Skip to content

Changes

Page history
Update Configure VPS connection via SSH authored by Ashley Cryan's avatar Ashley Cryan
Show whitespace changes
Inline Side-by-side
Configure-VPS-connection-via-SSH.md 0 → 100644
View page @ 654fa303
##### This document is originally from [here](https://gitlab.tudelft.nl/cornelisdenheijer/datastewardship-ceg/-/wikis/Configuring-VM-connection)
This guide explains how to configure a direct connection to a VPS (Virtual Private Server) from your local machine through a Bastion host using SSH. This simplifies the process of accessing the VPS considerably and allows for secure transfer of files to and from the virtual and local environments.
The directions below are written for Linux and Mac users. Windows users can configure a VPS connection via SSH using a third-party SSH client like [PuTTY](https://www.putty.org/). We are in the process of drafting documentation for this, its current state is at the bottom of this page.
## Step 1: Configure direct connection from local machine to external server (through Bastion host) via SSH
### Configure SSH from local machine to Bastion host
**1. In the terminal, on your local machine, set your cd to .ssh.**
```
username@localmachine ~ % cd .ssh
```
2. **Add `~/.ssh/config` on your local machine/laptop.** You can do this using vi, which is an in-terminal text edit. Customise fields below by using “i” to enter insert mode. The alias can be any term and is used to ssh into the server directly. Make sure to remove <> from all fields. When you are finished, hit “escape” and then type `:wq` to save and quit vi, so you are back to the .ssh cd.
```
username@localmachine .ssh % vi config
Host tu-bastion-ex
HostName linux-bastion-ex.tudelft.nl
User <USERNAME>
Host <server alias>
# comment about server
HostName <server name>
User <USERNAME>
ProxyCommand ssh tu-bastion-ex nc %h %p 2> /dev/null
:wq
```
**3. Make sure your Host (in this case, tu-bastion-ex) is listed in your local machine’s known_hosts.**
```
username@localmachine ~ % cd .ssh
username@localmachine .ssh % ls
known_hosts
username@localmachine .ssh % cat known_hosts
linux-bastion-ex.tudelft.nl,131.180.123.197 ssh-rsa <your ssh key. This will be a lot of numbers followed by your email address.>
```
## Step 2: Configure SSH from local machine to external server
**1. Generate SSH key pair to store on local machine.** This will be used to connect to external server. Choose to leave passphrase settings empty, unless security concerns require.
```
username@localmachine .ssh % ssh-keygen -t rsa -C “youremailaddress@tudelft.nl”
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/username/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/username/.ssh/id_rsa.
Your public key has been saved in /Users/username/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:d90YAdXNXA5x8eolImyTF6B1ajUarxuv94a+4zbc0 youremailaddress@tudelft.nl
```
**5. Check to see that the SSH keys are stored on your local machine.**
```
username@localmachine .ssh % ls
config id_rsa id_rsa.pub known_hosts
```
**6. Copy SSH id from Bastion host.**
```
username@localmachine .ssh % ssh-copy-id tu-bastion-ex
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: “/Users/username/.ssh/id_rsa.pub”
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed —— if you are prompted now it is to install the new keys
username@linux-bastion-ex.tudelft.nl’s password:
Number of key(s) added: 1
```
**7. SSH into the Bastion host and cd into .ssh.** Make sure id_rsa files are there. id_rsa.username is your private key, id_rsa.username.pub is your public key. Copy your authorized key and exit Bastion host.
```
username@localmachine .ssh % ssh tu-bastion-ex
[username@bastionhost ~]$ cd .ssh
[username@bastionhost .ssh]$ ls
authorized_keys config id_rsa.username id_rsa.username.pub known_hosts
[username@bastionhost .ssh]$ cat authorized_keys
ssh-rsa <your ssh key ending in youremailaddress@tudelft.nl>
[username@bastionhost .ssh]$ exit
Connection to linux-bastion-ex.tudelft.nl closed.
```
**8. Examine contents of id_rsa pub from your local machine.** Then, ssh into external server using alias you set earlier. Copy local public copy of SSH key - it is everything from ssh-rsa to your email address\.
```
username@localmachine .ssh % cat id_rsa.pub
ssh-rsa <your ssh key ending in youremailaddress@tudelft.nl>
username@localmachine .ssh % ssh externalserveralias
username@externalserver’s password:
```
**9. SSH into the Bastion host,** and then into your external server using the FQDN.
```
username@localmachine .ssh % ssh tu-bastion-ex
[username@bastionhost ~]$ ssh externalserver.nl
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-42-generic x86_64)
```
**10. Cd into .ssh on your external server.** Use `ls` to see `authorized_keys`. Use `vi` to open authorized keys in in-terminal text editor. Paste local public key at the end of the authorized_keys file by hitting “o” and ctrl+V.
