So far you've learned about Amazon EC2, and launched your first instance. During that process, you created a "key pair", but what is this exactly? You'll need it to access your instance, but why is it necessary? And what is SSH? Stay tuned, you're about to find out!
What is SSH?
Secure Shell, aka SSH, is a utility that provides the capability to log into another computer over a network. This allows you to execute commands and configure a computer remotely. SSH encrypts the authentication exchange and all traffic between the two machines, and is commonly used to access remote servers in the cloud.
SSH Keys
SSH supports authentication based on cryptographic keys, called public key authentication. Key pairs are used, each consisting of a public key and a private key. A private key that corresponds to a public key can serve as authentication to the server, and should be considered equivalent to a password. As such, it should be stored securely at all times. Public keys are stored on the server, and can be shared without compromising the private key.
Hint: Keys are typically stored in a hidden .ssh folder within a user's home folder. For example: /Users/Johnny/.ssh
When using SSH key authentication to connect to a server, the server checks whether the client can prove possession of a private key that matches one of the public keys it holds for the user logging in. If no public key on the server corresponds to the private key offered, authentication fails.
Using key pairs allows for easy and secure access to remote servers, but there are some security concerns as well. Here are some best practices:
- Key management is critical.
- Store private keys securely, and encrypt them if/when possible.
- Never share private keys.
- One key per user. Never generate a single key that is used by multiple users on a server.
- Delete keys that are no longer used, especially when a user no longer requires access.
- Keep records of who creates each key and its purpose.
It should also be noted that private keys are not stored on the server, and cannot be retrieved if you accidentally lose or delete them.
SSH Key Creation
So you've already created a pair of SSH keys when launching your EC2 instance. When doing so, EC2 automatically stored the public key on your instance's filesystem at ~/.ssh/authorized_keys in the login user's home folder, and prompted you to download the private key.
The private key is generally in the form of a .pem file. The next step is to move this file to your .ssh folder. Specifics vary depending on what OS / CLI you are running, but something like so:
$ mv ~/Downloads/your_key_name.pem ~/.ssh
You'll also need to set proper security permissions on the key file so that only you can read it. For users running macOS or Linux:
$ chmod 400 your_key_name.pem
For Windows users, this may not be necessary - first try to connect as-is. If you have trouble, something like the following (in PowerShell) should do the trick:
$ icacls.exe your_key_name.pem /reset
$ icacls.exe your_key_name.pem /grant:r "$($env:username):(r)"
$ icacls.exe your_key_name.pem /inheritance:r
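As an added example (not code from the lesson), the following POSIX shell script ties together the key-management practices listed above and the permission step just shown: it checks that a private key file is readable only by its owner, and audits an authorized_keys file for keys that lack a comment recording their owner and purpose or that appear more than once. The sample authorized_keys content and its key blobs are constructed placeholders, not real keys.

```shell
# Added example, not from the original lesson: two hygiene checks that follow
# from the best practices above. Needs only a POSIX shell, awk and ls.

# Succeed (return 0) only if the private key file is readable by its owner alone,
# e.g. mode 400 or 600. Parses `ls -l` so it behaves the same on Linux and macOS.
check_private_key_perms() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$perms" in
        -r??------) return 0 ;;   # regular file, no group/other permission bits
        *)          return 1 ;;
    esac
}

# Summarise an authorized_keys file, one line per key: its type, the comment that
# should record who owns it and why, plus flags for missing comments and duplicates.
audit_authorized_keys() {
    awk '
    /^[[:space:]]*#/ || NF == 0 { next }          # skip comments and blank lines
    {
        # Options such as from="..." or no-pty may precede the key type,
        # so locate the first field that looks like one.
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(ssh-|ecdsa-sha2-|sk-)/) break
        if (i > NF) { printf "line %d: UNPARSEABLE\n", NR; next }
        type = $i; blob = $(i + 1); comment = ""
        for (j = i + 2; j <= NF; j++)
            comment = comment (j > i + 2 ? " " : "") $j
        flags = ""
        if (comment == "") flags = flags " NO-COMMENT"
        if (blob in seen) flags = flags " DUPLICATE-OF-LINE-" seen[blob]
        else seen[blob] = NR
        printf "line %d: %s %s%s\n", NR, type, (comment == "" ? "-" : comment), flags
    }' "$1"
}

# Constructed sample authorized_keys; the key blobs are placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS=$(cat <<'EOF'
# deploy host
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEY0001 alice@laptop deploy-2024
from="10.0.0.0/8",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEY0002
ssh-rsa AAAAB3NzaC1yc2EFAKEKEY0003 bob@desktop
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEY0001 alice-copy
EOF
)
# Stand-alone demo: audit the sample, then check the mode of a key-like file.
tmp=$(mktemp); printf '%s\n' "$SAMPLE_AUTHORIZED_KEYS" > "$tmp"
audit_authorized_keys "$tmp"
chmod 400 "$tmp"; check_private_key_perms "$tmp" && echo "mode OK: owner-only"
rm -f "$tmp"
```

Run it against your own ~/.ssh/authorized_keys on the instance to see which entries have no recorded owner; the second line of the sample shows that option prefixes are handled.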
You can also create SSH keys outside of AWS. These key pairs can then be imported for use in Amazon EC2, or used by any of the multitude of other services that can utilize SSH keys for authentication (GitHub, Google Cloud, Digital Ocean, etc).
To create a pair of SSH keys, run:
$ ssh-keygen -m PEM
Choose a path/name for the key pair, and optionally add a passphrase. This adds another level of security to the key. Once complete, you will find two files - one with the .pub extension is your public key, which you will upload to servers - and the other being your private key.
Hint: For Windows users having trouble, make sure OpenSSH is installed. Open Settings, select Apps > Apps & Features, then select Optional Features. Scan the list to see if OpenSSH Client is already installed. If not, at the top of the page, select Add a feature, find OpenSSH Client, then click Install.
Connecting With SSH
Now that your SSH key is in the proper location, with appropriate permissions applied, you can use it to connect to your EC2 instance. The basic syntax for connecting to a server with public key authentication is as follows:
$ ssh -i "your_key_name.pem" username@host_address
EC2 makes this step easy and provides a neatly generated command that includes your key name, username, and host address. To access this, select your instance, then click the Connect button. Now choose the SSH client tab. At the bottom, you'll see your personalized ssh command. Click the button to copy it to your clipboard.
Open your terminal and navigate to your .ssh folder (where your private key is located). Now simply paste and run the command. The first time you connect to a server, ssh will prompt you to confirm the server's identity. The fingerprint it shows is a short hash of the server's own host public key (a key belonging to the server, separate from your key pair); on most Amazon-provided AMIs the instance writes its host key fingerprints to the system log, which you can view from the EC2 console and compare against the prompt.
Since this pair of SSH keys was generated inside Amazon EC2, and your ssh command was copied directly from the EC2 dashboard, you can trust that this server is legitimate. Answering yes will store the server's fingerprint in your .ssh/known_hosts file, and ssh will not ask you about this server again unless the fingerprint changes.
And with that, you should now be logged in to your instance!
Summary: SSH Key Creation
- Secure Shell, aka SSH, is a utility that can log into another computer over a network.
- SSH supports authentication based on cryptographic keys, called public key authentication.
This lesson was an introduction to SSH, key creation, and how to use SSH to connect to your deployment servers. Now that you've successfully logged in remotely, it's time to learn about Linux package management and how to install software packages that will support your deployment.