FreeBSD is an free and open source advanced computer operating system used to power modern servers, desktops and embedded platforms.
Amazon Elastic Compute Cloud (“EC2″) provides resizable computing capacity in the Amazon Web Services (“AWS”) cloud. Amazon EC2 can be used to launch as many or as few virtual servers as you need, configure security and networking, and manage storage. An Amazon Machine Image (AMI) is a template that contains a software configuration (for example, an operating system, an application server, and applications). From an AMI, you launch an instance, virtual servers that can run applications. They have varying combinations of CPU, memory, storage, and networking capacity, and give you the flexibility to choose the appropriate mix of resources for your applications.
This post describes how to create and configure a FreeBSD instance in Amazon EC2. Then goes on to explain how to connect to the new instance using SSH from a machine running a BSD, Linux or Windows operating system.
The steps discussed in this post assume you have an active AWS account. If you do not, you can sign up for one at Amazon Web Services.
Let’s get started…
Create and Configure the FreeBSD Instance
Fire up your web browser and navigate to Amazon Web Services. Login to the AWS Management Console by selecting “AWS Managment Console” from among the options in the drop down list under “My Account/console” (See Figure 1).
Once you’ve successfully logged in, select “EC2 Virtual Servers in the Cloud” from among the options listed under the “Compute & Networking” section (See Figure 2).
Next you’ll choose the Amazon EC2 “region” under which the FreeBSD instance will be created. In this example we’ll select the Oregon region (See Figure 3).
Now select “Instances” from among the options under the “Instances” category on the left side of the page. If this is the first time you’ve created an instance in this Amazon EC2 region you’ll be greeted with a message indicating “you do not have any running instances in this region” and a button to launch one (See Figure 4).
Select “Launch Instance” and you’ll be greeted with Amazon’s quick start guide for creating a new AMI. Select “Community AMIs” from among the choices on the left side of the web page where you will be offered the ability to search for and select an AMI from the AWS user community. Great, but what do we search for? Fortunately Colin Percival, FreeBSD developer, member of the FreeBSD Core team, and the FreeBSD Security Officer, has created a number of FreeBSD AMIs and has graciously provided a handy matrix listing those AMIs as well as their associated numbers. At the time of this post, the FreeBSD 9.2-RELEASE for 64-bit Windows AMI will be the most appropriate one to use for most users and applications and this will be the one we’ll use in our example. Make a note of the AMI number corresponding to the Oregon region and enter that number in the search box. Amazon will search for this AMI and return the correct result (See Figure 5).
Next, select “Select” where you’ll be asked to choose an instance type. Amazon EC2 provides several instance types optimized to fit different use cases. In our example we’ll use a “Micro” instance. a low-cost (often free) instance type, providing a small amount of CPU and memory resources. Micro instances are suited for lower throughput applications, including low traffic websites or blogs, and small administrative applications (See Figure 6).
After choosing an EC2 instance that best meets your requirements, select “Next: Configure Instance Details” where you will be presented with a list of default options that can be modified, if desired, to better suite your needs. Hovering your mouse over the “i” icon near an option will describe its purpose in greater detail. One option that may prove helpful is the termination protection. Enabling this will prevent the instance from being accidentally “terminated” (i.e., deleted). Once enabled, you will not be able to delete the instance through the AWS Management Console until this option is once again disabled. For our example, however, we’ll simply retain the default options (See Figure 7).
Now select “Next: Add Storage” where you can adjust the size of the default or “root” Elastic Block Store (“EBS”) volume. You can also attach additional EBS volumes to your instance, or edit the settings of the root volume. You can also choose to delete the volume should you decide to terminate the instance. For our example, we’ll retain the 10GB root EBS volume and all default settings (See Figure 8).
After configuring storage, select “Next Tag Instance” where you be given the option of creating a “Tag” for your instance (See Figure 9). Tags enable you to categorize your AWS resources in different ways, for example, by purpose, owner, or environment. Each tag consists of a key and a value, both of which you can define. Uniquely tagging instances can be beneficial, particularly if you plan on creating many of them. Again, this is an optional step, and since we’re creating a single instance, we’ll forgo tagging for the moment and move on to the next step: create configure the security group.
