Key management
In this section, you can find information about SSH keys, how to generate them, and how to rotate them.
Currently, Transfer Family does not accept elliptic curve keys (keys beginning with ecdsa).
Generate SSH keys
You can set up your server to authenticate users using the service managed authentication method, where user names and SSH keys are stored within the service. The user's public SSH key is uploaded to the server as a user's property. This key is used by the server as part of a standard key-based authentication process. Each user can have multiple public SSH keys on file with an individual server. For limits on number of keys that can be stored per user, see the AWS service quotas in the AWS General Reference.
As an alternative to the service managed authentication method, you can authenticate users using a custom identity provider. This allows you to plug in an existing identity provider using an Amazon API Gateway endpoint. For more information, see Authenticating using an API Gateway method.
A server can only authenticate users using one method (service managed or custom identity provider), and that method cannot be changed after the server is created.
Creating SSH Keys on macOS, Linux, or UNIX
On the macOS, Linux, or UNIX operating systems, you use the ssh-keygen command to create an SSH public key and SSH private key, also known as a key pair.
To create SSH keys on a macOS, Linux, or UNIX operating system
- On macOS, Linux, or UNIX operating systems, open a command terminal.
- At the prompt, enter the following command:
  ssh-keygen -P "" -m PEM -f key_name
  Note: key_name is the SSH key pair file name.
  The following shows an example of the ssh-keygen output.
- Navigate to the key_name.pub file and open it.
- Copy the text and paste it in SSH public key.
When you run the ssh-keygen command as shown preceding, it creates the public and private keys as files in the current directory.
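The key_name.pub file written by the procedure above is a single line of the form `<type> <base64 blob> [comment]`, and the base64 blob itself begins with the key type. The following is an added example for this page (not AWS or OpenSSH code) that parses such a line, cross-checks the prefix against the embedded type, reports the RSA modulus size, and rejects any key beginning with ecdsa, which is the restriction stated at the top of this section. The two sample keys it builds are constructed in code and are not real keys.

```python
"""Parse an OpenSSH public key line such as the one ssh-keygen writes to
key_name.pub, and check it against the restriction stated on this page
(Transfer Family does not accept keys beginning with ecdsa).
Added example for this page, not AWS or OpenSSH code."""
import base64
import struct


class PublicKeyError(ValueError):
    """Raised when a public key line is malformed or not acceptable."""


def _ssh_string(data: bytes) -> bytes:
    # SSH wire-format string: 4-byte big-endian length, then the bytes.
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    # Positive mpint: big-endian, with a leading 0x00 if the top bit is set.
    return _ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def _read_ssh_string(blob: bytes, offset: int):
    # Read one wire-format string starting at offset; return (bytes, next offset).
    if offset + 4 > len(blob):
        raise PublicKeyError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise PublicKeyError("truncated key blob")
    return blob[start:end], end


def parse_openssh_public_key(line: str) -> dict:
    """Return {'type', 'comment', 'bits'} for a '<type> <base64> [comment]' line.

    Raises PublicKeyError for malformed input, for a base64 body whose
    embedded type does not match the prefix, and for any ecdsa key.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise PublicKeyError("expected '<type> <base64> [comment]'")
    key_type, body = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(body, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise PublicKeyError("key body is not valid base64") from exc
    inner_type, offset = _read_ssh_string(blob, 0)
    if inner_type != key_type.encode():
        raise PublicKeyError("type prefix does not match the encoded key type")
    if key_type.startswith("ecdsa-"):
        raise PublicKeyError("Transfer Family does not accept ecdsa keys")
    bits = None
    if key_type == "ssh-rsa":
        # ssh-rsa blob layout: string "ssh-rsa", mpint e, mpint n
        _e, offset = _read_ssh_string(blob, offset)
        n, _ = _read_ssh_string(blob, offset)
        bits = int.from_bytes(n, "big").bit_length()
    return {"type": key_type, "comment": comment, "bits": bits}


def is_acceptable_public_key(line: str) -> bool:
    """True when the line parses cleanly and is not an ecdsa key."""
    try:
        parse_openssh_public_key(line)
    except PublicKeyError:
        return False
    return True


def sample_rsa_public_key() -> str:
    # Constructed 2048-bit sample (not a real key): e = 65537, n with the top bit set.
    n = (1 << 2047) | 0x10001
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " user@example"


def sample_ecdsa_public_key() -> str:
    # Constructed ecdsa line (not a real key): curve name plus a dummy point.
    blob = (_ssh_string(b"ecdsa-sha2-nistp256") + _ssh_string(b"nistp256")
            + _ssh_string(b"\x04" + b"\x01" * 64))
    return "ecdsa-sha2-nistp256 " + base64.b64encode(blob).decode("ascii")


if __name__ == "__main__":
    print(parse_openssh_public_key(sample_rsa_public_key()))
    print(is_acceptable_public_key(sample_ecdsa_public_key()))
```

Running the check before uploading saves a round trip: a pasted line that was wrapped or truncated by an editor fails the base64 or length checks here rather than at the server, and an ecdsa key is turned away locally.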
Creating SSH Keys on Microsoft Windows
Windows uses a slightly different SSH key pair format. The public key must be in the PUB format, and the private key must be in the PPK format. On Windows, you can use PuTTYgen to create an SSH key pair in the appropriate formats. You can also use PuTTYgen to convert a private key generated using ssh-keygen to a .ppk file.
If you present WinSCP with a private key file not in .ppk format, that client offers to convert the key into .ppk format for you.
For a tutorial on creating SSH keys using PuTTYgen on Windows, see the SSH.com website.
Rotate SSH keys
For security, we recommend the best practice of rotating your SSH keys. Usually, this rotation is specified as a part of a security policy and is implemented in some automated fashion. Depending upon the level of security, for a highly sensitive communication, an SSH key pair might be used only once. Doing this eliminates any risk due to stored keys. However, it is much more common to store SSH credentials for a period of time and set an interval that doesn't place undue burden on users. A time interval of three months is common.
There are two methods used to perform SSH key rotation:
- On the console, you can upload a new SSH public key and delete an existing SSH public key.
- Using the API, you can update existing users by using the DeleteSshPublicKey API to delete a user's Secure Shell (SSH) public key and the ImportSshPublicKey API to add a new Secure Shell (SSH) public key to the user's account.
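The API-based rotation described above can be automated. The following is an added example for this page (not AWS code) that finds keys older than the three-month interval mentioned earlier and rotates them with the two operations named here: it imports the new key first and deletes the old one only afterwards, so the user is never left without a valid key if the import fails. The functions accept any object exposing boto3's transfer-client method names (describe_user, import_ssh_public_key, delete_ssh_public_key); the FakeTransferClient, its key-NNNN ids, the server id s-EXAMPLE, the user alice and the key bodies are constructed so the example runs offline. With boto3 installed, pass boto3.client("transfer") in place of the fake.

```python
"""Rotate a Transfer Family user's SSH public key with the two API operations
this page names, ImportSshPublicKey and DeleteSshPublicKey, and flag keys older
than the three-month interval the page mentions.  Added example for this page,
not AWS code.  The functions take any object exposing boto3's transfer-client
method names (describe_user, import_ssh_public_key, delete_ssh_public_key), so
they run offline against the constructed FakeTransferClient below; with boto3
installed, pass boto3.client("transfer") instead."""
from datetime import datetime, timedelta, timezone

KEY_MAX_AGE = timedelta(days=90)  # the three-month interval the page describes


class FakeTransferClient:
    """Constructed stand-in that mirrors the shape of the real responses.

    Key ids here are placeholders of the form key-NNNN, not the service's format.
    """

    def __init__(self, keys, now):
        self.keys = list(keys)
        self.now = now
        self.calls = []
        self._counter = len(keys)

    def describe_user(self, ServerId, UserName):
        self.calls.append(("describe_user", UserName))
        return {"ServerId": ServerId,
                "User": {"UserName": UserName, "SshPublicKeys": list(self.keys)}}

    def import_ssh_public_key(self, ServerId, SshPublicKeyBody, UserName):
        if SshPublicKeyBody.startswith("ecdsa-"):
            raise ValueError("ecdsa keys are not accepted")  # mirrors the page's restriction
        self._counter += 1
        key_id = f"key-{self._counter:04d}"
        self.keys.append({"SshPublicKeyId": key_id,
                          "SshPublicKeyBody": SshPublicKeyBody,
                          "DateImported": self.now})
        self.calls.append(("import_ssh_public_key", key_id))
        return {"ServerId": ServerId, "SshPublicKeyId": key_id, "UserName": UserName}

    def delete_ssh_public_key(self, ServerId, SshPublicKeyId, UserName):
        self.keys = [k for k in self.keys if k["SshPublicKeyId"] != SshPublicKeyId]
        self.calls.append(("delete_ssh_public_key", SshPublicKeyId))


def keys_due_for_rotation(client, server_id, user_name, now=None, max_age=KEY_MAX_AGE):
    """Ids of the user's keys whose DateImported is older than max_age."""
    now = now or datetime.now(timezone.utc)
    user = client.describe_user(ServerId=server_id, UserName=user_name)["User"]
    return [k["SshPublicKeyId"] for k in user.get("SshPublicKeys", [])
            if now - k["DateImported"] > max_age]


def rotate_ssh_key(client, server_id, user_name, new_public_key, old_key_ids):
    """Import the new key, then delete the old ones.

    Importing first means the user always has at least one valid key on file;
    deleting first would lock them out if the import failed.
    """
    key_type = new_public_key.split(None, 1)[0]
    if key_type.startswith("ecdsa-"):
        raise ValueError("Transfer Family does not accept ecdsa keys")
    new_id = client.import_ssh_public_key(
        ServerId=server_id, SshPublicKeyBody=new_public_key, UserName=user_name
    )["SshPublicKeyId"]
    deleted = []
    for key_id in old_key_ids:
        if key_id != new_id:
            client.delete_ssh_public_key(
                ServerId=server_id, SshPublicKeyId=key_id, UserName=user_name)
            deleted.append(key_id)
    return {"new_key_id": new_id, "deleted_key_ids": deleted}


def demo():
    """Run the rotation against constructed data and return what happened."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed 'current' time
    client = FakeTransferClient([
        {"SshPublicKeyId": "key-0001", "SshPublicKeyBody": "ssh-rsa AAAA...old",
         "DateImported": now - timedelta(days=120)},
        {"SshPublicKeyId": "key-0002", "SshPublicKeyBody": "ssh-rsa AAAA...recent",
         "DateImported": now - timedelta(days=10)},
    ], now)
    server_id, user = "s-EXAMPLE", "alice"  # placeholder server id and user name
    due = keys_due_for_rotation(client, server_id, user, now=now)
    result = rotate_ssh_key(client, server_id, user, "ssh-rsa AAAA...new", due)
    try:
        rotate_ssh_key(client, server_id, user, "ecdsa-sha2-nistp256 AAAA...", [])
        ecdsa_rejected = False
    except ValueError:
        ecdsa_rejected = True
    return {"due": due, **result,
            "remaining": [k["SshPublicKeyId"] for k in client.keys],
            "calls": client.calls, "ecdsa_rejected": ecdsa_rejected}


if __name__ == "__main__":
    print(demo())
```

The ordering is the point: the console procedure (upload the new key, then delete the old one) is reproduced as import-then-delete, and because each user can hold several keys, the brief overlap costs nothing while a failed import leaves the existing key untouched.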