In-depth understanding of AWS EC2 key pairs

SSH

Anyone who has used Linux is familiar with ssh. In layman's terms, a key pair is generated by a tool; the Linux server stores the public key and the client keeps the private key. When logging in through a client that speaks the ssh protocol (PuTTY, Tera Term, or the ssh command line), you enter the Linux user name and point the client at the file holding the private key. The login succeeds only if the client can prove possession of a private key matching one of the public keys the server has authorized for that user.

 

AWS key pairs

An AWS key pair is simply an ssh public/private key pair. The difference is that AWS can generate and manage it through the console or API, hiding the ssh details from the user, which reflects the service-oriented idea. Two details matter in practice. First, AWS stores only the public key: for a key pair generated by AWS, the private key (.pem file) is offered for download exactly once, at creation time, and cannot be retrieved later, so keep it safe. Second, you can generate the pair yourself and upload only the public key ("Import key pair"), so the private key never leaves your machine.

 

When launching an EC2 instance you are asked to select or create a key pair; the key pair resource exists to be bound to instances. On first boot, cloud-init on the instance fetches the public key from the instance metadata and writes it to ~/.ssh/authorized_keys of the image's default user (ec2-user on Amazon Linux, ubuntu on Ubuntu, and so on).

The same key pair can be bound to many EC2 instances, and several OS users within one instance can share the same public key. From a security point of view AWS does not recommend sharing key pairs this way: one leaked private key then opens every one of those accounts, and a shared key makes it impossible to tell from the logs which person actually logged in.

 

However, the launch wizard lets you select only one key pair, and it is installed for the default user only. What if each OS user on the instance needs its own key pair? There are several ways to do it.

1> The most direct method

Log in as the default user and manually edit each OS user's ~/.ssh/authorized_keys, appending that user's public key (one key per line, in the form printed by ssh-keygen -y). Make sure ~/.ssh is mode 700, authorized_keys is mode 600, and both are owned by that user: with the default StrictModes yes, sshd refuses to use a file with wrong ownership or group/world-writable permissions and logs "bad ownership or modes" instead.

 

2> When creating the instance, supply a cloud-init directive or a shell script through the User Data field under Advanced details. By default, user data runs only once, on the instance's first boot, so it is the natural place to create additional users and install their keys, but it is not re-run on later reboots. Note that user data is readable by any process on the instance through the instance metadata service, so it must never contain private keys or other secrets; public keys are fine.

User data accepts either cloud-init directives (a file starting with #cloud-config) or a plain shell script (starting with #!). When you create the instance with the AWS CLI you can pass a local file instead, using --user-data file://my-script.sh on aws ec2 run-instances; the file may contain either format.
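Both methods above end up doing the same thing: putting each user's public key into that user's authorized_keys with the right ownership and permissions. The script below is an added example, not code from the article or from AWS, of what a user data shell script for method 2 looks like; its install_key function is also exactly the manual edit of method 1. It assumes a Linux image with useradd and getent; the user names and public keys are placeholders.

```shell
#!/bin/sh
# Added example (not AWS's own code): give each OS user on an EC2 instance its
# own ssh public key. Meant to run as root from EC2 user data, so it executes
# once on first boot. User names and public keys are placeholders.
set -eu

# install_key USER HOME PUBKEY
# Appends PUBKEY to HOME/.ssh/authorized_keys exactly once and sets the
# permissions sshd's StrictModes requires: 700 on ~/.ssh, 600 on the file,
# both owned by USER. Idempotent, so re-running the script is harmless.
install_key() {
  user=$1 home=$2 pubkey=$3
  mkdir -p "$home/.ssh"
  chmod 700 "$home/.ssh"
  touch "$home/.ssh/authorized_keys"
  if ! grep -qxF -- "$pubkey" "$home/.ssh/authorized_keys"; then
    printf '%s\n' "$pubkey" >> "$home/.ssh/authorized_keys"
  fi
  chmod 600 "$home/.ssh/authorized_keys"
  chown -R "$user" "$home/.ssh"
}

# ensure_user USER PUBKEY
# Creates the account if it does not exist (needs root), then installs the key
# into the account's home directory as recorded in /etc/passwd.
ensure_user() {
  user=$1 pubkey=$2
  if ! id "$user" >/dev/null 2>&1; then
    useradd -m -s /bin/bash "$user"
  fi
  home=$(getent passwd "$user" | cut -d: -f6)
  install_key "$user" "$home" "$pubkey"
}

# One line per user: "<os user> <public key line>". Placeholder values; put the
# real output of `ssh-keygen -y -f <private>.pem` for each person here.
main() {
  while read -r user key; do
    if [ -n "$user" ]; then
      ensure_user "$user" "$key"
    fi
  done <<'EOF'
alice ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyForAlice0000000000000 alice@laptop
bob ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyForBob000000000000000 bob@laptop
EOF
}

# In real user data the last line is simply `main`. It is gated on an argument
# here so the functions can be exercised without root (sh script.sh apply).
if [ "${1:-}" = "apply" ]; then
  main
fi
```

Each user gets a separate key, so revoking one person means deleting one line from one file, and sshd's log shows which key authenticated. The public keys are placed in user data, which is safe; the matching private keys stay with their owners.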

 

In fact, to put it bluntly, EC2 and its key pairs are just a service-oriented packaging of a traditional Linux OS and ssh.

 

Some commonly used tips

 

1> Obtain the public key from the private key

This is useful when the downloaded .pem file is all you have and you need the public key line to append to another user's or instance's authorized_keys. The private key must be unencrypted (as AWS-generated .pem files are), otherwise you will be asked for its passphrase.

ssh-keygen -y

Enter file in which the key is: my-private.pem

ssh-rsa xxxxxxxxxxxxxxyyyyyyyyyyyyyyyyyyyyyyzzzzzzzzzzzzzzzzzz

The same thing without the prompt: ssh-keygen -y -f my-private.pem

 

2> Using the AWS CLI to get key pair information

The two set lines configure a proxy for the Windows cmd shell and are only needed behind a corporate proxy (on Linux or macOS use export instead). aws configure then stores the access key and default region.

>set http_proxy=myproxy.com:9999

>set https_proxy=myproxy.com:9999

>aws configure

  AWS Access Key ID [****************xxxx]:

  AWS Secret Access Key [****************yyyy]:

  Default region name [None]: ap-northeast-1

  Default output format [None]: json

 

View all key pairs in the configured region

>aws ec2 describe-key-pairs

 

View a specific key pair by name

>aws ec2 describe-key-pairs --key-name mykey

 

The result contains a KeyFingerprint (also shown in the AWS console). It is a fingerprint derived from the key pair's public key, and its purpose is to let you check that a private key file you hold really belongs to a given key pair before you rely on it. The format depends on how the key was created: for an RSA key pair generated by AWS the fingerprint is a SHA-1 hash of the private key in DER (PKCS#8) form, for an imported RSA public key it is an MD5 hash of the public key in DER form, and for an ED25519 key pair it is the same SHA256 fingerprint that ssh-keygen -l prints. Do not confuse this with the fingerprint the ssh client asks you to confirm on the first connection to a server: that one belongs to the server's host key, not to your key pair. The client stores it in ~/.ssh/known_hosts and on every later connection compares the host key the server presents with the cached entry; if they differ, it warns the user to verify the situation before connecting.

 

How to view a public key's fingerprint

-- client side: the keys authorized to log in as this user

ssh-keygen -lf authorized_keys

 

-- sshd daemon: the server's host key, the fingerprint that appears in known_hosts prompts

ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
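As an added example that is not part of the original article, the following POSIX shell reproduces the SHA256 fingerprint that ssh-keygen -lf prints for each authorized_keys line. It makes clear what a fingerprint is, whether for a user key or a host key: a hash of the raw, base64-decoded key blob, base64-encoded without padding. It assumes openssl is installed; the sample key is constructed (a structurally valid ssh-ed25519 blob, not anyone's real key).

```shell
#!/bin/sh
# Added example (not from the article or AWS): compute the OpenSSH SHA256
# fingerprint of a public key line by hand, the way `ssh-keygen -lf` does.
# Requires openssl. SAMPLE_KEY is constructed, not a real key.
set -eu

# fingerprint_of_line "<type> <base64 blob> [comment]"
# Prints SHA256:<base64(sha256(blob)) with the '=' padding removed>.
# Lines with a leading options field (e.g. "no-pty,from=... ssh-ed25519 ...")
# are not handled; the blob is taken to be the second field.
fingerprint_of_line() {
  blob=$(printf '%s' "$1" | awk '{print $2}')
  b64=$(printf '%s' "$blob" \
    | openssl base64 -d -A \
    | openssl dgst -sha256 -binary \
    | openssl base64 -A)
  printf 'SHA256:%s\n' "${b64%%=*}"
}

# fingerprints_of_file FILE
# One fingerprint per key line, skipping blank lines and '#' comments, like
# `ssh-keygen -lf authorized_keys` reports one entry per key.
fingerprints_of_file() {
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    fingerprint_of_line "$line"
  done < "$1"
}

# Constructed sample: a 51-byte ssh-ed25519 blob (type string + 32 key bytes).
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyExampleKeyExampleKeyExampleKey123 alice@laptop'
```

Run fingerprint_of_line "$SAMPLE_KEY" and compare with ssh-keygen -lf on a file holding the same line; the values agree. Because the fingerprint is computed from the public key alone, it can be published and compared safely, which is why both AWS's KeyFingerprint and the known_hosts check can rely on it.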

 
