Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
DFFML / Rolling Alice: Engineering Logs: Volume 0: Architecting Alice / 9 Jul 2022
DFFML / Rolling Alice: Engineering Logs: Volume 0: Architecting Alice / 9 Jul 2022
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Architecting Alice: Volume 0: Part: 81: Manual Spin Up of Digital Ocean VM

Description

https://github.com/intel/dffml/pull/1401#issuecomment-1170489046

A

All right: okay, hello, hello, hello, hello, great, so um we're going to uh we're going to generate an ssh key and launch. I know I just gave a giant speech about how I wanted to automate everything before we launched one vm, but we're just gonna launch the vm and we're going to do this thing, which is a high value target, um because I think that I realized that the length of the amount of stuff that needs to be done from that you know game plan is a lot.

A

So let's focus on something that will get immediate value um and so we'll just spin up some vms and uh we'll just do it on one vm, we'll just crank up the vm, we'll crank up tvx, tbx and ibm we'll just play around okay. So.

A

So.

A

Okay, so let's do pdx johnny for the comment at we'll. Do pdx johnny, we'll see so get log dash.

A

Okay, so here we, I believe we did this on video right. So um in the log um I think last I think I remember uh I haven't said that it's in the notes- okay, um so docs.ci, so this is basically we're doing we're scoping we're scoping the credential here, um the credential being the email that we're associated with here. um Perhaps we should do that not on the domain.

A

Yeah, the domain is a bad place to do that. Let's not do that on the domain.

A

So let's do it can't you do something with emails where it's like, plus.

A

Yeah plus trick is that just gmail.

A

Okay, so this says you can use the plus symbol.

A

Email standard.

A

I don't know if this is standard, I don't think we can rely on that.

A

We could do it based on a username gmail. Has that dot issue.

A

hmm hmm Well, let's not worry about it too much for now so we'll say. um Should I.

A

All right so now, what that tells us is that we're going to run untrusted code, so nadine.com we're going to run untrusted code or potentially there's going to. Potentially things will get popped uh alice. Should I contribute that's the base flow which we're overlaying right, and so this is. The identity is associated with this okay, so the identity is associated with that.

A

Okay, so dude.

A

Which helps us identify uh which scopes, which? Whose domain? Whose email domain we currently play with.

A

As a concept where we are exploring scoping uh identity credentials,.

A

Identities, we'll just say, scoping identities,.

A

To contacts.

A

Okay, so uh alice dot, please, or should I contribute?

A

Let's do baseball, slash system context. This example all right, okay, generate ourselves a little key. There.

A

All right, there's what the key looks like and nist came out with crypto guidelines recently, so uh 4096 rsa keys where possible- and this is where I think we talked about- that the other stuff breaks down post quantum, the what current web five e c d e e e d, ed25519.

A

Keys right so that's where we're hoping that something changes there and that they move.

A

But based on the way the did spec is written, I have faith that the keys can be changed, um different, different curves. I think the spec could be updated in the future. So all right. So this looks good. So let's go ahead and give this to digitalocean and say digitalocean.

A

Please treat this as the key okay, it's poor things that are sketchy. So let's do hostname. So let's do alice.please dot for alice type in please or wait. Should I contribute and we'll just do what? How many zeros should we do? One two, three, four: five: six, seven, eight, nine ten.

A

Let's just put zero.

A

Tags.

A

No tags right now: let's enable ipv6 and.

A

User data, so what does user data do here? It's like uh this is like a okay and I'm just gonna choose this one to give us some power. Actually, let's just choose this one, so let's just do actually they haven't. Given me access to this whoa.

A

Memory, optimized 16 gigabytes.

A

Let's just get this one well I'll, be using it for a few hours create droplet.

A

Okay, let's see.

A

It's gonna spin up the prop up for us.

A

Oh my god, I love digitalocean. This is just this makes us just like a breeze. They've really figured this out.

A

All right, let's pop a show so ipv6, see what happens. Let's give it that key.

A

All right, okay,.

A

Okay, so.

A

I so let's do root, I think it's root at and we can say: oh password.

A

What is it.

A

Okay, so what is this there's something that we want, so uh um uh these are known: host file, user, known host file.

A

Equals devnet.

A

Actually, I think this is in the okay.

A

Okay,.

A

Okay, these are known whole host file, so this says so we're setting a couple options on here, we're going to say uh so: it's user known host file uh and then.

A

It's commonly used with another option.

A

Strict host key checking.

A

Equals no and.

A

Okay, let's just do.

A

Password authentication equals no, so.

A

All right, this is the magic ssh command. This is my favorite ssh command.

A

Okay, so uh what is this? This is uh use ssh key for auth. I don't accept or always accept server key right, so we don't care about the server key because um yeah we, this is a meaningless machine. Obviously, so don't don't put anything you care about on this machine.

A

You don't know what you're liking to.

A

Actually so.

A

How could we we could potentially use the startup thing? We could use the startup thing, so we can use this startup script to do.

A

uh Use vo startup use vm startup script to.

A

Startup script via cloud or otherwise to exfil.

A

The ssh sshds that the ssh daemons public key on.

A

Sshd start um maybe via systemd files, okay, so because you can have systemd files to say start after another thing: okay, start after sshd is up.

A

Okay,.

A

um

A

This way we can.

A

um To do and then we'll say dirty.

A

Okay, so this is- and this is this is needed- this must happen after spin up, so that we can we the so that clients ssh chain in.

A

Are sure they are ssh are not being entity in the middle.

A

Okay, this way we can um verify then give can drop the no host key checking.

A

Machines.

A

Checking equals yes and provide a.

A

Username host file.

A

With the server key in it all right, so that way we verified out a band.

A

um

A

You.