DEV Community: Chirag NK

A quick guide to SSH & Solutions to some Common SSH errors

Chirag NK — Sun, 19 Mar 2023 15:52:56 +0000

Imagine you are debugging a Prod issue, you try to ssh into the Linux server where the services are running, and the connection fails, throwing an error "Permission denied!" despite providing the right key/credentials to access it.!
and we will be like "Idella ivagle agbekitta!?/ abhi hi hona tha kya".
we the Op's guys have faced it several times, so here in this article, I've covered the concepts such as, How SSH works, followed by what are some of the common connectivity errors, How to debug it, & what are the best practices to work with remote servers.

What is SSH? and How does it work?

SSH (short for Secure Shell) is a network protocol that provides a secure way for two computers to connect remotely. SSH employs encryption to ensure that hackers cannot interpret the traffic between two connected devices. Main use cases for SSH are: Remote access & File Transfer(SFTP)
If you’re using Linux or Mac, SSH comes preinstlled(OpenSSH), & for windows it requires an SSH client like PuTTY.

What are SSH keys?

SSH keys always come in pairs, and every pair is made up of a private key and a public key. Who or what possesses these keys determines the type of SSH key pair. If the private key and the public key remain with the user, this set of SSH keys is referred to as user keys.
If the private and public keys are on a remote system, then this key pair is referred to as host keys. Another type of SSH key is a session key. When a large amount of data is being transmitted, session keys are used to encrypt this information.
Functionally SSH keys resemble passwords.
An SSH key is an access credential in the SSH protocol. Its function is similar to that of user names and passwords, but the keys are primarily used for automated processes and for implementing single sign-on by system administrators and power users.
The authorized_keys file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured(public key of host). This file is usually found in the user's home directory under /. ssh/authorized_keys

What do SSH keys look like

An authorized key can look like this:
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBN+Mh3U/3We4VYtV1QmWUFIzFLTUeegl1Ao5/QGtCRGAZn8bxX9KlCrrWISIjSYAwCajIEGSPEZwPNMBoK8XD8Q= CN@CI-serv

An identity key can look like this:
-----BEGIN EC PRIVATE KEY----- MHcCAQEEIJWbvSW7h50HPwG+bWR3DXgQ6YhOxYbe0ifr1rRUvsUuoAoGCCqGSM49 AwEHoUQDQgAE34yHdT/dZ7hVi1XVCZZQUjMUtNR56CXUCjn9Aa0JEYBmfxvFf0qU KutYhIiNJgDAJqMgQZI8RnA80wGgrxcPxA== -----END EC PRIVATE KEY-----

Knownhost key in detail

The memorized host keys are called known host keys and they are stored in a file called known_hosts in OpenSSH. As long as host keys don't change, this appoach is very easy to use and provides fairly good security.

Session key in detail

A session key in SSH is an encryption key used for encrypting the bulk of the data in a connection. The session key is negotiated during the connection and then used with a symmetric encryption algorithm and a message authentication code algorithm to protect the data

The SSH command consists of 3 distinct parts:

ssh {user}@{host}

The SSH protocol is based on the client-server model. Therefore, an SSH client must initiate an SSH session with an SSH server. The host (server) listens on port 22 (or any other SSH assigned port) for incoming connections. Most of the connection setup is conducted by the SSH client itself. Public key is used to verify the identity of the SSH server, and then symmetric key encryption and hashing algorithms are used to maintain data transmission in ciphertext. That way, privacy and integrity of data transmission in both directions between the client and server is assured, man-in-the-middle attacks will be mitigated.

