Bureaucrats, confirmed, Administrators
4,558
edits
Changes
Adds sections
See the [[Using keys]] article as well
== Best Practices ==
2048 dd:54:23:d4:20:bc:f3:4c:88:a5:af:21:dd:a5:36:5d /etc/ssh/ssh_host_rsa_key.pub (RSA)
</source>
== Public Key ==
Normally, with <code>ssh-keygen -t rsa -C "you@example.com"</code> you get a (private) key file <code>id_rsa</code>, plus a (public) key denoted with the extension .pub <code>id_rsa.pub</code>. But what about formats like .pem? Amazon AWS manages access with "keypairs" and you are prompted to download the private X509 certificate file as a .pem file when you generate the keypair. Where is the public key? Amazon displays the 'fingerprint' for the file which is usually enough to identify the private file, but can you place a fingerprint in the <code>authorized_keys</code> file? If you have a private key file and want to show the public key that corresponds to it, you can do so with <code>ssh-keygen</code>
<source lang="bash">
# show me the public key that corresponds to my private id_rsa key
ssh-keygen -yf /home/greg/.ssh/id_rsa
# show me the public key that corresponds to my private pem file that I got from the Amazon AWS Console
ssh-keygen -yf /home/greg/.ssh/amazon-aws.pem
</source>
This will output something like
<pre>
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCaCu+OVCGMogx12xeX0ZzhVZWML93QCJaV4uilfIsAkizwSHFy/Q5h/JGEYc0l1wwkQ5PENMCQJhBv530h7wQsCE+maqm4lXgFyoDkWLm9N9Oa0fvLuI++WywC12V8HsKcJmDwZtf5zL1o2zB8VY3oqkD2AF/IGccip+aYo9HQ97dyXIRt9m/pFQVNwbRf0uBA0C4b8uQLB2zMCZqGYeUZX65MaplG2NthBHvxsaODX0YeRVdn9bJuujXvXmnlwzl6vF8WgGusYbumxy12QaO//onQJA9y8/gdsggL24VwgBnp4GZiNZBN18dKYL9bGuiQzHPEqfnePARd0gGksz+j
</pre>
You can then append this to the <code>/home/ubuntu/.ssh/authorized_keys</code> file on your AWS linux host to enable another key to login to the host.
== Using Multiple Keys ==
Sometimes you have so many keys, that you can be denied access even when supplying a key file with the <code>--IdentityFile</code> or <code>-i</code> option. The problem is that you would '''assume''' that <code>ssh -i /home/me/.ssh/my_private_key me@example.com</code> is directing ssh to use a specific key. That's not what's happening. Instead, it's adding that key to the list of keys that it would otherwise present to the server. That list of keys (in your ssh-agent, if running) found in your .ssh directory may well contain 3 or more. And thus, you get blocked by authentication failure (using the wrong keys) before your '''added''' key is tried. Use the somewhat misnamed option '''IdentitiesOnly''' (should be named ''ThisIdentityOnly'') to solve this problem. <code>IdentitiesOnly</code> will instruct SSH to use ONLY the keys you tell it to use.
<code>ssh -o IdentitiesOnly=true -i /home/me/.ssh/my_private_key me@example.com</code> will now work
== Reverse Tunnel ==
ubuntu@amazon:/home/ubuntu/wiki-extensions/
</source>
== Logging ==
On the server side, to see what's going on, <code>tail /var/log/auth.log</code>
[[Category:System Adminstration]]