Jul 30, 2015 RSA is the only recommended choice for new keys, so this guide uses 'RSA key' and 'SSH key' interchangeably. Key-based authentication uses two keys, one 'public' key that anyone is allowed to see, and another 'private' key that only the owner is allowed to see.
Generating SSH key pair consists of two basic phases. The first phase is generating the key pair on the local side, the second phase is copying it to the remote host, registering in the server and configuring the ssh daemon to make it useful. A key pair consists of two files, id_rsa and id_rsa.pub which are private and public keys respectively. The public key resides on the server side, whereas the private key is used when accessing it over SSH protocol.
In the following example ssh-keygen command is used to generate the key pair. When generating the key pair, the command prompt asks a name for a key, if it’s omitted the default name – id_rsa is used instead.
Once the key pair is generated on the local side through terminal window, the next step is to prepare them for employing for authentication purpose. The most convenient way to upload and register the public key in the server is using the ssh-copy-id command, what it does is copy the public key to the given user account located in the given host. As seen in the following example when the ssh-copy-id, username, the host name along with the password are all given the public key is copied and registered on the server side. If the username is root, the public key is uploaded to /root/.ssh/ on the server.
That being said, the server still isn’t protected with the SSH key pair as it’s not configured properly. Anyone can still access to the server if the password of the user account is known; hence the password has to be disabled while enabling the key pair verification. To disable the password authentication, edit /etc/ssh/sshd_config file where the settings for the SSH daemon are contained. In the file, the PasswordAuthentication has to be altered to NO, ChallengeResponseAuthentication should be altered to No as well. As the next step the sshd daemon has to be restarted for changes to take effect, which can be done with sudo systemctl reload sshd. Finally, the new key pair authentication method can be tested by giving ssh username@username in the terminal window.
The key pair is a part of the SSH standard which is used to connect to a remote host over an unsecured network. As stated earlier, the key pair consists of two keys – public and private keys which are uploaded to the server side and kept on the client side respectively. The public key is denoted by .pub extension, and the private key doesn’t have any extension.
When the user is accessing the server, the SSH daemon installed on the server side requests the user for the SSH private key, if it’s provided the private key is compared against the public key in the server. If the private key corresponds to the public key, authentication is successful, otherwise it rejects the login request. By default, the key pair uses RSA which is a cryptographic algorithm to generate the keys. But there are other popular algorithms as well, such as DSA and ECDSA.
ssh-keygen is used to generate keys and it provides a number of options to ease the key pair management, tighten the security and increase the flexibility. The following options are some of the prominent options which may come handy when managing a server.
The Passphrase option is used to provide a secondary protection when a key pair is used to authenticate the user. What it does is to secure the private key with a password and consequently the user is required to provide the passphrase when logging in to the remote host. It asks during the key pair creation.
Bit strength refers to the key pair’s key size which defines how strong the key pair is. Nowadays the standard size is 2048 bits, but it used to be 1024 bits and is no longer acceptable as it’s speculated that many powerful hardware are capable of cracking anything up to 1024 bits or even above given the right amount of time. Fortunately, ssh-keygen currently supports higher bit strength values such as 2048 and its next fashionable number 4096 which is recommended if it’s possible due to the large bit strength. The bit strength value can be adjusted with –b command, if it’s omitted the default value – 1024 or 2048 depending on the ssh-keygen is used.
Commenting is applicable to the public key, and is useful in organizing the keys if there are a large number of keys involved. The typical usage of commenting is when multiple admins use a server, but still want to distinguish one key from another. The following format is used to add a comment when generating a key pair.
Like adding a passphrase when generating a key pair, the existing passphrase can also be changed. Since the passphrase is applicable to the private key which resides on the client side, the command has to be executed on the client side along with the name of the private key. This option takes 3 parameters, old password, new password and the private key to apply the changes.
The Algorithm defines how the information in the key pair is encrypted in order to verify each other when the connection is being established. Ssh-keygen supports several popular algorithm types which are RSA, ECDSA, DSA, ED25519 and RSA1. Nowadays the popular algorithm among many servers is RSA due to its wide spread usage and relatively good security, however it’s currently being upgraded to the newer version ECDSA which is much lighter, and has a low bit value with a high security compared to RSA. ED25519 is the newest version among these, and therefore not many clients support it, but still server side implementation is possible at the moment. DSA is the oldest version among all these algorithms, and is no longer employed in most of the hosts as it’s not secure anymore. According to OpenSSH 7 standard the support for DSA will no longer be given. The format to use the algorithm is as following.
