To establish an ssh connection between local and remote machines there are two main ways to pass authentication:
Classic – login/password pair
A little more complicated, but safe and reliable – using a pair of RSA keys to introduce yourself
Set up the remote side
Password login
Some Linux images, e.g. from OCI, have login/password access disabled by default, so the OS demands the key file to let the user log in. To enable this kind of authentication, the corresponding parameter in the config file has to be added or modified:
sudo nano /etc/ssh/sshd_config
Find the PasswordAuthentication parameter and change its value to yes. If you are too lazy to enter the password and want to make a security breach in your system, refer also to the PermitEmptyPasswords parameter and google “linux user with empty password”. Restart the sshd service to apply the settings.
sudo systemctl restart sshd
OK, from now on any user with a defined password may log in with their own account credentials.
Permissions: home dir – rwxr-*r-* (chmod go-w <home dir>); .ssh dir – 700; key file – 600; on the server side – authorized_keys – 600;
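To confirm what sshd will actually use after the edit above, here is an added shell example (not part of the original notes): it prints the global value of a keyword the way sshd resolves it, i.e. the first occurrence wins and lines under a Match block do not count, and it flags a config that permits empty passwords. The config path and the sample config in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not from the original notes. sshd uses the FIRST value it
# reads for a keyword (later duplicates are ignored) and lines after a Match
# block apply only conditionally, so an edit can silently have no effect.
# Prints the global value sshd will use, or "(default)" if the key is unset.
sshd_global_value() {
    cfg="$1"   # path to an sshd_config-style file (assumed readable)
    key="$2"   # keyword, e.g. PasswordAuthentication (case-insensitive)
    awk -v key="$(printf '%s' "$key" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, ""); sub(/=/, " ") }        # drop comments, allow key=value form
        NF == 0 { next }                          # skip blank lines
        tolower($1) == "match" { in_match = 1 }   # everything below is conditional
        in_match { next }
        tolower($1) == key && !found { print $2; found = 1 }
        END { if (!found) print "(default)" }
    ' "$cfg"
}

# Report the two settings discussed above; non-zero status if empty
# passwords are permitted, so the check can be used in a script.
check_password_settings() {
    pa=$(sshd_global_value "$1" PasswordAuthentication)
    pe=$(sshd_global_value "$1" PermitEmptyPasswords)
    echo "PasswordAuthentication=$pa PermitEmptyPasswords=$pe"
    [ "$pe" != "yes" ]
}

# usage: sh this_script.sh /etc/ssh/sshd_config
if [ "$#" -gt 0 ]; then check_password_settings "$1"; fi
```

On the host itself, sshd -T (run as root) prints the fully resolved effective configuration, which is the authoritative check.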
Registering keys in the system
Remote access procedure
Initial data for remote login
To connect to a remote Linux system, some credentials need to be known in all cases:
The IP address of the PC or server you are going to connect to
A username existing on the remote system to log in with
Some secret: the password, or the private key if an RSA key pair is registered on the remote host
Connect via Windows or Linux command shell
One general utility called ssh is used both in Windows 10/11 cmd/PowerShell and in the Linux command shell. The command format depends on the access method:
ssh <IP address/domain name> – the simple form, which leads to sequential prompts for the username and password.
ssh <username>@<IP address/domain name> – log in with a defined user name; only the password will be requested.
ssh <username>@<IP address/domain name> -i <private key filename> – log in using RSA key authentication. If all the credentials are right, the login proceeds instantly without any input. If something is wrong with the keys but password authentication is allowed, the user's password is prompted for.
During the first login you need to confirm that you trust the remote host; just type “yes” if you're sure that you are connecting to the proper host.
I didn't mean to mention MS products here, but the office PC with Windows 11 onboard got me to write down a case.
The Problem: the PC's cooling fan runs at full speed with only office apps running; the CPU load is ~18%, most of it caused by a “Windows Mini Apps” group with several instances of MS Edge WebView2 inside.
I don't use any widgets or dynamic menu tiles, so I prefer to make the system as lightweight as I can. Moreover, a lot of bugs have been found in that package, as googling shows.
The Solution: remove the package completely from cmd launched as Administrator:
Here is a very simple procedure to create a Block Volume and attach it to a Compute instance within Oracle Cloud Infrastructure.
However, connecting many instances to a conventional Block Volume in shared mode may cause data corruption due to concurrent access to the same data blocks. To prevent such “accidents”, the OCFS2 file system can be deployed, which works correctly with access from multiple instances.
Actually, this is the first “long-read” instruction I have come across in my short IT life that led to the desired result just by following it step by step carefully, with no “if”, “when”, and exhausting chains of googling.
So, thanks to Mr. Melo, the author; the instruction is here:
cat – concatenate files to standard output
chgrp – change file group ownership
chmod – change file access permissions
chown – change file owner and group
cp – copy files and directories
date – print or set the system date and time
dd – convert and copy a file
df – report filesystem disk space usage
dmesg – print or control the kernel message buffer
echo – display a line of text
false – do nothing, unsuccessfully
hostname – show or set the system's host name
kill – send signals to processes
ln – make links between files
login – utility to begin a session on the system
ls – list directory contents
mkdir – make directories
mknod – make block or character special files
more – page through text
mount – mount a filesystem
mv – move/rename files
ps – report process status
pwd – print name of current working directory
rm – remove files or directories
rmdir – remove empty directories
sed – the sed stream editor
sh – POSIX compatible command shell
stty – change and print terminal line settings
su – change user ID
sync – flush filesystem buffers
true – do nothing, successfully
umount – unmount file systems
uname – print system information
Command binaries that are not essential enough to place into /bin must be placed in /usr/bin, instead. Items that are required only by nonroot users (the X Window System, chsh, etc.) are generally not essential enough to be placed into the root partition.
pwd – print current directory
cd ~ or cd – home directory
cd .. – one directory tree level up
cd - – go back to the previous working directory
popd, pushd – ???
tree (-d) – print the directory tree of subdirectories (and files)
ls (-l) [-a] {-i} – list the files in the present working directory (including hidden) [with file/directory info] {with file IDs (inode numbers; different links to one file share the same ID)}
Aliases
nano ~/.bash_aliases
Line syntax: alias <command>='bash command'. Spaces around = are not allowed. E.g.: alias update='sudo dnf upgrade'
source ~/.bash_aliases – apply the alias list
Hard and soft (symbolic, sym-) links
ln <file> <file_sc> – create a hard link (shortcut) – an alternative reference to the same file, same ID
ln -s <file> <file_sc> – create a symbolic link (a different object with a new ID)
Default $PATH set (not user-related): PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin
System information
uname -a – info of Linux version, core etc.
lshw [-short] – full hardware configuration tree [brief overview]
lscpu, lsmem, lsblk [-a], fdisk -l – additional info
blkid – check UUIDs
lsusb
top [-i] – CPU utilization [hide idle processes]
Volume blocks management
Display current info: mount
Mount the sdb1 block device at /mnt/media as an ext4 volume: mount /dev/sdb1 /mnt/media -t ext4
Automount on startup: add a record to /etc/fstab:
<volume device path>/UUID=<uuid> <mount path> <filesystem> <options> 0 0
The options field is one comma-separated list with no spaces (a space splits it into extra fields and the line fails to parse); which options are valid depends on the filesystem.
Example: UUID=9898b394-874b-46fd-afd7-087c91987bfa /data ocfs2 _netdev,defaults,uid=0,gid=0,umask=0077,shortname=winnt 0 0
Add to File management: setuid (chmod u+s), setgid (chmod g+s), sticky bit (chmod +t)
rm – remove file(s) (-i – confirm for every file)
rm -r – remove a directory with all its content recursively
rmdir – remove an empty directory
mv – move/rename file/directory
Here and further: > – overwrite file; >> – append to the end of file ' ' may also be used instead of " ".
echo "Some text here." >> myfile.txt
> myfile.txt – erase all data in myfile.txt
Write command output to file (e.g. full directory content with permissions): ls -la >> myfile.txt
Write to a file from the console line by line until ‘EOF’ is typed in:
cat > outfile.txt <<EOF
some text to save
EOF
Files search
Find files by name: find <path> -name "<name wildcard>"
System and apps search: which <file> – basic check in the $PATH directories; whereis <file> – a deeper search
Find files by string content: grep -Ril "text-to-find-here" /
i stands for ignore case (optional in your case), R for recursive, l for “show the file name, not the match itself”, and / for starting at the root of your machine.
< changes the stdin source; > redirects stdout (by default, or 1>) or stderr (2>); e.g. [program/command] > [output_file] 2> [err_log]
2>&1 or the shorthand >& – send everything written to stderr to the same destination as stdout
cat [file1] > [file2] – take the content of [file1] to the output stream and redirect it to [file2]; as a result the content of [file1] is copied to [file2], replacing its content
Pipeline
command1 | command2 | command3 … The output (stdout) of the previous command is passed to the next one; the last command sends its output to the stdout destination (the console by default).
timedatectl status
timedatectl set-time YYYY-MM-DD hh:mm:ss (either one or both of date and time)
timedatectl list-timezones
timedatectl set-timezone <timezone>
timedatectl set-local-rtc 0/1 – keep the hardware clock in local time (1) or UTC (0)
timedatectl set-ntp true/false – synchronize time with an NTP server
date – display current day and time in active timezone
List file(s) permissions: ls -la <filename/wildcard>
Following commands with -R mean recursive action along the directory tree.
Set file(s) permissions: chmod <object><modifier><symbols> <filename/wildcard> or chmod <digits> <filename/wildcard>
<object> (if omitted – every field is set): u – owner; g – owner's group; o – others; <modifier>: '+' – set; '-' – reset;
Set owner: chown <new owner> <filename/wildcard>
Set group ownership: chgrp <new group> <filename/wildcard>
Permissions designations:
Digit | Symbols | Description (files / folders)
0     | ---     | no permissions
1     | --x     | execute / get metadata
2     | -w-     | write / modify (with --x only)
4     | r--     | read / get files list
Each digit of the mode is the sum of these numbers.
Permissions structure
owner (user) | owner's group | others, e.g. 7 (4+1+2) 6 (4+2) 4 (4); symbols: -rwxrw-r--
The trick: there are different requirements for files and folders. Files mostly have no eXecutable attribute, but directories (folders) must have it set, otherwise it is not possible to enter them at all. To be faster, with automatic separation of files and directories, the commands below are useful.
Attention: it works recursively, DO NOT RUN IT ON / OR ANY SYSTEM DIRECTORY: all the files will become non-executable and the system may become completely uncontrollable.
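As an added example (not the author's commands), here is a small POSIX shell function that does the separation described above: directories get a mode with x so they can be entered, regular files get one without x, and it refuses to run on / or on common system directories, which is exactly the accident the warning is about. The default modes 755/644 and the list of protected paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the original notes: recursive chmod that treats
# directories and files differently, guarded against running on / or a
# system directory. Symlinks are not followed, so only real entries change.
fix_modes() {
    dir_mode="${2:-755}"    # directories need x to be entered
    file_mode="${3:-644}"   # plain files usually must not be executable
    # resolve to an absolute physical path so "../.." cannot sneak past the guard
    target=$(cd "$1" 2>/dev/null && pwd -P) || {
        echo "not a directory: $1" >&2; return 1; }
    case "$target" in
        /|/bin|/boot|/dev|/etc|/lib|/lib64|/proc|/root|/sbin|/sys|/usr|/usr/*|/var)
            echo "refusing to run on system path: $target" >&2; return 2 ;;
    esac
    find "$target" -type d -exec chmod "$dir_mode" {} +
    find "$target" -type f -exec chmod "$file_mode" {} +
}

# usage: sh this_script.sh /path/to/site [dir_mode] [file_mode]
if [ "$#" -gt 0 ]; then fix_modes "$@"; fi
```

Note that chmod with a full octal mode also clears setuid/setgid/sticky bits on anything under the target, so do not run it on a tree that relies on them.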
Create group: sudo groupadd <group>
List users in the group: getent group <group>. If <group> is omitted, all groups are listed with their users. Attention: a user is not listed if the group is their primary group! Only supplementary group members are displayed.
List the groups a user is in: groups <user>. If <user> is omitted, the groups of the current user are listed.
Change primary group: sudo usermod -g <new group> <user> (-a is only valid together with -G)
Add user to groups: sudo usermod -a -G <supplementary groups list> <user>. If -a is omitted, the user is removed from every other supplementary group not listed after -G (a way to remove a user from a group: list only the groups the user should stay in).
Add/remove user from a group: sudo gpasswd -a/-d <user> <group>
A more “low-level” way is to edit the /etc/group file manually.
Users
List existing users: getent passwd
Create user: sudo useradd <user> -g <main group> -G <supplementary group>. The home directory /home/<user> is created automatically; -M – don't create a home directory. If no main group is specified, the user is created in a new group of their own name.
Delete user: sudo userdel <username> Use -r to delete the user with a home directory.
Set password for <user>: sudo passwd <user> It’s not recommended to create a user with a password (useradd -p option) due to password visibility in CLI history and logs.
User related actions
Run a login shell as a user: sudo runuser -l <username>. Open a root session: sudo runuser
Grant superuser rights to the user:
1st way: add the user to the superuser group in the /etc/sudoers file, where the group is defined as %<group> ALL=(ALL) ALL
2nd way: give full permissions to the user itself: echo "<user> ALL=(ALL) ALL" > /etc/sudoers.d/<user> (run this as root; with sudo in front, the redirection would still be performed by your unprivileged shell) and restrict access to this file: chmod 440 /etc/sudoers.d/<user>. Check the syntax with visudo -cf /etc/sudoers.d/<user> before closing the session, since a malformed file breaks sudo for everyone.
Learn the opposite things at once and place their definitions/descriptions close to each other. Take a look back to be sure you know how to reverse the actions or to notice if it’s impossible.
My first experience with OCI compute instances was dedicated to deploying a simple Hello-world-scale webserver. Now it's time to play with the toy a little harder. Here is an approach to making a simple webserver with some tools or a framework to work with static web content.
What are the main tasks:
Create a simple OCI compute instance (VM.Standard.E2.1.Micro, Oracle Linux 7.9)
Set up and configure http – the nginx webserver instead of the Apache one
Set up and configure ftp – the vsftpd server
Upload a web site and manage the content
Obtain a development SSL certificate and switch the server to the https protocol.
It seems this takes more than one post, so we proceed step by step.
The tasks are not guaranteed to be executed strictly one by one; some steps may get mixed up and there may be a need to jump to other parts of the whole problem and tinker with some settings.
This time I use the complete native VCN infrastructure of two subnets (public and private) connected to the internet – it's the first option the VCN creation wizard proposes. The compute instance has to be placed in the public subnet.
After VM deployment and configuring the VCN security rules as described in the previous topic, connect to the instance via CloudShell, PuTTY, or the Windows command shell (ssh works in cmd as well as in PowerShell); run any shell from the context menu “Run as administrator” and type in:
ssh opc@<public IP address> -i mykeyname.key
To make the connection process easier, it makes sense to create a simple .bat file for Windows 10/11 in the key's folder with one line:
ssh opc@<public IP address> -i mykeyname.key
Important: the file also has to be run as administrator: the ssh key file has restricted access, as you remember from the previous post, and can't be handled by a different user.
For other Windows versions, the PuTTY utility may be used. Refer to the complete manual on connecting with ssh keys (coming soon).
In the case of a Linux client machine, a bash script is the way. Create an empty text file with nano ws_connect.sh:
#!/bin/bash
sudo ssh opc@<public IP address> -i mykeyname.key
Then Ctrl+X to exit, Y and Enter to confirm writing the file.
Make the file executable with chmod u+x ws_connect.sh. Run it any time you want to connect to the server.
Now let's set up the server. First, bring the system up to date: sudo yum update
After the system and component updates are finished, let's have some fun with repositories:
The initial repository list doesn't contain nginx (on Oracle Linux 7.x; 8.x already contains a predefined nginx repository), so we add it manually. Create the file nginx.repo:
sudo nano /etc/yum.repos.d/nginx.repo
Write the following repository definition (it works for Oracle Linux 7.x as a CentOS-like system):
Check availability from the internet by browsing to <public IP address> in a web browser. The nginx dummy page should appear. If not, check that nginx is running: systemctl status nginx
Assuming the webserver runs well, the next topic is making it possible to put files on the server with FTP.