How can I use a PEM file in AWS again? - amazon-web-services

Currently, I am facing an issue related to AWS. A project is already uploaded on an AWS server and I always connect to that project by using the PEM key of that particular project. But since last week I am not able to connect to the AWS server by using the PEM key. I got one solution for this: by creating a new instance I will be able to get my access to the project back, but this will make me lose my whole data & database as a result. Did this occur due to a virus or anything else? Got stuck over here badly. Any help will be appreciated.

I think the authorized_keys file has some incorrect entries. Let's remove the key from the file and add it again.
Remove the host key:
ssh-keygen -R [hostname]
SSH again:
ssh -Tv ec2-user@example.com -i ~/mykey.pem

In order to use an existing EBS volume with data in a new EC2 instance, with a new SSH key:
Create a snapshot of the current instance's EBS, and create a volume.
Create a new instance with a new ssh key.
Stop the new instance and attach the previously created volume as the boot volume.
Start the new instance and you should be able to login with the new ssh key.

The log indicates that you do not have any networking issues. It is the ssh server on the instance that is rejecting your connection.
The first thing to confirm is that you are connecting to the correct Amazon EC2 instance. If an EC2 instance is stopped and started again, its public IP address might change (depending on how it is configured). Therefore, make sure that you are connecting to the right instance.
Next, confirm that you are using the correct username. You are using ubuntu@, which is correct if the instance is using an Ubuntu AMI. However, it is possible to create additional users on a Linux computer, and the PEM files are associated with specific users. Therefore, confirm that this is the correct username for use with that PEM file.
Next, confirm that you are using the correct PEM file. The PEM file should contain the private half of a keypair that matches the public half that is stored on the instance in the user's ~/.ssh/authorized_keys file. The log indicates that the instance is rejecting the provided keypair. Therefore, you might be using the wrong one.
Failing all this, there are some recommended steps available on: Walkthrough: Reset Passwords and SSH Keys on Amazon EC2 Instances - AWS Systems Manager
However, they might not work since you are using an Ubuntu instance, which might not have standard AWS software installed.
Let us know how you go!

Related

how to recover lost AWS .pem file and putty key, which are lost due to any virus

Yesterday I downloaded FileZilla; after the download, I got a warning message from my computer, and when I checked the download folder, all data had been deleted, including the PuTTY key and .PPM file. Could anyone explain to me please how I can recover these files?
Once you download an AWS PEM you can never re-download it again (this is for security purposes, in case your account was compromised).
Best practice would be to store anything of value in external storage, rather than on a single user's machine.
Unfortunately, as it stands, the instances will not be connectable over SSH without having a PEM. This isn't to say you have lost access to these instances, however.
If the individual host is not of importance or can be recreated very easily, you could simply create a new SSH key within AWS and launch new instances using this configuration. You can always create an AMI of the current instances to launch a new one that is identical, but specify your new SSH key when you launch.
If the hosts are important, contact AWS support to allow you to access the host via a terminal. Before accessing, generate a new private/public key and then add the public key to the host's .ssh/authorized_keys file once you have gained access.
The simplest solution would be to use Session Manager to allow you to access the host either via the console or the CLI.
For Session Manager, the instance's IAM role will need to grant permissions, as well as the agent having been previously installed.

Download EC2 instance contents with only aws login info and no pem key

I've been given access to an AWS account and asked to extract all the data stored on it so that it can be deleted. My issue is that I don't have a PEM key because I didn't create the instance; the only thing I have is the email and password of the AWS account itself.
I know there is data stored on an EC2 instance and on S3.
I've tried logging in using the browser-based SSH that is an option when you select Connect for an instance, but I get the error "There was a problem setting up the instance connection" and a retry button, but retrying does nothing.
I don't have access to the PEM key because I didn't set up the instance, and the person that set up the instance can't send it to me because I don't have their contact info.
Everything I try to connect doesn't work because I'm missing the PEM key.
Any ideas? Or any ideas how to pull the data from a server (that wasn't set up with version control, so I can't do that either) without being able to SSH into it?
If the data is stored on an EBS volume you can detach it from the existing instance and attach it to a new instance, for which you have the key. Otherwise I don't think you are going to be able to get it.
I'm a little confused by "the person that set up the instance can't add me to it." A PEM isn't something you have to be added to. If you have it you can use it. Is there a reason that person can't share it with you?

