[LINUX] [SSH] About public key authentication and EC2


There are many articles about SSH, but I just couldn't picture how it works. When I deployed to AWS the other day, a RUNTEQ instructor explained it to me, and I will write down my own interpretation here. Please note that this is a memorandum, not a procedure manual; some of the actual steps are omitted.

It may finally click for people like this:

- SSH is something you do by copying and pasting.
- Why do you register your public key in so many places?
- People talk about "keys" and "locks", but I don't get it.

Getting started with SSH keys


$ cd ~/.ssh
$ ssh-keygen

This command creates id_rsa and id_rsa.pub in the ~/.ssh directory (unless otherwise specified). The former is the private key and the latter is the public key. The public key may be registered with external services, but the private key never is. Rather, it is dangerous if the private key leaks.

The relationship between keys and locks

They often say that the public key is a padlock and the private key is the key to it. The image that you can show the lock but not the key fits nicely, but there is no one-to-one relationship between the key and the lock. In fact, the padlock is often duplicated. For example, I have id_rsa.pub registered on GitHub and on an EC2 instance; both can be opened with id_rsa. Also, one door may have multiple padlocks: my GitHub account has multiple public keys registered, and in that case it can be opened with whichever corresponding private key. (Addition) In the comments, a reader pointed me to another image for this: a stamp and its imprint. It was very easy to understand, so I recommend referring to it.

Procedures for connecting to EC2

Create a new key pair when you create an EC2 instance (if you already have a key pair, you can use it). Save the private key (pem file) downloaded at this time under ~/.ssh. When you select the created instance and press the "Connect" button, the connection procedure is displayed, so basically you can just follow it.

Various SSH authentication errors

Since I had the chance, I tried various things without following the procedure and got scolded by ssh each time, so I will introduce those errors here.

If "aws-key.pem" is not specified


$ cd ~/.ssh
$ ssh [email protected]

[email protected]: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

If no key is specified, authentication is attempted with id_rsa. "The public key of id_rsa is not registered, so you can't get in."

If the directory does not have "aws-key.pem"


$ ssh -i "aws-key.pem" [email protected]

Warning: Identity file aws-key.pem not accessible: No such file or directory.
[email protected]: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

"There is no file or directory with that name, so I have no key to use."

If you don't chmod 400 aws-key.pem


$ ssh -i "aws-key.pem" [email protected]

Permissions 0644 for 'aws-key.pem' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "aws-key.pem": bad permissions
[email protected]: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

"Hey! Anyone can read this private key! I won't accept a key like that!!" (See: About permissions)

If you follow the procedure


$ ssh -i "aws-key.pem" [email protected]

       __|  __|_  )
       _|  (     /   Amazon Linux 2 AMI

No packages needed for security; 6 packages available
Run "sudo yum update" to apply all updates.
[ec2-user@ip-10-0-11-209 ~]$ sudo yum update

If SSH authentication succeeds, you are logged in to the EC2 instance and see a banner like this. Since it says Run "sudo yum update" to apply all updates., I ran the yum update.

Public key location

At startup, the content of the public key is placed as an entry in ~/.ssh/authorized_keys. (Amazon EC2 Key Pairs - Amazon Elastic Compute Cloud)

So, let's actually check it.


[ec2-user@ip-10-0-11-209 ~]$ cd ~/.ssh
[ec2-user@ip-10-0-11-209 .ssh]$ ls
[ec2-user@ip-10-0-11-209 .ssh]$ cat authorized_keys 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyZDViLAZcA7F8N8ebO9KlYoKOFC9hlG1y7BB6/R8grwcvKRGVhVCBRrCvLIoijkDfv+NYJnCyPxPb7QWdjQ/apD6FPfdmk9fdunyFRC5IRuFwXW17TUeVnBQwnHmatW/S36ZsDJxiK3O4s+L+WuK8XEriyddEHS1xLZi8+vNaTiSmqhNdPhhP/ocdAE/yWvSQqmdmTL4/HFVqp+Hy4C3v8+sgztj+F2+vpbHMmlb8aArdTMTDKcqPryNtLEN/ib1opqJLv4zhrv7EteqtCeFR6OnQttiAO+32UD0XP2mtj9lzsskCZ1wnNwG38WJbRdgD2mM/Ap8kNx0k/4Tkg7W3 aws-key

You can see that the public key paired with aws-key.pem is registered in authorized_keys.

Recommended settings to make in an EC2 instance

Add an editing user

Using the default user account is adequate for many applications. However, you can choose to add user accounts so that individuals can have their own files and workspaces. In addition, creating a user account for a new user is much safer than giving multiple users (including inexperienced users) access to the default user's account. (Managing User Accounts on Linux Instances - Amazon Elastic Compute Cloud)

ec2-user is the default user, so create a separate user for editing.


[ec2-user@ip-10-0-11-209 ~]$ sudo useradd username  #username is any name
[ec2-user@ip-10-0-11-209 ~]$ sudo passwd username
Change password for user username.
new password:  #Not displayed, but no problem
Please re-enter your new password:
passwd:All authentication tokens have been successfully renewed.
[ec2-user@ip-10-0-11-209 ~]$ sudo visudo  #The vim editor will open, so add the username line.

  ## Allow root to run any commands anywhere
  root      ALL=(ALL)       ALL
  username  ALL=(ALL)       NOPASSWD: ALL

[ec2-user@ip-10-0-11-209 ~]$ su - username  #Switch to username
password:  # Enter the password you set earlier
[username@ip-10-0-11-209 ec2-user]$ cd ~/ 

You have now created the editing user, username.

Register public key

However, as it stands, no public key is registered in username's ~/.ssh/authorized_keys, so this user cannot be reached directly from outside. Therefore, you need to register a public key in authorized_keys.

You can create a key pair for each user and add the public key from each key pair to the .ssh/authorized_keys file of that user on your instance. You can then distribute the private key file to each user. This method does not require you to distribute the same private key file you are using for the AWS account root user (supplement: aws-key.pem) to multiple users. (Amazon EC2 Key Pairs - Amazon Elastic Compute Cloud)


[username@ip-10-0-11-209 ~]$ mkdir .ssh
[username@ip-10-0-11-209 ~]$ chmod 700 .ssh
[username@ip-10-0-11-209 ~]$ touch ~/.ssh/authorized_keys
[username@ip-10-0-11-209 ~]$ chmod 600 ~/.ssh/authorized_keys

This creates authorized_keys; the public key is registered by writing its content into this file. [Manage User Accounts on Linux Instances - Amazon Elastic Compute Cloud](https://docs.aws.amazon.com/ja_jp/AWSEC2/latest/UserGuide/managing-users.html) describes creating a new key pair on the EC2 instance, but you can also register an existing id_rsa.pub created locally. From then on you can access the instance as username with $ ssh -i "keyname" [email protected].
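As an added example (not commands from the original post), here is a POSIX shell script that performs the registration steps above for a given home directory with the 700/600 permissions the post uses, checks a private key the way the "too open" error in the earlier section does, and verifies that a private key really is the pair of an entry in authorized_keys. It assumes you run it as the target user or as root, that ssh-keygen is installed for the last function, and the accepted key-type list is an assumption.

```shell
#!/bin/sh
# Added example, not commands from the original post.
# Assumes: write access to HOME_DIR (run as that user or as root) and,
# for key_matches_authorized only, that ssh-keygen is installed.

# install_authorized_key HOME_DIR PUBKEY_LINE
# Creates HOME_DIR/.ssh (700) and authorized_keys (600) as in the post,
# then appends PUBKEY_LINE once (re-running does not duplicate it).
install_authorized_key() {
  home_dir=$1
  pubkey=$2
  case "$pubkey" in                      # key-type list is an assumption
    ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*) ;;
    *) echo "refusing: not a public key line" >&2; return 1 ;;
  esac
  mkdir -p "$home_dir/.ssh" || return 1
  chmod 700 "$home_dir/.ssh"
  touch "$home_dir/.ssh/authorized_keys"
  chmod 600 "$home_dir/.ssh/authorized_keys"
  if ! grep -qxF "$pubkey" "$home_dir/.ssh/authorized_keys"; then
    printf '%s\n' "$pubkey" >> "$home_dir/.ssh/authorized_keys"
  fi
}

# private_key_perms_ok FILE
# Returns 0 when no group/other permission bit is set; 1 when ssh would
# refuse the key with "Permissions ... are too open" (the 0644 case above).
private_key_perms_ok() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1") || return 1
  case "$mode" in
    *00) return 0 ;;
    *)   return 1 ;;
  esac
}

# key_matches_authorized PRIVKEY AUTHORIZED_KEYS
# Derives the public key from PRIVKEY (the padlock from the key) and checks
# whether its base64 blob appears in AUTHORIZED_KEYS, ignoring the comment.
key_matches_authorized() {
  blob=$(ssh-keygen -y -f "$1" | awk '{print $2}') || return 1
  [ -n "$blob" ] && grep -qF "$blob" "$2"
}
```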

In conclusion

This is my own simplification and interpretation of what I was taught about SSH. If you find any mistakes or omissions, please let me know. Also, the EC2 instance and key pair created for this article have already been deleted.

Reference link

- Add a new user account with SSH access to your Amazon EC2 Linux instance
- The original form of Amazon EC2 key pair generation
- What is the difference between "su" and "su -" on Linux? (I personally have little understanding here)