The steps involved in creating an SSH session go like this:

1.Connection establishment: The SSH server listens to a connection request sent by the client on a specific port. After the client sends a connection request to the server, a TCP connection is set up between the client and server.
2.Version negotiation: The SSH server and client negotiate with each other to determine an SSH version to be used.
3.Key exchange: The server and client use a key exchange algorithm to dynamically generate a shared session key and session ID used to establish an encrypted channel. The session key is used to encrypt subsequent data for transmission, and the session ID is used to identify the related SSH connection during authentication.
4.User authentication: The client sends an authentication request to the server, and then the server authenticates the client. SSH supports the following authentication modes:
•Password authentication: The client sends the encrypted username and password to the server. The server decrypts the username and password, compares them with the locally stored username and password, respectively, and returns an authentication success or failure message to the client.
•Public key authentication: The client uses the username, public key, and public key algorithm to exchange data with the server for authentication.
•Password+public key authentication: The client can log in to the system only after being authenticated by the server using both password authentication and public key authentication.
5.Session request: After the authentication succeeds, the SSH client sends a session request to the server, requesting the server to provide a certain type of service. That is, the SSH client requests to establish a session with the server.
6.Session interaction: After a session is established, the SSH server and client can exchange data.

I suggest you to try the verbose mode -v which will show the step-by-step process for connecting to a remote computer,(use -vvv for more details from both ends),This further helps in debugging the connectivoty issues.

Some common ssh errors and solutions:

"Permission denied (publickey)"
This error comes when you messed up with the authorized_keys of the User in the Host, May the entry is not exist, or the permission & ownership to the .ssh directory isnt correct
sol: login as root > switch to user account > check for the above said file.
Second possibility is when you are using password-based authentication, you must set PasswordAuthentication to yes
Log as as a root to the Host
vi /etc/ssh/sshd_config
make changes as said above and restart the sshd service
service sshd reload

"Host key verification failed"
this error means that the host key of the remote host was changed.
SSH stores the host keys of the remote hosts in ~/.ssh/known_hosts. You can either edit that text file manually and remove the old key (you can see the line number in the error message), or use
ssh-keygen -R hostname

"No route to host"
possibilities would be,
•host is unreachable, check using ping command
•If you have a firewall service running on your host machine,check if is blocking the ssh port

"connection refused"
possibilities would be,
•Your SSH Service Is Down
•You Have the Wrong Credentials
•The Port You’re Trying to Use Is Closed
use this command to check sudo lsof -i -n -P | grep LISTEN
•Firewall Settings Are Preventing an SSH Connection

"Too many authentication failures"
if you are trying to login to root user, Check sshd_config and verify that root login is permitted. sshd will need to be restarted if the setting changes.
another possibility is that Your SSH server's MaxAuthTries limit was exceeded. It happens so that Your client is trying to authenticate with all possible keys stored in /home/USER/.ssh/ .
This situation can be solved by these ways:
•ssh -i /path/to/id_rsa root@host
•Specify Host/IdentityFile pair in /home/USER/.ssh/config

Troubleshooting:

use "-vvv" option
Make sure your IdentiyFile points to your right PRIVATE key.
Suppose you are able to login to the Host by any other means then switch to the required User (using sudo su - username) and check if it contains the .ssh directory,authorized_keys, and right public key in it.
Sometimes the issue comes from permissions and ownership. Verify the ownership of .ssh directory under the home folder, if you have messed up with it, change the ownership back, chown -R your_user:your_user .ssh Permissions should be 700 for .ssh and 600 for the files within (authorized_keys) chmod 700 .ssh chmod 600 .ssh/authorized_keys (ssh-keygen will create files and directories for you with the proper permissions)
tail -f /var/log/auth.log (on the server) and monitor errors when you attempt to login (if you were able to login via any other methods, such as aws ssm)
If you have many key files, try IdentitiesOnly yes to limit the authentication to use the single, specified key.
check value of PasswordAuthentication in /etc/ssh/sshd_config if you require password-based authentication(not recommended) then it to yes. Don't forget to restart ssh service after that. service sshd reload

This ends up the oobjective of this article, :) If you wants to read further, Here are details of some more ssh commands and their functionalities.

