[LINUX] [SSH] About public key authentication and EC2
Introduction
There are many articles about SSH, but I just couldn't get it as an image. When I deployed AWS the other day, I had a RUNTEQ instructor explain it and interpreted it in my own way, so I will write it down. Please note that this is a memorandum, not a procedure manual. Some of the actual steps are omitted.
If such a person reads it, it may fall into dismay
--Ssh is something you can do with copy and paste. ――Why do you register your public key in various places? ――I say keys and locks, but I don't understand.
Ssh key start
local
$ cd ~/.ssh
$ ssh-keygen
This command creates ʻid_rsa and ʻid_rsa.pub in the ~ / .ssh directory (unless otherwise specified). The former is the private key and the latter is the public key.
The public key may be registered externally, but the private key is not registered. Or rather, it's dangerous if the private key is leaked.
The relationship between keys and locks
They often say that the public key is a padlock and the private key is that key. Certainly, the image that you can show the lock but not the key fits nicely, but there is no one-to-one relationship between the key and the lock.
In fact, the padlock is often duplicated. For example, I have ʻid_rsa.pub registered on GitHub and an EC2 instance. Both can be opened with ʻid_rsa.
Also, one door may have multiple padlocks. For example, my GitHub has multiple public keys registered. In this case, it can be opened with either corresponding private key.
(Addition) In the comments, you pointed out the image here.
The image of the stamp and imprint was very easy to understand, so I would appreciate it if you could refer to it.
Procedures for connecting to EC2
Create a new key pair when you create an EC2 instance. (If you already have the key, you can use it)
Save the private key (pem file) downloaded at this time under ~ / .ssh.
When you select the created instance and press the "Connect" button, the procedure will be displayed, so basically you can follow it. Thank you.
Various SSH authentication errors
I tried various things without following the procedure because it was a big deal, but I was angry so I will introduce it.
If "aws-key.pem" is not specified
local
$ cd ~/.ssh
$ ssh [email protected]
[email protected]: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
If no key is specified, authentication is performed using ʻid_rsa. "The public key of ʻid_rsa is not registered. I can't access it."
If the directory does not have "aws-key.pem"
local
$ ssh -i "aws-key.pem" [email protected]
Warning: Identity file aws-key.pem not accessible: No such file or directory.
[email protected]: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
"I don't have a file or directory with that name. I don't have the key."
If not chmod 400 aws-key.pem
local
$ ssh -i "aws-key.pem" [email protected]
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'aws-key.pem' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "aws-key.pem": bad permissions
[email protected]: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
"Let's do it! Anyone can see the secret key! I won't accept such a key !!" About permissions
If you follow the procedure
local
$ ssh -i "aws-key.pem" [email protected]
__| __|_ )
_| ( / Amazon Linux 2 AMI
___|\___|___|
https://aws.amazon.com/amazon-linux-2/
No packages needed for security; 6 packages available
Run "sudo yum update" to apply all updates.
[ec2-user@ip-10-0-11-209 ~]$ sudo yum update
If the SSH authentication is successful, you can enter the EC2 instance and it will be displayed like this.
I was told Run" sudo yum update "to apply all updates., so update yum.
Public key location
At startup, the public key content is placed in the entry in
~ / .ssh / authorized_keys. Amazon EC2 Key Pairs-Amazon Elastic Compute Cloud
So, let's actually check it.
instance
[ec2-user@ip-10-0-11-209 ~]$ cd ~/.ssh
[ec2-user@ip-10-0-11-209 .ssh]$ ls
authorized_keys
[ec2-user@ip-10-0-11-209 .ssh]$ cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyZDViLAZcA7F8N8ebO9KlYoKOFC9hlG1y7BB6/R8grwcvKRGVhVCBRrCvLIoijkDfv+NYJnCyPxPb7QWdjQ/apD6FPfdmk9fdunyFRC5IRuFwXW17TUeVnBQwnHmatW/S36ZsDJxiK3O4s+L+WuK8XEriyddEHS1xLZi8+vNaTiSmqhNdPhhP/ocdAE/yWvSQqmdmTL4/HFVqp+Hy4C3v8+sgztj+F2+vpbHMmlb8aArdTMTDKcqPryNtLEN/ib1opqJLv4zhrv7EteqtCeFR6OnQttiAO+32UD0XP2mtj9lzsskCZ1wnNwG38WJbRdgD2mM/Ap8kNx0k/4Tkg7W3 aws-key
It can be seen that the publish key that is a pair of ʻaws-key.pem is registered in ʻauthorized_keys.
Recommended settings to make in an EC2 instance
Add an editing user
It is suitable for many applications to use the default user account. However, you can choose to add a user account so that individuals can have their own files and workspaces. In addition, creating a user account for a new user is much safer than giving multiple users (including inexperienced users) access to the default user's account. Managing User Accounts on Linux Instances-Amazon Elastic Compute Cloud
ʻEc2-user` is the default user, so create a user for editing.
instance
[ec2-user@ip-10-0-11-209 ~]$ sudo useradd username #username is any name
[ec2-user@ip-10-0-11-209 ~]$ sudo passwd username
Change password for user username.
new password: #Not displayed, but no problem
Please re-enter your new password:
passwd:All authentication tokens have been successfully renewed.
[ec2-user@ip-10-0-11-209 ~]$ sudo visudo #The vim editor will open, so add the username line.
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
username ALL=(ALL) NOPASSWD: ALL
[ec2-user@ip-10-0-11-209 ~]$ su - username #Switch to username
password: # 先ほど設定したpasswordを入力
[username@ip-10-0-11-209 ec2-user]$ cd ~/
You have now created an editing user, ʻusername`.
Register public key
However, as it is, the public key information is not registered in ~ / .ssh / authorized_keys of username, so it cannot be accessed directly from the outside.
Therefore, it is necessary to register the public key in ʻauthorized_keys`.
You can create a key pair for each user and add the public key information from each key pair to the
.ssh / authorized_keysfile for each user in your instance. You can then distribute the private key file to your users. This method does not require you to distribute the same private key file you are using for the AWS account root user (supplement: ʻaws-key.pem`) to multiple users. Amazon EC2 Key Pairs-Amazon Elastic Compute Cloud
instance
[username@ip-10-0-11-209 ~]$ mkdir .ssh
[username@ip-10-0-11-209 ~]$ chmod 700 .ssh
[username@ip-10-0-11-209 ~]$ touch ~/.ssh/authorized_keys
[username@ip-10-0-11-209 ~]$ chmod 600 ~/.ssh/authorized_keys
ʻAuthorized_key is created and the public key information is registered by describing the public key information in this file. [Manage User Accounts on Linux Instances-Amazon Elastic Compute Cloud](https://docs.aws.amazon.com/ja_jp/AWSEC2/latest/UserGuide/managing-users.html) has a new key in EC2 The procedure for creating it is introduced, but you can also register an existing locally created ʻid_rsa.pub.
Now you can access the instance as username next time with $ ssh -i" keyname "[email protected].
in conclusion
This is my own deformation and interpretation of what I was taught about SSH. If you find any mistakes or omissions, please let us know. Also, the EC2 instance and key pair created in this article are currently deleted.
Reference link
-Add a new user account with SSH access to your Amazon EC2 Linux instance -The original form of Amazon EC2 key pair generation -What is the difference between "su" and "su-" on Linux? (I personally have little understanding here)