Introduction
SSH, or secure shell, is an encrypted protocol used to administer and communicate with servers. When working with an Ubuntu server, chances are you will spend most of your time in a terminal session connected to your server through SSH.
In this guide, we’ll focus on setting up SSH keys for a vanilla Ubuntu 16.04 installation. SSH keys provide an easy, secure way of logging into your server and are recommended for all users.
Step 1 — Create the RSA Key Pair
The first step is to create a key pair on the client machine (usually your computer):
By default `ssh-keygen` will create a 2048-bit RSA key pair, which is secure enough for most use cases (you may optionally pass in the `-b 4096` flag to create a larger 4096-bit key):

$ ssh-keygen -t rsa

I recommend entering a passphrase so that if someone steals your key, they still cannot use it. This key, found in `~/.ssh/id_rsa.pub`, can now be added to the `~/.ssh/authorized_keys` file on the servers you want to log into.
After entering the command, you should see the following output:
Press ENTER to save the key pair into the `.ssh/` subdirectory in your home directory, or specify an alternate path.

If you had previously generated an SSH key pair, you may see the following prompt:
If you choose to overwrite the key on disk, you will not be able to authenticate using the previous key anymore. Be very careful when selecting yes, as this is a destructive process that cannot be reversed.
You should then see the following prompt:
Here you optionally may enter a secure passphrase, which is highly recommended. A passphrase adds an additional layer of security to prevent unauthorized users from logging in. To learn more about security, consult our tutorial on How To Configure SSH Key-Based Authentication on a Linux Server.
You should then see the following output:
You now have a public and private key that you can use to authenticate. The next step is to place the public key on your server so that you can use SSH-key-based authentication to log in.
Step 2 — Copy the Public Key to Ubuntu Server
The quickest way to copy your public key to the Ubuntu host is to use a utility called `ssh-copy-id`. Due to its simplicity, this method is highly recommended if available. If you do not have `ssh-copy-id` available to you on your client machine, you may use one of the two alternate methods provided in this section (copying via password-based SSH, or manually copying the key).

Copying Public Key Using ssh-copy-id
The `ssh-copy-id` tool is included by default in many operating systems, so you may have it available on your local system. For this method to work, you must already have password-based SSH access to your server.

To use the utility, you simply need to specify the remote host that you would like to connect to and the user account that you have password SSH access to. This is the account to which your public SSH key will be copied.
The syntax is:
You may see the following message:
This means that your local computer does not recognize the remote host. This will happen the first time you connect to a new host. Type “yes” and press ENTER to continue.

Next, the utility will scan your local account for the `id_rsa.pub` key that we created earlier. When it finds the key, it will prompt you for the password of the remote user’s account:

Type in the password (your typing will not be displayed for security purposes) and press ENTER. The utility will connect to the account on the remote host using the password you provided. It will then copy the contents of your `~/.ssh/id_rsa.pub` key into a file in the remote account’s home `~/.ssh` directory called `authorized_keys`.

You should see the following output:

At this point, your `id_rsa.pub` key has been uploaded to the remote account. You can continue on to Step 3.

Copying Public Key Using SSH
If you do not have `ssh-copy-id` available, but you have password-based SSH access to an account on your server, you can upload your keys using a conventional SSH method.

We can do this by using the `cat` command to read the contents of the public SSH key on our local computer and piping that through an SSH connection to the remote server. On the other side, we can make sure that the `~/.ssh` directory exists and has the correct permissions under the account we’re using.

We can then output the content we piped over into a file called `authorized_keys` within this directory. We’ll use the `>>` redirect symbol to append the content instead of overwriting it. This will let us add keys without destroying previously added keys.
The full command looks like this:
You may see the following message:
This means that your local computer does not recognize the remote host. This will happen the first time you connect to a new host. Type “yes” and press ENTER to continue.
Afterwards, you should be prompted to enter the remote user account password:
After entering your password, the content of your `id_rsa.pub` key will be copied to the end of the `authorized_keys` file of the remote user’s account. Continue on to Step 3 if this was successful.

Copying Public Key Manually
If you do not have password-based SSH access to your server available, you will have to complete the above process manually.
We will manually append the content of your `id_rsa.pub` file to the `~/.ssh/authorized_keys` file on your remote machine.

To display the content of your `id_rsa.pub` key, type this into your local computer:

You will see the key’s content, which should look something like this:
Access your remote host using whichever method you have available.
Once you have access to your account on the remote server, you should make sure the `~/.ssh` directory exists. This command will create the directory if necessary, or do nothing if it already exists:

Now, you can create or modify the `authorized_keys` file within this directory. You can add the contents of your `id_rsa.pub` file to the end of the `authorized_keys` file, creating it if necessary, using this command:

In the above command, substitute the `public_key_string` with the output from the `cat ~/.ssh/id_rsa.pub` command that you executed on your local system. It should start with `ssh-rsa AAAA...`.

Finally, we’ll ensure that the `~/.ssh` directory and `authorized_keys` file have the appropriate permissions set:

This recursively removes all “group” and “other” permissions for the `~/.ssh/` directory.

If you’re using the `root` account to set up keys for a user account, it’s also important that the `~/.ssh` directory belongs to the user and not to `root`:

In this tutorial our user is named sammy, but you should substitute the appropriate username into the above command.
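The server-side steps of this section (create `~/.ssh`, append the key line, strip group/other permissions, fix ownership) collected into one script, added here as an example and not part of the original tutorial. It goes a little beyond the commands above: it appends a key only once, so re-running it never duplicates lines in `authorized_keys`, and it refuses input that does not look like an OpenSSH public key line (a pasted private key, for instance). The home directory and key string used in the demo are constructed placeholders, and the permission checks assume GNU `stat`, i.e. a Linux host such as the Ubuntu server in the tutorial.

```bash
#!/bin/sh
# Added example, not part of the tutorial: the server-side half of Step 2 as an
# idempotent function. It mirrors the manual commands (mkdir -p ~/.ssh,
# echo public_key_string >> ~/.ssh/authorized_keys, chmod -R go= ~/.ssh,
# chown -R sammy:sammy ~/.ssh) but appends a key only once and rejects input
# that is not an OpenSSH public key line.

# install_authorized_key HOME_DIR KEY_LINE [OWNER]
install_authorized_key() {
    home_dir=$1
    key_line=$2
    owner=$3

    # An OpenSSH public key line is "<type> <base64 blob> [comment]"; refusing
    # anything else catches a pasted private key or a stray shell prompt.
    case $key_line in
        ssh-rsa\ AAAA*|ssh-ed25519\ AAAA*|ecdsa-sha2-nistp*\ AAAA*) ;;
        *) echo "refusing: not an OpenSSH public key line" >&2; return 1 ;;
    esac

    old_umask=$(umask)
    umask 077                     # new files and dirs get no group/other bits
    mkdir -p "$home_dir/.ssh" || { umask "$old_umask"; return 1; }
    auth="$home_dir/.ssh/authorized_keys"
    touch "$auth"
    umask "$old_umask"

    # The tutorial's `>>` appends unconditionally; re-running it would pile up
    # duplicate lines, so append only when this exact line is absent.
    if ! grep -qxF -- "$key_line" "$auth"; then
        printf '%s\n' "$key_line" >> "$auth"
    fi

    chmod -R go= "$home_dir/.ssh"  # same as the tutorial's permission fix
    # When run as root on behalf of another user, hand the directory over so
    # it belongs to that user and not to root, as the tutorial requires.
    if [ -n "$owner" ]; then
        chown -R "$owner" "$home_dir/.ssh" || return 1
    fi
}

# Small helpers for inspecting the result (GNU stat, i.e. Linux, assumed).
mode_of() { stat -c '%a' "$1"; }
key_count() { grep -c . "$1/.ssh/authorized_keys"; }

# Demo run against a constructed home directory and a made-up key.
demo_home=$(mktemp -d)
demo_key='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedDemoKeyNotReal sammy@laptop'
install_authorized_key "$demo_home" "$demo_key"
install_authorized_key "$demo_home" "$demo_key"   # second run is a no-op
echo "keys: $(key_count "$demo_home"), .ssh mode: $(mode_of "$demo_home/.ssh"), file mode: $(mode_of "$demo_home/.ssh/authorized_keys")"
rm -rf "$demo_home"
```

Run it as the target user against that user's home directory (or as root with a third argument such as `sammy:sammy`); the `umask 077` guarantees the directory and file never spend a moment world-readable before the final `chmod`.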
We can now attempt passwordless authentication with our Ubuntu server.
Step 3 — Authenticate to Ubuntu Server Using SSH Keys
If you have successfully completed one of the procedures above, you should be able to log into the remote host without the remote account’s password.
The basic process is the same:
If this is your first time connecting to this host (if you used the last method above), you may see something like this:
This means that your local computer does not recognize the remote host. Type “yes” and then press ENTER to continue.

If you did not supply a passphrase for your private key, you will be logged in immediately. If you supplied a passphrase for the private key when you created the key, you will be prompted to enter it now (note that your keystrokes will not display in the terminal session for security). After authenticating, a new shell session should open for you with the configured account on the Ubuntu server.
If key-based authentication was successful, continue on to learn how to further secure your system by disabling password authentication.
Step 4 — Disable Password Authentication on your Server
If you were able to log into your account using SSH without a password, you have successfully configured SSH-key-based authentication to your account. However, your password-based authentication mechanism is still active, meaning that your server is still exposed to brute-force attacks.
Before completing the steps in this section, make sure that you either have SSH-key-based authentication configured for the root account on this server, or preferably, that you have SSH-key-based authentication configured for a non-root account on this server with `sudo` privileges. This step will lock down password-based logins, so ensuring that you will still be able to get administrative access is crucial.

Once you’ve confirmed that your remote account has administrative privileges, log into your remote server with SSH keys, either as root or with an account with `sudo` privileges. Then, open up the SSH daemon’s configuration file:

Inside the file, search for a directive called `PasswordAuthentication`. This may be commented out. Uncomment the line and set the value to “no”. This will disable your ability to log in via SSH using account passwords:

Save and close the file when you are finished by pressing CTRL + X, then Y to confirm saving the file, and finally ENTER to exit nano. To actually implement these changes, we need to restart the `sshd` service:

As a precaution, open up a new terminal window and test that the SSH service is functioning correctly before closing this session:
Once you have verified your SSH service, you can safely close all current server sessions.
The SSH daemon on your Ubuntu server now only responds to SSH keys. Password-based authentication has successfully been disabled.
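The `PasswordAuthentication` edit from this step done programmatically and then verified, added here as an example that is not part of the original tutorial. It handles the three states the file can be in (directive commented out, set to yes, or absent) and leaves any `Match` block alone, since a `Match` block may deliberately set its own value. The sample `sshd_config` is constructed for the demo; on a real host the file is `/etc/ssh/sshd_config`, and you would run `sshd -t` to validate the syntax before restarting the service.

```bash
#!/bin/sh
# Added example, not part of the tutorial: Step 4's sshd_config edit as a
# repeatable function plus a check of the effective value.

# disable_password_auth CONFIG_FILE : rewrite in place, idempotently.
disable_password_auth() {
    cfg=$1
    tmp="$cfg.tmp.$$"
    awk '
        # Put the hardened value first: for global options sshd uses the first
        # value it reads, so later stray lines cannot override it.
        BEGIN { print "PasswordAuthentication no" }
        # Everything after a Match line belongs to that block; those lines
        # are left alone because a Match block may legitimately re-enable
        # passwords for a specific user or group.
        tolower($1) == "match" { in_match = 1 }
        # In the global section drop old copies, active or commented out,
        # so the file has one authoritative line instead of a confusing mix.
        !in_match && tolower($1) ~ /^#?passwordauthentication$/ { next }
        { print }
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# password_auth_setting CONFIG_FILE : prints the effective global value
# ("yes" is sshd's default when the directive is missing).
password_auth_setting() {
    awk '
        tolower($1) == "match" { exit }          # global section ends here
        tolower($1) == "passwordauthentication" { print tolower($2); found = 1; exit }
        END { if (!found) print "yes" }
    ' "$1"
}

# Demo on a constructed sshd_config (not a real server's file).
demo=$(mktemp)
printf '%s\n' \
    'Port 22' \
    '#PasswordAuthentication yes' \
    'PubkeyAuthentication yes' \
    'Match User legacy' \
    '    PasswordAuthentication yes' > "$demo"
echo "before: $(password_auth_setting "$demo")"
disable_password_auth "$demo"
echo "after:  $(password_auth_setting "$demo")"
cat "$demo"
rm -f "$demo"
```

After the rewrite, `password_auth_setting` should report `no` and the file should carry exactly one global `PasswordAuthentication` line at the top, with the `Match` block's own line still in place below it.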
Conclusion
You should now have SSH-key-based authentication configured on your server, allowing you to sign in without providing an account password.
If you’d like to learn more about working with SSH, take a look at our SSH Essentials Guide.
With a secure shell (SSH) key pair, you can create a Linux virtual machine that uses SSH keys for authentication. This article shows you how to create and use an SSH RSA public-private key file pair for SSH client connections.
If you want quick commands, see How to create an SSH public-private key pair for Linux VMs in Azure.
To create SSH keys and use them to connect to a from a Windows computer, see How to use SSH keys with Windows on Azure. You can also use the Azure portal to create and manage SSH keys for creating VMs in the portal.
Overview of SSH and keys
SSH is an encrypted connection protocol that provides secure sign-ins over unsecured connections. SSH is the default connection protocol for Linux VMs hosted in Azure. Although SSH provides an encrypted connection, using passwords with SSH connections still leaves the VM vulnerable to brute-force attacks. We recommend connecting to a VM over SSH using a public-private key pair, also known as SSH keys.
- The public key is placed on your Linux VM.
- The private key remains on your local system. Protect this private key. Do not share it.
When you use an SSH client to connect to your Linux VM (which has the public key), the remote VM tests the client to make sure it has the correct private key. If the client has the private key, it's granted access to the VM.
Depending on your organization's security policies, you can reuse a single public-private key pair to access multiple Azure VMs and services. You do not need a separate pair of keys for each VM or service you wish to access.
Your public key can be shared with anyone, but only you (or your local security infrastructure) should have access to your private key.
Supported SSH key formats
Azure currently supports SSH protocol 2 (SSH-2) RSA public-private key pairs with a minimum length of 2048 bits. Other key formats such as ED25519 and ECDSA are not supported.
SSH keys use and benefits
When you create an Azure VM by specifying the public key, Azure copies the public key (in the `.pub` format) to the `~/.ssh/authorized_keys` file on the VM. SSH keys in `~/.ssh/authorized_keys` are used to challenge the client to match the corresponding private key on an SSH connection. In an Azure Linux VM that uses SSH keys for authentication, Azure configures the SSHD server to not allow password sign-in, only SSH keys. By creating an Azure Linux VM with SSH keys, you can help secure the VM deployment and save yourself the typical post-deployment configuration step of disabling passwords in the `sshd_config` file.

If you do not wish to use SSH keys, you can set up your Linux VM to use password authentication. If your VM is not exposed to the Internet, using passwords may be sufficient. However, you still need to manage your passwords for each Linux VM and maintain healthy password policies and practices, such as minimum password length and regular updates.
Generate keys with ssh-keygen
To create the keys, a preferred command is `ssh-keygen`, which is available with OpenSSH utilities in the Azure Cloud Shell, a macOS or Linux host, and Windows 10. `ssh-keygen` asks a series of questions and then writes a private key and a matching public key.

SSH keys are by default kept in the `~/.ssh` directory. If you do not have a `~/.ssh` directory, the `ssh-keygen` command creates it for you with the correct permissions.

Basic example
The following `ssh-keygen` command generates 4096-bit SSH RSA public and private key files by default in the `~/.ssh` directory. If an SSH key pair exists in the current location, those files are overwritten.

Detailed example
The following example shows additional command options to create an SSH RSA key pair. If an SSH key pair exists in the current location, those files are overwritten.
Command explained
- `ssh-keygen` = the program used to create the keys
- `-m PEM` = format the key as PEM
- `-t rsa` = type of key to create, in this case in the RSA format
- `-b 4096` = the number of bits in the key, in this case 4096
- `-C 'azureuser@myserver'` = a comment appended to the end of the public key file to easily identify it. Normally an email address is used as the comment, but use whatever works best for your infrastructure.
- `-f ~/.ssh/mykeys/myprivatekey` = the filename of the private key file, if you choose not to use the default name. A corresponding public key file appended with `.pub` is generated in the same directory. The directory must exist.
- `-N mypassphrase` = an additional passphrase used to access the private key file.

Example of ssh-keygen
Saved key files
Enter file in which to save the key (/home/azureuser/.ssh/id_rsa): ~/.ssh/id_rsa
The key pair name for this article. Having a key pair named `id_rsa` is the default; some tools might expect the `id_rsa` private key file name, so having one is a good idea. The directory `~/.ssh/` is the default location for SSH key pairs and the SSH config file. If not specified with a full path, `ssh-keygen` creates the keys in the current working directory, not the default `~/.ssh`.

List of the ~/.ssh directory
Key passphrase
Enter passphrase (empty for no passphrase):
It is strongly recommended to add a passphrase to your private key. Without a passphrase to protect the key file, anyone with the file can use it to sign in to any server that has the corresponding public key. Adding a passphrase offers more protection in case someone is able to gain access to your private key file, giving you time to change the keys.
Generate keys automatically during deployment
If you use the Azure CLI to create your VM, you can optionally generate SSH public and private key files by running the az vm create command with the `--generate-ssh-keys` option. The keys are stored in the `~/.ssh` directory. Note that this command option does not overwrite keys if they already exist in that location.

Provide SSH public key when deploying a VM

To create a Linux VM that uses SSH keys for authentication, provide your SSH public key when creating the VM using the Azure portal, CLI, Resource Manager templates, or other methods. When using the portal, you enter the public key itself. If you use the Azure CLI to create your VM with an existing public key, specify the value or location of this public key by running the az vm create command with the `--ssh-key-value` option.

If you're not familiar with the format of an SSH public key, you can see your public key by running `cat` as follows, replacing `~/.ssh/id_rsa.pub` with your own public key file location:

Output is similar to the following (here redacted):

If you copy and paste the contents of the public key file into the Azure portal or a Resource Manager template, make sure you don't copy any additional whitespace or introduce additional line breaks. For example, if you use macOS, you can pipe the public key file (by default, `~/.ssh/id_rsa.pub`) to `pbcopy` to copy the contents (there are other Linux programs that do the same thing, such as `xclip`).

If you prefer to use a public key that is in a multiline format, you can generate an RFC4716 formatted key in a pem container from the public key you previously created.

To create a RFC4716 formatted key from an existing SSH public key:
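A pre-paste check for a public key line, added here as an example that is not part of the original article. It catches the whitespace and line-break problems described above (Windows line endings, surrounding blanks, a key wrapped onto two lines) and goes one step further: it decodes the base64 blob far enough to confirm that the key type named at the start of the line matches the type recorded inside the blob, which is the first field of the OpenSSH public key wire format (a 4-byte big-endian length followed by the type string). The sample key is constructed for the demo and is not a real key; the script assumes GNU coreutils (`base64`, `od`) as found on a Linux host or in the Azure Cloud Shell.

```bash
#!/bin/sh
# Added example, not part of the article: validate and clean a public key line
# before pasting it into the portal or an authorized_keys file.

# check_pubkey KEY_TEXT : prints the cleaned single-line key on success,
# returns 1 with a reason on stderr otherwise.
check_pubkey() {
    # Carriage returns and trailing newlines are harmless once removed:
    # $(...) strips trailing newlines, tr drops the CRs.
    key=$(printf '%s' "$1" | tr -d '\r')

    # A line break inside the key is the "additional line breaks" problem:
    # the portal or authorized_keys would see two broken lines.
    if [ "$(printf '%s\n' "$key" | wc -l)" -ne 1 ]; then
        echo "reject: key spans more than one line" >&2
        return 1
    fi

    # Split into fields (type, blob, optional comment); this also trims
    # surrounding blanks and collapses repeated ones. set -f keeps a comment
    # such as user@host* from being glob-expanded.
    set -f
    set -- $key
    set +f
    key_type=$1
    blob=$2
    if [ -z "$blob" ]; then
        echo "reject: expected '<type> <base64 blob> [comment]'" >&2
        return 1
    fi

    # Decode the blob to hex and compare its leading length+string field with
    # the declared type, e.g. 00000007 + hex("ssh-rsa") for an RSA key.
    decoded_hex=$(printf '%s' "$blob" | base64 -d 2>/dev/null | od -An -v -tx1 | tr -d ' \n')
    type_hex=$(printf '%s' "$key_type" | od -An -v -tx1 | tr -d ' \n')
    expected=$(printf '%08x' "${#key_type}")$type_hex
    case $decoded_hex in
        "$expected"*) ;;
        *) echo "reject: blob does not start with a '$key_type' header" >&2; return 1 ;;
    esac

    printf '%s\n' "$*"
}

# Demo with a constructed key: the header bytes are those of every RSA key
# with the usual public exponent, the remainder is made up.
demo_key='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDexampleBLOBconstructedFORdemoONLY azureuser@myserver'
check_pubkey "$demo_key" && echo "ok: single clean line"
check_pubkey "$(printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB\nAQDexampleBLOBconstructedFORdemoONLY')" || echo "caught wrapped key"
```

Feed it the output of `cat ~/.ssh/id_rsa.pub` (or whatever lands in your clipboard) and paste only what it prints; a type mismatch usually means the wrong file, or a fragment of one, was copied.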
SSH to your VM with an SSH client
With the public key deployed on your Azure VM, and the private key on your local system, SSH to your VM using the IP address or DNS name of your VM. Replace azureuser and myvm.westus.cloudapp.azure.com in the following command with the administrator user name and the fully qualified domain name (or IP address):
If you provided a passphrase when you created your key pair, enter the passphrase when prompted during the sign-in process. (The server is added to your `~/.ssh/known_hosts` file, and you won't be asked to confirm the host again until the public key on your Azure VM changes or the server name is removed from `~/.ssh/known_hosts`.)

If the VM is using the just-in-time access policy, you need to request access before you can connect to the VM. For more information about the just-in-time policy, see Manage virtual machine access using the just in time policy.
Use ssh-agent to store your private key passphrase
To avoid typing your private key file passphrase with every SSH sign-in, you can use `ssh-agent` to cache your private key file passphrase. If you are using a Mac, the macOS Keychain securely stores the private key passphrase when you invoke `ssh-agent`.

Verify and use `ssh-agent` and `ssh-add` to inform the SSH system about the key files so that you do not need to use the passphrase interactively.

Now add the private key to `ssh-agent` using the command `ssh-add`.

The private key passphrase is now stored in `ssh-agent`.

Use ssh-copy-id to copy the key to an existing VM

If you have already created a VM, you can add a new SSH public key to your Linux VM using `ssh-copy-id`.

Create and configure an SSH config file
You can create and configure an SSH config file (`~/.ssh/config`) to speed up log-ins and to optimize your SSH client behavior.

The following example shows a simple configuration that you can use to quickly sign in as a user to a specific VM using the default SSH private key.
Create the file.
Edit the file to add the new SSH configuration
Add configuration settings appropriate for your host VM. In this example, the VM name is myvm and the account name is azureuser.
You can add configurations for additional hosts to enable each to use its own dedicated key pair. See SSH config file for more advanced configuration options.
Now that you have an SSH key pair and a configured SSH config file, you are able to sign in to your Linux VM quickly and securely. When you run the following command, SSH locates and loads any settings from the `Host myvm` block in the SSH config file.

The first time you sign in to a server using an SSH key, the command prompts you for the passphrase for that key file.
Next steps
Next up is to create Azure Linux VMs using the new SSH public key. Azure VMs that are created with an SSH public key as the sign-in are better secured than VMs created with the default sign-in method, passwords.