- OpenSSH vs PuTTY
- pem vs ppk: two key file formats
- SCP vs SFTP
The ones used most often are putty, plink and puttygen. plink is usually used as a channel for non-interactive data transfer; puttygen can generate keys and convert key formats (pem <-> ppk), among other things.
- putty.exe (the SSH and Telnet client itself)
- pscp.exe (an SCP client, i.e. command-line secure file copy)
- psftp.exe (an SFTP client, i.e. general file transfer sessions much like FTP)
- puttytel.exe (a Telnet-only client)
- plink.exe (a command-line interface to the PuTTY back ends)
- pageant.exe (an SSH authentication agent for PuTTY, PSCP, PSFTP, and Plink)
- puttygen.exe (an RSA and DSA key generation utility)
What is PuTTY Plink?
Plink (PuTTY Link) is a command-line connection tool similar to UNIX ssh. It is mostly used for automated operations, such as making CVS access a repository on a remote server. Plink is probably not what you want if you want to run an interactive session in a console window.
ssh-keygen is a tool for creating new authentication key pairs for SSH. Such key pairs are used for automating logins, single sign-on, and for authenticating hosts.
ssh-agent is a program that can hold a user’s private key, so that the private key passphrase only needs to be supplied once. A connection to the agent can also be forwarded when logging into a server, allowing SSH commands on the server to use the agent running on the user’s desktop.
OpenSSH vs PuTTY
Why do you recommend using Putty over OpenSSH to connect to a git server from windows?
We recommend PuTTY because it’s Windows-native. If you use passphrases with your keys (and really, you should – if you don’t your keys are very insecure) then you need to run an agent to avoid typing those passphrases more than once per login. OpenSSH’s agent is a command-line affair and can only easily be used from inside the same command line prompt, so it doesn’t play very nicely with using a mixture of command line and a GUI tool like SourceTree. In contrast, PuTTY uses a Windows system tray tool called Pageant which can serve any number of apps and sits in your tray for your Windows session. Many people also prefer the GUI tools for generating keys since they’re a bit more user-friendly.
SourceTree jumps through the hoops required to make OpenSSH work with passphrases outside a terminal so it’s fine if you want to use it, but OpenSSH was designed for Unix/Linux terminals and has to be somewhat shoehorned into working nicely in a Windows GUI setup, hence why we suggest the native tool as a preference. Many people will have already set up their systems for OpenSSH which is fine, but PuTTY can do everything OpenSSH does while being a bit more of a natural fit, so we tend to recommend it to brand new users since they’ll probably have an easier ride.
Windows 10 SSH vs. PuTTY: Time to Switch Your Remote Access Client?
One of the most common methods to communicate between computers, particularly Linux machines and web servers, is SSH. When it comes to establishing this sort of communication in Windows, the default option has been to install PuTTY.
PuTTY has long been the preferred choice for SSH on Windows. Whether controlling web servers, accessing Internet of Things devices or remotely administering a Linux PC, it’s a lightweight, easy to use app.
One of the reasons for PuTTY’s endurance is its wide selection of features. So, can SSH on Windows PowerShell compete with PuTTY?
There is a reason why PuTTY remains popular. Not only does it allow you to save (and name) your connections, the app also supports connections over Telnet, Serial, and other protocols. PuTTY’s appearance is also configurable, and it can be quickly launched from the desktop. All in all, PuTTY is a solid utility that handles pretty much anything that you can throw at it.
SSH is easy to use in Windows 10’s PowerShell. However, its lack of features, along with requiring a few more clicks to load up, mean you might prefer to stick with PuTTY. Either way, the fact that Windows 10 has two good options for SSH is worth celebrating.
pem vs ppk: two key file formats
While the data stored in Public/Private Key pairs is standardized, the storage format is not. Two common formats are available – OpenSSH and PuTTY style keys. Programs that rely on PuTTY cannot use OpenSSH style keys, and vice versa. Serv-U uses OpenSSH style keys only, and does not support PuTTY. It can be necessary to convert key formats in order to support specific clients.
SCP vs SFTP
SCP is short for Secure Copy, a protocol for transferring data between a local and a remote host; it is effectively an encrypted copy command. SCP transfers data over the SSH protocol, uses the same authentication methods as SSH and gives the same security guarantees. Depending on the setup, scp will ask for a password or passphrase when authenticating.
SFTP = SSH File Transfer Protocol, sometimes also called Secure File Transfer Protocol. SFTP is FTP wrapped in SSH, i.e. an encrypted FTP: it offers the same functionality as FTP, except that the transferred data is encrypted.
- SFTP: generally slowest (encryption and the need to wait for packet confirmations).
- FTP: generally fastest file transfer (no encryption and efficient transfer), yet transfer setup is slow, so transferring a large number of small files can be slow.
- SCP: medium (encryption, but efficient file transfer; however, it does not allow the transfer to be interrupted).
I’m in confusion with key files generated with our beloved LetsEncrypt.
We will get 4 .pem files,
privkey.pem is clear enough: it is the private key. But I don’t understand,
- what are the other files?
- what are they for, or which one should we use?
- In AWS Elastic Load balancer, SSL Certificate configuration asks for
- Private key
- Public Key
- Chain (optional)
Which .pem file should I use for the Public key: fullchain.pem, chain.pem or cert.pem? Could anyone help me understand this?
The best answer should be provided by your hosting company, in this case Amazon. Anyway, from http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-add-or-delete-listeners.html
If you have an SSL certificate to upload, select Upload a new SSL Certificate to AWS Identity and Access Management (IAM).
Enter the name of the certificate.
In Private Key, copy and paste the contents of the private key file (PEM-encoded).
In Public Key Certificate, copy and paste the contents of the public key certificate file (PEM-encoded).
In Certificate Chain, copy and paste the contents of the certificate chain file (PEM-encoded).
Private Key -> privkey.pem
Public Key -> cert.pem
Certificate Chain -> chain.pem
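To make the mapping above mechanical, here is an added example (not from the question or the AWS docs) that splits fullchain.pem into leaf and intermediates and checks that cert.pem and chain.pem are consistent with it before filling the three ELB fields; the file contents are constructed placeholders, not real certificates or keys.

```python
import re

# Matches one PEM certificate block, including its trailing newline.
CERT_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----\n.*?-----END CERTIFICATE-----\n", re.S)


def split_fullchain(fullchain: str):
    """fullchain.pem = cert.pem + chain.pem: the first block is the leaf, the rest are intermediates."""
    blocks = CERT_BLOCK.findall(fullchain)
    if len(blocks) < 2:
        raise ValueError("fullchain.pem should contain the leaf plus at least one intermediate")
    return blocks[0], "".join(blocks[1:])


def elb_certificate_fields(privkey: str, cert: str, chain: str, fullchain: str) -> dict:
    """Map the Let's Encrypt files onto the three ELB form fields, refusing inconsistent inputs."""
    leaf, intermediates = split_fullchain(fullchain)
    # Pasting fullchain.pem (or chain.pem) into the certificate field is the classic mistake.
    if CERT_BLOCK.findall(cert) != [leaf]:
        raise ValueError("cert.pem is not exactly the first block of fullchain.pem")
    if "".join(CERT_BLOCK.findall(chain)) != intermediates:
        raise ValueError("chain.pem does not match the rest of fullchain.pem")
    if "PRIVATE KEY-----" not in privkey or "CERTIFICATE" in privkey:
        raise ValueError("privkey.pem should contain only a private key")
    return {"Private Key": privkey, "Public Key Certificate": leaf, "Certificate Chain": intermediates}


# Constructed stand-ins for the four files (placeholder bodies, not real certificates or keys).
def _cert(name: str) -> str:
    return f"-----BEGIN CERTIFICATE-----\n{name}\n-----END CERTIFICATE-----\n"


CERT_PEM = _cert("LEAF")
CHAIN_PEM = _cert("INTERMEDIATE-1") + _cert("INTERMEDIATE-2")
FULLCHAIN_PEM = CERT_PEM + CHAIN_PEM
PRIVKEY_PEM = "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"
```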
PGP certificates differ from X.509 certificates, as seen by the general public, in two ways:
PGP certificates are issued (signed) by normal people while the popular impression is that X.509 certificates must be issued by a professional CA, and
PGP implements a security fault tolerance mechanism, called the Web of Trust, that was designed to compensate for the fact that issuers were not specially protected or professional.
| Kind of Certificate | Certification Authority Characteristics | Kind of Identifier |
| --- | --- | --- |
| X.509 | Naming authority hierarchies; cross-certification; CPS | Global by original definition, but local in practice [X.500 Distinguished Name, chosen by and hopefully unique to the issuing CA] |
| PGP | Web of Trust = multiple paths of certification, to achieve fault tolerance in compensation for the fact that amateur certifiers are signing certificates | Global [e-mail name, globally unique (thanks to the Domain Name System) but maybe not persistent] |
| SPKI/SDSI | Single naming authority; no CPS necessary | Local [arbitrary] |
| SPKI without names | Authorization authority hierarchies; optional k-of-n subjects | Global [public key or hash of the public key, globally unique (thanks to mathematics) and persistent] |
A CSR or Certificate Signing Request is a block of encoded text that is given to a Certificate Authority when applying for an SSL Certificate. … It also contains the public key that will be included in the certificate. A private key is usually created at the same time that you create the CSR, making a key pair. … A certificate authority will use a CSR to create your SSL certificate, but it does not need your private key.
There’s no sensitive information in the CSR. It’s odd that a certificate authority asks you to send your CSR through email. … That means it’s safe to send this by email because what is important in a PKI infrastructure is the private key, that you must keep to yourself.
Can I reuse a CSR?
The short answer is that while yes, you can reuse the CSR, it doesn’t mean you should. … Yes, you will need a new CSR for the domain and your user name/password. Some web servers allow using an old CSR, but I recommend creating a new one.
How to remove a private key password using OpenSSL?
In some circumstances there may be a need to have the certificate private key unencrypted.
To remove the private key password follow this procedure:
Copy the private key file into your OpenSSL directory (or you can specify the path in the command line).
Run this command using OpenSSL:
openssl rsa -in [file1.key] -out [file2.key]
Enter the passphrase and [file2.key] is now the unprotected private key.
The output file: [file2.key] should be unencrypted. To verify this open the file using a text editor (such as MS Notepad) and view the headers.
Encrypted headers look like this:
-----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC, 6AC307785DD187EF... -----END RSA PRIVATE KEY-----
Unencrypted headers look like this:
-----BEGIN RSA PRIVATE KEY----- 6AC307785DD187EF... -----END RSA PRIVATE KEY-----
WARNING: Be aware that having an unencrypted private key adds a security risk by making it easier to obtain your private key if the private key file is stolen.
For more information on OpenSSL please visit: www.openssl.org
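As an added example (not part of the procedure above, nor code from the PuTTY or Serv-U docs quoted earlier), the inspector below automates the header check: it tells traditional OpenSSL PEM, PKCS#8, the newer openssh-key-v1 container and PuTTY .ppk files apart and reports whether each one is passphrase-protected. The sample files are constructed with placeholder bodies; only their headers are realistic.

```python
import base64
import re
import struct

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+?)-----\n(.*?)-----END \1-----", re.S)


def inspect_key(text: str) -> dict:
    """Report a private key file's container format and whether a passphrase protects it."""
    if text.startswith("PuTTY-User-Key-File-"):
        # PPK: line 1 is "PuTTY-User-Key-File-<ver>: <keytype>", then "Encryption: none|<cipher>".
        version = text.split(":", 1)[0].rsplit("-", 1)[1]
        m = re.search(r"^Encryption: (\S+)$", text, re.M)
        cipher = m.group(1) if m else "unknown"
        return {"format": f"putty-ppk-v{version}", "encrypted": cipher != "none"}
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("neither a PEM nor a PPK private key")
    label, body = m.group(1), m.group(2)
    if label == "OPENSSH PRIVATE KEY":
        # ssh-keygen's native container: base64 of "openssh-key-v1\0" + string(ciphername) + ...
        raw = base64.b64decode("".join(body.split()))
        if not raw.startswith(b"openssh-key-v1\x00"):
            raise ValueError("bad openssh-key-v1 magic")
        (n,) = struct.unpack(">I", raw[15:19])
        return {"format": "openssh-v1", "encrypted": raw[19:19 + n] != b"none"}
    if label in ("PRIVATE KEY", "ENCRYPTED PRIVATE KEY"):
        return {"format": "pkcs8", "encrypted": label.startswith("ENCRYPTED")}
    # Traditional PEM ("RSA/DSA/EC PRIVATE KEY"): openssl marks encryption with RFC 1421 headers.
    encrypted = re.search(r"^Proc-Type: 4,ENCRYPTED$", body, re.M) is not None
    return {"format": "pem-" + label.split()[0].lower(), "encrypted": encrypted}


def _openssh_v1(cipher: str) -> str:
    blob = b"openssh-key-v1\x00" + struct.pack(">I", len(cipher)) + cipher.encode()
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed samples: headers are realistic, key bodies are placeholders; nothing here is a real key.
SAMPLES = {
    "encrypted_pem": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                     "DEK-Info: DES-EDE3-CBC,6AC307785DD187EF\n\nQUJDRA==\n-----END RSA PRIVATE KEY-----\n",
    "plain_pem": "-----BEGIN RSA PRIVATE KEY-----\nQUJDRA==\n-----END RSA PRIVATE KEY-----\n",
    "plain_ppk": "PuTTY-User-Key-File-2: ssh-rsa\nEncryption: none\nComment: rsa-key\n",
    "encrypted_ppk": "PuTTY-User-Key-File-3: ssh-ed25519\nEncryption: aes256-cbc\nComment: ed\n",
    "openssh_plain": _openssh_v1("none"),
    "openssh_encrypted": _openssh_v1("aes256-ctr"),
}
```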
The methods available for authentication are: GSSAPI-based authentication, host-based authentication, public key authentication, challenge-response authentication, and password authentication. Authentication methods are tried in the order specified above, though PreferredAuthentications can be used to change the default order.
rsa: an old algorithm based on the difficulty of factoring large numbers. A key size of at least 2048 bits is recommended for RSA; 4096 bits is better. RSA is getting old and significant advances are being made in factoring. Choosing a different algorithm may be advisable. It is quite possible that breaking RSA will become practical in the foreseeable future. All SSH clients support this algorithm.
Public key authentication works as follows: The scheme is based on public-key cryptography, using cryptosystems where encryption and decryption are done using separate keys, and it is unfeasible to derive the decryption key from the encryption key. The idea is that each user creates a public/private key pair for authentication purposes. The server knows the public key, and only the user knows the private key. ssh implements the public key authentication protocol automatically, using one of the DSA, ECDSA, Ed25519 or RSA algorithms. The HISTORY section of ssl(8) contains a brief discussion of the DSA and RSA algorithms.
The user creates his/her key pair by running ssh-keygen. This stores the private key in ~/.ssh/id_dsa (DSA), ~/.ssh/id_ecdsa (ECDSA), ~/.ssh/id_ed25519 (Ed25519), or ~/.ssh/id_rsa (RSA) and stores the public key in ~/.ssh/id_dsa.pub (DSA), ~/.ssh/id_ecdsa.pub (ECDSA), ~/.ssh/id_ed25519.pub (Ed25519), or ~/.ssh/id_rsa.pub (RSA) in the user’s home directory. The user should then copy the public key to ~/.ssh/authorized_keys in his/her home directory on the remote machine. The authorized_keys file corresponds to the conventional ~/.rhosts file, and has one key per line, though the lines can be very long. After this, the user can log in without giving the password.
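An added example (not from the ssh man page) that audits an authorized_keys file against the key-size advice given for rsa above: it decodes each line's wire-format public key blob, reads the RSA modulus size and flags keys below 2048 bits, while tolerating the optional leading options field the man page alludes to. The sample file is constructed with synthetic blobs (fake moduli), not real keys.

```python
import base64
import struct

MIN_RSA_BITS = 2048  # the recommendation above: at least 2048 bits, 4096 better

def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data

def _mpint(n: int) -> bytes:  # SSH mpint is two's complement: a leading 0x00 keeps it positive
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def _read_string(blob: bytes, off: int):
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def parse_pubkey(blob: bytes) -> dict:
    """Decode the wire-format public key: string keytype, then type-specific fields (RSA: e, n)."""
    ktype, off = _read_string(blob, 0)
    info = {"type": ktype.decode()}
    if info["type"] == "ssh-rsa":
        _e, off = _read_string(blob, off)
        n, _ = _read_string(blob, off)
        info["bits"] = int.from_bytes(n, "big").bit_length()
    return info

def audit_authorized_keys(text: str) -> list:
    """One key per line, optionally preceded by an options field; flag RSA keys that are too short."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()  # simplification: option values containing spaces are not handled
        if not fields or fields[0].startswith("#"):
            continue
        idx = next(i for i, f in enumerate(fields) if f.startswith(("ssh-", "ecdsa-", "sk-")))
        info = parse_pubkey(base64.b64decode(fields[idx + 1]))
        info.update(line=lineno, options=" ".join(fields[:idx]), problems=[])
        if info["type"] == "ssh-rsa" and info["bits"] < MIN_RSA_BITS:
            info["problems"].append(f"RSA modulus is {info['bits']} bits, below {MIN_RSA_BITS}")
        findings.append(info)
    return findings

# Constructed sample authorized_keys: the blobs are synthetic (fake moduli), not real keys.
def _rsa_line(bits: int, options: str = "", comment: str = "user@host") -> str:
    blob = _ssh_string(b"ssh-rsa") + _mpint(65537) + _mpint((1 << (bits - 1)) | 1)
    return f"{options} ssh-rsa {base64.b64encode(blob).decode()} {comment}".strip()

ED25519_BLOB = base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(b"\x00" * 32)).decode()
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# keys for the deploy user (constructed)",
    _rsa_line(1024, comment="old-laptop"),
    _rsa_line(4096, options='from="10.0.0.0/8",no-agent-forwarding'),
    f"ssh-ed25519 {ED25519_BLOB} hardware-token",
])
```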
Beyond the most common use, remote login, the encrypted channel ssh provides can also be used to forward X11 connections, arbitrary TCP ports and UNIX-domain sockets.
ssh (SSH client) is a program for logging into a remote machine and for executing commands on a remote machine. It is intended to provide secure encrypted communications between two untrusted hosts over an insecure network. X11 connections, arbitrary TCP ports and UNIX-domain sockets can also be forwarded over the secure channel.
- ServerAliveInterval / keepalive probing to keep the connection alive
- ServerAliveCountMax / keepalive probing to keep the connection alive
-X Enables X11 forwarding. This can also be specified on a per-host basis in a configuration file.
X11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the user’s X authorization database) can access the local X11 display through the forwarded connection. An attacker may then be able to perform activities such as keystroke monitoring.
For this reason, X11 forwarding is subjected to X11 SECURITY extension restrictions by default. Please refer to the ssh -Y option and the ForwardX11Trusted directive in ssh_config for more information.
-Y Enables trusted X11 forwarding. Trusted X11 forwardings are not subjected to the X11 SECURITY extension controls.
- PuTTY : Convert “.pem” file to “.ppk” file
- Using the command-line connection tool Plink
- Converting OpenSSH and PuTTY style keys
- Why do you recommend using Putty over OpenSSH to connect to a git server from windows?
- Windows 10 SSH vs. PuTTY: Time to Switch Your Remote Access Client?
- What are those .pem files?
- SPKI/SDSI and the Web of Trust
- Is it typical to create both x509 and OpenPGP key pairs?
- How to remove a private key password using OpenSSL
-- EOF --