```
username@externalserver: ~ $ cd .ssh
username@externalserver:~/.ssh $ ls
authorized_keys
username@externalserver: ~/.ssh $ vi authorized_keys
```
**11. Exit external server and the Bastion host.**
```
username@externalserver: ~/.ssh $ exit
logout
Connection to externalserver.nl closed.
[username@bastionhost ~]$ exit
logout
Connection to linux-bastion-ex.tudelft.nl closed.
```
**12. SSH into your external directly from your local machine using alias you set earlier.**
```
username@localmachine .ssh % ssh thredds
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-42-generic x86_64)
```
## Step 3: Request SSL certificate for your server
### Generate .csr file
You can do this either by logging in to external server or on your local machine. To save it on your external server:
**1. Log on to your server using SSH** (see above: if you have followed the process to connect directly, you can use `ssh externalserveralias`
**2. Enter following command at the prompt.** Note: replace mydomain with your actual domain name:
```
openssl eq -new -newkey rsa:2048 -nodes -keyout mydomain.key -out mydomain.csr
```
**3. You will be prompted to answer a series of questions:**
- Country name: 2 letter abbreviation for your country. Netherlands is NL.
- State or Province Name: this is where your org operates from. Zuid-Holland.
- Locality Name - name of the city your org operates from. Don’t use abbreviations in this field.
- Organisation Name - use your (organisation’s) full name.
- Organisational Unit Name - Use a department name ex. “IT Department” or “Library”
- Common Name - the FQDN that you are requesting an SSL certificate for.
- Email address
- Optional password (can skip step)
- Optional company name
**4. Your CSR file has now been generated.** To find your CSR, take a look at the contents of your current working directory with the ls command. You should notice two new files ending with “.key” and “.csr” respectively. For example:
```
ls -l
total 8
-rw-r--r--. 1 root root 1082 Jan 31 12:10 mydomain.csr
-rw-------. 1 root root 1704 Jan 31 12:10 mydomain.key
```
The .key file should be kept private on your server. The .csr file is your certificate signing request, and can be sent to a Certificate Authority. For TU Delft, this is TopDesk via: [TOPdesk](https://tudelft.topdesk.net/tas/public/ssp/content/serviceflow?unid=62aeef08314247f3aba7ff2297d011da) - more on this further below.
_These instructions come from: [Generating a Certificate Signing Request (CSR) in Ubuntu 16.04 | Liquid Web](https://www.liquidweb.com/kb/generating-certificate-signing-request-csr-ubuntu-16-04/)_
### Secure-copy .csr file from server to local machine
This example will cd into home directory to save the file there, but you can also cd into any other project folder on your machine.
** 1. Navigate to cd of choice.** In this case, we'll use home.
```
username@localmachine .ssh % cd ~
```
**2. Use `scp` to secure copy .csr file from your external server**. You can do this using the alias you set earlier, and the .csr file name which should be your external server FQDN.csr. Don’t forget to add the `.` at the end of the command.
```
username@localmachine ~ % scp externalserveralias:~/external-server-FQDN.nl.csr .
```
**3. Check to see that it saved on your local machine by using `ls`:**
```
username@localmachine ~ % ls
Applications Movies
Desktop Music
Documents Pictures
Downloads Public
Dropbox external-server-FQDN.nl.csr
Library surfdrive
```
### Submit Certificate Server Request via TopDesk form
**1. Navigate to TopDesk form for TU Delft.** [TOPdesk SSL certificate server request](https://tudelft.topdesk.net/tas/public/ssp/content/serviceflow?unid=62aeef08314247f3aba7ff2297d011da).
**2. Choose “Attach file” and navigate to directory where .csr file is stored** (in this example, it is in “Home”). Select “external-server-FQDN.nl.csr”.
**3. Submit request.** You can delete this file from your home directory after you submit the form.
## Windows using PuTTY
1. Download PuTTY https://www.putty.org/
2. Add your user@bastionhost name in session
3. Accept the fingerprint
4. Put in your netID password in cmd
5. Now you are in the bastion server
6. use 'ssh yourservername.tudelft.nl
7. accept fingerprint (yes)
8. System restart is required and updates may be installed
9. Run 'sudo apt update' to view updates
10. Run 'sudo apt upgrade' to upgrade packages (install)
11. After the packages are updated, reboot the server by 'sudo reboot'
12. You should always run updates whenever you see them
13. Reboot the server by running 'ssh yourservername.tudelft.nl'
14. Mount drive
_ verify steps in between_
Use PuTTY to save session called youros_bastion