{"id":274,"date":"2015-12-21T08:14:13","date_gmt":"2015-12-21T16:14:13","guid":{"rendered":"https:\/\/cloudinsidr.com\/content\/?p=274"},"modified":"2019-11-04T06:32:22","modified_gmt":"2019-11-04T14:32:22","slug":"how-to-set-up-a-connection-between-two-hosts-using-authentication-based-on-key-pairs-for-remote-access","status":"publish","type":"post","link":"https:\/\/www.cloudinsidr.com\/content\/how-to-set-up-a-connection-between-two-hosts-using-authentication-based-on-key-pairs-for-remote-access\/","title":{"rendered":"How to set up an SSH connection using authentication based on private-public key pairs"},"content":{"rendered":"<p>In order to transfer files from one server to another you can use Unix tools such as rsync with key pairs. Setting up the connection is rather easy once you know how to do it.<\/p>\n<h2>How keys work in public key cryptography<\/h2>\n<p>Public key cryptography relies on the use of a key pair that consists of a private and a public key. These two text strings can be compared\u00a0against one another using a cryptographic algorithm. If the verification succeeds, access is granted.<\/p>\n<p>Think of the <strong>public\u00a0key<\/strong> as the lock on a door. 
It is technically available\u00a0to everyone, but can only be opened with the corresponding <strong>private key<\/strong>.<\/p>\n<p>In public key cryptography, your <strong>private key<\/strong> is like the master key of an apartment house in the real world: it can open all the locks on any door anywhere (for one and only private key, it is possible to generate many public keys).<\/p>\n<p dir=\"ltr\" lang=\"en\">Public key cryptography relies on an analogy to a lock and a key in the real world; animation <a href=\"https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2015\/12\/How_a_key_works.mp4\">How_a_key_works.mp4<\/a> by <a href=\"https:\/\/twitter.com\/ValaAfshar\/status\/668522341262090240\">Vala Afshar (@ValaAfshar)<\/a> via <a href=\"https:\/\/t.co\/sqZVsPFd3F\">Twitter<\/a><\/p>\n<p>In order for the origin host (ec-instance-01) to be able to connect to\u00a0the target host (ec-instance-02), you need to follow these steps:<\/p>\n<ul>\n<li>create a key pair in the <strong>.ssh<\/strong> directory on the <b>origin\u00a0<\/b>host (the one that will be initiating the connection); the private key of this key pair should never leave this host!<\/li>\n<li>append\u00a0<strong>only(!) the public key from this pair<\/strong>\u00a0to the <strong>authorized_keys<\/strong> file of your user on the <strong>destination<\/strong>\u00a0host.<\/li>\n<\/ul>\n<p>Here is how to do this in more detail.<\/p>\n<h2>Step 1. 
Check sshd config on each of the\u00a0hosts<\/h2>\n<p>In \/etc\/ssh\/sshd_config, you may\u00a0find these lines:<\/p>\n<pre class=\"lang:sh decode:true\"># RSAAuthentication yes\r\n# PubkeyAuthentication yes<\/pre>\n<p>They indicate the defaults. Leave them alone, unless you want to deactivate RSA authentication. (Should you want to deactivate RSA authentication, make sure you don&#8217;t lock yourself out of your instance!)<\/p>\n<h2>Step 2. Create a new key pair on the server that will initiate the remote connection<\/h2>\n<p>Do NOT use the same key pair that is being used\u00a0for administrative access to either one of the two instances! Generate a new key pair.\u00a0By creating a new key pair for your active user on the source host (ec-instance-01), you will ensure that the private key can remain in place and will not need to be transferred over the network.<\/p>\n<p>Here is the basic syntax of the command to generate a key pair:<\/p>\n<pre class=\"\">ssh-keygen -t {ecdsa|rsa|ed25519} -f \/path\/to\/file<\/pre>\n<p>The -t flag specifies the type of key (pick one!); the -f option specifies the file name. Both <strong>ECDSA<\/strong> (<em>Elliptic Curve Digital Signature Algorithm<\/em>) and <strong>ED25519<\/strong> use signatures based on elliptic curve cryptography and are much safer than RSA. ED25519 is immune to a broken random number generator, but newer than ECDSA and less widely supported.<\/p>\n<p>The default location is\u00a0<span style=\"color: #ff0000;\"><strong>$HOME\/.ssh<\/strong><\/span> of the active user. 
