SSH and SSL With HostGator Shared Web Hosting

Linux No Comments

Surprisingly, I found that a Hostgator shared web hosting account supports secure shell (SSH) access and a shared secure sockets layer (SSL) certificate. For those who might not be familiar with them, SSH provides interactive terminal access to your account and SSL supports secure HTTPS browsing to your website.

Note: Most instructions below are not specific to a Hostgator shared web hosting account. They may work with your shared web hosting account also.

Enable SSH Access

To enable SSH access for your Hostgator shared web hosting account, do the following:

  1. Browse to Hostgator’s Billing/Support System page.
  2. Log in using your billing/support email address and password (this may be different from your cPanel administrative password).
  3. Click on the “View Hosting Packages” link under “Hosting Packages”.
  4. Click on the “Enable Shell Access” link near the top of the middle content pane.

Note: Hostgator SSH uses port 2222, instead of the standard SSH port 22. So when running the SSH client, make sure to use port 2222.

SSH Into Your Hostgator Account

Mac OS X comes with a built-in SSH client. To connect to Hostgator, launch the Terminal application and run ssh with port 2222 with this command:

ssh -p 2222 myusername@mydomainname.com

Windows does not come with a built-in SSH client, so I recommend using the free Putty SSH client. Browse to the PuTTY Download Page and download the “putty.exe” file. Run it and input the following:
putty_2222

  1. Under Session (selected by default under the Category panel on the left), input the “Host Name” and the Port 2222.
  2. Under Connection and then Data, input your username in the “Auto-login username” field.
  3. Optional: To avoid having to re-input these values the next time you run Putty, go back to Session, input a name in the “Saved Sessions” field, and click the Save button. The next time, just select the session you saved and click Load to automatically re-populate the fields.
  4. Click on the Open button to make the SSH connection.

Your website files are located under the “~/www” directory which is soft-linked to the “~/public_html” directory.

SSH With Public Key Authentication

If you SSH into Hostgator often, it may be worthwhile to use public key authentication to avoid having to input your password. Public key authentication consists of two steps: (a) generate a public and private key pair on the client and (b) copy the public key to the server into a trusted location. After those steps, instead of asking for a password, the server will authenticate the SSH connection by matching its trusted copy of the client’s public key against the client’s private key.

Before we start, SSH into your Hostgator account and make sure that the “~/.ssh” directory exists on the server by running these commands:

mkdir -p ~/.ssh
chmod 700 ~/.ssh

The mkdir command above will create the “~/.ssh” directory if it does not already exist. The “~/.ssh” directory is the server’s default location for trusted public and private key files. The chmod command sets the permission on the “~/.ssh” directory to only allow access for the user and no one else. We will copy the client’s public key to this “~/.ssh” directory on the server.

SSH Public Key Authentication on Mac OS X

Mac OS X comes with the built-in “ssh-keygen” and “scp” (secure copy) utilities which we can use to generate a public and private key pair, and to copy the public key to the server.

ssh-keygen -t rsa
scp -P 2222 ~/.ssh/id_rsa.pub myusername@mydomainname.com:~/.ssh/authorized_keys
ssh -p 2222 myusername@mydomainname.com 'chmod 600 ~/.ssh/authorized_keys'

The ssh-keygen command above will generate a public and private key pair using RSA protocol 2 with 1024 bits. It will prompt you to input a passphrase (to protect access to the private key) which I recommend you leave blank; otherwise, you will be prompted for the passphrase each time you connect, which would defeat the purpose of avoiding password input. The private and public key files are created in the client’s “~/.ssh” directory as “id_rsa” and “id_rsa.pub” respectively. The scp command copies the public key to the server as “~/.ssh/authorized_keys”, which is the server’s default trusted public key file. The chmod command sets permission on the “~/.ssh/authorized_keys” file to only allow access for the user and no one else.

To test, run the SSH command and you should automatically be authenticated using the public key. You should not be prompted to input the password.

ssh -p 2222 myusername@mydomainname.com

If you are tired of having to input the port 2222, you can set it as the default by creating the “~/.ssh/config” file with the following content:

Host mydomainname.com
  Port 2222
  PreferredAuthentications publickey,password

When connecting to your hosting server, the SSH client will use port 2222 by default and either public key authentication (publickey) or password authentication (password).

Once the file above is created, you should be able to SSH without having to input the port 2222:

ssh myusername@mydomainname.com

SSH Public Key Authentication on Windows

Because Windows does not have the built-in “ssh-keygen” and “scp” utilities, you will need to download the following files from PuTTY Download Page: “puttygen.exe” (ssh-keygen), “pscp.exe” (scp), and “plink.exe” (SSH command line).

