When using public and private keys to connect to an SSH server from a Linux device, where must your public key be placed before you can connect?

A key pair, consisting of a public key and a private key, is a set of security credentials that you use to prove your identity when connecting to an Amazon EC2 instance. Amazon EC2 stores the public key on your instance, and you store the private key. For Linux instances, the private key allows you to securely SSH into your instance. As an alternative to key pairs, you can use AWS Systems Manager Session Manager to connect to your instance with an interactive one-click browser-based shell or the AWS Command Line Interface (AWS CLI).

Anyone who possesses your private key can connect to your instances, so it's important that you store your private key in a secure place.

When you launch an instance, you are prompted for a key pair. If you plan to connect to the instance using SSH, you must specify a key pair. You can choose an existing key pair or create a new one. When your instance boots for the first time, the public key that you specified at launch is placed on your Linux instance in an entry within ~/.ssh/authorized_keys. When you connect to your Linux instance using SSH, to log in you must specify the private key that corresponds to the public key. For more information about connecting to your instance, see Connect to your Linux instance. For more information about key pairs and Windows instances, see Amazon EC2 key pairs and Windows instances in the Amazon EC2 User Guide for Windows Instances.

Because Amazon EC2 doesn't keep a copy of your private key, there is no way to recover a private key if you lose it. However, there can still be a way to connect to instances for which you've lost the private key. For more information, see I've lost my private key. How can I connect to my Linux instance?

You can use Amazon EC2 to create your key pairs. You can also use a third-party tool to create your key pairs, and then import the public keys to Amazon EC2.

Amazon EC2 supports ED25519 and 2048-bit SSH-2 RSA keys for Linux instances.

You can have up to 5,000 key pairs per Region.


Introduction

Public key authentication is a secure login method for SSH. Instead of a password, the procedure uses a cryptographic key pair for validation. Although using a strong password helps prevent brute force attacks, public key authentication provides cryptographic strength and automated passwordless logins.

This guide gives step-by-step instructions on how to implement public key authentication from scratch.


Prerequisites

  • Command line/terminal access with administrator privileges.
  • SSH enabled. Follow our guides to turn on SSH on Linux: Ubuntu 18.04, Debian 9 or 10.
  • A local and remote server.

Using SSH Key for authentication

The SSH public key authentication has four steps:

1. Generate a private and public key, known as the key pair. The private key stays on the local machine.

2. Add the corresponding public key to the server.

3. The server stores and marks the public key as approved.

4. The server allows access to anyone who proves the ownership of the corresponding private key.

The model assumes the private key is secured. Adding a passphrase to encrypt the private key adds a layer of security good enough for most user-based cases. For automation purposes, key management software and practices apply since the private key stays unprotected otherwise.

Generating SSH Key Pair

Generate the SSH key pair on the local server using OpenSSH. The basic instructions for Linux, macOS, and Windows are outlined below.

Linux and macOS

1. Open the terminal (CTRL+ALT+T).

2. Check for existing keys with:

ls -l ~/.ssh/id*

If there are keys already, the output lists the existing key files.

Generating new keys overwrites the current ones by default. However, stating a new name for the keys saves them to different files.

If there are no existing keys, the output indicates the folder does not exist.

3. Create the directory using the mkdir command for storing the new key pair:

mkdir ~/.ssh

4. Change the permissions to 700:

chmod 700 ~/.ssh

5. The following command starts the key generator:

ssh-keygen

The output prints out a message, indicating the command ran successfully. Next, the program asks where to save the file.

The default directory and file for key storage is /home/<username>/.ssh/id_rsa. If you have existing keys you want to keep, enter a new file name. Otherwise, press Enter to save in the default location. If any keys already exist in this location, the program overwrites the data.

6. Finally, enter a passphrase to secure the key. Press Enter and confirm the passphrase once more when requested. The passphrase is required any time you use the key for authentication.

7. Lastly, the program prints out information about where the keys are stored. The key fingerprint and a randomart image of the key are also printed to the console.

8. Confirm the keys are in the directory by checking the contents:

ls -l ~/.ssh/

The directory now contains two files:

  • id_rsa is the private key.
  • id_rsa.pub is the public key.

Windows

1. Use the Windows search box to find cmd and open the Command Prompt window.

2. In the prompt, type:

ssh-keygen

The command starts the program for generating the key pair.

3. If you set up a specific location for the keys, type in the path now. Otherwise, press Enter to save the keys in the default path.


If keys exist in this location, the output asks to confirm the overwrite. Type Y to confirm and press Enter to continue the setup.

4. Enter the passphrase to encrypt the private key. Re-enter the same passphrase and press Enter to finish generating the key pair.


Configuring one or multiple SSH/SFTP Users for Your Key

After generating a key pair, the next step is to configure the server machine for SSH and SFTP users for the key.

1. On the server machine, check if the ~/.ssh folder exists:

ls -l ~/.ssh/

If the directory is non-existent, create the folder:

mkdir ~/.ssh

Next, change the permissions with:

chmod 700 ~/.ssh

2. Create a file called authorized_keys in the ~/.ssh directory:

touch ~/.ssh/authorized_keys

Change the permissions:

chmod 600 ~/.ssh/authorized_keys

3. Next, open the authorized_keys file using a text editor. Copy the public key contents into the authorized_keys file. For multiple users and keys, copy each new key onto a new line. Save the file and close.

In Linux, use this command to copy the key automatically:

ssh-copy-id <username>@<host>

The output shows the number of keys automatically copied to the server along with further instructions.
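The server-side steps above (create ~/.ssh with mode 700, create authorized_keys with mode 600, add one key per line) can be combined into one repeatable script. This is an added example, not part of the original guide; the function names install_pubkey and perms_ok are hypothetical, and the script only accepts plain key lines without authorized_keys options.

```shell
#!/bin/sh
# Added example, not from the original guide. install_pubkey and perms_ok
# are hypothetical helper names.

# install_pubkey <home_dir> <public_key_line>
# Creates <home_dir>/.ssh (700) and authorized_keys (600), then appends the
# key only if that exact line is not already present.
install_pubkey() {
    home_dir=$1
    key_line=$2
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    # Accept only a single option-less public key line. This also rejects a
    # private key pasted by mistake ("-----BEGIN ...").
    case "$key_line" in
        *"
"*) echo "refusing multi-line input" >&2; return 2 ;;
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-nistp*\ *) ;;
        *) echo "not an OpenSSH public key line" >&2; return 2 ;;
    esac

    # Create with a restrictive umask in a subshell so the caller's umask
    # is untouched, then set the modes explicitly in case the paths existed.
    ( umask 077; mkdir -p "$ssh_dir" && touch "$auth_file" ) || return 1
    chmod 700 "$ssh_dir" && chmod 600 "$auth_file" || return 1

    # -x whole line, -F fixed string: skip the append if already authorized.
    if grep -qxF -- "$key_line" "$auth_file"; then
        return 0
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
}

# perms_ok <home_dir>: succeeds only if the modes are exactly 700 and 600.
perms_ok() {
    [ -n "$(find "$1/.ssh" -prune -perm 700 2>/dev/null)" ] &&
    [ -n "$(find "$1/.ssh/authorized_keys" -prune -perm 600 2>/dev/null)" ]
}
```

On the server, call it as install_pubkey "$HOME" "$(cat id_rsa.pub)" and then perms_ok "$HOME"; running it twice with the same key leaves a single entry in the file.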

For transferring files via SSH, multiple solutions exist:

  • Use SSHFS for Linux, macOS, or Windows
  • Use RSync as an alternative for Linux.

Logging in

After generating and copying the keys, log into your server from the local machine using the following command:

ssh <username>@<host>

Note: If you do not specify a username, SSH uses the currently logged in user.

The command brings up a prompt for entering the private key passphrase. Enter the passphrase to unlock the key.

Once verified, the command logs you into the server via SSH.

Why should you use Public Key Authentication with SSH?

Public key authentication is a safer and recommended way to connect with SSH instead of a regular password login.

Some benefits are:

  • The SSH key pair is harder to hack. Since most SSH keys are at least 1024 bits long, which is equivalent to a password with 12 characters, the connection is secure. To improve security even further, increase the number of bits when generating the keys.
  • The contents of the keys are generated using a computer algorithm, making them harder to predict.
  • Only the machine where the private key resides has access.
  • Public key authentication never shows the contents of the private key to the server. In case of server compromise, the local machine stays safe.
  • An added password to the private key adds multi-factor authentication.

Conclusion

At the end of this tutorial, you should have set up public key authentication for SSH. Whether you're accessing a remote server via SSH or using SFTP to transfer files between two locations, the key pair provides additional security.

For further details about SSH, read about the 5 Linux SSH Security Best Practices to Secure Your Systems.

When using public and private keys to connect to an SSH server where must your public key be placed?

To authenticate using SSH keys, a user must have an SSH key pair on their local computer. On the remote server, the public key must be copied to a file within the user's home directory at ~/.ssh/authorized_keys. This file contains a list of public keys, one per line, that are authorized to log into this account.

What statement regarding the SSH Secure Shell collection of protocols is accurate?

What statement regarding the SSH (Secure Shell) collection of protocols is accurate? SSH supports port forwarding. What is NOT a potential disadvantage of utilizing virtualization? Virtualization software increases the complexity of backups, making creation of usable backups difficult.

At what layer of the OSI model does the IPSec encryption protocol operate? A. application layer B. transport layer C. physical layer D. network layer

The IPsec protocol suite operates at the network layer of the OSI model. It runs directly on top of IP (the Internet Protocol), which is responsible for routing data packets.

At what layer of the OSI model does the IPSec encryption protocol operate quizlet?

Internet Protocol Security (IPSec) is both a stand-alone VPN protocol and a module that can be used with L2TP. IPSec can be used in dial-up or network-to-network connections. It operates at OSI model Layer 3 (the Network layer).