The key size is specified with the\u00a0<strong>-b<\/strong> parameter.<\/p>\n<p>To generate\u00a0a 256-bit ECDSA key pair inside that directory, use this command:<\/p>\n<pre class=\"\">ssh-keygen -t ecdsa -f $HOME\/.ssh\/ecdsa_key_file\r\nEnter passphrase (empty for no passphrase):\r\n<\/pre>\n<p>Unless you use a passphrase, mere possession of the private key file grants any user access to\u00a0that key, and with it access to every remote server that has the public key installed. If you do use a passphrase for the private key, you will need to enter it whenever you use the key to initiate a connection; otherwise\u00a0the connection won&#8217;t work.<\/p>\n<p>When done, you will find two files in the directory you specified:<\/p>\n<pre class=\"\">ls -l $HOME\/.ssh\/\r\n-rw------- 1 root root 556 Dec 21 09:29 ecdsa_key_file\r\n-rw-r--r-- 1 root root 180 Dec 21 09:29 ecdsa_key_file.pub<\/pre>\n<p>The file ecdsa_key_file contains your top-secret private key (.pem). The file ecdsa_key_file.pub contains your public key. The recommended privileges on the private key are 600 (-rw-------).<\/p>\n<h2>Step 3. Verify placement and permissions on the private key on the host that will be initiating the connection<\/h2>\n<p>Make sure that your private key is located in the appropriate directory on the origin host (the host that will be initiating the connection).<\/p>\n<p>The private key belongs either in \/home\/user1\/.ssh\/ (this is where most ssh-capable tools will look for it by default) or in a\u00a0subdirectory within this path.<\/p>\n<p>If you need to adjust permissions on the private key file and its parent directory, use:<\/p>\n<pre class=\"\">chmod 700 ~\/.ssh\r\nchmod 600 ~\/.ssh\/ecdsa_key_file<\/pre>\n<h2>Step 4. 
Place the public key on the target host (the &#8220;lock in the door&#8221;)<\/h2>\n<p>Append the public key to the authorized_keys file on the target instance (ec-instance-02); the file lives inside the .ssh directory in the home directory of the user that will run the process.<\/p>\n<p>Should there be no such file, create it:<\/p>\n<pre class=\"\">touch .ssh\/authorized_keys<\/pre>\n<p>and save the key inside: one key per line, followed by a space and an optional comment on the location of the corresponding private key.<\/p>\n<p>After creating the authorized_keys file, make sure you also adjust access privileges on it:<\/p>\n<pre>chmod 700 .ssh\r\nchmod 600 .ssh\/authorized_keys<\/pre>\n<p>It should be owned by the user and the user&#8217;s primary group:<\/p>\n<pre>chown username:username .ssh\/authorized_keys<\/pre>\n<p>The result will look somewhat like this:<\/p>\n<pre>[root@ip-10-0-0-243 .ssh]# ls -lat\r\ntotal 12\r\ndrwx------  2 fedora fedora 46 Nov 4 04:25 .\r\n-rw-------  1 fedora fedora  526 Nov  4 06:06 authorized_keys<\/pre>\n<p>(For more on access restrictions, see\u00a0<a href=\"https:\/\/cloudinsidr.com\/content\/understanding-and-settingchanging-access-privileges-on-unixlinux-files-and-directories-mode-bits-and-alternative-access-methods-explained\/\">this post on Unix\/Linux privileges and alternative access methods<\/a>.)<\/p>\n<h2>Step 5. 
Unblock access through any firewalls and open up AWS security groups<\/h2>\n<p>Unblock access through firewalls (if any) and open up AWS security groups of both hosts for each of their respective\u00a0IP addresses (the &#8220;external&#8221; ones on each relevant interface that should be able to establish a connection).<\/p>\n<p>You should be good to go now.<\/p>\n<h2>Step 6. Connect<\/h2>\n<p>To connect from the source host to the destination host, use this command at the prompt of the source host:<\/p>\n<pre class=\"lang:sh decode:true\">ssh -v -i \"\/path\/to\/your\/private_key_file\" remote-user@re.mo.te.ip<\/pre>\n<p>This command will generate\u00a0verbose output (-v). As a result, you may see a couple of errors even though the connection may succeed.\u00a0Read the output carefully and troubleshoot if necessary.<\/p>\n<h2>Step 7. Troubleshoot<\/h2>\n<p>On AWS, you may see this warning:<\/p>\n<pre class=\"lang:sh decode:true\">Address 123.345.678.123\u00a0maps to ec2-123-456-789-123.compute-1.amazonaws.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!<\/pre>\n<p>This warning reflects\u00a0the way EC2 has been designed. Each network interface of an EC2 instance operates two IP addresses: one private internal IP (this IP is being addressed by internal server processes\u00a0on the\u00a0&#8220;inside&#8221; \u00a0of the instance) and one on the outside (this one can be either a private or a public IP and is accessible from the network). This is simply &#8220;as designed&#8221; and&#8211;in and by itself&#8211;nothing to worry about unless you spot an unfamiliar\u00a0IP. In any case, verify if the IPs match your AWS resources. If they do, proceed. 