Then, launch “puttygen.exe” to generate the public and private key pair:

    puttygen_1024

  1. RSA Protocol 2, “SSH-2 RSA”, should be selected by default.
  2. Leave the “Number of bits in a generated key” as 2048 or change it to 1024. (I used 1024 bits which is adequate for my purpose.)
  3. Click the Generate button.
  4. Move the mouse inside the dialog window until the key pair is generated.
  5. I recommend that you leave the “Key passphrase” blank; otherwise, you will be prompted for the passphrase every time you connect.
  6. Copy the contents of the “Public key for pasting into OpenSSH authorized_keys file” textfield to a file named “id_rsa.pub”.
  7. Click the “Save private key” button and name the private key file “id_rsa.ppk”.
  8. Click the “Save public key” button and name the public key file “id_rsa.publickey”. Note that the contents of this public key file is different from that of the “Public key for pasting into OpenSSH authorized_keys file”.

Finally, copy the the “Public key for pasting into OpenSSH authorized_keys file” to the server using the Window’s Command Prompt shell and the Putty versions of scp and SSH command line utilities:

pscp -scp -P 2222 id_rsa.pub myusername@mydomainname.com:~/.ssh/authorized_keys
plink -P 2222 myusername@mydomainname.com chmod 600 ~/.ssh/authorized_keys

Configure the Putty SSH client to use public key authentication:

  1. Per the previous Putty instructions, input the server’s hostname, port 2222, and your username. Or if you have a saved session, under Session, select your session name, and click the Load button.
  2. Under Connection, SSH, and Auth, click on the “Browse…” button at the bottom and locate the private key file “id_rsa.ppk”.
  3. Optional: You can update your saved session by going to Session, selecting your named session, and clicking the Save button.
  4. Click the Open button to connect to your server by SSH. You should not be prompted to input the password.

Troubleshoot SSH Public Key Authentication

If the above does not work (you are still prompted for the password), then it may be that the server has its own generated public and private key pair installed. For my Hostgator account, I found that the public key authentication failed because my server had its own public and private key files in the “~/.ssh” directory.

To fix this issue, SSH into your Hostgator account and delete all files under the “~/.ssh” directory except the “authorized_keys” file. Try to SSH from your client again and hopefully you won’t need to input the password.

Using Shared SSL Certificate

SSL certificates are used to encrypt the web traffic between your browser and the server. On your browser, the URL will start with “https” (instead of the unsecured “http”), with perhaps a lock icon visible, when SSL is in use. Normally, you would buy a SSL certificate that is linked directly to your domain name; if the domain name doesn’t match the name in the SSL certificate, the browser would display a warning. Purchasing a SSL certificate can be expensive because you must renew it every year; for example, a SSL certificate costs $69/year from GoDaddy.

Hostgator provides a free shared SSL certificate for your use. It is less secure than your own personal SSL certificate because it is shared by all accounts hosted on the same Hostgator server. (Conceivably, another account holder on the same Hostgator server could decrypt the encrypted web traffic to your server, but that requires a lot of know-how and a ton of trouble.)

Because the shared SSL certificate is tied to the Hostgator server’s hostname, you cannot use it when browsing to your domain name. Instead, you would browse to the Hostgator server’s hostname with a relative path to your username, which corresponds to your primary domain website directory.

https://secureXXXX.hostgator.com/~myusername/

To find the hostname of the Hostgator server which your account is hosted on, do the following:

  1. Browse to Hostgator’s cPanel interface using “http://mydomainname/cpanel”.
  2. Log in using your Hostgator administrative username and password.
  3. Look for the “Account Information” panel in the bottom-left corner.
  4. The “Server Name” field contains your hosted server’s hostname (ex: “gator3141”). To get the secured hostname, replace “gator” with “secure” (ex: “secure3141.hostgator.com”).

Instead of using the cryptic secured URL above, you can create a more friendly redirect from your website. You could browse to your domain name and automatically be redirected to the secured URL. I don’t recommend redirecting from your website’s root address (unless that is what you want); instead, I suggest creating a directory called “secure” under the website’s root directory, which will hosts the content to be accessed by SSL.

To create the redirect, SSH into your Hostgator account and create a file with this path and name, “~/www/secure/.htaccess”, and the following content:

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} register
RewriteRule ^(.*)$ https://secureXXXX.hostgator.com/~myusername/secure/$1 [R,L]

Please make sure that the “.htaccess” file has 644 permission. When you browse to any file under “http://mydomainname/secure/”, you will be redirected to “https://secureXXXX.hostgator.com/~myusername/secure/”.

