There are many articles about SSH, but I just couldn't get it as an image. When I deployed AWS the other day, I had a RUNTEQ instructor explain it and interpreted it in my own way, so I will write it down. Please note that this is a memorandum, not a procedure manual. Some of the actual steps are omitted.
--Ssh is something you can do with copy and paste. ――Why do you register your public key in various places? ――I say keys and locks, but I don't understand.
$ cd ~/.ssh $ ssh-keygen
This command creates ʻid_rsa
and ʻid_rsa.pub in the
~ / .ssh directory (unless otherwise specified). The former is the private key and the latter is the public key.
The public key may be registered externally, but the private key is not registered. Or rather, it's dangerous if the private key is leaked.
They often say that the public key is a padlock and the private key is that key. Certainly, the image that you can show the lock but not the key fits nicely, but there is no one-to-one relationship between the key and the lock.
In fact, the padlock is often duplicated. For example, I have ʻid_rsa.pub
registered on GitHub and an EC2 instance. Both can be opened with ʻid_rsa.
Also, one door may have multiple padlocks. For example, my GitHub has multiple public keys registered. In this case, it can be opened with either corresponding private key.
(Addition) In the comments, you pointed out the image here.
The image of the stamp and imprint was very easy to understand, so I would appreciate it if you could refer to it.
Create a new key pair when you create an EC2 instance. (If you already have the key, you can use it) Save the private key (pem file) downloaded at this time under ~ / .ssh. When you select the created instance and press the "Connect" button, the procedure will be displayed, so basically you can follow it. Thank you.
I tried various things without following the procedure because it was a big deal, but I was angry so I will introduce it.
$ cd ~/.ssh $ ssh [email protected] [email protected]: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
If no key is specified, authentication is performed using ʻid_rsa
. "The public key of ʻid_rsa is not registered. I can't access it."
$ ssh -i "aws-key.pem" [email protected] Warning: Identity file aws-key.pem not accessible: No such file or directory. [email protected]: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
"I don't have a file or directory with that name. I don't have the key."
chmod 400 aws-key.pem
$ ssh -i "aws-key.pem" [email protected] @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: UNPROTECTED PRIVATE KEY FILE! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ Permissions 0644 for 'aws-key.pem' are too open. It is required that your private key files are NOT accessible by others. This private key will be ignored. Load key "aws-key.pem": bad permissions [email protected]: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
"Let's do it! Anyone can see the secret key! I won't accept such a key !!" About permissions
$ ssh -i "aws-key.pem" [email protected] __| __|_ ) _| ( / Amazon Linux 2 AMI ___|\___|___| https://aws.amazon.com/amazon-linux-2/ No packages needed for security; 6 packages available Run "sudo yum update" to apply all updates. [[email protected] ~]$ sudo yum update
If the SSH authentication is successful, you can enter the EC2 instance and it will be displayed like this.
I was told
Run" sudo yum update "to apply all updates., so update yum.
At startup, the public key content is placed in the entry in
~ / .ssh / authorized_keys. Amazon EC2 Key Pairs-Amazon Elastic Compute Cloud
So, let's actually check it.
[[email protected] ~]$ cd ~/.ssh [[email protected] .ssh]$ ls authorized_keys [[email protected] .ssh]$ cat authorized_keys ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyZDViLAZcA7F8N8ebO9KlYoKOFC9hlG1y7BB6/R8grwcvKRGVhVCBRrCvLIoijkDfv+NYJnCyPxPb7QWdjQ/apD6FPfdmk9fdunyFRC5IRuFwXW17TUeVnBQwnHmatW/S36ZsDJxiK3O4s+L+WuK8XEriyddEHS1xLZi8+vNaTiSmqhNdPhhP/ocdAE/yWvSQqmdmTL4/HFVqp+Hy4C3v8+sgztj+F2+vpbHMmlb8aArdTMTDKcqPryNtLEN/ib1opqJLv4zhrv7EteqtCeFR6OnQttiAO+32UD0XP2mtj9lzsskCZ1wnNwG38WJbRdgD2mM/Ap8kNx0k/4Tkg7W3 aws-key
It can be seen that the publish key that is a pair of ʻaws-key.pem
is registered in ʻauthorized_keys.
It is suitable for many applications to use the default user account. However, you can choose to add a user account so that individuals can have their own files and workspaces. In addition, creating a user account for a new user is much safer than giving multiple users (including inexperienced users) access to the default user's account. Managing User Accounts on Linux Instances-Amazon Elastic Compute Cloud
ʻEc2-user` is the default user, so create a user for editing.
[[email protected] ~]$ sudo useradd username #username is any name [[email protected]209 ~]$ sudo passwd username Change password for user username. new password: #Not displayed, but no problem Please re-enter your new password: passwd:All authentication tokens have been successfully renewed. [[email protected] ~]$ sudo visudo #The vim editor will open, so add the username line. ## Allow root to run any commands anywhere root ALL=(ALL) ALL username ALL=(ALL) NOPASSWD: ALL [[email protected] ~]$ su - username #Switch to username password: # 先ほど設定したpasswordを入力 [[email protected] ec2-user]$ cd ~/
You have now created an editing user, ʻusername`.
However, as it is, the public key information is not registered in
~ / .ssh / authorized_keys of username, so it cannot be accessed directly from the outside.
Therefore, it is necessary to register the public key in ʻauthorized_keys`.
You can create a key pair for each user and add the public key information from each key pair to the
.ssh / authorized_keysfile for each user in your instance. You can then distribute the private key file to your users. This method does not require you to distribute the same private key file you are using for the AWS account root user (supplement: ʻaws-key.pem`) to multiple users. Amazon EC2 Key Pairs-Amazon Elastic Compute Cloud
[[email protected] ~]$ mkdir .ssh [[email protected] ~]$ chmod 700 .ssh [[email protected] ~]$ touch ~/.ssh/authorized_keys [[email protected] ~]$ chmod 600 ~/.ssh/authorized_keys
is created and the public key information is registered by describing the public key information in this file. [Manage User Accounts on Linux Instances-Amazon Elastic Compute Cloud](https://docs.aws.amazon.com/ja_jp/AWSEC2/latest/UserGuide/managing-users.html) has a new key in EC2 The procedure for creating it is introduced, but you can also register an existing locally created ʻid_rsa.pub.
Now you can access the instance as username next time with
$ ssh -i" keyname "[email protected].
This is my own deformation and interpretation of what I was taught about SSH. If you find any mistakes or omissions, please let us know. Also, the EC2 instance and key pair created in this article are currently deleted.
-Add a new user account with SSH access to your Amazon EC2 Linux instance -The original form of Amazon EC2 key pair generation -What is the difference between "su" and "su-" on Linux? (I personally have little understanding here)