If they don&#8217;t, abort.<\/p>\n<p>The success report should include:<\/p>\n<pre class=\"lang:sh decode:true\">debug1: Offering public key: \/root\/.ssh\/ec2migration.keypair\/ecdsa_key_file\r\ndebug1: Server accepts key: pkalg ecdsa-sha2-nistp256 blen 104\r\ndebug1: read PEM private key done: type ECDSA\r\ndebug1: Authentication succeeded (publickey).<\/pre>\n<p>Once the connection is established,\u00a0you can perform any operation you would perform locally. To exit the session, use<\/p>\n<pre class=\"lang:sh decode:true\">exit<\/pre>\n<p>Once you know that ssh works between the two hosts, it is time to set up\u00a0rsync (for file backups and the like). For details on how to do this, read:\u00a0<a href=\"https:\/\/cloudinsidr.com\/content\/how-to-rsync-files-and-directories-between-remote-hosts\/\">How to rsync Files and Directories between Remote Hosts in the Cloud<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In order to transfer files from one server to another you can use Unix tools such as rsync with key pairs. Setting up the connection is rather easy once you know how to do it. 
How keys work in public key cryptography Public key cryptography relies on the use of a key pair that consists [&hellip;]<\/p>\n","protected":false},"author":101011,"featured_media":76,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[16,17,33],"tags":[68,66,67,42,19],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v14.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>How to set up an SSH connection using authentication based on private-public key pairs - CloudInsidr<\/title>\n<meta name=\"robots\" content=\"index, follow\" \/>\n<meta name=\"googlebot\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta name=\"bingbot\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.cloudinsidr.com\/content\/how-to-set-up-a-connection-between-two-hosts-using-authentication-based-on-key-pairs-for-remote-access\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"How to set up an SSH connection using authentication based on private-public key pairs - CloudInsidr\" \/>\n<meta property=\"og:description\" content=\"In order to transfer files from one server to another you can use Unix tools such as rsync with key pairs. Setting up the connection is rather easy once you know how to do it. 
How keys work in public key cryptography Public key cryptography relies on the use of a key pair that consists [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.cloudinsidr.com\/content\/how-to-set-up-a-connection-between-two-hosts-using-authentication-based-on-key-pairs-for-remote-access\/\" \/>\n<meta property=\"og:site_name\" content=\"CloudInsidr\" \/>\n<meta property=\"article:published_time\" content=\"2015-12-21T16:14:13+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2019-11-04T14:32:22+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2015\/11\/cloudinsidr_logo_900px-wide.png\" \/>\n\t<meta property=\"og:image:width\" content=\"900\" \/>\n\t<meta property=\"og:image:height\" content=\"326\" \/>\n<meta name=\"twitter:card\" content=\"summary\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/#website\",\"url\":\"https:\/\/www.cloudinsidr.com\/content\/\",\"name\":\"CloudInsidr\",\"description\":\"Cyber security, infotech\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":\"https:\/\/www.cloudinsidr.com\/content\/?s={search_term_string}\",\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/how-to-set-up-a-connection-between-two-hosts-using-authentication-based-on-key-pairs-for-remote-access\/#primaryimage\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2015\/11\/cloudinsidr_logo_900px-wide.png\",\"width\":900,\"height\":326,\"caption\":\"cloudinsidr.com logo (900px 
wide)\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/how-to-set-up-a-connection-between-two-hosts-using-authentication-based-on-key-pairs-for-remote-access\/#webpage\",\"url\":\"https:\/\/www.cloudinsidr.com\/content\/how-to-set-up-a-connection-between-two-hosts-using-authentication-based-on-key-pairs-for-remote-access\/\",\"name\":\"How to set up an SSH connection using authentication based on private-public key pairs - CloudInsidr\",\"isPartOf\":{\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/how-to-set-up-a-connection-between-two-hosts-using-authentication-based-on-key-pairs-for-remote-access\/#primaryimage\"},\"datePublished\":\"2015-12-21T16:14:13+00:00\",\"dateModified\":\"2019-11-04T14:32:22+00:00\",\"author\":{\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/#\/schema\/person\/21ce63bea726ea64da1beed97e63ba84\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.cloudinsidr.com\/content\/how-to-set-up-a-connection-between-two-hosts-using-authentication-based-on-key-pairs-for-remote-access\/\"]}]},{\"@type\":[\"Person\"],\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/#\/schema\/person\/21ce63bea726ea64da1beed97e63ba84\",\"name\":\"Anna E Kobylinska\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/#personlogo\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/7a3e9bd152f9d5cd41bf2b92df649857?s=96&d=mm&r=g\",\"caption\":\"Anna E Kobylinska\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->"}