If you wish to use SSL with an add-on or sub domain, just append the add-on or sub domain name to the end of the secured URL:

https://secureXXXX.hostgator.com/~myusername/mysubdomainname.com/

Some info above derived from How can I force users to access my page over HTTPS instead of HTTP?.

No Comments

File Upload With PHP

Internet No Comments

I recently needed to handle a file upload using PHP and was pleasantly surprised by how easy it was. I am sharing my file upload test script below.

Create a file named “upload.php” with the following content:

<?php

{
  // Handle GET or POST
  if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    processRequest();
  } else { // GET
    showForm();
  }
}

// GET Handler
function showForm() {
?>
<html>
<body>

<form action="upload.php" method="post" enctype="multipart/form-data" >
<label for="file">Filename:</label><input type="file" name="file" id="file"/><br>
<input type="submit" value="Upload File"/>
</form>

</body>
</html>
<?php
}

// POST Handler
function processRequest() {
  // Check for file upload errors
  if ($_FILES["file"]["error"] > 0) {
    echo "Error on File Upload: error code " . $_FILES["file"]["error"] . "<br>";
    return;
  }

  // Successful upload
  echo "Success on File Upload: Filename: " . $_FILES["file"]["name"] .
    ", Type: " . $_FILES["file"]["type"] .
    ", Size: " . ($_FILES["file"]["size"] / 1024) . " kB" .
    ", Location: " . $_FILES["file"]["tmp_name"] . "<br>";

  // Open the uploaded file (which will be deleted after this script ends)
  $file = fopen($_FILES["file"]["tmp_name"], "r");
  if (!$file) {
    echo "Error on File Read: Unable to open " . $_FILES["file"]["tmp_name"] . "<br>";
    return;
  }

  // Insert your code to consume the file content here!

  fclose($file);
  echo "Success on File Read: Opened and closed " . $_FILES["file"]["tmp_name"] . "<br>";
}

?>

To test, put this PHP file on your web server and browse to it.

Portions of the code above were sourced from W3Schools’ PHP File Upload page.

No Comments

Prevent Google And Youtube From Tracking You

Internet No Comments

google+tubeHave you ever noticed that Youtube’s initial page shows videos that are related to those that you have viewed in the past? While one could argue that it is convenient, I am a bit disturbed that Youtube remembers my past viewing history. Worse, now that Google has purchased Youtube, that viewing history is tied to my user account (which includes Gmail and Google+). I just don’t feel comfortable allowing Google and Youtube to track my searching and viewing habits. Thankfully, there are ways to disable the tracking function.

Note: If you have trouble getting any Youtube functions like adding/deleting channels to work (ex: the page would freeze), make sure to allow third-party cookies on your browser.

Because Google has not fully integrated with Youtube, there are three separate settings that we need to turn off: prevent Google from recording web searches, prevent Youtube from recording video searches, and prevent Youtube from remembering videos watched.

Prevent Google From Recording Web Searches

  1. Browse to Google’s Web History Settings page. Sign into Google if you need to.
  2. Click the “delete all” link in the paragraph to clear the search history. To confirm, click the “Delete all” button.
  3. Click the “Turn off” button to disable web history. The related text will change to “Web History is off”.

Prevent Youtube From Recording Video Searches

  1. Browse to Youtube’s My Search History page.
  2. Click the “Clear all search history” button to delete any remembered video searches. To confirm, click the “Clear all search history” button in the popup window.
  3. Click the “Search History” link again and click the “Pause search history” button to disable recording video searches.

Prevent Youtube From Recording Watched Videos

  1. Browse to Youtube’s Watch History page.
  2. Click the “Clear all watch history” button to delete all the remembered watched videos. To confirm, click the “Clear all watch history” button in the popup window.
  3. Click the “Pause watch history” to prevent Youtube from remembering the videos that you watch.

Doing the above will preserve your privacy. Below are additional security measures concerning Youtube and Google+ which you might want to take.

Keep Youtube Likes And Subscriptions Private

  1. Browse to Youtube’s Account Settings page.
  2. Click the Privacy link on the left.
  3. On the right content pane, check both of these options, “Keep all my likes private” and “Keep all my subscriptions private”.
  4. Click the Save button on the top-right to commit your changes.