In addition to the ssh executable, SSH has other executable commands used for additional functions, including the following:
-sshd initiates the SSH server, which waits for incoming SSH connection requests and enables authorized systems to connect to the local host.
-ssh-keygen is a program to create a new authentication key pair for SSH, which can be used to automate logins, to implement SSO and to authenticate hosts.
-ssh-copy-id is a program used to copy, install and configure an SSH key on a server to automate passwordless logins and SSO.
-ssh-add is used to add a key to the SSH authentication agent and is used with ssh-agent to implement SSO using SSH.
-scp is a program used for copying files from one computer to another and is an SSH-secured version of rcp.
-sftp is a program used to copy files from one computer to another and is an SSH-secured version of ftp, the original File Transfer Protocol.

Thanks! for reading, leave a comment and let me know what you have felt about the article, and feedbacks on the same. :)

Clear up the confusions with Dockerfile instructions

Chirag NK — Sun, 19 Mar 2023 07:04:18 +0000

Yes, We all get confusions while writing the Dockerfile for the first time on our own(without copying from internet ¯(°_o)/¯ ). People usually get confused with CMD vs RUN, ENTRYPOINT VS CMD etc, So in this article we will try to resolve all the confusions.

Let's start with some basics,
A Dockerfile contains a set of instructions that are executed step by step when you use the docker build command to build the docker image. It contains certain instructions and commands that decide the structure of your image, contains information related to the packages and libraries to be installed in the container and many more.

Here is a list of all the important instructions that are extensively used in a Dockerfile and their functions.

Example:

#To deploy a simple node.js app
FROM node:10
LABEL authors="Username"
# update dependencies and install curl
RUN apt-get update && apt-get install -y \
    curl \
    && rm -rf /var/lib/apt/lists/*
# Create app directory
WORKDIR /usr/app
# Install app dependencies
# A wildcard is used to ensure both package.json AND package-lock.json are copied
COPY package*.json ./
# update each dependency in package.json to the latest version
RUN npm install -g npm-check-updates \
    ncu -u \
    npm install \
    npm install express 
# If you are building your code for production
RUN npm ci --only=production
# Bundle app source
COPY . .
EXPOSE 3000
CMD [ "node", "server.js" ]

Now let's learn more about each instruction,

FROM
The FROM instruction initializes a new build stage and sets the Base Image for subsequent instructions. The FROM command is of the form −
FROM <image name>:<tag name>
A FROM command allows you to create a base image which is actually an operating system, comes with necessary tools preinstalled. All the instructions executed after this command take place on this base image. It contains an image name and an optional tag name.
Example:
FROM ubuntu FROM centos:7 FROM python:3

RUN
A RUN instruction is used to run specified commands. Suppose,
we may need to install a bunch of packages & libraries which we will be required by our application to start, these can be installed using RUN.
A Dockerfile can have many RUN steps that layer on top of one another to build the image. But the efficient approach is to combine all the RUN instructions into a single one.
Some example of RUN commands are −
RUN apt−get −y install vim RUN apt−get −y update
we can chain multiple RUN instructions in the following way −
RUN apt−get −y update \ && apt−get −y install firefox \ && apt−get −y install vim

CMD
If you want to run a docker container by specifying a default command that gets executed for all the containers of that image by default, you can use a CMD command. In case you specify a command during the docker run command, it overrides the default one. Specifying more than one CMD instructions, will allow only the last one to get executed.

Example of a CMD command −
CMD echo "Container is ready"
If you specify the above line in the Dockerfile and run the container using the following command without specifying any arguments, the output will be “Container is ready”

sudo docker run −it <image_name>
Output − “Container is ready”
Note: In case you try to specify any other arguments such as /bin/bash, etc, the default CMD command will be overridden.