I want to add new user accounts that can connect to my Amazon Elastic Compute Cloud (Amazon EC2) Linux instance using SSH. How do I do that?
Every Amazon EC2 Linux instance launches with a default system user account with administrative access to the instance. If multiple users require access to the instance, it's a security best practice to use separate accounts for each user.
You can expedite these steps by using cloud-init and user data. For more information, see How can I give a user permissions to connect to my EC2 Linux instance using SSH?
Create a key pair for the new user account
Add a new user to the EC2 Linux instance
1. Connect to your Linux instance using SSH.
2. Use the adduser command to add a new user account to an EC2 instance (replace new_user with the new account name). The following example creates an associated group, home directory, and an entry in the /etc/passwd file of the instance:
Note: If you add the new_user to an Ubuntu instance, include the --disabled-password option to avoid adding a password to the new account:
3. Change the security context to the new_user account so that folders and files you create have the correct permissions:
Note: When you run the sudo su - new_user command, the name at the top of the command shell prompt changes to reflect the new user account context of your shell session.
4. Create a .ssh directory in the new_user home directory:
5. Use the chmod command to change the .ssh directory's permissions to 700. Changing the permissions restricts access so that only the new_user can read, write, or open the .ssh directory.
6. Use the touch command to create the authorized_keys file in the .ssh directory:
7. Use the chmod command to change the .ssh/authorized_keys file permissions to 600. Changing the file permissions restricts read or write access to the new_user.
Retrieve the public key for your key pair
Retrieve the public key for your key pair using the method that applies to your configuration:
Verify your key pair's fingerprint
After you import your own public key or retrieve the public key for your key pair, follow the steps at Verifying Your Key Pair's Fingerprint.
Update and verify the new user account credentials
After you retrieve the public key, use the command shell session that is running under the context of the new user account to confirm that you have permission to add the public key to the .ssh/authorized_keys file for this account:
1. Run the Linux cat command in append mode:
2. Paste the public key into the .ssh/authorized_keys file and then press Enter.
Note: For most Linux command line interfaces, the Ctrl+Shift+V key combination pastes the contents of the clipboard into the command line window. For the PuTTY command line interface, right-click to paste the contents of the clipboard into the PuTTY command line window.
3. Press and hold Ctrl+d to exit cat and return to the command line session prompt.
(Optional) Allow the new user to use sudo
Note: If you don't want to allow the new user to use sudo, proceed to Verify that the new user can use SSH to connect to the EC2 instance.
1. Use the passwd command to create a password for the new user:
Note: You're prompted to reenter the password. Enter the password a second time to confirm it.
2. Add the new user to the correct group.
For Amazon Linux, Amazon Linux 2, RHEL, and CentOS:
Use the usermod command to add the user to the wheel group.
For Ubuntu:
Use the usermod command to add the user to the sudo group.
Verify that the new user can use SSH to connect to the EC2 instance
1. Verify that you can connect to your EC2 instance when using ssh as the new_user by running the following command from a command line prompt on your local computer:
To connect to your EC2 Linux instance using SSH from Windows, follow the steps at Connecting to Your Linux Instance from Windows Using PuTTY.
2. After you connect to your instance as the new_user by using SSH, run the id command from the EC2 instance command line to view the user and group information created for the new_user account:
APB ReloadedBattlefield: Bad Company 2BorderlandsCall of Duty Black OpsCall of Duty Modern Warfare 3Condition ZeroCounter-StrikeCounter-Strike: Global OffensiveCounter-Strike: SourceDay of Defeat: SourceDC Universe OnlineDead IslandDeus Ex – Human RevolutionDota 2Dungeon DefendersEmpire: Total WarFallen EarthFallout New VegasFootball Manager 2012Garry’s ModHalf-Life 2Killing FloorLeft 4 Dead 2Mass EffectMass Effect 2Max Payne 3Napoleon: Total WarPortalPortal 2Realm of the Mad GodRIFTPlants vs. Killing floor steam key generator. ZombiesSaints Row the ThirdSid Meier’s Civilization VSpiral KnightsStar Trek OnlineStronghold KingdomsTerrariaThe Elder Scrolls V: SkyrimThe Sims 3Total War SHOGUN 2.
The id command returns information similar to the following:
3. Distribute the private key file to your new user.
Anything we could improve?
Need more help?