A security group is a set of firewall rules that control the traffic for your instance. For example, if you want to set up a web server and allow traffic to reach your instance, you would add rules that permit unrestricted access to HTTP and HTTPS ports.
You can create a new security group or select from an existing one. In our example we’ll create a new security group. Ensure that “Create a new security group” is selected, then choose a name. Other than the total number of characters (maximum of 255), there are no restrictions. You can also add a description for the security group if desired.
With the exception of Remote Desktop Protocol (TCP port 3389), there are no incoming ports open for a new instance by default (Amazon EC2 instances requires port 3389 to be open to permit access to the instance via the web). For our example, we’d like to connect to the new FreeBSD instance using SSH so we’ll need to create a new rule allowing incoming port 22 connections. Select “Add Rule”, then select “SSH” from among the options in the drop down list under “Protocol”. TCP and port 22 will be automatically assigned to this selection. If you would like to use a TCP port other than 22 for SSH connections, you should select “Custom TCP Rule” instead and enter the desired port number under “Port Range (Code)”.
Next, determine if and how you’ll filter incoming SSH connections to your FreeBSD instance. If you’d like to connect from any network, then select “Anywhere” from among the options in the drop down list under “Source”, else you can limit incoming connections to the IP your currently using or to a custom IP address or IP subnet. For our example, we’ll allow incoming SSH connections on port 22 from anywhere (See Figure 10). Repeat these steps to create additional rules to meet your requirements.
When complete, select “Review and Launch”, where you’ll be given one last opportunity to modify your settings. When complete, select “Launch” where a pop up screen will provide the opportunity to select an existing key pair or create a new key pair. A key pair consists of a OpenSSL public key, which Amazon AWS retains and copies to your instance, and a private key that you download and retain. Together, they allow you to connect to your FreeBSD instance securely. If this this is first time you’ve created an instance you’ll likely not have an existing key pair from which to chose. If this is the case, select “Create a new key pair” from among the options in the drop down list and enter a name for your new key pair. In our example we’ll use the name “ec2-or-freebsd.” Now select “Download Key Pair” and save the file in a secure and accessible location (See Figure 11).
Next, select “Launch Instances”, followed by “View Instances” and you’ll be taken to a page showing your FreeBSD instance launching. After a minute or two, the “Instance State”
will change from “pending” to “running” (See Figure 12). You can stop your instance by selecting “Stop” from among the options in the drop down list under “Actions” located at the top of the page.
Finally, let’s get the host name of our FreeBSD instance. Select “Connect” at the top of the instance page. The host name is contained next to the field “Public DNS”. In this example the host name is: firstname.lastname@example.org. (See Figure 13) As you can see, these host names are typically very long. Instead of trying to memorize it, write it down, or simply highlight it and copy it to file you can access later. Note: if you stop your instance a new host name will be assigned to it when it’s restarted. Consequently, you’ll have to repeat these steps.
Connect to the instance from Windows
Now that we have our new FreeBSD instance up and running under Amazon EC2 let’s turn our attention to connecting to it using SSH under Windows. Since Windows doesn’t support SSH natively, we’ll need an SSH client. There are many out there to choose from, but the one I typically use is PuTTY, a free implementation of Telnet and SSH for Windows and Linux/BSD platforms.
PuTTY does not natively support the private key format *.pem generated by Amazon EC2, so we’ll also need a way to convert this key file to a key format that the PuTTY application can use. For this we’ll use PuTTYgen, a free RSA and DSA key generation utility, which can convert keys to *.ppk, the file format required by PuTTY. You can download standalone versions of PuTTY and PuTTYgen, or simply download the Windows installer version of PuTTY, which will also install PuTTYgen, as well as Pageant, an SSH authentication agent for PuTTY.
