two connections. I have already set up a bunch of systems, and the bulk of those systems are in AWS. So we have virtual machines, or instances, on AWS, and we're going to make SSH connections to them. We also have some systems on Linode, another Cloud provider, not as big as AWS, and we have a couple systems over there. So we'll show connections to systems on AWS and on Linode, and talk a little bit about the security behind these connections as we do so. I also want to add a new system in AWS and build a new SSH key for that system. And the type of key I'm going to create is going to be a .pem file, and we'll show how to download that file to our computer and then SSH into that system with that PEM file. So we'll start with that, and we'll jump over to my AWS console here. You can see I already have a lot of instances created. I've got Ubuntu, Debian, SUSE, and so on, but I wanted to launch an additional instance to show how to build an SSH key while we make the instance, while we make that virtual machine. 
So I'm going to launch a new one here, and I'm going to call it SSH test, and I'll just use Amazon Linux, that's fine, that's their built-in brand. And the instance type that we want is t2.micro, and the reason being that this is free tier eligible. Now if you do this on your systems, first of all, you'll need an Amazon account, but you need to keep in mind that you may be charged to build an instance on AWS. This is free tier eligible, but you only get so many hours per month of free access. So keep in mind that there may be a charge involved. If you don't want to have a charge, or you don't want to sign up for an AWS account, just watch along with the rest of this video. So I'm using t2.micro and it asks for an SSH key pair. Now we could select something, and I have a couple that I've created before, and in fact I'm using this one for other systems, and we'll show that in a little bit, but I'm going to create a new key pair. And you have the choice for RSA or ED25519. Normally I'll use ED25519, if at all possible, but some organizations will require RSA instead, so we'll go with RSA this time. And then you have two options here, .pem, which is used for OpenSSH, or .ppk, which is used with PuTTY. We're working with OpenSSH so we're going to use the .pem option, and we'll create the key pair now. Oh, and I have to name the key pair, so we'll call this aws-test-key. And we'll create the key pair now. Good, so it's going to use that aws-test-key as the key pair. I'm going to leave all the network settings as is. We're going to allow SSH traffic, otherwise we wouldn't be able to SSH in with our key, and leave the storage and advanced details as is, and we'll go to launch instance. Okay, so it's been successful, we have a new instance, and if we go to instances, we should see it on our list. And here it is, SSH test.
And if we click on that, we'll see the public IP, we can use that to SSH in, or we can use the public DNS name, which incorporates the public IP address into the host name. If you want to connect, we could go to connect here and we have multiple options. We could go to Instance Connect, we could use the serial console, or work with the SSH client. And so they give you directions on exactly how to do this. Now the first thing you want to do is you want to change the permissions for the SSH key. You actually want to reduce the permissions down to 400. We're going to be showing chmod and how it works later in the video course, but for now, what that does is it allows you to modify file permissions. So we need to do that first, then we'll be able to connect to our instance. So let's take a look at our system here. And I'm going to go to my downloads directory because I didn't really show it, but it should have downloaded the key automatically when we created it. And in fact it did, and it sent that to the downloads directory. If not, you could always download that key if you need to. And here it is, it's called aws-test-key.pem, so that's what we're going to use to actually connect. Okay, so we have our key here. The first thing we need to do is change permissions on it, otherwise the Amazon system won't allow us to connect. So if we do an ls -l and take a look here, we'll see that we have a fair amount of permissions on here. We need to reduce the amount of permissions. We're going to do that with the chmod command and use the octal numbers 4-0-0 to modify the permissions on that file. And we'll press enter, and we'll go full screen here, and now if we do an ls -l again, we'll see that our permissions are much less than what they were before. So that chmod 400 totally reduced the permissions to just read for the user. 
And again, we'll talk more about chmod later in the video course, but now we should be able to use the key, and it will be able to connect to the Amazon instance with their security criteria. So we'll go back to our instance in the AWS console and you'll see the entire example here. We'll copy this over and copy that directly to our terminal. So this is the SSH command, and it uses -i; you use -i to specify a particular key. You can also state what the path is to that key if it's a different path from the directory that you're working in right now. And that path and file name have to be in double quotes, and then you have the entire fully qualified domain name, or host name if you will, for this instance that we want to connect to. So we're going to do an ssh -i, the name of the key, and then the fully qualified domain name. We'll press enter and we're in. And so you can see that I'm connected now as ec2-user, that's the default name for any Amazon Linux, that's the default user you would work with. And it's at that system. So we are into Amazon Linux 2023, excellent. Like I said, you can also connect by IP address if you wish to. So if we go back to our system here, and it's actually in the name, you can see the IP address here, but again, if you want to see what that is, you can go to the instance itself and you'll see the public IP address here. You can copy it if you like. Go back to our connection here. Well, we're connected via SSH. We can either exit or press control + D to get out, run that command again, but instead of that huge fully qualified domain name, we'll just paste in the IP. And we'll say yes, and we're in. Now it asks for the fingerprint again because IP connections are different from fully qualified domain names. But we are in, and we can look at the system, we can take a look at what's happening here, it is Amazon Linux. We can do a systemctl status and check what networking service is running. For example, it should be running systemd-networkd.
Okay, and it is, that is active, that's the baseline networking service that Amazon Linux 2023 uses. And then we can do whatever we need to with this server. We have our SSH connection to it. So I'm done with that, I'm going to press control + D to get out of there, and I'm going to jump to another set of terminal screens. And before we started recording this video, I created a bunch of instances, as you saw, on AWS and also on Linode. I used Terraform to build those instances, and so what I did was I built them locally and used Terraform to create that infrastructure on AWS. And so Terraform's another great tool that you may want to get into if you're working as a systems administrator, or in DevOps, especially if you're working with software and you need to create infrastructure quite often. And if you are interested in that, check out my Terraform course, that's a separate course altogether. But when I did so, I created outputs so we could output information about the instances that I created. And so we can find that by running a Terraform output command within the directory where we built the Terraform configuration. And we can see all of the instances that I created, and we see their public DNS names and their public IPs, so I can use these to connect. And I just use the Terraform output command to regenerate that information for me. So Terraform was used to build all these, now I'm going to connect to a couple via SSH. So the first one I want to connect to is my Debian system. Let's connect to the Debian_12 system that I built on AWS, and I'm going to do that with SSH. Now we need to use the -i parameter and locate the key that I created previously. What I did was I created a key just for these instances that I'm building. And that key is inside of the keys directory. And you can see it, it's called LNSF_key. That's what we're going to use to connect. 
So because I'm using a specific key, I need that -i and I need to state the location of the key, it's in the keys directory, and then the name of the key. And then I need to know the username that I'm connecting to, and the IP address, or the domain name, or host name of that system. And so when we're connecting to Debian systems on Amazon, that is normally going to be admin. That's the name we're going to use to connect. And it's going to be admin at the IP address, and that is this IP address here. So let's see if we can connect. Press enter and we're in, that's it. No passwords necessary because we're using keys that I pre-generated. So I'm connected as admin at my Debian system, good. Let's do a quick check of this system. Let's do a cat /etc/debian_version. Okay, good, it's at 12.5. One of the interesting things is that when I first did the install, I checked it, and it was at 12.0, but Amazon AWS has automatically updated this over the past couple of days to 12.5. That's a good thing, but we definitely want to check. As of the recording of this video, 12.5 is the latest minor release for our Debian system, but you definitely want to check this kind of thing on the Cloud and make sure that it is updated, and if it's not, we would go ahead and do the updates, more about updates later in this course. And I want to make one other connection, and that's going to be to my Arch system on this IP address. This is actually at Linode, it is not at AWS, so let's make that connection. Once again, it's going to be an ssh -i, and it's going to be the LNSF_key in double quotes, but this time I want to connect to that Arch system. Now, when you first build a system on this particular Cloud provider, you have to connect as root the first time. So I'm going to connect to that, it's 97.107.140.84. And we'll press enter. "Are you sure?" Yes, I built it. And we're in.
So remember back when we were talking about the principle of least privilege, and we showed a user account trying to connect to a server via SSH directly as root, and we said, "Ah, that's a no-no, you don't really want to do that." Well, in this case, we have to because it's the first-time connection. But what we would do is we would go into the ssh directory within /etc, and we'd modify the sshd_config file, and we would turn off root access, we would create another administrative account, a sudoer, so to speak, that we would use going forward and turn off root access in this file here. We'll show exactly how to do that in the SSH section. So this is definitely insecure, but it's only for a short period of time. There are other ways to go about this, but this is the default way when connecting to a virtual machine that you create on many of the Cloud providers out there. Not AWS, or Azure, or Google, but many of the others. So keep that in mind, we want to make sure that we're securing our connections and we'll show exactly how to do that later in the course. So there you go, there's a little bit of SSH, and we showed connectivity to various systems in various ways with the .pem key that we used to connect to that new instance, and then also with pre-built keys, which I built using ED25519 to connect to AWS instances and to Linode instances. So there you go, and that's it for this sub-lesson.
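The following is an added example and is not part of the course or its lab files. It turns two steps from this lesson into shell functions you can check: locking a downloaded .pem key to mode 400 (the OpenSSH client itself refuses an identity file that is group- or world-readable, printing "UNPROTECTED PRIVATE KEY FILE" and ignoring the key), and the post-first-login hardening of sshd_config that the lesson describes (disable root login and password authentication, keep public-key authentication on). Everything runs against temporary files; the key file name, the function names and the sshd_config fragment are assumptions made for the example, and the key content is a placeholder, not a real private key.

```shell
#!/usr/bin/env bash
# Added example, not from the course. Two pieces of the lesson as checkable
# shell functions:
#   1. lock a downloaded private key to mode 400 and verify it, which is
#      what the OpenSSH client requires before it will use an identity file;
#   2. edit an sshd_config to turn off root login and password auth, the
#      change the lesson says to make after the first root login, and read
#      back the effective value of each directive.
# File names are assumptions; the sshd_config content below is constructed.
set -eu

# Print the octal mode of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed only if the key is readable by its owner alone (400 or 600);
# ssh refuses group- or world-readable identity files.
key_perms_ok() {
    case "$(file_mode "$1")" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}

# chmod 400 the key, exactly as in the lesson, then verify the result.
lock_key() {
    chmod 400 "$1"
    key_perms_ok "$1"
}

# Effective value of a directive: sshd uses the FIRST uncommented match and
# keywords are case-insensitive. Prints nothing if the directive is unset.
get_sshd_directive() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Set a directive in place. An existing line (commented or not) is rewritten
# so the file keeps one unambiguous copy; otherwise the line is appended.
set_sshd_directive() {
    local cfg=$1 key=$2 val=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}[[:space:]]" "$cfg"; then
        sed -i.bak -E "s|^[[:space:]]*#?[[:space:]]*${key}[[:space:]].*|${key} ${val}|" "$cfg"
        rm -f "${cfg}.bak"
    else
        printf '%s %s\n' "$key" "$val" >>"$cfg"
    fi
}

# The hardening step from the lesson. Create the sudo-capable admin account
# and install its public key BEFORE applying this, then run `sshd -t` and
# reload sshd while the current session stays open as a fallback.
harden_sshd_config() {
    set_sshd_directive "$1" PermitRootLogin no
    set_sshd_directive "$1" PasswordAuthentication no
    set_sshd_directive "$1" PubkeyAuthentication yes
}

# Constructed sample: the permissive state a fresh root-login image is in.
make_sample_sshd_config() {
    cat >"$1" <<'EOF'
# constructed sshd_config fragment for the example, not from a real host
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
EOF
}

# Stand-alone demo against temp files; safe to run anywhere.
demo() {
    local tmp key cfg
    tmp=$(mktemp -d)
    key="$tmp/aws-test-key.pem"       # assumed name, matches the lesson's key
    printf 'placeholder, not a real private key\n' >"$key"
    chmod 644 "$key"                   # a browser download is typically this open
    if key_perms_ok "$key"; then echo "unexpected: key already locked"; fi
    lock_key "$key" && echo "key mode now $(file_mode "$key")"
    cfg="$tmp/sshd_config"
    make_sample_sshd_config "$cfg"
    harden_sshd_config "$cfg"
    echo "PermitRootLogin=$(get_sshd_directive "$cfg" PermitRootLogin)"
    echo "PasswordAuthentication=$(get_sshd_directive "$cfg" PasswordAuthentication)"
    rm -rf "$tmp"
}
demo
```

Two caveats when you do this on a real host rather than the temp copy: sshd takes the first value it reads for a keyword, so on distributions whose sshd_config starts with an Include of a drop-in directory, a drop-in file can win over your edit; confirm what the daemon will actually use with `sshd -T | grep -i permitrootlogin` before reloading. And keep the root session open until you have logged in as the new sudo user over a second connection, so a typo in the config cannot lock you out of the instance.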
