0. Overview of lab 3:
Welcome to the 3rd lab. Here is the short list of what we will do in this lab:
- Accessing ETAIS
- Creating a public/private key pair
- Creating a new Debian 9 virtual machine in the cloud
- Configuring the VPN client
- Accessing the server over SSH
- Adding the TESTER account and its public key, with no password required for sudo commands
- Updating the apt configuration
- Submitting your Floating IP (External IP) to be configured in the TLD DNS server (will be used in lab 4)
<TO BE ADDED LATER>
- Configuring Machine name and understanding its network
- Firewall
- Backup
1. How to log in to ETAIS:
This year we are using a new cloud environment called ETAIS. ETAIS's main aim is to serve Estonian students and researchers. To gain access you have to register yourself by creating an account in the ETAIS portal. Please read and agree to the Terms of Use before continuing: http://etais.ee/terms_of_use/.
Also please familiarize yourself with the ETAIS manual:
http://etais.ee/self_service/
- Log into the ETAIS system
- Go to the page: https://minu.etais.ee
- Log in by clicking "Sign in with TAAT"
- Then choose your institution (University of Tartu) and enter your UT username and personal password.
- PS! Other options (ID card, Mobile ID, another institution's username and password, and so on) might also work, but it is up to you to get them working.
- Look for a button called "Select workspace" (top centre)
- Select the workspace and your project
- If it is not available, go to the personal e-mail address you gave the University as your primary contact and look for an e-mail from selfservice@etais.ee; click on the link in it.
- If you still have problems, contact your lab instructor or Andre Tättar (andre.tattar@ut.ee)
- PS! E-groups will be added to the system later, so wait until 5 March before complaining. We want to test the lab environment and manual with the in-person groups before it is ready for independent use.
If you logged in successfully, you should see the ETAIS Dashboard, as follows:
2. Creating a public/private key pair
Before you continue we need to set up a public/private key pair so you can use it to connect to the machine.
Public key cryptography, or asymmetrical cryptography, is any cryptographic system that uses pairs of keys: public keys which may be disseminated widely, and private keys which are known only to the owner. This accomplishes two functions: authentication, where the public key verifies a holder of the paired private key sent the message, and encryption, where only the paired private key holder can decrypt the message encrypted with the public key.
In a public key encryption system, any person can encrypt a message using the receiver's public key. That encrypted message can only be decrypted with the receiver's private key. To be practical, the generation of a public and private key-pair must be computationally economical. https://en.wikipedia.org/wiki/Public-key_cryptography
Generating the key pair and uploading the public key to the SSH server
To be done on your personal PC/laptop:
- In Linux and macOS (Windows manual below):
- Open a command line
- Use the ssh-keygen command to generate a 4096-bit RSA key (try to figure out the proper command options you want to use). If asked where to store the key, use the default location ${HOME}/.ssh/id_rsa
- If asked for a password, you may consider protecting the private key with an additional passphrase for stronger security, but it is also OK to leave it empty (in that case the private key has to be kept really secret).
- Now two files should have been added to the .ssh/ directory of your home folder: id_rsa, which is the private key and must be kept secret (by the way, what are the proper permissions for this file?), and id_rsa.pub, which is the public key and may be shared (by the way, what are the proper permissions for this file?)
- Once the key pair is generated we can set up the SSH server to use public key authentication:
- Copy the public key to the clipboard and then continue with the manual on where to paste it in ETAIS:
$ cat ~/.ssh/id_rsa.pub
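As an added example (not part of the lab manual), the following POSIX shell script performs the key generation step non-interactively and answers the two permission questions above by checking the modes of the .ssh directory, id_rsa and id_rsa.pub. It writes into a scratch directory rather than your real ~/.ssh so it is safe to run; the function names, the "demo" argument and the checked modes (0700 for .ssh, 0600 for the private key, 0644 for the public key) are the example's own choices, matching what ssh expects.

```shell
#!/bin/sh
# Added example, not from the lab manual: generate a 4096-bit RSA SSH key pair
# and verify the permissions ssh expects on the resulting files.
# Assumed conventions: ~/.ssh 0700, private key 0600, public key 0644.

# mode_of PATH: print the 10-character symbolic mode (e.g. "-rw-------").
# ls -l is used instead of stat(1) because stat's flags differ between GNU and BSD.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# check_ssh_dir DIR: succeed only if DIR is a directory with mode 0700.
check_ssh_dir() {
    [ -d "$1" ] && [ "$(mode_of "$1")" = "drwx------" ]
}

# check_private_key FILE: succeed only if FILE is a regular file with mode 0600.
# ssh ignores a private key that others can read ("UNPROTECTED PRIVATE KEY FILE").
check_private_key() {
    [ -f "$1" ] && [ "$(mode_of "$1")" = "-rw-------" ]
}

# check_public_key FILE: succeed only if FILE exists and is not writable by group
# or others (column 6 is group write, column 9 is other write). 0644 is the usual mode.
check_public_key() {
    [ -f "$1" ] || return 1
    m=$(mode_of "$1")
    [ "$(printf '%s' "$m" | cut -c6)" = "-" ] && [ "$(printf '%s' "$m" | cut -c9)" = "-" ]
}

# generate_keypair DIR COMMENT: create DIR/id_rsa and DIR/id_rsa.pub.
# -N '' gives an unencrypted private key, as the lab allows; pass a passphrase
# instead to encrypt it. ssh-keygen itself creates the files as 0600/0644.
generate_keypair() {
    dir=$1; comment=$2
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    ssh-keygen -q -t rsa -b 4096 -N '' -C "$comment" -f "$dir/id_rsa"
}

# Demo: `sh sshkeys.sh demo` generates a key pair in a temporary directory
# (never your real ~/.ssh) and reports the permission checks.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d) || exit 1
    generate_keypair "$tmp/.ssh" "lab3-demo" || exit 1
    ls -l "$tmp/.ssh"
    check_ssh_dir     "$tmp/.ssh"            && echo ".ssh: OK (0700)"
    check_private_key "$tmp/.ssh/id_rsa"     && echo "id_rsa: OK (0600)"
    check_public_key  "$tmp/.ssh/id_rsa.pub" && echo "id_rsa.pub: OK (not group/world writable)"
    rm -rf "$tmp"
fi
```

The same check functions can be pointed at your real ~/.ssh after you have run ssh-keygen by hand; a private key that fails check_private_key is exactly the one ssh will refuse to offer to the server.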
- In Windows:
Use the Puttygen application to generate the key pair:
- Download Puttygen
- Set a password for the private key and save it to your hard drive.
- Take the Puttygen public key output (the text box labelled "Public key for pasting into OpenSSH authorized_keys file") and copy it to ETAIS (next part of the manual).
NB! Do not use the "Save public key" button and copy that file to the server; it will not work, because the saved file has a different format from the one-line OpenSSH format.
- Puttygen illustration:
- Copy the public key to ETAIS.
- Log into ETAIS
- In the left menu (under your name) click Details -> SSH keys
- On the right side of the screen look for "Add SSH key" and click on it
- Add a name for your SSH key that contains your last name
- Paste your public key and click "Add key"
Once the public key is successfully added, you should see it in the list of SSH keys in the left-side menu in ETAIS:
3. Creating a new Debian 9 Virtual Machine
- Log into ETAIS
- From the top choose your workspace: System Administration 2018 (UT) -> your personal project -> Select
- In the left menu go to Resources -> Virtual Machines -> +Add virtual machine
- VM name = <your last name> + vm
- Image = debian9-minimal-20171105
- Flavor = m1.xsmall (1 vCPU, 1 GB RAM, 10 GB storage)
- Security Groups = add SSH (can be done by clicking in the white area after "default")
- Networks = Auto-assign Floating IP
- Description = your full name and the course name (System Administration 2018)
- Check everything twice and press Purchase
For example, the VM configuration for Alo Peets would look as follows (WARNING: the Provider value is specific to your project, so yours will be different!):
Once the VM is successfully created it should be visible in the list of VMs in ETAIS (Resources -> Virtual Machines in the left-most menu)
General Network Topology
You may notice that a VM has both an Internal and an External IP listed. Each project gets a private network, 192.168.42.0/24; this is your project's private LAN. An IP from this network is assigned to your VM's eth0 interface and is listed in the Internal IP column of the VM list in ETAIS. The project's private LAN is connected to the University campus network (172.17.0.0) through a router device that is specific to your project (each student gets a 192.168.42.0/24 private network, but they are separate networks, not the same one). Router devices are created automatically once a project is created and a network provider is chosen. The only provider available for our course cloud is UT Campus (172.17.0.0), so each router device gets its External IP address from that range, a unique address in the 172.17.0.0 subnet. The internal address of the router is always 192.168.42.1, and this becomes the default gateway for our VM.

As we only create one VM in our private network (192.168.42.0/24), the router applies source and destination NAT (network address translation) between the IP address of the VM (192.168.42.a) and the External address of the router (172.17.x.x). As a result, all packets arriving at 172.17.x.x are forwarded to 192.168.42.a (destination NAT). The other way around (source NAT), all packets passing through the router from the VM to the outside world get their source address rewritten (192.168.42.a -> 172.17.x.x). The latter is the default behaviour of any home or small-office router. With both applied, the router becomes transparent for the VM: the VM is reachable at the router's External address. This is why the router's External IP is listed as the VM's External IP (right next to the VM's Internal IP). Note that the 172.17.0.0 range is itself only reachable from inside the University network, which is why the VPN in the next section is needed.
Network topology diagram
Question: What will happen if there are 2 VMs instead of 1 inside the private network 192.168.42.0/24?
4. Configuring the VPN client
In order to access your newly created virtual machine you need to be inside the University of Tartu network. In the classroom or on the University of Tartu eduroam network it might be possible to access your machine without the VPN, but we do recommend setting it up for remote access.
A virtual private network (VPN) extends a private network across a public network, and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. Applications running across the VPN may therefore benefit from the functionality, security, and management of the private network. VPNs may allow employees to securely access a corporate intranet while located outside the office. They are used to securely connect geographically separated offices of an organization, creating one cohesive network. ... https://en.wikipedia.org/wiki/Virtual_private_network
- Please refer to the University of Tartu official manual on how to set up the VPN on your personal machine:
Once the VPN connection is established, check that the host with the following IP replies, using this command:
$ ping 172.17.64.203
5. Accessing the machine over SSH
Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. The best known example application is for remote login to computer systems by users.
SSH provides a secure channel over an unsecured network in a client-server architecture, connecting an SSH client application with an SSH server. Common applications include remote command-line login and remote command execution, but any network service can be secured with SSH. https://en.wikipedia.org/wiki/Secure_Shell
Connecting to cloud resources (VMs) over SSH is the preferred way. Therefore SSH is installed in your system by default, as the cloud infrastructure takes care of bootstrapping your Debian OS. If you had to do the bootstrap manually, you could do it with the following command:
# apt install openssh-server
Accessing the remote shell of the VM over SSH
Command line utilities
ssh
On macOS and Linux hosts the ssh client is installed by default and accessible from the command line. To access the remote shell of the host example.com as the user test, the following command is used:
$ ssh test@example.com
Try accessing the remote shell of your VM using the Floating (External) IP address of your machine. You need a username (default: debian) but you do not know the password. If you are lucky everything already works; if not, keep reading.
Desktop applications
Putty
Download Putty
Putty is a portable executable, so just open Putty.exe and the following window will open up:
Testing the public key authentication
First of all make sure you know the IP of your newly created VM. Pay attention to the following image:
Instead of a username and password, let us use the key we generated earlier. Now you should be able to log in to your VM over SSH using the private key:
- In Linux and macOS:
ssh <user>@172.17.64.X
- where <user> is the regular user name on your VM (the default one is debian) and X is the last octet of the IP of your VM.
- The SSH server should not ask for a password anymore if you did not set a passphrase on your private key id_rsa. If needed, use the -i parameter to specify the key file. Running ssh with -v shows which keys the client offers and whether the server accepts one of them, which is the quickest way to see why a key is not being used.
- In Windows:
- Use the Putty application and set up a new saved session:
- On the Putty startup screen write your External IP address (172.17.64.X) into the Host Name field (unless you give the session a name below, this host name identifies the saved session, so you can reuse it later).
- Click on Connection (in the left vertical panel), then choose Data, and write the login name of your normal user (the default one is debian) into the auto-login username field.
- Under Connection -> SSH -> Auth, browse for the private key you generated with Puttygen.
- Go back to the Session submenu, enter SA-172.17.64.X in the Saved Sessions box and click Save.
- Now the saved session can be used:
- On the Putty startup screen, select your saved session in the Saved Sessions box, then click Load.
- Click Open on the main window.
- The SSH server should not ask for a password anymore if you did not set a passphrase on your private key.
6. Adding the tester account
Now we will add a tester user which will be used by our lab instructors and the automatic tester virtual machine to log in and check your machine.
- Add a new user called tester (give it any password you like)
Now let's give our lab instructors and the automated tester system access to your VM over SSH using the tester account. The public key for the tester user is available for download here: http://www.ut.ee/~alop/sa18_tester_rsa.pub.
- Now in your VM log in to the tester account you have just created, or just switch to it using the su - tester command.
- Now download the tester's public key in your VM, using the wget command for that:
tester@host:~$ wget <url of sa18_tester_rsa.pub>
If the file was downloaded properly you can check the content of the file:
tester@host:~$ cat sa18_tester_rsa.pub
Now let's add the downloaded public key to the list of authorized keys for the tester account:
- If the directory .ssh does not exist in tester's home, create it. Make sure the directory is owned by the tester user and that only tester can read, write and enter it (mode 700):
# chown tester:tester .ssh
# chmod 700 .ssh
- If the file .ssh/authorized_keys does not exist, create it (remember which command we used to create empty files?). Make the file owned by the tester user and readable only by tester (mode 600).
- Copy the contents of sa18_tester_rsa.pub into .ssh/authorized_keys
If everything was done properly, a remote tester can now log in using its private key. You cannot test this yourself, because you do not have the tester's private key. The ownership and permissions matter: with its default StrictModes setting, sshd silently ignores an authorized_keys file, or its .ssh directory, that is writable by anyone other than the owner, and the tester would then be refused without any hint on your side.
The last thing to do is to give the tester the right to execute commands with root rights.
We need the tester user to be able to run programs that need root access, but we are not going to hand root credentials to the tester backend (the root password is unknown and the root user cannot log in over SSH). To give a regular user the ability to execute particular commands with super-user rights there is a tool called sudo. sudo allows running programs with the security privileges of another user, by default the root user.
For more information on sudo read the short overview on the Debian wiki.
Check that the package sudo is installed.
- Remember which command we were using for installing packages?
Rely on the sudo documentation and make changes so that the tester user can:
- Execute the sudo command without being asked for a password
Ideally the following should just list the files without any additional prompts:
tester@host:~$ sudo ls -l /root
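Putting the steps of this section together, here is an added example (not from the lab manual) as a POSIX shell script that creates the tester account, installs a public key into its authorized_keys with the ownership and modes sshd requires, and grants it passwordless sudo through a drop-in file in /etc/sudoers.d that is validated with visudo before it takes effect. The key file is whatever you downloaded with wget; the function names and the /etc/sudoers.d/tester file name are the example's own choices.

```shell
#!/bin/sh
# Added example, not from the lab manual: set up the "tester" account as section 6
# describes. Run on the VM as root:  sh tester-setup.sh /path/to/sa18_tester_rsa.pub
# The argument is the public key file downloaded with wget in the text above.

# install_authorized_key HOME_DIR PUBKEY_FILE USER GROUP
# Create HOME_DIR/.ssh (0700) and HOME_DIR/.ssh/authorized_keys (0600), append the
# key once (re-running is safe), and hand everything to USER:GROUP. sshd's default
# StrictModes=yes ignores authorized_keys if the file or its directory is writable
# by anyone other than the owner, which is why the modes matter.
install_authorized_key() {
    home=$1; pub=$2; user=$3; group=$4
    key=$(cat "$pub") || return 1
    mkdir -p "$home/.ssh" || return 1
    chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    if ! grep -qxF "$key" "$home/.ssh/authorized_keys"; then
        printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
    fi
    chown -R "$user:$group" "$home/.ssh"
}

# count_keys FILE: number of key lines in an authorized_keys file (for checking).
count_keys() {
    grep -c '^ssh-' "$1" || true
}

# sudoers_rule USER: the rule that lets USER run any command as root with no
# password prompt, i.e. what makes "sudo ls -l /root" work non-interactively.
sudoers_rule() {
    printf '%s ALL=(ALL) NOPASSWD: ALL\n' "$1"
}

# install_sudoers_rule USER FILE: write the rule to FILE (normally
# /etc/sudoers.d/USER, which Debian's /etc/sudoers includes), mode 0440 as sudo
# requires, and check it with visudo -c so a typo cannot break sudo for everyone.
install_sudoers_rule() {
    user=$1; file=$2
    sudoers_rule "$user" > "$file" || return 1
    chmod 440 "$file"
    visudo -cf "$file"
}

# Main procedure: only runs when a key file is given on the command line.
if [ -n "${1:-}" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    # adduser prompts for the tester's password, as the lab asks; skipped if present.
    id tester >/dev/null 2>&1 || adduser --gecos "" tester || exit 1
    install_authorized_key /home/tester "$1" tester tester || exit 1
    install_sudoers_rule tester /etc/sudoers.d/tester || exit 1
    # Expected to list /root without any prompt (-n makes sudo fail instead of asking).
    su - tester -c 'sudo -n ls -l /root'
fi
```

The drop-in file keeps the rule separate from /etc/sudoers itself, so a mistake can be removed by deleting one file, and visudo -cf rejects a malformed rule before sudo ever reads it.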
7. Updating apt:
Apt (short for Advanced Package Tool) is the set of core package-management tools in Debian. Since every program in a Linux distribution is generally handled as a package, apt makes it possible to manage programs: install them, remove them, update them and so on.
The sources.list file contains all the sites that apt will check to get updates, programs etc.
Edit the sources.list file so that it contains the following lines (replacing the existing mirror entries rather than adding duplicates), so our virtual machine uses the local Estonian mirror instead of the global one:
# nano /etc/apt/sources.list
deb http://ftp.ee.debian.org/debian stretch main
deb-src http://ftp.ee.debian.org/debian stretch main
deb http://ftp.ee.debian.org/debian stretch-updates main
deb-src http://ftp.ee.debian.org/debian stretch-updates main
deb http://security.debian.org/ stretch/updates main
deb-src http://security.debian.org/ stretch/updates main
Get the updates and install them:
# apt update
# apt upgrade
8. Submitting your Floating IP (External IP)
Please paste into the submission box here (you need to be logged in to courses.cs.ut.ee to enable it) your:
- University of Tartu user_id, also known as username (i.e. the first part of your project Description in ETAIS)
- virtual machine Floating IP, also known as External IP (172.17.64.X), so we can configure it in the TLD DNS for the next lab, where you will need it.