Showing posts with the label 技術---Azure.

Tuesday, May 19, 2015

Ubuntu/Lubuntu --- How to securely access a Linux VM on Azure or GCE with Remmina

An SSH key pair consists of a private key, which must never leave the client machine and should be protected by a passphrase, and a public key derived from it, which can be handed to any server. The server uses the public key only to verify that the client holds the matching private key; the private key cannot be recovered from it.

To harden access to a cloud server we secure the SSH channel with such a key pair: the public key is placed on the cloud server and the private key stays on the personal computer. Once key-based login works, password authentication for the account is disabled, so a guessed or leaked password no longer grants access.
How to do it?

To generate an SSH key pair on Windows
To create an SSH key on Windows, download PuTTY together with PuTTYgen (PuTTY Key Generator) from the PuTTY Download Page and install them.
Once the installation completes, launch PuTTYgen, select the type of key (# 1) and set the number of bits in the generated key. Use at least 2048 bits; 3072 or 4096 is better, and 1024-bit RSA should no longer be used. Then click Generate to produce the public/private key pair.
During generation, move the mouse over the blank area (highlighted in yellow) to supply randomness.
When generation completes, set a descriptive key comment and a key passphrase; the passphrase encrypts the private key on disk, so a copied .ppk file is useless without it.
Finally, store both halves in a safe location with the Save private key and Save public key buttons. Note that Save public key writes the RFC 4716 ("SSH2 PUBLIC KEY") format, not the one-line format that OpenSSH's authorized_keys expects; the one-line form is the text shown in the "Public key for pasting into OpenSSH authorized_keys file" box.


To export an OpenSSH key from a PuTTY key (PPK) on Windows
With PuTTYgen on Windows, click Load and browse to the existing private key file (.ppk extension).
If the key has a passphrase, PuTTYgen prompts for it.
In the Conversions menu, choose Export OpenSSH key and save the private key under a filename (for example id_rsa). The exported file is protected with the same passphrase.
For the public key, copy the content of the "Public key for pasting into OpenSSH authorized_keys file" box and save it as a file (for example id_rsa.pub); this text is already in the one-line format that OpenSSH expects.


To convert a PuTTY key (PPK) to an OpenSSH key on Lubuntu
On Lubuntu/Ubuntu we use the PuTTY command-line tools for the conversion; install them with sudo apt-get install putty-tools at the terminal prompt. (# 2)
Copy the .ppk private key from Windows to the Linux machine (the example uses /tmp; because /tmp is readable by every local user, prefer a directory only you can read and delete the copy once the conversion is done). Derive the OpenSSH public key with
puttygen privatekeyfilename.ppk -O public-openssh -o id_rsa.pub
and convert the private key with
puttygen privatekeyfilename.ppk -O private-openssh -o id_rsa
at the terminal prompt. Both commands ask for the .ppk passphrase, and the converted private key keeps it.


After the conversion, move the keys into ~/.ssh and make sure the permissions are right: ssh refuses to use a private key that other users can read, and the public key only needs to be readable. Do not make id_rsa.pub world-writable (for example 666): any local user could then replace it with their own key. Use the following commands.
mkdir -p ~/.ssh
chmod 700 ~/.ssh
mv -i ./id_rsa* ~/.ssh
chmod 600 ~/.ssh/id_rsa
chmod 644 ~/.ssh/id_rsa.pub
To confirm that the two halves belong together, ssh-keygen -y -f ~/.ssh/id_rsa prints the public key that matches the private key; its key-type and blob fields must be identical to those in ~/.ssh/id_rsa.pub.


To convert an RSA key (SSH) to a PKCS#12 certificate (PFX) on Linux
The classic Azure portal accepts an X.509 certificate (.pem or .cer) rather than a bare OpenSSH public key. If we only have the OpenSSH RSA private key on Linux, we first generate a self-signed PEM certificate from it with the openssl req -new -x509 -key id_rsa -out id_rsa.pem -days 365 command (without -days the certificate is valid for only 30 days). The certificate contains only the public key and can be uploaded freely.
After answering the interactive prompts, build the PFX with the cat id_rsa id_rsa.pem | openssl pkcs12 -export -out id_rsa.pfx command.
Unlike the .pem, the PFX bundles the private key as well, so give it a strong export password, keep it on the client only, and upload it nowhere unless a tool specifically requires it.


To set up the private key in the Remmina Remote Desktop Client
Open Remmina and click the New icon to create a new connection profile.
In the Remote Desktop Preference dialog, fill in the Name, Group, Server, Character set, User name and so on. Choose "SSH - Secure Shell" as the protocol, since the target is a Linux machine. For SSH Authentication choose "Identity file", because the key pair, not a password, will be used for the connection.
Then select the private key in the ~/.ssh folder, i.e. the id_rsa produced by converting the PuTTY key (PPK) to OpenSSH format above.
Finally, click Save to keep this profile.


To insert the SSH keys on Google Compute Engine

Log in to the Google Developers Console, choose the project, go to Compute -> Compute Engine -> VM instances and open the specific instance to add the SSH key to the instance-level metadata. (# 3)
In the SSH Keys section click the Add SSH Keys link,
then open the public key file (the one-line OpenSSH form, not the RFC 4716 file PuTTYgen saves), paste its content into the ssh key textbox and save the change.
Note the format expected in the ssh key textbox is "<key-type> <key-blob> <username>" or "<key-type> <key-blob> <username>@<hostname>": the trailing comment field decides which Linux username the key is mapped to, so set it to the account you intend to log in as (# 4).

Once the key is stored in the metadata, the guest agent on the instance normally picks it up within a few seconds; if login still fails, reset the VM with the Reset button.
After a moment, connect to this VM with the SSH key through Remmina.
On the first connection we are asked to trust the VM's host key. Before accepting it, compare the fingerprint with the host key fingerprint shown in the instance's serial console output (Compute Engine logs the host keys there at boot); accepting an unknown host key blindly is what makes a man-in-the-middle attack possible.
Type the passphrase of the private key.
We are now logged in to the Ubuntu console.


To insert the SSH keys on Microsoft Azure
There are several ways to upload or install an SSH key for authentication.
While creating a Linux VM in the classic portal, tick the "UPLOAD COMPATIBLE SSH KEY FOR AUTHENTICATION" checkbox and select a certificate file in .pem or .cer format (the id_rsa.pem generated above; not the .pfx, which contains the private key).


If a public key already exists on the local client, append the content of the local ~/.ssh/id_rsa.pub to the Azure VM's ~/.ssh/authorized_keys with the ssh-copy-id -i ~/.ssh/id_rsa.pub -p <port> <user>@<host> command. This uses the account password one last time to install the key, and creates the remote ~/.ssh with the right permissions if it does not exist yet.


Alternatively, copy the content of the local ~/.ssh/id_rsa.pub by hand and append it as one line to ~/.ssh/authorized_keys on the remote Azure VM (append rather than overwrite, or keys that are already authorized are lost).

Then set the permissions sshd requires for the directory and the file; with the default StrictModes, sshd silently ignores authorized_keys if either is writable by group or others.
mkdir -p ~/.ssh
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
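The permission rules above (for the client's id_rsa and id_rsa.pub as well as the server's authorized_keys) are easy to get wrong, so here is an added example, not code from the original post, of a small POSIX shell audit that reports the files in a .ssh directory whose modes would make ssh refuse a private key or make sshd ignore authorized_keys, plus a companion function that fixes them. It assumes GNU stat (-c '%a'). The directory is passed as an argument, so it can be pointed at a test directory or a mounted disk as well as at ~/.ssh.

```shell
#!/bin/sh
# Added example, not code from the original post: audit (and optionally fix)
# a .ssh directory the way ssh and sshd judge it. ssh refuses a private key
# that other users can read, and sshd with the default StrictModes yes
# ignores authorized_keys when the file, the .ssh directory or the home
# directory above it is writable by group or others. Assumes GNU stat.

# expected_mode PATH -> the octal mode the file should have
expected_mode() {
    case $(basename "$1") in
        *.pub|known_hosts|config) echo 644 ;;   # public data, readable is fine
        *)                        echo 600 ;;   # authorized_keys and private keys
    esac
}

# ssh_perm_audit DIR -> one line per problem; returns 1 if anything is wrong
ssh_perm_audit() {
    dir=$1
    bad=0
    # sshd (StrictModes) rejects keys when the home directory is group/world-writable.
    home=$(dirname "$dir")
    hmode=$(stat -c '%a' "$home")
    if [ $(( 0$hmode & 022 )) -ne 0 ]; then
        echo "$home: mode $hmode is group/world-writable; sshd will ignore authorized_keys"
        bad=1
    fi
    dmode=$(stat -c '%a' "$dir")
    if [ "$dmode" != 700 ]; then
        echo "$dir: mode $dmode, expected 700"
        bad=1
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        want=$(expected_mode "$f")
        have=$(stat -c '%a' "$f")
        if [ "$have" != "$want" ]; then
            echo "$f: mode $have, expected $want"
            bad=1
        fi
    done
    return $bad
}

# ssh_perm_fix DIR -> applies the expected modes to DIR and the files in it
ssh_perm_fix() {
    chmod 700 "$1"
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        chmod "$(expected_mode "$f")" "$f"
    done
}

# Usage: sh ssh_perm_audit.sh ~/.ssh
if [ -n "${1:-}" ]; then
    ssh_perm_audit "$1" && echo "$1: permissions look fine"
fi
```

The home-directory check is the one people forget: a chmod 777 on the home directory, done to "make something work", silently turns every key-based login for that account into a password prompt.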


Once the public key is installed on the Azure VM and the permissions are set, SSH login succeeds without the account password (only the key passphrase is asked for).

At this point lock the account's password with the passwd -l command so that it can no longer be used to log in. Do this from a session opened with the key, and keep that session open until a second key-based login has succeeded, to avoid locking yourself out.

Key authentication still works, but password authentication now fails.
Note that passwd -l only disables one account's password; sshd itself still offers password authentication to every account. To turn it off server-wide, set PasswordAuthentication no and ChallengeResponseAuthentication no in /etc/ssh/sshd_config, confirm the effective values with sshd -T, and restart sshd.
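Because sshd honours only the first occurrence of a keyword and anything after a Match line is conditional, "PasswordAuthentication is set to no" is a claim worth verifying rather than assuming. The following added example, not code from the original post, parses an sshd_config with those rules and reports whether password, keyboard-interactive and root password logins are actually off. It assumes the "Keyword value" syntax (not Keyword=value), treats an absent keyword as its OpenSSH default, and does not report exceptions inside Match blocks. The two configurations embedded in it are constructed for the demonstration. On a live host, sshd -T prints the effective values and is the final word.

```shell
#!/bin/sh
# Added example, not code from the original post: check whether an
# sshd_config really turns password logins off. sshd keeps the FIRST value
# it sees for a keyword (later duplicates are ignored), keywords are
# case-insensitive, and lines after the first "Match" apply only
# conditionally. Assumes the "Keyword value" syntax (not Keyword=value).
# On a live host `sshd -T` prints the effective values and is the final word.

# sshd_effective FILE KEYWORD -> the effective global value, "" if unset
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # comment or blank line
        tolower($1) == "match"   { exit }            # conditional section begins
        tolower($1) == key       { print $2; exit }  # first occurrence wins
    ' "$1"
}

# lower STRING -> lower-cased STRING
lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# sshd_password_audit FILE -> 0 if password-style logins are off,
# otherwise 1 with one line per problem
sshd_password_audit() {
    file=$1
    rc=0
    pw=$(sshd_effective "$file" PasswordAuthentication)
    if [ "$(lower "${pw:-yes}")" != no ]; then       # absent means yes
        echo "PasswordAuthentication is '${pw:-unset, defaults to yes}'; set it to no"
        rc=1
    fi
    # Keyboard-interactive (PAM) authentication also accepts a password.
    # Newer releases call it KbdInteractiveAuthentication, older ones
    # ChallengeResponseAuthentication; take whichever is set.
    kbd=$(sshd_effective "$file" KbdInteractiveAuthentication)
    [ -n "$kbd" ] || kbd=$(sshd_effective "$file" ChallengeResponseAuthentication)
    if [ "$(lower "${kbd:-yes}")" != no ]; then
        echo "ChallengeResponseAuthentication/KbdInteractiveAuthentication is '${kbd:-unset, defaults to yes}'; set it to no"
        rc=1
    fi
    root=$(sshd_effective "$file" PermitRootLogin)
    case $(lower "${root:-unset}") in
        no|prohibit-password|without-password) ;;
        *) echo "PermitRootLogin is '${root:-unset}'; set it to no or prohibit-password"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample configs, not taken from any real host.
# This one looks hardened at a glance but is not: the "no" comes second.
WEAK_CONFIG='PasswordAuthentication yes
PermitRootLogin yes
ChallengeResponseAuthentication no
# appended later; sshd ignores it because the first value above wins
PasswordAuthentication no'

HARDENED_CONFIG='PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password
PubkeyAuthentication yes
# exceptions after Match are conditional and do not change the global value
Match User backup
    PasswordAuthentication yes'

# Usage: sh sshd_password_audit.sh /etc/ssh/sshd_config
if [ -n "${1:-}" ]; then
    sshd_password_audit "$1" && echo "$1: password logins are off"
fi
```

Run it against /etc/ssh/sshd_config before and after editing; the WEAK_CONFIG case is exactly the mistake a quick "echo ... >> sshd_config" produces on a file that already contains the keyword.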


Reference:
(# 1)   For key compatibility select the SSH-2 RSA type (or Ed25519 in newer PuTTYgen releases). Do not choose SSH-1 (RSA): that is a key for the obsolete SSH protocol version 1, which current OpenSSH clients and servers no longer support, so such a key cannot be reused with OpenSSH.
(# 2)   If we generated the public key with PuTTYgen on Windows, we can copy that file to /tmp on the Linux machine and convert it from the RFC 4716 format PuTTYgen saves into the OpenSSH one-line format with the ssh-keygen -i -f /tmp/publickeyfilename > /tmp/id_rsa.pub command.
Even if we only have a private key exported by PuTTYgen, we can still regenerate the public key with the ssh-keygen -e -f /tmp/privatekeyfilename > /tmp/id_rsa_com.pub && ssh-keygen -i -f /tmp/id_rsa_com.pub > /tmp/id_rsa.pub command (-e exports the public half in RFC 4716 format, -i converts it back). The shorter equivalent is ssh-keygen -y -f /tmp/privatekeyfilename > /tmp/id_rsa.pub, which prints the OpenSSH public key directly.
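As an added example, not code from the original post, the following POSIX shell script does by hand what ssh-keygen -i and the PuTTYgen paste box do: it turns an RFC 4716 public key file into the one-line OpenSSH form, checks that the label matches the key type stored inside the base64 blob (a paste under the wrong label is caught instead of silently accepted), prints the SHA256 fingerprint that ssh-keygen -lf shows, and builds the USERNAME:<key> entry Compute Engine expects in its ssh-keys metadata. It assumes GNU coreutils (base64 -d, sha256sum, od, head -c, tail -c) and single-line RFC 4716 headers, which is what PuTTYgen writes. The embedded key is constructed for the demonstration (a well-formed ssh-rsa blob with a one-byte modulus) and is not a usable key.

```shell
#!/bin/sh
# Added example, not code from the original post. Does by hand what
# `ssh-keygen -i` and PuTTYgen's paste box do: RFC 4716 public key file ->
# one-line OpenSSH form, plus a label/blob consistency check, the SHA256
# fingerprint `ssh-keygen -lf` prints, and the Compute Engine metadata form.
# Assumes GNU coreutils (base64 -d, sha256sum, od, head -c, tail -c) and
# single-line RFC 4716 headers, which is what PuTTYgen writes.

# blob_key_type BASE64BLOB -> the key type stored inside the blob.
# SSH wire format: uint32 big-endian length, then the type string.
blob_key_type() {
    blob=$1
    set -- $(printf '%s' "$blob" | base64 -d 2>/dev/null | head -c 4 | od -An -v -tu1)
    [ $# -eq 4 ] || { echo "blob is not base64 or is too short" >&2; return 1; }
    len=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    [ "$len" -gt 0 ] && [ "$len" -le 64 ] || { echo "implausible type length $len" >&2; return 1; }
    type=$(printf '%s' "$blob" | base64 -d 2>/dev/null | head -c "$((4 + len))" | tail -c "$len")
    [ ${#type} -eq "$len" ] || { echo "blob truncated" >&2; return 1; }
    printf '%s\n' "$type"
}

# rfc4716_to_openssh FILE [COMMENT] -> "<type> <blob> <comment>"
# COMMENT replaces the file's Comment: header. The comment is what the
# Compute Engine console maps to a Linux username, so pass the intended one.
rfc4716_to_openssh() {
    file=$1
    comment=$2
    # PuTTYgen on Windows writes CRLF line endings; drop the \r first.
    body=$(tr -d '\r' < "$file" \
        | sed -n '/^---- BEGIN SSH2 PUBLIC KEY ----$/,/^---- END SSH2 PUBLIC KEY ----$/p')
    # Marker lines start with ----, header lines contain a colon, the rest
    # is base64 split over several lines: join it.
    blob=$(printf '%s\n' "$body" | grep -v '^----' | grep -v ':' | tr -d ' \n')
    [ -n "$blob" ] || { echo "no RFC 4716 public key found in $file" >&2; return 1; }
    if [ -z "$comment" ]; then
        comment=$(printf '%s\n' "$body" | sed -n 's/^Comment: *//p' | tr -d '"' | head -n 1)
    fi
    type=$(blob_key_type "$blob") || return 1
    printf '%s %s %s\n' "$type" "$blob" "$comment"
}

# check_openssh_line LINE -> 0 iff the leading label matches the blob's type
check_openssh_line() {
    label=$(printf '%s\n' "$1" | awk '{print $1}')
    inner=$(blob_key_type "$(printf '%s\n' "$1" | awk '{print $2}')") || return 1
    [ "$label" = "$inner" ] || { echo "label '$label' but the blob says '$inner'" >&2; return 1; }
}

# openssh_fingerprint LINE -> SHA256:<base64, no padding>, as ssh-keygen -l prints
openssh_fingerprint() {
    hex=$(printf '%s\n' "$1" | awk '{print $2}' | base64 -d | sha256sum | awk '{print $1}')
    # sha256sum gives hex; emit the 32 raw bytes again and base64 them.
    b64=$(for pair in $(printf '%s\n' "$hex" | sed 's/../& /g'); do
              printf "\\$(printf '%03o' "0x$pair")"
          done | base64 | tr -d '=\n')
    printf 'SHA256:%s\n' "$b64"
}

# gce_metadata_entry FILE USERNAME -> "USERNAME:<type> <blob> USERNAME", the
# form Compute Engine expects for an entry in the ssh-keys metadata value.
gce_metadata_entry() {
    line=$(rfc4716_to_openssh "$1" "$2") || return 1
    printf '%s:%s\n' "$2" "$line"
}

# Constructed sample, NOT a real key: a well-formed ssh-rsa blob with
# e = 65537 and a one-byte modulus, enough to exercise the parsing offline.
SAMPLE_RFC4716='---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-20150519"
AAAAB3NzaC1yc2EAAAADAQABAAAAAQU=
---- END SSH2 PUBLIC KEY ----'

# write_sample FILE -> writes the sample with CRLF endings, as on Windows
write_sample() {
    printf '%s\n' "$SAMPLE_RFC4716" | awk '{ printf "%s\r\n", $0 }' > "$1"
}

demo() {
    tmp=$(mktemp) || return 1
    write_sample "$tmp"
    line=$(rfc4716_to_openssh "$tmp" alice) || return 1
    check_openssh_line "$line" || return 1
    printf '%s\n' "$line"
    openssh_fingerprint "$line"
    gce_metadata_entry "$tmp" alice
    rm -f "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it with --demo to see the three outputs. On a real key, the fingerprint it prints should equal ssh-keygen -lf id_rsa.pub on the client and the SHA256 fingerprint sshd writes to the auth log on a successful "Accepted publickey" login, which is a quick way to confirm that the key the server accepted is the one you meant to install.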
(# 4)   First, connect to the instance with SSH from the browser by selecting Compute -> Compute Engine -> VM instances -> SSH in the Google Developers Console.
By default the username is generated from the email address of the logged-in account. Change it by clicking the Settings icon and selecting Change Linux Username.
The new username is subject to the Linux limit of 32 characters.

Sunday, October 26, 2014

Microsoft Azure --- how to move a VM from one cloud service to another


Within one Azure subscription, every VM created with the default options of the wizard is placed in a new cloud service. We therefore reach the limit of 20 cloud services per subscription quickly, after which no further VM can be created unless we ask Microsoft support to raise the quota.

"Can VMs be moved between cloud services?" The following procedure does it. Shut the VM down first with Stop-AzureVM so that the exported configuration and the VHD are consistent; the move recreates the VM, so plan for the downtime.
Get the VM information with the Get-AzureVM -ServiceName "<old cloud service name>" -Name "<VM name>" command.
Export the VM configuration with the Export-AzureVM -ServiceName "<old cloud service name>" -Name "<VM name>" -Path "<.xml file>" command.
Remove the VM from Azure without deleting the VHD file on disk (# 1) with the Remove-AzureVM -ServiceName "<old cloud service name>" -Name "<VM name>" command. Do not pass -DeleteVHD: that disk is the only copy of the VM.
Edit the .xml file if the endpoint ports (a public port must be unique within the destination cloud service) or the SubnetNames need to change to fit the destination cloud service.
Make sure the current storage account is set by running the Get-AzureSubscription command. If CurrentStorageAccount is blank, select the storage account that holds this VM's VHD with the Set-AzureSubscription -SubscriptionName "<Azure Subscription>" -CurrentStorageAccount "<new Storage Account>" command. (# 2)
Import the configuration to recreate the VM with the Import-AzureVM -Path "<.xml file>" | New-AzureVM -ServiceName "<new cloud service name>" -VNetName "<virtual network name>" command. If the destination cloud service does not exist yet, New-AzureVM also needs -Location or -AffinityGroup so that it can create the service.
The VM has now been moved to the other cloud service.

Reference:
(# 1)   Click the Storage icon on the left, select a storage account to open its main page, then click the Containers tab and the vhds container. The VHD file of the removed VM is still in the list.
(# 2)   If the CurrentStorageAccountName is not defined, the Import-AzureVM | New-AzureVM pipeline fails with an error instead of creating the VM.

Sunday, September 7, 2014

Microsoft Azure --- how to move a VM from one subnet to another in the same region


If an Azure VM sits on the wrong subnet of a virtual network in the same region, is there a way to move it to the right one?
Yes, there is.
Log in to the Azure subscription with the Add-AzureAccount PowerShell command. After authenticating, collect the information needed for the VM to be moved: the cloud service name and the VM name, from the Get-AzureVM PowerShell command.
This tells us that the maz-dc-05 VM belongs to the xxx02 cloud service.
First shut down the VM with the Stop-AzureVM -ServiceName "Cloud Service Name" -Name "VM Name" PowerShell command. Note that Stop-AzureVM deallocates the VM by default, and if it is the last running VM in the cloud service the service's public IP address is released; add -StayProvisioned to keep the VM allocated (and billed) and the address reserved.
Confirm that the original subnet name is "Subnet-FrontEnd" by piping the VM object from Get-AzureVM to Get-AzureSubnet.
Move the VM to the other subnet (# 1) with the Get-AzureVM -ServiceName "Cloud Service Name" -Name "VM Name" | Set-AzureSubnet -SubnetNames "the destination Subnet Name" | Update-AzureVM PowerShell command.
The VM is now on the "Subnet-DMZ" subnet.

Reference:
(# 1)   Move a VM or Role Instance to a Different Subnet
Since 2010 Design by Davidwa
©Copyright Davidwa Inc. All rights reserved.