all the last-minute changes before the workshop

presentation/ssh-basics.md

@@ -25,7 +25,10 @@ backgroundImage: ![bg](./img/artbreeder-composer-2024-07-15T00_14_43.169Z.jpeg)
 ---
 # Intro
 ## about me
-I've been doing networks for over 30 years by now. And DevOps stuff before we called it that. 
+I've been doing networks for over 30 years by now. And DevOps stuff before we called it that. I work for Plusnet GmbH as a Solution Architect these days, but I have been a sysadmin, developer, network engineer, network architect and systems architect among other things. 
+
+---
+# Intro continued
 ## about you
 - Which of you...
   * use ssh already?
@@ -36,11 +39,111 @@ I've been doing networks for over 30 years by now. And DevOps stuff before we ca
 
 ---
 # Clients
-## OpenSSH
 - Linux, Mac, Windows
-  - just 
+  - I would always prefer OpenSSH
+  - in a pinch, `git bash` portable is helpful. or `putty` portable, but be careful where you download it.
 ## but I need a GUI
-- A well-maintained ssh_config is usually better. And if you have too many hosts, you want to use ansible etc anyway.
+- Maybe. I believe that a well-maintained ssh_config is usually better. And if you have too many hosts, you want to use ansible etc anyway.
+- useful shells will offer tab-completion for ssh_config etc.
+
+
+---
+# access the lab
+<!-- for the first steps, this will be the standin for your personal machine - we will integrate your actual machine later after covering some of the fundamentals. -->
+- `ssh username@sshworkshop.telefrag.com -p4000+$last_octet`
+
+---
+# access our first system
+## jumphost1
+  * `ssh jumphost1`
+    * `uptime`
+    * `whoami`
+    * `fireworks`
+      * `CTRL-C`
+
+---
+# why is my terminal messed up?
+  * escape codes, binary garbage
+  * unix-like shells: `reset`
+  * powershell: `[Console]::ResetColor()`
+
+--- 
+# run commands remotely
+  * make sure you're still logged into your linux$N lab machine
+  * `ssh jumphost1 uptime`
+  * `ssh jumphost1 whoami`
+  * `ssh jumphost1 fireworks`
+    * `ssh jumphost1`
+      * `alias`
+      * `logout` or `CTRL-D`
+  * `ssh jumphost1 "fireworks.sh Fireworks"`
+  * `ssh -t jumphost1 "fireworks.sh Fireworks"`
+    * `CTRL-C`
+      * `reset`
+
+---
+# I hate typing passwords. 
+  * copy-paste
+    * risky (who never pasted credentials into the wrong chat?)
+  * key-based auth!
+    * what are pub/privkeys
+  * `ssh-keygen`
+    * passphrase? what, why, how?
+    * ED25519, RSA, ...
+
+--- 
+# run commands remotely redux
+  * make sure you're still logged into your linux$N lab machine
+  * `ssh jumphost1 uptime`
+  * `ssh jumphost1 whoami`
+  * `ssh jumphost1 -t fireworks`
+  * Yay, we've made it worse. Now we have to remember/copy-paste a passphrase instead of a password.
+
+---
+# ssh-agent
+  * make sure agent is running
+    * normally, your GUI should do this for you, but this is a crudely simulated personal machine :D
+    * `eval (ssh-agent -s)`
+      * SSH_AGENT_PID
+      * SSH_AUTH_SOCK
+      * nice helper: `keychain`
+        * cleverly finds out if there is already an agent running, updates ENV vars if so, otherwise, starts one
+  * stores your unlocked private keys
+  * `ssh-add /path/to/keyfile` - defaults to `~/.ssh/id_*`
+    * `ssh-add`
+    * asks for passphrase
+  * re-try the commands or logins
+
+---
+# milestone One
+- password login vs key-based
+- run commands remotely
+- ssh-agent
+- terminals, PTY and `-t`
+
+
+---
+# jumphost2
+  * shared user: dbadmin
+  * I need your public keys
+  * stupidly left my keycollector private key (NEVER DO THIS) in `/var/lib/misc/`
+    * seriously, never leave your private keys lying around.
+    * this is just for the sake of labs & stuff
+  * `scp  -i /var/lib/misc/keyuploader-identity /v /etc/passwd keycollector@192.168.0.254:$USER.passwd`
+  * copy, chmod, try again.
+
+---
+# break - 10 mins
+  - give me time to copy keys to jumphost2 etc. 
+  * this is why ssh key management is inherently difficult etc
+
+
+--- 
+# running remote commands advanced
+  * `ssh jumphost1 'if [ -f "/etc/passwd" ]; then echo "Yes"; tail -1 /etc/passwd; else echo "No"; fi'`
+  * `ssh user@host 'bash -s' < local_script.sh`
+  * (instead of copying, running, deleting local_script.sh)
+  * you should really start looking into ansible if you've reached this state
 
 ---
 # Timeline ideas
@@ -61,10 +164,16 @@ I've been doing networks for over 30 years by now. And DevOps stuff before we ca
 ---
 # ideas
 - Im laufenden Lab auf einem jumphost die host_keys ändern, um Warnungen zu produzieren
+  - vorher jumphost2 den link zu jumphost1 auf 100% packet loss einstellen
+    - in containerlab-extension jumphost2 rechtsklicken, packetloss fuer eth0 einstellen
+      - ssh escape chars lernen um aus der session rauszukommen
+        - enter, ~.
+  - jumphost2: `rm /etc/ssh/ssh_host_*; dpkg-reconfigure openssh-server; killall -HUP sshd`
+  - link impairment: clear all
 - agent_forwarding abgreifen und mich als einen der User einloggen
-- Hinterher aufzeigen (frei nach "I've been here the whole time!"), dass man cert-based logins benutzt hat
-- ggfs Stacy Fakename, Joanna Fakename als Easter eggs?
 - wie baue ich eine gute ssh_config
+- change my term local to C to avoid error messages:
+  - `LC_ALL=C LANG=C LC_CTYPE=C`
 ---
 ![bg right](./img/artbreeder-composer-2024-07-14T22_49_42.899Z.jpeg)
 
@@ -83,11 +192,13 @@ I've been doing networks for over 30 years by now. And DevOps stuff before we ca
 Set-Service   ssh-agent -StartupType Automatic
 Start-Service ssh-agent
 ```
-## Mac
+## Mac only
 To add your ssh keys to MacOS Keychain, use `UseKeychain yes` in your ssh_config.
 
 ## Linux
-Generally, ssh- agent "just works". If not, simply 
+Generally, ssh-agent "just works" nowadays, especially on Linux GUI environments. But pay attention, you can easily run too many agents and get confused which one has your keys.
+  * this is usually how tmux & co have problems with ssh-agent - due to stale environment vars.
+
 
 ---
 # ssh_config