DB-hub Technology Cloud Create an SSH key pair

Create an SSH key pair

2021-01-162021-01-16| sophonsophon| 0 Comment| 17:27
Categories:

Alibaba Linux instance SSH key pair

Overview

An SSH key pair is a secure and convenient authentication method provided by Alibaba Cloud for instance logon. An SSH key pair consists of a public key and a private key. You can use SSH key pairs to log on to only Linux instances.

Introduction

An SSH key pair is a pair of public and private keys that are generated based on an encryption algorithm. By default, 2048-bit RSA key pairs are used. Before you log on to a Linux instance by using an SSH key pair, you must first create the SSH key pair. You can specify an SSH key pair when you create an instance, or bind an SSH key pair to an instance after the instance is created. Then, you can use the private key to connect to the instance.
After you create an SSH key pair, take note of the following items:

  • Alibaba Cloud stores the public key of the SSH key pair. After an SSH key pair is bound to a Linux instance, the public key of the key pair is stored in the ~/.ssh/authorized_keys file.
  • You must download and securely lock away the private key. The private key is unencrypted. It is in the PKCS#8 format and Privacy-Enhanced Mail (PEM) encoded.

Benefits

Compared with username and password authentication, SSH key authentication has the following benefits:

  • Security: SSH key pairs provide higher security and reliability for logons.
    SSH key pairs are more secure than general user passwords against brute-force attacks.
    Private keys cannot be deduced even if the public keys are maliciously acquired.
  • Ease of use:
    If you configure a public key on a Linux instance, you can use the corresponding private key to run SSH commands or other tools for passwordless logons to the instance.
    You can log on to a large number of Linux instances at the same time. If you want to manage multiple Linux instances, we recommend that you use this method.

Limits

SSH key pairs have the following limits:

  • If you use an SSH key pair to log on to a Linux instance, the password logon method is disabled for higher security.
  • SSH key pairs apply only to Linux instances.
  • Currently, only RSA 2048-bit key pairs can be created in the ECS console.
  • An Alibaba Cloud account can have a maximum of 500 SSH key pairs in a region.
  • When you bind SSH key pairs to Linux instances in the ECS console, you can bind a single SSH key pair to a Linux instance. If the instance already has a key pair bound, the new key pair replaces the original one. If you want to use multiple key pairs to log on to a Linux instance, you can manually modify the ~/.ssh/authorized_keys file from within the instance to add multiple key pairs.
  • Instances of retired instance types do not support logons based on SSH key pairs. For more information, see Retired instance types.
  • If you bind an SSH key pair to or unbind an SSH key pair from an instance in the Running (Running) state, you must restart the instance for the operation to take effect. This enhances data security.

Creation methods
You can use one of the following methods to create an SSH key pair:

  • Create an SSH key pair in the ECS console. By default, the key pair is generated in the RSA 2048-bit format. For more information, see Create an SSH key pair.
    Notice If you create a key pair in the ECS console, you must download and securely lock away the private key. After the key pair is bound to an instance, you cannot log on to the instance if you do not have the private key.
  • Create an SSH key pair by using a key pair generator and then import the key pair to the ECS console. The imported key pair must support one of the following encryption methods:
    rsa
    ssh-rsa
    ssh-dss
    ecdsa
    ssh-rsa-cert-v00@openssh.com
    ssh-dss-cert-v00@openssh.com
    ssh-rsa-cert-v01@openssh.com
    ssh-dss-cert-v01@openssh.com
    ecdsa-sha2-nistp256-cert-v01@openssh.com
    ecdsa-sha2-nistp384-cert-v01@openssh.com
    ecdsa-sha2-nistp521-cert-v01@openssh.com

配置免密码登录

创建一个 SSH key

在本地主机运行:

$ ssh-keygen -t rsa -C "ted@db-hun.net"
常用参数说明:
-t: 密钥类型, 可以选择 dsa | ecdsa | ed25519 | rsa;
-f: 密钥目录位置, 默认为当前用户home路径下的.ssh隐藏目录, 也就是~/.ssh/, 同时默认密钥文件名以id_rsa开头. 如果是root用户, 则在/root/.ssh/id_rsa, 若为其他用户, 则在/home/username/.ssh/id_rsa;
-C: 指定此密钥的备注信息, 需要配置多个免密登录时, 建议携带;
-N: 指定此密钥对的密码, 如果指定此参数, 则命令执行过程中就不会出现交互确认密码的信息了.

以上代码省略了 -f 参数,运行上面的命令会让你输入一个文件名,用于保存生成的 SSH key。
也可以不输入文件名,使用默认文件名(推荐),生成 id_rsa 和 id_rsa.pub 两个秘钥文件。
接着会提示你输入两次密码,可以不输入密码,直接按回车。

公钥拷贝到阿里主机

scp id_rsa.pub username@ali_host_name_ip_address:/home/username/.ssh/

创建authorized_keys文件:

[:/home/username/.ssh]cat id_rsa.pub >> authorized_keys

文件权限

对于.ssh目录以及其内部的公钥、私钥文件, 当前用户至少要有执行权限, 其他用户最多只能有执行权限.
– 不要图省事设置成777权限: 太大的权限不安全, 而且数字签名也不支持这种权限策略.
– 对普通用户, 建议设置成600权限: chmod 600 authorized_keys id_rsa id_rsa.pub;
– 对root用户, 建议设置成644权限: chmod 644 authorized_keys id_rsa id_rsa.pub.

测试

ssh ali_username@ali_host_name_ip_address

Leave a Reply

您的邮箱地址不会被公开。 必填项已用 * 标注

Related Post