Fire up PuTTYgen and select “Load”. Navigate to where you downloaded the ec2-or-freebsd.pem file and select “Open” (Note: you may have to change the search filter from “PuTTY Private Key Files (*.PPK)” to “All Files (*.*)” in order to readily locate the file). Once ec2-or-freebsd.pem has been successfully loaded into PuTTYgen, you can modify the “Key comment” field if desired, as well as add a passphrase to protect your private key. While optional, I strongly suggest you add a passphrase. Electing not to means that anyone gaining access to your private key will also quite easily be able to access your FreeBSD instance (See Figure 14). Once complete select “Save private key” and select a name (for our example, we’ll use the same name: ec2-or-freebsd) and a location to save the new key file.
Exit out of PuTTYgen and fire up PuTTY. Navigate to Connection->SSH->Auth. Under Authentication parameters select the Browse button and select the ec2-or-freebsd.ppk file you saved in the previous step. Navigate back up to Session and copy and paste the host name for your FreeBSD instance in the “Host Name (or IP address)” field. You’ll connect as “ec2-user” so prepend this user name to the host name so that the entire field looks like this: “email@example.com”. If you chose a different SSH port number other than the default 22 when setting up your instance’s security group, ensure that number is reflected in the “Port” field.
Now select “Open” and the PuTTY client will connect to your FreeBSD instance. If this is the first time you’ve connected to it, you’ll receive a warning concerning the authenticity of the host you’re trying to reach. If you’re sure this is the correct instance and you want to continue connecting, select “Yes” to add the key to PuTTY’s cache and carry on connecting. If you want to carry on connecting just once, without adding the key to the cache, select “No”. You’ll be asked to provide the passphrase (if you created one) for your private key and you’ll be connected to the instance. You can now use your FreeBSD instance like any other FreeBSD system, with the exception that on versions prior to 10.0-BETA1 you can’t use FreeBSD Update to fetch kernel security updates.
Connect from BSD or Linux
Connecting to your FreeBSD EC2 instance via SSH is significantly easier in Linux or BSD. Start by checking to see if the .ssh directory exists in your home directory. If it does not, create it and set it’s permissions appropriately:
chmod 700 ~/.ssh
Now move the ec2-or-freebsd.pem file you downloaded to ~/.ssh and modify its permissions appropriately:
chmod 600 ~/.ssh/<your-pem-file>
As an optional step you can add a passphrase to your key. I strongly suggest you do, else anyone gaining access to your key will also quite easily be able to access your FreeBSD instance:
openssl rsa -in ec2-or-freebsd.pem -des3 -out ec2-or-freebsd.pem
Now let’s connect to our FreeBSD instance:
ssh -i ~/.ssh/ec2-or-freebsd.pem firstname.lastname@example.org
If you chose a different port number than the default when setting up the instance’s security group, then you’ll need to specify that on the command line as well:
ssh -p <your-port-number> -i ~/.ssh/ec2-or-freebsd.pem email@example.com
If this is the first time you’ve connected to it, you’ll receive a warning concerning the authenticity of the host you’re trying to reach. If you’re sure this is the correct instance and you want to continue connecting type “yes” at the prompt. The public key of your FreeBSD EC2 instance will be added to ~/.ssh/known_hosts and you will be connected.
Well, that’s it. Thanks to some fine work by Colin Percival, you can easily create, configure and connect to your own FreeBSD instance in Amazon EC2. Now that you know that your *.ppk and/or *.pem private key works, you should back it up to offline media such as a flash drive or CD and keep it someplace secure.
Issues to note
Amazon does not provide a easy way to verify the key fingerprint – the one listed in the EC2 Management Console. I did manage to find this rather obscure command that will work from Linux/BSD, but I have yet to find an easy way to perform this task under Windows, outside of installing and setting up the the Amazon EC2 command line interface tools.
openssl pkcs8 -in ec2-or-freebsd.pem -nocrypt -topk8 -outform DER | openssl sha1 -c