Disconnect Youtube From Google+

Unfortunately and all too easily, Google will create a Google+ profile for you, a Youtube account for you, a Youtube public channel for you, and link that Youtube channel to your Google+ profile. All you have to do is to click the wrong Google link or browse to the wrong Google page while signed in. Here’s how to undo some of the damage.

google_productsDetermine if you have a Google+ profile and whether a Youtube channel is connected to it or not:

  1. Browse to Google’s Account page Click the “Sign In” button if you are not already logged in.
  2. Click the Products link to the left to view all the Google products your account is using.
  3. If you see a Google+ product icon, then you have a Google+ profile. (If you don’t see the Google+ product icon, then the rest of these instructions are unnecessary.)
  4. Click the Google+ product icon to go to your Google+ account.
  5. On the Google+ account page, there is a drop-down list on the top-left that is labeled Home. Click the drop-down list and select Profile to see your profile.
  6. Under the photo banner, you will see a horizontal list of links starting with the About link. If you see a Youtube link, then your Google+ profile has a Youtube channel connected.

Strangely, the above is not valid for a Google/Youtube identity attached to your Google account which has a linked Google+ page (different from a Google+ profile). That is, the Google+ product icon won’t be visible even if an associated identity has a Google+ page. Supposedly, if you create a Youtube channel with a name different than your suggested Google account name (using the “business or other name” option), Google will create a new identity with a Youtube channel attached to a Google+ page. When you sign into Youtube, Youtube will ask you which identity to use with a “Use Youtube as…” prompt. You can delete the Google+ page only after deleting the Youtube channel; Google does not allow you to unlink a Google+ page from its associated Youtube channel.

Disconnect your Youtube channel from Google+ (to remove the Youtube link from your Google+ profile):

  1. Browse to Youtube’s Account Settings page.
  2. Near the top-middle is your profile with photo and email address. If you don’t see a “Return name to… and disconnect Google+ profile” link next to your profile info, then do the following:
    • Click the Advanced link next to your profile info.
    • Note: If you see a “Delete channel” button near the bottom-middle of the Advanced page, then your Youtube channel is not associated with your Google+ profile. In this case, you don’t need to do anything further. (The “Delete channel” button would not be visible if the Youtube channel is associated to a Google+ profile.)
    • Under “Channel settings”, click the “Create custom URL” link.
    • Input a custom name. If you plan to keep the public Youtube channel even after disconnecting it from Google+, you will want to carefully select an appropriate name. Otherwise, you can just input a random string of letters and numbers.
    • Click the “Create Channel URL” button.
    • When you click the Overview link again, you should now see the “Return name to… and disconnect Google+ profile” link.
  3. Click the “Return name to… and disconnect Google+ profile” link. Click the OK button to confirm.
  4. Click the Overview link again. You will see a new “Link channel with Google+” link on the right of your profile info.

Delete Youtube Channel

  1. Browse to Youtube’s Advanced Account Settings page.
  2. Click the “Delete channel” button. To confirm, click the “Delete channel” button again.
    • If you don’t see the “Delete channel” button, then your Youtube channel is connected to your Google+ profile. Follow the “Disconnect your Youtube channel from Google+” steps above to disconnect your Youtube channel.
    • If you are using an alternate Google identity when signed into Youtube, you will see the “Delete channel” button even if there is a Google+ page attached (your Youtube overview profile info will have an “Edit on Google+” link next to the channel name). You cannot disconnect the Youtube channel from the Google+ page. You will need to delete the Youtube channel first before you can delete the Google+ page.
    • If you see an error message, “You have either created this channel or closed another account too recently, please try again later”, when attempting to delete the Youtube channel, wait 24 hours and try again.

Unfortunately, there is no way to delete the Youtube account without deleting your Google account. However, there is a way to delete the Google+ profile.

Delete Google+ Profile

  1. Browse to Google’s Account page.
  2. Click the “Delete profile and remove related Google+ features” link at the bottom-middle.
  3. Check the two options at the bottom, “Also unfollow me from anyone I am following in other Google products” and “Required: I understand that deleting this service can’t be undone and the data I delete can’t be restored”.
  4. Click the “Remove selected services” button.
  5. If you go back to view the list of Google products attached to your account, you will no longer see the Google+ product icon.

Delete Google+ Page

  1. Note: You must delete the Youtube channel linked to the Google+ page before you can delete the Google+ page.
  2. Browse to the Google+ Dashboard. The top-left dropdown list will have Pages selected by default.
  3. In the middle pane, you should see your Google+ page listed. Click on the “Manage this page” button.
  4. You will be taken to the Overview for the Google+ page.
  5. Click the Settings link at the end of the top horizontal list of options. If you don’t see Settings, click on the More link and then select Settings.
  6. Click the “Delete page” link at the bottom of the Settings page.
  7. On the confirm page, check all three checkboxes and click the DELETE button.

Some info above gotten from How to Remove Your YouTube Viewing and Search History Before Google’s New Privacy Policy Takes Effect.

No Comments