Transcript for:
Understanding SSH Keys for Assignment 2

Hello everyone and welcome. Today is Wednesday, September 11th. We're here to talk about the beginning of Assignment 2. Currently, there are some people in the meeting, which I love.

Nothing better than doing a lesson with an audience. This lesson might be one of the last ones where we all sit together, right, all three classes, because this is now the part where we're going to be talking about authentication. So we've configured these VMs and now it's time for us to connect.

For the last three days, it's been a little hectic trying to work out with the other engineer, right? Eric Johnson in computer science, extremely helpful. He's the one that helps me put all this together. He's the one that gave me that third VM. And just working with him on how are we going to ensure that the machines are...

functioning correctly. Now you're probably thinking, duh, professor, it's been working, first assignment, it was done. And you're 100% right.

The first assignment went through very successfully, from what I can tell. I'm waiting to meet with the grader. She's been amazing.

She already took care of quiz two for most people, for most classes. And now we're going to sit down and talk about the assignment, because I know some of you are very eager to know how you performed.

But what's not ready is assignment two. We're not even going to see the instructions. I mean, I guess I can pull them out.

They look very similar, and here's where paying attention and being present is going to help you. I'm going to show you something that might change. So I want you to be mindful that I'm a little behind, and this one I wasn't expecting, this delay, to happen. Usually the delay is at the beginning of the semester, like organizing the VMs; if there's any update, we're using a new one. That's usually the delay. We already went over that hump, but it was a secondary delay, and that's basically part of the problem. What are we going to be working on together? Again, all three classes will be doing the same, and what we will be talking about is authentication. Yep, authentication. So why are we going to be talking about authentication? Because we're going to connect to the VMs. They're already going to be configured. So when you pull down here and it says Assignment 2, you're going to notice that you're going to select Assignment 2, and then you're going to go to CentOS, as this is going to be the first VM that we're going to work on. They're not in alphabetical order. This one is a must, I want to be clear. I have you guys here.

We'll try to do this as a short video. I don't have the VMs. I don't have everything ready to show you, but I want to be very clear.

You need to have CentOS. This is a requirement. If you don't get CentOS to work, ladies and gentlemen, you will not move forward in this class. You can cry.

You can complain. You can curse. You can pout, whatever you want to do, you can do it.

But the only way you're going to get through is by going very slow and with meticulous steps on how to get this. SSH keys are the way of the future. It just is.

It just is. SSH is basically a way that protects everybody from getting your passwords stolen. And SSH is basically the default for most of the cloud providers to connect. Not teaching you about SSH, it's like, you know, just graduating a doctor who's never actually seen a live patient, just been working with dummies. It wouldn't work. Well, not that critical, but yes, it is critical. So SSH, in my opinion, is super important.

You really want to get the hang of it. And in this class, we are going to learn how to configure SSH. So I'm going to go ahead and give you an example. Again, this is not the formal example.

This is going to be more of a theory example. I don't have the VM ready for how this is going to operate. So I apologize again, trying to get the third server to cooperate with me. Step one, this one is for everybody. Ladies and gentlemen, have you checked your Ocelot credentials?

Let's see, we have six students attending this video. Let's ask around. Have you guys checked your Ocelot credentials? Yes, yes, thumbs up. Okay, that's three out of six.

The other three, not sure yet. No answer. Okay, if you're watching this video, it is important that you check your credentials. And you have to. So here's what I'm gonna do.

I'm going to log in to another box that I have called jump. Don't worry. Oh, why did the professor just call these things, um, like little shortcuts? Because you can create shortcuts; they're pretty comfortable. All right, cool. I have access to this box called jump. I'm going to pause the screen here for a second. I want to make sure I pull up something that I need to look at. There are some notes I need to pull up very quickly. And there you go.

I just wrote down my password because I want to show you this as clear as possible. From any computer, right? From your machine, your terminal, I cannot replicate it on my computer.

And I'm going to tell you why, because if I go to ocelot.fiu.edu, sorry, ocelot.aul.fiu.edu, dash my username, it's not going to ask me for a password. So I want to be honest. This is what SSH keys do. Dude, they're great. Authentication happens, very good. But if I happen to be somewhere else, like in a lab computer, or if my connection comes from another server, if I do ssh ocelot.aul.fiu.edu and my username, then I'm going to be asked for a password, just like a regular human, right? I don't have any special powers. I mistyped this three times, and then the prompt goes back, like, well, you couldn't log in, right? Like three strikes. Actually, I think they have this a little bit different. They have, I forgot, yeah, they have a slightly different configuration. It's going to ask you like six times, but time out, right? They just fail you. You don't want to do this too many times, where your account gets locked up. So you just want to try, and if you cannot get in, then you need to contact computer science for support. But what I really want to show you is that, yes, if you enter the right password, boom, you're in.

As a matter of fact, it even tells you how many times you enter the incorrect password. That's how good this is. So we want to be inside of Ocelot.

And I think I drew that last time, right? So draw.io. Your computer has to go through the cloud, and your computer has to write that. We'll make this one much simpler, right? Like, this is your computer in orange, this is the internet as a circle, just making very quick drawings, right? And then the server is here in the cylinder-looking guy, and then we can think of the other servers, the VMs, as smaller cylindrical shapes, in green, right? So they sit here. You want to go from here to the green one, but you have to go first through the internet, and then second you have to go through Ocelot. All right, so it's important: there's no more jumping directly to the VM through VNC. VNC is no more. We don't need VNC. All right, so if I'm in my computer, I'm now sitting in Ocelot. So, you know, I started my journey here, and now I'm able to connect to Ocelot. I'm actually sitting now in this server. I should be able to connect to any VM that's available to me, and the way you will do that is obviously with ssh, the IP, and then your username. It could be just that simple. This is how you will connect. Forgot we're not in Do Not Disturb, my apologies, my apologies, my apologies. All right, we're here.

We want to go to the next server. We want to connect, and we're going to connect to a server that's already been configured for you guys. So this is the cool part. This is really the cool part, and I'm going to show you why. My job is not only to teach you guys, but I feel like my job is to come up with these really cool scenarios where I feel we are going to learn some really cool stuff with the latest and greatest, because it helps me do a better job at my networking job at the university, and it helps me teach you really cool things. The third server, called server C, right? I have a little shortcut, right, a cute little shortcut, letter C. Let me move this to the side a little bit. Before I run this command, I want to make sure that nothing crazy is showing. Yep, nothing crazy is showing. Okay, here. I want to clone, because I already finished the VM. I want to make sure I already finished an Alma server.

I want to clone Alma. And this is going to happen on the website. So I'm showing you a little behind the scenes.

It's not a big deal. So we'll call this one as demo one. Bam.

So this is going to be an Alma VM. And when it's done. The website, trust me, this is a lot cooler on the website because on the website, we were struggling these last three days because the clones were not working correctly. When you clone, it wasn't doing what it was supposed to do. Eventually, in the website, you say, I want an AlmaVM, and then it gets you all the data.

I'm going to request two machines. I'm going to create an AlmaVM, and I'm going to create a CentOS VM. I'm just going to call them Demo1 and Demo2. It doesn't really matter for intents and purposes.

But why am I doing that? Because what I would like to show you here is that I'm going to have two machines. Here's one and here's the other. And I'm going to connect from demo one to demo two using SSH keys. This is going to be our first attempt to explain SSH keys.

As part of this explanation we need some machines, so let's get to them. Oh, really cool, two servers. All right, right on. I need the IPs, so I'm going to pop another terminal right on the side. I know you can't see them, but trust me, I'm going to need this one. And now I know the IPs, which is really... So let's connect. All right, let's connect. Remember, I am in Ocelot.

So from here, you will be able to connect to one server and one server only, which is going to be CentOS. You're going to be able to connect to CentOS using your actual panther ID as a password. This is the only time.

In this case, I will connect to server1 as root, and I will enter the Panther ID. Again, I'm the professor, so I'm not being asked for a password, but pretend that you will. So this is one server. We are going to connect to another server; we're going to do the same thing. Well, again, in my case I'm going to connect to the second server because I want to show you something. This is not the lecture that I had planned, but roll with me, we're going to do this. Let's give this guy... this guy's going to be green, this guy's going to be blue. It's kind of cool. I love the fact that, depending on your terminal client, you sometimes get to color code things, and color coding, believe me, goes a long way, because now, right, we can see which VM we're trying to do this on. We're going to go from green to blue, right? What do you guys think? Is it clear? I always panic when we do this lecture because I'm like, this is the lecture where I need to be the most OCD, careful explanation.

I don't want to lose anybody. So I just want to make sure, and I explain SSH keys like three different times because it's not the easiest concept. And I want to make sure that we're both on the same page. How are we doing so far? Are we following?

Is it good? Are we super confused? All right, I see a thumbs up, I see a thumbs up. All right, cool. So here's what's going to happen. If you're lost up to this point, it's okay. You can write down in your notes: at this time, at 9:29, the professor really is going to start getting started. You can at this point forget everything we've done, because all we want to do is we want to go from the green terminal to the blue terminal. That's all we want to do, right? And we want to log in with SSH keys. So pretend you have two servers, right, and just think of it as theory. You're not going to practice this just yet. This one's like the theory of the SSH keys. So if I'm going to go from the green server to the blue server, what will be the first thing that I need to know about the blue server? Not everybody at once, guys, come on, so I can interact. Talk to me. The host name?

Sure, sure, sure, the host name. But we don't have a host name just yet, so we're going to have its IP, right? That's its bare minimum.

And if you're thinking, oh, these guys, when are we going to get to making websites? Well, you need to connect. You always need to connect from one machine to the other.

So we're getting there. Step one, get the IP, right? We need to connect to the blue terminal. So this is the IP of the blue terminal, right?

At work, they might tell you this is where you need to connect. They provide you usually this piece of information. But you do know the command, right?

This is where the crowd goes wild because everyone's like, yeah, we know the command. This is good. This is like a test command. How do you check the IP of your server? And then you can fill in the blank, right?

I type in IP ADDR. But did you know, as a fun fact, that IP ADDR is just short for IP address, basically? And did you know that IP ADDR is just short for IP ADD, which is also short for IP AD?

which is also short for IPA, like the type of beer, IPA. I know, terrible joke, but you know what? It's weird. I find it amazing.

I think it's kind of clever that whoever wrote the command didn't want to type that extra character. And I guess he felt his fingers were going to get like apps on his fingers from all the typing. So he's like, oh, you know what?

We can go as short as IP space. All right, we have the IP. Great.

So we can type in the ssh command: ssh, the IP, -l root. So let's talk about this piece. Have you guys seen this message before?

If you haven't, don't worry about it. It's 100% okay. This usually happens when the first server is trying to connect.

Whoa, we don't want to make the server fat. When the server is trying to connect to another one for the first time, he's going to ask, hey, are you sure you want to connect to this IP? And then he says, hey, by the way, this server has this fingerprint. Let's talk in real life. Have you ever been asked to confirm something before you do an action? Like, are you sure you want to call that person? I mean, you don't want to call your ex, right? That's not usually the person that you want to be calling, but sometimes, whatever. That's not the best example. But can you think of another example where you've been asked to validate who you're going to talk to?

Think about it. I'll give you a second. Huge thunder outside. About to pour down here.

What about Zelle? Have we heard about the scams on Zelle? Come on.

Not those heads. Give me those thumbs up. I know you've heard, right? Every time you send money to people, they tell you, make sure you're sending it to the right person.

If you're off by one digit, you send it to the wrong person and then you may lose your money. And then there goes 500 bucks, 30 bucks. I don't know about you, but even if I lose five bucks, that's five bucks too many.

So in companies like these, they started implementing things that are pretty old. SSH has been around for many, many years. As a matter of fact, you know what, the ssh command, or the SSH server, maybe you know, little side fact: SSH might be older than some of you. I don't know. I would like to place some bets. I think that SSH is actually older than a few years, and it's been around for a while. And like I was saying, I bring things back because they always come back. So in SSH, you do verify who's the other person. Strangely enough, you are supposed to be able to see this key over here.

And you're probably going to say, professor, how do you see the key on this side? And the professor is going to go ahead and say, I forgot because I honestly did. I honestly forgot. But you could actually verify with the other party. Are you sure am I connecting to the right person?

And then this will be the signature. This is the fingerprint. This is how you know that you're connecting to the right guy.

There's a way for you to pull the key on the other side, but at this moment, it escapes my mind and I'm not going to go on a search on the internet. So I'm just going to take my word. We're going to say yes. Yes, we know who this person is.

It took too long. We didn't connect. All right, we're going to do it again.

We're going to try to connect. Here it is. Now we're being asked for the password.

Guys, do we have the password of the blue terminal? Again, this crowd is very quiet, so I'm just going to go in and answer the question. No, we don't. We have no idea. So let's give this guy a password.

Passwd. So this is a command to reset the password. So I'm just going to reset the password.

What's the password for today? The password today will be sep112024. sep112024.

Cool. So that's the password. Now we've changed the root password. So how do we verify this? We are able to connect, right?

So we can say, what's the password? SCP 11-20-24. And I think I completely butchered that. I didn't do a good job there. SCP 11-20-24.

And we connected. Aha, good job. Did we see anything special on the terminal?

On the green terminal, how do we know that we connected to the right one, to the blue one? Because of the username? It says root and localhost, but it said root at localhost before. So how do I know that I did a good job? Because in the terminal it says authentication tokens updated successfully? Here, no, no, the blue terminal said that, but I'm connecting from the green one to the blue one. Remember, this is the diagram. This is the goal for today. That's all we're trying to do. At some point, we said, forget everything else we've done. All we want to do is connect from here to here.

How do I know that I connected to? I don't know. My clapping on my hands doesn't simulate a clock ticking. Number one.

Well, it says it failed, so it didn't connect. Okay. All right.

But read it one more time. Oh, no, it says it last successfully logged in. So after three times of a time, they logged in the last time.

So it's logged in because it says last logged in, the date stamped. Correct. And here's where, not to pick on you, but this is where, you know, a quick assumption can completely backfire on you. Right?

If you're assuming that we didn't connect, then you're going to just flip the table around and say, you know, this is garbage. This doesn't work. But you've got to be careful, because you may connect. Things can happen, and if you're not careful with what you're typing, you may be breaking things. You're making it worse for you. So this is where patience is key. All right, let's make an example. In this server we're going to create a file, right? I'm going to create an empty file. So here's a new command. New command, kind of an alert, right? This is something that may show up in a quiz. Right here, there's a brand new command. So I'm going to create a file. It's an empty file. We're going to call this one blue. And if I look at the files in the server, I should see a file called blue. In the green server, if I'm connected to the blue one, what should I see?

I should see the same blue file. If I disconnect, I should no longer see the blue file, right? So technically, maybe right now what we can do is we can bring this little guy over here. I think he might be helpful. So currently, we're in the green.

Okay, positioning, right? That was a bad position on the screen. He's on the green terminal. Clearly he's not connected.

Let's try something else on the blue server. hostnamectl set-hostname. Oh man, I don't remember this from the top of my head. Blue. Okay.

That was not that bad. Let's exit this and let's try to connect again. All right.

Cool. Here's something else. The blue server has a name on the terminal. That means that if I connect to the blue terminal, again, right, sep112024, what happens in my green terminal? I have moved from here to this guy. Again, positioning, this guy here, and it's obvious, right? It's a little more obvious than the last time. Can we agree on it? Sure. Maybe a little rhetorical, but I was hoping for people to answer. So yes, thank you for the answer.

What's going to happen now? Well, this is easy, but now we know that there are a few known facts about these machines, and we're going to kind of demystify why we don't want to use passwords. Number one, what is the user that both machines have in common? Root.

That is correct. It seemed like a trick question, but it really wasn't. It was just like, we're connecting us.

So if somebody that had access to Ocelot or somebody within FIU wanted to break into our machines, how many key pieces of information do they have to guess? Just the password? Almost.

Almost. You're one third of the way. Anybody else?

I think it's actually in the chat. Look at the chat. What is the other thing that we didn't know earlier today? What is this? WhatsApp? WhatsApp does not respect Do Not Disturb. This has never happened before. Wow, my apologies. What was it? I'm sorry. The host name? Yes, somebody said the host name. That is perfect. That's exactly what we didn't have.

So somebody will have to first guess the host name, right? Or the IP. Say, hey, I would like to connect to server 1.1.1.1.1, right? And after they realize that there is a server, right?

That you can ping the server because, you know, if the server is available, you can say, hey, we're going to try to connect to this machine. Good. The next thing that they have is a user.

So if they think it's a Unix server, they will connect as root. And then the only thing that they will be missing will be the password. Now, if you leave your machine unattended, this guy can actually be brute forced. And it's a very descriptive word, brute force, brute force. Basically, you try enough times, many combinations, and you might be able to get in.

So the number one rule for any of the three classes is in the cloud as a security rule, as just obvious reasons, because you don't have to say that this is a standard. You just don't allow root to connect because that already gives people too much information, right? There are only so many IPs in the world available.

And if somebody didn't lock the computer correctly, they will be able to get in. So we don't want that, right? We don't want that. Now, we're not going to go into the specifics. Again, we're trying to keep this video very light. There's a lot of security that you can put in here. You can have firewalls, you can do so many things, but at a bare minimum you could tell the system to remove the password. Now think about it: if we remove the password, then nobody, even if you know the root, can get in. So what about this one: remove password from user, Unix. Now again, I know how to do this, but I would like for us to take a quick look and then see, okay, well, how many ways can I delete the password from my user? And the internet is going to be filled with hundreds and thousands of answers, and I can guarantee you that these and many other tutorials are right. There are so many ways to do it. I'm going to play with this tutorial for a little. So if you don't have the password, you can't log in. Is that a good assumption to make?

Yeah, kind of rhetorical. Yes, that is the thing. So the bare minimum, regardless of the class that you're in, we have to understand that there's a very special file in the system called passwd and it's inside of the etc folder.

And this passwd contains the set of accounts that are installed in the machine by default. One of those accounts, what's his name? Root. Everybody has a root account.

And the root account is so important that, on the account management side of the operating system, which is the passwd and the shadow file, here is the password. It's encrypted, don't worry about it. You can't really guess it, although I already mentioned it to you, but this is the password. Here's a good one: passwd. I can change the password to, I don't know, password1, and password1... oh, it fails the dictionary check. So the computer's like, no, don't be so basic. So we're going to try a different password. Well, apparently I don't know how to type. And the only reason I want to try a different password is for this, because I want to show you: this is the old password, and passwd... come on, really? Okay. Oh, well, that was the second attempt. So let me enter the new one. All right.

This is the new password. And this is what the shadow file looks like. Let's see if we can make this into the same window so that we can see it, make this a little bit bigger. That way I don't get yelled out for the quality of the video again.

But this guy ends in 2UPQ0. And this guy ends in definitely not 2UPQ0. So they're definitely different, right?

I know you're probably thinking, wow, all this time just to show a password. That's not that crazy. Well, if you knew the password that I entered, you'd still be able to connect. But what if I tell you that we can passwd?

passwd -d, enter. Oh, it requires a username, so we do have to say who we want to remove the password for. So if I say root, the password has been removed. One thing that I love students to hold me accountable to is, at the beginning of the semester, I made you a promise, and I said everything that we do in this class you will be able to verify. Did I say that? I hope so. I hope so. I told you everything we do is just how to get there. Here is the same file, but what's different? There is no password. With that being said, even if I knew the password on this side, you can't get in because there's nothing to check, right?

So this is one strategy. Obviously, there's a lot of other security tools, but without doing anything crazy. You could just remove the password for any account, your personal account, the root account, any account, and you can do it.

So then the question becomes, how do I connect to the new server, right? To the blue one. How do I do that?

And trust me, each and every single one of these options works because they're doing deletions, they're doing regular expressions, they're doing all sorts of funny things. There's so many ways to do it. Don't worry, they all work. But we're not going to go into all of them because it takes a lot of time. But we want to log into the blue terminal.

So we're back here in the green one. We can't get through. What we're going to do is we're going to do some work on the blue terminal.

We're going to prep the machine. And this is the part where the key commands are going to start to show up. Again, this is a demo.

We're not doing all of it. You know, you're just paying attention, very close attention. You're drawing this diagram in your head, on a piece of paper, because you realize, hey, I really want to know what the professor is actually doing, right, and how things are going to work. I need the drawing, trust me. Step one, are you writing it down? Step one: ssh-keygen. This is the command. This is going to be key. This is step one on creating SSH keys. Where do you create the SSH keys? The blue terminal. What will be a good way to label the blue terminal? What do you think the blue terminal is?

This will be what, like the target? Is that like a good name for it? I think so.

This will be like the target terminal. And the green one, you don't have two different servers. The green one for you might be Ocelot, right?

Because you go from home to Ocelot, and from here you're going to go into the VM. So technically speaking, we're thinking of the green terminal as Ocelot and the blue one as target. So the first step: you're going to type in ssh-keygen in the target terminal. We're going to hit enter. Notice what's happening. It's going to ask you a couple questions. The first question: you're going to generate a public and private key pair. Good stuff. Let's get some keys here. This is cool, I like this little application. So we're going to get a pair of keys. Blue, what's going to be blue? Blue is going to be private, and yellow is going to be the public key.

Pay close attention. This is like close-up magic. Keep an eye on them because these things are going to move. Next, the computer is going to tell you, we're going to do that.

Next step, we're going to save the keys in this location, and this is going to be the name of the key. Also very important. So id_rsa, it's going to be the private key. So this is not only going to be private, but it's going to be private, space, private, space, id... why are you not typing? Private... okay, I think it broke, right? id_rsa. Now the public one, on the other hand, is going to be called very similar, but this is going to be the public key. So we're going to just call it public.

And it's just going to have the.pub at the end. That's it. That simple. That's what makes them different. Private and public.

The private is just for us to distinguish them. So you're going to press enter. Boom, nothing. We're not going to give them a passphrase. We're going to hit enter.

We don't have to repeat the passphrase, so we're going to hit enter again. Now, you're following, right? You're writing down the notes, because eventually you're going to have to do this, and the more you understand it, the better. The keys create a cryptographic signature. Oh man, that's for a security class. We're not going to go down that route, but just know that there is a cryptographic signature for your key, which is similar to the first time that we connected from this computer to that computer. All right, what happens now? Remember the location of the keys. We're currently sitting in the root folder.

We're going to go inside root, R-O-O-T slash dot ssh. Yes, you need a dot in front of it. This is a very special folder because it's sort of hidden.

That's the dot notation. Next, two files, id_rsa, id_rsa.pub. How are we doing?

I like to go slow. I want to make sure that you know, people understand it, at least on the first try. Maybe not on the first one, they do in the second, and if not on the third, but we'll do this a few times.

The second and third will be much faster. So far so good. We just created keys. They're meaningless.

We just have two keys. All right, let's actually use them. Let's use them. Number one, this is the private key. Remember, we called it.

This is the private key. Here's what I would like to do. I would like to take the private key and put it in Ocelot.

Why do you think I want to take the private key to Ocelot? Because it's private, right? It seems like the word means that you need to keep it. That's something that you will keep, right?

If you create a private key, that's for you. All right. So cool. Let's do that.

If I'm in Ocelot here, and this is your account, you will create a key. Now, I will create a file. I will use VI.

And by no means, again, you can, in the terminal, you can use many editors, but you have to get a little familiar with this. I don't have the time nor the bandwidth. This is not the class for this, to teach you the basics of the operating system, vi being one of them. So don't throw rocks at me, but yeah, you definitely, if you don't know how to use vi, I will show you some commands. We kind of will do some of it together, but if you really want to dive a little deeper, let me not be the one that stops you from watching a nice tutorial online to just expand your visual editor mode, because we're going to create a file.

Now I like to call the file something explanatory. You can call it too many things and we'll go into the many words that you can use but for this purpose I would like to call it I'm going to call it my username, that key underscore the year. It's completely arbitrary. Nobody said, nobody told me that I needed to do this. But it just makes sense.

Number one, it makes sense that I know what key belongs to. So it could be for this class. Actually, even better. Maybe I can just call it CTS 4348 or CGS or COP.

because that will just tell you, hey, this file was for that class I took with the crazy guy. Yes, whatever class you want to call it, just do it that, or fall 2024, I guess, key, something that's going to... you're going to remember what this file is. Enter in this editing mode: you're going to hit the letter i, which changes the mode. Now you're in insert mode and you can actually type. If you don't hit insert, it's going to go crazy. What do I need to do? I'm going to open up this file called id_rsa. And it's a long file. Look, it's a lot of text.

This is the kind of stuff that nobody will guess. This is why this is better than a password. And we're going to paste it. After you paste it, right, you're going to scroll up and down. You're going to make sure that all of it, right, the little dashes, everything works.

Now, to my friends that take shortcuts, you cannot skip the dashes. You cannot miss a character. If you miss something, it's going to fail and the frustration level is going to go very high, so please be present. After you're done with the page, you're going to hit the escape key. See, the word INSERT left. We're going to hit colon wq, which stands for write, quit, and we're back, we're out of the editing mode. I can compare: this is what the key looks like, right? And I can compare almost character by character, but you don't have to go that crazy. But, you know, does it look the same? Yes, yes, yes.

All right. So the key has gone from this server all the way to Ocelot. So far, are we good? Okay.

Hopefully the answer is yes. Here's what happened. So far, we got nothing.

I want to make sure that at this moment, you realize that we still have no progress. Nothing should... we cannot expect anything to work because we haven't finished the configuration.

So at this point, nothing has happened. We just have a private key sitting in our server. For this to work, what do I need?

I need to open up the public key. Let's do it. Public key, very small, very small. This is the key and this is the lock. You hold the key.

The lock is just sitting there. Okay, what do I do with the lock? In order for it to work, you need to save this content into authorized_keys. Very important: you need to save the content of this file into this other file. So let's start. Copy the key, edit the file called authorized_keys, which is green for special reasons, or in a different color. We're going to hit enter, and you're going to notice that there's already a key inside. There's already a key. Guess whose key that is? That key belongs to the professor. That's why he's able to get into the machines without a password. So now you start to understand: okay, cool, the professor left his public key in here. By pressing the letter o, it will insert a new line underneath the one for the professor. Important: underneath. Then paste. You should have, technically, two keys, starting with ssh-rsa and then moving all the way down to the next ssh-rsa. Hit the escape key, colon wq, you're outside. You can open up the file; you should see again two keys. At this point, what have we done? We've created the private key to sit here, and we are technically done. I'll just explain to you why we're technically done. We have created an SSH connect.

I mean, the SSH kind of fundamentals, we have them here. So now we should be able to connect from here to this server. Let's give it a shot. Let's see. Let's see what happens.

Can I connect? What do you guys think? Let's take some guesses. Do you think that we will be able to connect?

So with this you no longer need... so if you remove the root password, the only people that are able to connect are those that have the SSH verified, right? That is correct, yes. That's what we're trying to do. And this is how the internet works now, because people with such fast computers can brute force any password very easily.

And even the size of the keys are being brute forced, but this is actually a much better way to be secure. And cryptographically speaking, it's a lot harder to do. There's a lot of things that happen. This is really the way to get in.

And then firewalls and a bunch of other layers of security. But at the bare minimum, the understanding of SSH keys is very, very important. So we are going through the scientific method and we're trying to say, hey, can I connect from this computer to that one?

Let's give it a shot. Same command: ssh IP -l root. And the answer is like, what? We're being asked for a password.

And then you are going to flip the table around because... Like this didn't happen. All right, cool. Well, hold on a second. Hold on a second.

Let's make some changes here. What did we miss? If you go to the internet, there are going to be hundreds, if not thousands of too many articles on how to do this.

And everybody has a different way. Now, I can promise you that in the chats, people will get very upset by hearing me out. They are very... There are a lot of ways to do it. One of those ways says that you could specify the key that you would like to log in.

It's like saying, hey, I want to log in and I would like to take my key and try to open up this lock. That's one way, right? But you have to explicitly say which key would you like to use.

This approach works very well when you have what? When you're a professional in the industry and you have your computer full of keys. One key is for Amazon. Another key is for your work. Another key is for your personal environment.

Another key is for something else. When you have too many keys, you're going to connect to the server by saying, use this key. And this is when you say, what's the name of the key? Well, we're going to now remember the name of the key.

And we said this was fall 2024, that key. Now you can call it whatever you want, but you must remember that this key is the... Blue one, oh, I guess we forgot there.

That's the key. That's the little blue key that opens up this lock. You have to remember that. This is where you have to be accountable.

So you know that this file opens up this key. You're the only one that knows that. So we're going to try.

All right. We're going to try to connect again. And bam, progress, progress. What is this? What happened here?

What do we see? Can somebody read this for me? It says we're using an unprotected key file.

The permissions are not correct. All right, that's fine. No big deal. No big deal.

It fails back to the password, but we're going to ignore the password for now. All right, so we have to change the key. It says it's too open.

All right, so keys. have to be stored in a safe location. And if you have many keys, which this is the case, your key has changed permissions.

So we can say, for example, ls -l on the fall 2024 key, and we see that the permission is read-write for the user, read for the group, and read for other. If I'm going too fast, let me remind you that at some point you should have taken operating systems, and all of this is just the foundation of it: what a file is and some of its standard permissions, right? That's just what we have here. We have to change a permission. The computer is telling us it's too open: I will not send the key if it's in this format. So we're going to say chmod 600 on the fall 2024 key. We are then going to verify the permissions, and we are only allowing read-write to the file for the user; others and group, nobody can see anything else. We're going to try that connection one more time. Bam!

What happened here? Tell me. It lets you in.

It let me in. And now, and how do we know that? Well, we can read the blurb, but we can also see the prompt. And now let me challenge you a little bit. Do you think that it was a waste of time to set up the VMs?

from the CD? And the challenge there is like, well, when we were setting them up, we were using things like the IPs, setting up the accounts, the initial password. We were setting up things as basic as the host name, right? Like, what does it display here?

It might not be, this is FIU, you know, bob.fiu.edu. It's not the real name. It's just what the machine identifies itself.

Well, going from localhost to blue tells me that we actually made a connection. We went from here to here. And that is huge. That's a huge step.

And we did that step with SSH keys. And we know that because by looking at the simple fundamentals of the operating system, we know that there's an account called root. We know that there's supposed to be a password called in the shadow file. And that password doesn't exist.

So the authentication took place via SSH keys, which is a much more advanced way to connect. This is the way of the future. And what's going to happen throughout the semester is that you're going to sit here in Ocelot with your one key, because you're not going to have too many. You're going to have one key if you're taking the class. If you're taking many classes with me... I think you're the one that takes... Maria, right? You're taking two classes? I don't know, I think... maybe I don't remember, maybe it's you, maybe it's the other, there's another girl. No, it's me, I'm taking both. Okay, so to you and to the few, because there's more than one: if you're taking two classes, it's the same key for all your VMs.

So you just have to do this once. Again, this is still kind of like a buy one, get one free because you still have to do one assignment only. The key, it's going to work for all your future VMs.

So every time we spin up something, the professor is going to hold on to your public key and he's going to save it. So he's going to say, this one is Maria's keys. And then he's going to say, oh.

Bob wants to save his key and then I'm going to keep the public key from Yasser. Okay, so everyone's name, right? I'm going to keep everyone's public key.

And when your VM turns on, I will then say, here, here's your public key. And only you can connect to this machine. And then Maria will set up a new VM and then I will give her her key.

That's where I've been kind of busy, because in the third server this has been a little bit challenging to set up, but I think we got it. But besides that, that's more of the logistics of what happens when we do assignment two. But from a theoretical perspective, this is what we're dealing with, right? We're dealing with the public, sorry, with the private key and the public key. This is public key cryptography. And there's a whole science behind it. And there's a whole explanation, which I'm not going to go into.

There's algorithms. I mean, this is for like a security class. Again, I just copy pasted a few things if you want to read them, right?

But eventually you do have to keep your key private. There is a faster way. And I'm going to go into the advanced configuration of this, because I know some students really ask me, they're like, professor, but you don't say which key you want.

And that is true. Sometimes I just do this. So in fact, sometimes I just say SSH and they just get in, right? But let me do it the simple way.

There is a way where you can just say this IP and this username. And I get the students confused because they're like, well, later in the semester, you don't specify the key. So they keep thinking that they cannot connect and they have issues.

But I'm going to show you why that is. The key is saved in your root folder, but in your computer. There's also a .ssh, I mean there should be a .ssh folder here, there should be. So let's create it. In Ocelot you can create a .ssh folder, so let's create it.

mkdir .ssh. Oh, it says it's already there. Easy. The reason why we don't see it is because what? It's supposed to be a hidden file, so we didn't display the hidden files.

This is the command to view all files. I want to pause here for a second as well to just let you know, remind you, that all of these commands are things that are fair game for the quizzes, because even though I'm not reading from a book, even though we're not doing this, we are actually doing hands-on, and all of this is learning. I hope, I hope, and I hope that you guys realize that. Cool!

What I can do? Here's the interesting part. I can move this file.

So I'm going to use the mv command to move the file. Whoops, that's not... what is that? Oh wow, that's the... that's this thing, but the text representation of something in that server. All right, I'm going to move the fall 2024 key. I'm going to send it to root .ssh, and then I'm going to call the key something: there's a default name. If the computer realizes that you have what's called an id_rsa file, right? If it understands that you have an id_rsa file in your root .ssh, right? So in your root .ssh, if you have that file, guess what happens? It's going to automatically fill in the blank. It's going to say, oh, you want to connect from the green terminal to the blue terminal?

We got it. The id_rsa file becomes your... is there like a much more golder, I'm saying all the wrong words, but like, is there like a... something bright, whatever. Let's just think that the yellow is... this is like the golden key, the master key. If you have a file called id_rsa, you can connect from your computer to any server that contains the public one. So as long as you have this key named that way, and there's a public one at the target, you are able to connect without specifying the key, which works because then it's one less thing to type, right?

Do you remember IPADDR? When I told you that somebody was so lazy to type the whole thing and they just wanted a shortcut. Unix is all about shortcuts, guys. It's all about being efficient. If I don't have to type in -i, if I want to write the whole path, root/.ssh/id_rsa.

This, see the connection, we went to blue, I can exit. This is the same as doing this. Because by default, the computer understands, hey, I have a file called id_rsa inside .ssh. I'm going to try that key to see if it works. And because that's your default key and it actually does work, that's how you're able to connect.
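The key-file handling the lesson walks through, from creating the hidden .ssh folder, to appending the public key to authorized_keys without disturbing the key that is already there, to fixing the too-open permission behind the "unprotected key file" warning, to moving the private key to the default id_rsa name so ssh picks it up without -i, collected into one added shell example. This is not code from the lecture or the course site. It works on a throwaway directory standing in for the home folder on Ocelot, uses constructed placeholder strings rather than real key material, and never contacts a server; the file name fall2024key, the address 192.0.2.10 and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the lecture). Walks the key-file steps from the
# lesson on a throwaway directory. KEY strings below are constructed
# placeholders in authorized_keys format, not real key material.

set -e

# Stand-in for the home directory on Ocelot (assumption; real one is $HOME).
WORKDIR="$(mktemp -d)"
SSH_DIR="$WORKDIR/.ssh"
AUTH_KEYS="$SSH_DIR/authorized_keys"

# Constructed placeholder public keys (not real keys).
PROF_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCprofessorPLACEHOLDER professor@example'
MY_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCstudentPLACEHOLDER student@ocelot'

# Print a file's mode in octal (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Create the hidden .ssh folder; -p makes this safe when it already exists
# (the "oh, it says it's already there" moment from the lesson).
init_ssh_dir() {
    mkdir -p "$SSH_DIR"
    chmod 700 "$SSH_DIR"
}

# Append a public key to authorized_keys only if that exact line is not
# already present. This keeps the professor's key intact and avoids
# stacking duplicates when a step gets repeated.
add_authorized_key() {
    key="$1"
    touch "$AUTH_KEYS"
    if grep -qxF -- "$key" "$AUTH_KEYS"; then
        return 0
    fi
    printf '%s\n' "$key" >> "$AUTH_KEYS"
    chmod 600 "$AUTH_KEYS"
}

# Number of keys in authorized_keys (non-blank, non-comment lines).
count_authorized_keys() {
    grep -v '^[[:space:]]*#' "$AUTH_KEYS" | grep -c '[^[:space:]]'
}

# 0 if a private key is owner-only (what ssh insists on), 1 otherwise.
# A group- or world-readable key triggers the "UNPROTECTED PRIVATE KEY
# FILE" warning, the key is ignored, and ssh falls back to a password.
private_key_is_protected() {
    mode="$(file_mode "$1")"
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# The fix from the lesson: chmod 600, then re-check.
protect_private_key() {
    chmod 600 "$1"
    private_key_is_protected "$1"
}

# Move the class key to the default name so "ssh -l root HOST" works
# without -i. Prints the path ssh will now try on its own.
install_default_key() {
    mv "$1" "$SSH_DIR/id_rsa"
    chmod 600 "$SSH_DIR/id_rsa"
    printf '%s\n' "$SSH_DIR/id_rsa"
}

# The two equivalent invocations from the lesson. Only printed, never run;
# 192.0.2.10 is a placeholder for the blue VM's address.
ssh_cmd_for() {
    if [ "$1" = "$SSH_DIR/id_rsa" ]; then
        printf 'ssh -l root 192.0.2.10\n'
    else
        printf 'ssh -i %s -l root 192.0.2.10\n' "$1"
    fi
}

# --- walk through the lesson on the throwaway directory ------------------
init_ssh_dir
add_authorized_key "$PROF_KEY"   # the key that was already in the file
add_authorized_key "$MY_KEY"     # pressing o and pasting underneath it
add_authorized_key "$MY_KEY"     # doing the step twice adds nothing

# A pasted private key saved with a too-open mode (constructed contents).
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'PLACEHOLDER' \
    '-----END OPENSSH PRIVATE KEY-----' > "$WORKDIR/fall2024key"
chmod 644 "$WORKDIR/fall2024key"
```

After the walk-through, count_authorized_keys returns 2, private_key_is_protected fails on the 644 file until protect_private_key runs, and install_default_key moves the key to the path ssh tries by default. The same idempotent append and 600 check are what you want when you have many keys and select one with -i, since the permission rule applies to every private key, not just id_rsa.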

We're done. I'm not going to do anything else. I think we went through a lot.

I still have to go back and do more work to set the VMs. Make sure that you can spin up the right one for assignment two and then we will have another video. And this week's quiz is going to be very specific about the keys.

Just so you know, this is the first video of two or three that they will give you keys, but this will be the last classes where the two are together. Hopefully by the next video tomorrow. I have assignment two.

I can show you what it looks like and then what happens when you submit because now it's going to be key for you to test on your own. Are we clear? So we're going to use Ocelot to connect to the VMs that are being built through the website, right?

Correct. That's this ugly drawing, right? This will be your computer, the internet. This is Ocelot.

And then Ocelot is going to connect to as many VMs as you need throughout the entire semester. But Ocelot is the only way to get to them. So when we rebuild the, let's say we have to rebuild the VM that's created, does the SSH key stay the same? Yes, it stays the same because you're going to hold on to the private one in Ocelot.

And when you submit assignment two, and this is what I was trying to get at, assignment two has a special submission protocol. When you submit assignment two. I will hold on to that key and put it away. And I say, this is going to be Bob's key.

And this is Maria's key. And this is Juan's key. And this is Pepito's key. And this is Felipe and Germán and the professor.

And this is all the keys I'm going to have. If there's 160 students, I'm going to have 160 keys. And then every time you say, hey, professor, I need a new VM.

I'm going to say, perfect. Here's your new VM. Oh, you're Bob. Here's your key, Bob. Boom.

And I pair them up. Because in the internet, and trust me, this to me is a good accomplishment. I'm not going to say this is the best thing I've done in my career.

This is not the worst thing I've done in my career. But this simulation of keys is very much what they do on the cloud. Google does it.

AWS does it. Azure does it. Oracle.

They do key provisioning, so that when they give you a VM, they don't let you install it from the CD anymore, because they have to do some customization to it. But when they give you the VM, they say, here, look, here's the key, and then you figure out how to connect. But they're like, you gave me a key through some website, and then I'm going to use that key for all of your VMs. And you're probably wondering, what do you mean the professor gave me the VM? Well, guess what? Look, this blue VM, which by the way, what type of VM is this? This is an OS release, this is CentOS 9. And the green VM, which I can exit, the green VM was what? What did we start with? This is Alma, right? Alma Linux. In the blue VM, dnf history. So, to the students asking about the assignment: Assignment one, we needed to connect, right? So we connect. Notice I deployed the VM yesterday.

This was on 9th, September 10th. It has the timestamp of when the machine was installed. And it was already updated. So this computer that you're going to use, it's already with the latest and greatest software. And this happens on the cloud too.

They want to make sure that they give you the computers. They give you a phone. They give you a PS5, an Xbox with the patches so that nobody can break in.

Security is... at the top of the list. And no matter if we're doing websites, if we're writing scripts, if we're doing Unix, we have to have these concepts as the foundation, like from here, we build up. And I know it sounds weird, but why do I teach it on three classes?

Because I don't know if I'm going to see you again in another class. So I use my academic freedom to say, hey, I'm going to emphasize this piece and then we can go into our separate branches. But up to here: security, getting your feet wet, getting everything done. But is that good, clear? Are we comfortable with what's to come? All right. Actually, I don't even see where the meeting is, but I guess so. Okay, so then the next thing that I'm going to do is just quickly open the quiz on the other side. I'm just going to go through some of the questions that you may have answered, you know, what did we ask in the book, I mean, what did I ask you, so you can see the type of questions that were in one class but were not on the other. Like, can you copy-paste on VNC? I believe that was something that we mentioned in the lectures. We want to be using a terminal, because the terminal does allow copy-paste. VNC may allow copy-paste depending on the operating system, but in the configuration for this class it is not allowed to copy-paste in VNC, so that's false. There's some instructions on the operating system. Like, when we were to pick what kind of base operating system did you pick?

It's just to see if you were paying attention, right? Did you see anything? Did you actually read the menus, right?

Or did you just follow like just copy paste again? So like things like that. When we got stuck, and we needed to manually update the IP in Oracle, I ask you like, hey, what was that command that we used to update? So obviously that comes from the lectures and the things that we type, right? Because if I type in history here, you're going to realize that there's a lot of commands and a lot of things that we have executed to get this going.

And then how do we verify that kdump was running? Again, this was part of the assignment. Simple things like, hey, if I deleted the... password, right? If I type in history, you can see so many commands that we've typed.

You want to understand what we've done. But more important, if this one of these, like how do you verify the work, then this is how we know that root no longer has a password. Obviously, in that assignment was how do we verify that kdump was disabled.

And then package managers. What is the package manager for Alma and CentOS? It's called DNF. What was the package manager for openSUSE and Ubuntu?

So you can see that I'm going to start questioning things that we are doing just to make sure that you are present, that you're going along with the video. You're not just trying to submit the assignment and be done with it. So that's that. Hopefully that helped. I'm sorry it took a little longer than I expected.

But I think that's it. So I feel it was a very informative session. So thank you guys for showing up.

Definitely an audience changes the dynamic of the video. So I am glad that we are here. Cool. Questions, comments, queries? When is assignment two due?

Hopefully tomorrow we can launch it officially, and it will be about two weeks, so we'll have some time, don't worry. Okay, because I had to submit a... I submitted an Ocelot password request yesterday, because for some reason it wasn't working. So I'm still waiting on them to get back to me. No worries.

We'll start the countdown tomorrow. And it's fine. This assignment is the one that really has the most quirks to get through because of Ocelot itself and the keys, right?

You cannot work on the second VM until you get the keys to work because I will not... The only VM that you're going to be able to connect with your password is going to be CentOS. After that, you're going to create the keys in there.

And after that, every VM is going to require your SSH key to work, which is going to be quite obvious that it works. But a lot of students are like, but I did it. And I'm like, no, you didn't.

Because if you did, then you would have been able to connect to Fedora and Alma. If you didn't do it right, it's not going to work. And you'll be surprised how many times I had to sit through a phone call in Zoom to...

watch the students type in the commands, and I feel like all they need is adult supervision in front of them, because once I'm there I say like two words and then they're like, oh, and that was it. And then it's like, yeah, that was it, because they need to, you know, just be careful of what terminal they are typing in. Are they typing on the target, or are they typing in Ocelot? And it could be that in Ocelot, if you're not careful, you may be creating files that will eventually backfire on you. So you don't want to get to the point where you have created a lot of garbage and then you have to clean up the garbage for it to work again, right? But that will be all kind of self-inflicted files. So I also recommend, in the next video, you'll see me working a few things and then say, well, if you need to backtrack, then you should be careful and then remove anything that you may have created. So we'll go into a little troubleshooting next video. That's why I say it takes about three little videos to kind of get the whole thing. Some people get it on the first one, some people don't. We'll see. But good question. And don't worry, it's not like a... this is the longest piece, because everybody has to get on top of it, and like I said, it's the best piece, because this is the part where you're going to take it to the industry by saying you do know how to authenticate with SSH keys, and you know the importance, and you know the difference between how simple it is to maybe crack a password and then the keys. And the website does have a little bit of that. I do let you know what your public key is, because this is the one that everybody should know, and when you uploaded the key to the website. So we'll talk about it. But no, just wanted to, you know, introduce... your introductory video, it's just getting really, really long now, but this is it, guys. Thank you very much. Appreciate your participation. Have a good night.