Do RUN and CMD can be used interchangeably?
Answer is NO!,
RUN - command triggers while we build the docker image.
Can be many, e.g. install multiple libraries
CMD - command triggers while we launch the created docker
Can only have 1, which is your execute start point (e.g.
["npm", "start"], ["node", "app.js"])

ENTRYPOINT
The difference between ENTRYPOINT and CMD is that, if you try to specify default arguments in the docker run command, it will not ignore the ENTRYPOINT arguments. The exec form of an ENTRYPOINT command is −
ENTRYPOINT [“<executable-command>”, “<parameter 1>”, “<parameter 2>”, ….]

If you have used the exec form of the ENTRYPOINT instruction, you can also set additional parameters with the help of CMD command. For example −
ENTRYPOINT ["/bin/echo", "Welcome"] CMD ["Hello World!"]

Running docker run command without any argument would output −
Welcome Hello World!

If you specify any other CLI arguments, “Hello World!” will get overridden.

WORKDIR
You can specify your working directory inside the container using the WORKDIR instruction. Any other instruction after that, in the Dockerfile, will be executed on that particular working directory only.

For example,
WORKDIR /usr/src/app
Sets the working directory to /usr/src/app inside the container.

COPY
This instruction allows you to copy a directory from your local machine to the docker container.
For example,
FROM ubuntu WORKDIR /usr/src/app COPY ∽/Desktop/myapp .

This would copy all the files inside the directory ∽/Desktop/myapp in your local machine to your current working directory inside the docker container.

ADD
Similar to COPY instruction, you can use ADD to copy files and folders from your local machine to docker containers. However, ADD also allows you to copy files from a URL as well as a tar file.
For example,
ADD ∽/Desktop/myapp/practice.tar.gz /usr/src/app
Would copy all the contents inside the tar file to /usr/src/app inside the container.

ADD <URL such as a github url> <Destination path inside the container>
This command would copy all the files inside the GitHub URL to the destination.

EXPOSE
The EXPOSE instruction inside the Dockerfile informs that the container is listening to the specified port in the network. The default protocol is TCP.

Example
EXPOSE 8080
Will map the 8080 port to the container.
You can use the −p flag with the docker run command to make the container listen to another container or the host machine.

LABEL
You can use a LABEL instruction to add description or metadata for a docker image. It's a key−value pair.

Example −
LABEL description="This is a sample image"

Right time to get AWS cloud certified, with 50% savings ($150) on Professional Certifications

Chirag NK — Tue, 14 Feb 2023 15:43:18 +0000

For those, who were waiting to get AWS certification, But worrying about its price, Here's a chance to save $150 using the discount voucher,

What actually it is:
AWS gives some discounts for all the aspirants who are planning to advance their career by obtaining a cloud certification,
AWS is conducting a Professional Challenge (so called), for their promotion as well as to grab the users towards the services AWS provides.

So, Here is how to get the discount vouchers,

• click on this link that takes you to the Registration page of AWS Professional Challenge Link
• This Voucher is valid on the below 2 professional certifications,
1.AWS CERTIFIED SOLUTIONS ARCHITECT - PROFESSIONAL
2.AWS CERTIFIED DEVOPS ENGINEER - PROFESSIONAL

Although, These professional certificates doesn't require you to be having an Associate level certificate (Not Mandatory), but it is good to start with the associate level/Foundational level certificate before attending the professional cert exams

• AWS Certified DevOps Engineer - Professional Exam Guide :
• AWS Certified Solutions Architect - Professional Exam Guide :

As you might aware , these professional certifications are not easy to pass, AWS recommends you to should be having experience in the following (But Not Mandatory)

But Wait !, No need to worry if you do not have relevant experience,
As AWS provides many resources that help to get hands on experience to AWS services,

Here are some great resources, that can help you with hands on experience as well as to prepare you to the exam,

🔸 skillbuilder.aws over 500+ digital free training courses
🔸 developer.aws explore hands-on tutorials and events
🔸 repost.aws ask technical questions and get help from experts
🔸 workshops.aws over 100+ detailed free workshops and immersion days

Happy Learning! :)