Hello awesome people. In this lecture, we are going to cover how we could access a remote server without a password using an SSH key. Now, a remote server means: if we have a Linux machine and we want to access another Linux machine, that other Linux machine is, for us, a remote machine. Now there are two reasons that we need to access a remote machine without a password. One is repetitive logins, meaning if you have a Linux machine A and you log into a Linux machine B like 10 times or 20 times a day, and you don't want to enter a username and password again and again, then you will generate an SSH key. The second reason, which is the more important reason, is automation through scripts. If you have scripts that are sitting on your server A, and you need to execute those scripts on server B, that is the automation that will run on B, but every time you run it from A to B, it will prompt for a username and password.
And of course, this is an everyday thing and you don't want to have any type of interaction with it, so that is why you create an SSH key, so the automation will take place by itself, without any human interaction. Now, keys are generated at the user level. So you could generate keys as yourself, as a regular user (in my case, you could generate them as the iafzal user), or you could generate the keys at the root level. So if you want to log in from A to B through root, you could also generate the keys for root. So next time when you log in as root, it's not going to prompt you for a username and password. Now let me put it in a graphical way, so this way I could make you understand what we are trying to achieve here. So let's say you have a server, or our Linux machine, and I'm going to call it MyFirstLinuxVM. And by the way, this is the actual host name I have on my Linux machine. And this machine wants to access another Linux machine. And the host name of that other Linux machine is LinuxCentOS7.
I have both of these Linux machines set up and ready for me to do this testing for this lecture. Now, if you have only one Linux machine at this time, then you can either skip this lecture or come back to it when you have a second machine. I will recommend that you build another Linux machine and name it, let's say, LinuxCentOS7 or whatever you want to call it, so you could actually practice this lecture on the second Linux machine. Anyway, now this client, which is my first Linux machine, wants to access the server LinuxCentOS7. And it accesses it through SSH, right. You open up PuTTY, you go from one machine to another, or, if you're logged into the Linux machine, you can run the command ssh to log into a remote machine. When you log in, or when you execute the ssh command to the remote machine, the remote machine prompts you for two things: username and password, right. So you provide that username and password, and then it will let you in.
Now, the purpose of this lecture is: what if we wanted to log in without providing the username and password? Now for that, what you need to do is generate some keys on your client machine. Meaning that is your authentication, that includes like your ID or whatever; you generate those keys, which are a combination of letters and keys and symbols. When you generate them, you copy those keys over to the server. And you tell the server: hey, this is my authentication, so go ahead and keep that key that I've generated, go ahead and keep it in your authorized keys file. Then, once that is copied over, the next time the client tries to log in from MyFirstLinuxVM to LinuxCentOS7 over SSH, it will not prompt that user for a username and password. Now that is how I could put it, from machine to machine. Now, in a regular way, in everyday life, to make it simpler, I will give you a scenario of a user or someone who wants to access a building or a house.
That person goes to the house, and the first thing they do, if they don't have keys or access to that house or that building, is they ring a bell or they meet the security guard, and then they give them the authentication and make sure it is verified, and then you come in. Now, another way you could do it is, next time you want to come in, you give some type of keys: like you already went through your background check, you already went through the verification process, and then you give that verification to the security team, or whoever is the homeowner of that building. Then next time when you come in, you won't be prompted for a password. All you have to do is maybe flash your badge, or scan it, and you're in. So, to get this process to work, we have a few steps that we need to follow. The first step is, on the client machine (the client machine is the one that is trying to go to the server), we have to generate the keys. And for that, the command we'll run is ssh-keygen.
The second step is to copy that key to the server. And the command you use is exactly this command, which is ssh-copy-id root, because you generated the keys as root, so you specify root@ the IP address of the server where you are copying it to. Then log in from the client to the server. Now, since you already copied it over, go ahead and try to log in to the server using the command ssh root@ the IP address of the server, or ssh -l root and the IP address of the server. Both commands are the same; they actually let you enter from one machine to another as the account root. All right. Now enough talking, let's go and log in to my Linux machines, and I will go ahead and try this process. Now I have my PuTTY terminal open. This first machine is MyFirstLinuxVM, and if you do hostname, MyFirstLinuxVM, and if you do whoami, I'm logged in as root. Now, what is my IP address? I could do ifconfig; enp0s3 is the interface where I have my IP address. And you will see the IP address of my client is 192.168.1.95.
Now, I want to go to my server. This is my server; its host name is LinuxCentOS7. And I am logged into that host as root. And the IP address of the server is on enp0s3; I'll do the same thing. And the IP address of the server is 192.168.1.58. Now from the client, if I log in to the server using the command ssh root@ the IP address of the server, and hit enter, you see it's prompting me for the password. That's what we wanted to avoid. So I'll just Ctrl C and get out of it. Now I'm back in my client machine, which is MyFirstLinuxVM. Now go ahead and clear the screen, so this way we could start and run the command on the client, ssh-keygen. [No audio] Hit enter. It is going to tell you: Generating public/private rsa key pair. If you want to know more about RSA, RSA is a mechanism of our authentication level. If you want to learn more about it, go ahead and search for it. Enter file in which to save the key. Now by default, it is going to save the key in this directory. But wait, this directory is on the client, on its local machine.
If you want to change this location, you could specify it here, but I would recommend you leave it default and just simply hit enter. The next step is asking you to Enter passphrase (empty for no passphrase). Now, if you are in a production environment, in the corporate environment, I recommend you put in a passphrase, anything that you like; it could be a password or anything, a combination of letters. But we are doing this test in a lab environment, so I'm not going to pick any passphrase. So I'll just leave that empty and simply hit enter. It's prompting me again, saying Enter same passphrase again; I didn't enter anything, so I'm not going to enter it again, so simply hit enter again. Now it's saying your identification has been saved in /root/.ssh/id_rsa. So if you cat this file, you're going to see the key; this is the key. And your public key has been saved in /root/.ssh/id_rsa.pub, which is public. This is a key.
Now, what we need to do is: we have already authenticated ourselves, we have generated the keys; now we need to copy this key to our server, so that next time when I log into the server, the server would know, and it says, oh yeah, I know you, I have your key, so you could come in without a password. So I have to copy that key. To do that, I will do ssh-copy-id root; root is the root account that is on this server. It's not the root on this client. So root@ the server IP, 192.168.1.58. You can right click if you're using PuTTY, and it will copy it for you. Now hit enter. Now, it is going to actually ask you for the password, because you are going in for the first time. And of course, once you add that key, it's going to ask you for that just this last time, so go ahead and put in the password for that root account. And now it's saying that the keys have been copied. And now it's saying: now try logging into the machine with ssh root@192.168.1.58.
It remembers my server, and: check to make sure that only the key(s) you wanted were added. By the way, that key is added to this server, and it is added to /root/.ssh/authorized_keys. You could actually go into that directory, /root/.ssh, do ls -l, and you're going to see authorized_keys. When you do cat on that authorized_keys, you're going to see this entire key has been copied. And it's copied as root from the machine MyFirstLinuxVM, so it's already there. Now, if I come in from this machine to this machine, I'm not going to have any problem; it's not going to prompt me for that password. Let's go ahead and clear the screen here. And let's go ahead and clear the screen here. And now let's go ahead and log into my server: ssh root@192.168.1.58; 58 is the IP of my server. Let's try again to confirm, you see, 58. Okay, now let's go ahead and hit enter. Bingo. See, I am logged in. It didn't prompt me for any username. It didn't prompt me for any password. And I'm logged in.
And if you do hostname, you're going to see I am in LinuxCentOS7, which is this machine. You could also do the other command. Exit out. Now you're back in your client, MyFirstLinuxVM; you could do the second command, ssh -l root 192.168.1.58 (by the way, both commands perform the same function). And I'm logged in to LinuxCentOS7. So that's how logging into a remote machine without a password works. You have to generate the keys on the machine that is trying to log in, and give these keys to the server where you're trying to log into. And then, once these keys are passed over, next time you log in, it's not going to prompt you for any username or password. And then you can run many, many different automated scripts and commands without the nuisance of going in and putting in the username and password. Anyway, I hope this lecture serves its purpose. If you have any questions, let me know. Good luck.
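The script below is an added example, not part of the lecture or its author's material. It shows what ssh-copy-id actually does on the server side (append the client's public key to ~/.ssh/authorized_keys, create ~/.ssh with mode 700 and the file with mode 600, and skip a key that is already there) and then performs the audit step the lecture mentions, "check to make sure that only the key you wanted were added". It assumes a scratch directory created with mktemp stands in for /root on the server, so it runs on a single machine with no network; ssh-keygen is used for the client key when it is installed, and a constructed placeholder public-key line is used otherwise. The host names and the root@MyFirstLinuxVM comment are taken from the lecture; every function name is this example's own.

```shell
#!/bin/sh
# Added example, not from the lecture: reproduce the server-side effect of
# ssh-copy-id locally, then audit the result.
#
# sshd's default StrictModes refuses keys that live in a group- or
# world-writable ~/.ssh or authorized_keys, which is the usual reason a
# freshly copied key "still asks for a password". ssh-copy-id therefore
# creates ~/.ssh as 700 and authorized_keys as 600, and only appends a key
# that is not already present.
#
# Assumption: a mktemp directory plays the role of /root on the server
# (LinuxCentOS7 in the lecture), so no second machine is needed.

# Step 1 (client, "ssh-keygen"): generate a key pair in DIR and print the
# public key line. Uses ssh-keygen when available; otherwise prints a
# constructed placeholder line so the rest of the script still runs.
make_client_key() {
    dir="$1"
    mkdir -p "$dir" && chmod 700 "$dir"
    if command -v ssh-keygen >/dev/null 2>&1; then
        # -N '' is the empty passphrase used in the lab demo; -C is the
        # comment that later identifies this key inside authorized_keys.
        ssh-keygen -q -t ed25519 -N '' -C "root@MyFirstLinuxVM" \
            -f "$dir/id_ed25519" </dev/null
        cat "$dir/id_ed25519.pub"
    else
        # Constructed placeholder, not real key material.
        echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERkeyMATERIALonly root@MyFirstLinuxVM"
    fi
}

# Step 2 (server side of "ssh-copy-id"): install PUBKEY into
# HOME/.ssh/authorized_keys idempotently, with the permissions sshd expects.
install_authorized_key() {
    home="$1"
    pubkey="$2"
    sshdir="$home/.ssh"
    authfile="$sshdir/authorized_keys"
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    touch "$authfile" && chmod 600 "$authfile"
    # -x: whole-line match, -F: literal match (keys contain '+' and '/')
    if ! grep -qxF "$pubkey" "$authfile"; then
        printf '%s\n' "$pubkey" >> "$authfile"
    fi
}

# Step 3 (audit): how many times PUBKEY appears in HOME's authorized_keys.
# grep -c exits 1 when the count is 0, hence the "|| true".
count_key() {
    grep -cxF "$2" "$1/.ssh/authorized_keys" || true
}

# One line per key: key type and comment, so an admin can spot keys they did
# not add. Comment lines and blank lines are skipped; lines with a leading
# options field (e.g. command="...") are printed as-is, not parsed specially.
list_keys() {
    grep -v '^[[:space:]]*#' "$1/.ssh/authorized_keys" | grep -v '^[[:space:]]*$' |
        awk '{ print $1, (NF >= 3 ? $3 : "(no comment)") }'
}

# Succeeds only if ~/.ssh is 700 and authorized_keys is 600 (StrictModes).
perms_ok() {
    home="$1"
    [ "$(ls -ld "$home/.ssh" | cut -c1-10)" = "drwx------" ] &&
    [ "$(ls -l "$home/.ssh/authorized_keys" | cut -c1-10)" = "-rw-------" ]
}

# Demo: generate a client key, "copy" it twice, confirm it was added once.
main() {
    server_home="$(mktemp -d)"
    client_dir="$(mktemp -d)"
    pub="$(make_client_key "$client_dir")"
    install_authorized_key "$server_home" "$pub"
    install_authorized_key "$server_home" "$pub"   # second run must not duplicate
    echo "keys authorized on server ($server_home):"
    list_keys "$server_home"
    echo "copies of our key: $(count_key "$server_home" "$pub")"
    perms_ok "$server_home" && echo "permissions ok (700 dir, 600 file)"
}

main
```

On the real pair of machines, the equivalent check from the client is `ssh -o BatchMode=yes -o PasswordAuthentication=no root@192.168.1.58 hostname`: with BatchMode=yes ssh fails instead of prompting, which is exactly the behaviour an unattended script needs, and the command prints LinuxCentOS7 only if the key was accepted. Keep in mind that a passphrase-less key for root is a plaintext credential to the server stored on the client's disk; for automation, a dedicated low-privilege account on the server, a passphrase with ssh-agent for interactive use, or `PermitRootLogin prohibit-password` in sshd_config limit what a stolen key can do.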