I cannot connect to my AWS EC2 instance via SSH clients

Please help me! After rebooting my EC2 server, I cannot connect to the new AWS EC2 instance via SSH clients.
It just prints
'Permission denied (publickey).'
I googled really hard. Most people said that it is a problem with the username. 3 hours ago, I used 'ec2-user' as my username. Just minutes ago, I also used the username 'ec2-user'. But after rebooting my EC2 server I cannot connect with my username 'ec2-user'. What the hell?
Please help me T.T
User: tried "root" and also "ec2-user", "admin" but still I cannot connect
Using .pem keypair that AWS generated and I downloaded
Confirmed security group and Key Pair Name on instance
Instance: ec2-52-78-40-153.ap-northeast-2.compute.amazonaws.com
AMI ID: amzn-ami-hvm-2016.09.0.20161028-x86_64-gp2 (ami-983ce8f6)
OS: OS X el capitan
The fact that you are receiving Permission denied (publickey) means that you have correct network connectivity to your instance and the Security Group is permitting SSH traffic. Therefore, the problem lies with authentication.
Some things to check:
Use ssh -v to turn on verbose debug information
Select the instance in the Amazon EC2 Management Console and look for the Key Pair name. Confirm that it matches the name of the file you are using. (The filename itself is irrelevant, but will be accurate unless files were renamed.)
If you have added/modified users on the instance, you might need to use a different username. If you have not changed users, then ec2-user is the correct username.
If you are unable to connect, then you can follow the directions from pages such as:
How to Recover an Unreachable Linux Instance
Recovering a corrupted EC2 instance
Replace a lost Key Pair on an EC2 instance
Basically, the steps are:
Stop the instance
Detach the boot volume (remember the device identifier, eg /dev/sdf)
Attach the instance to another Amazon EC2 Linux instance
Navigate to the /home/ec2-user/.ssh directory and confirm that the correct public key is inserted into the authorized_keys file. If desired, create a new keypair and put the public key in that file.
Detach the volume
Reattach the volume to the original instance
Start the original instance and attempt to login
Basically, Linux will check the .ssh/authorized_keys file in the home directory of the user logging in. If additional users have been created, put their keys in the same location within their home directories.

Restricting access to users with keypair: The .pem conundrum

Here's my issue
I have an EC2 instance on AWS running Ubuntu Server. During the initial launch of the instance, I generated the key pair by going to AWS console --> Key Pairs --> Create key pair. It generated a key abcxxxx.pem and I have saved it.
Here's where the issue starts
I head a project where multiple developers come on and off. Without too much thought, I distributed my .pem file to 2-3 developers. They have left the project since and I want to restrict AWS access to only active developers. Basically I don't want the 2-3 developers (with the .pem file) to access my machine.
For all the new developers (I no longer distribute the .pem file), I give access to the AWS machine by pasting their public key in /home/ubuntu/.ssh/authorized_keys. This gives them access to the machine.
My two questions are as follows
How can I restrict access to people who already have .pem file?
Will deleting their public key from /home/ubuntu/.ssh/authorized_keys make a difference? NOTE: I still have the key and only I have access to the AWS console.
How are the new developers able to access the AWS machine without a .pem file? (The only thing I do is paste their public key in the authorized_keys on AWS.)
How do I implement a system where I have sole access and I deal with developers coming on/off the project?
All users (including me) whose public key is in the authorized_keys on the AWS machine can log in without a .pem file. How is this possible? Doesn't everyone need a .pem file to SSH in?
I'm really confused about this key-pair business (what's the role of the .pem file?) and other posts online don't seem to help (even AWS support). Most posts online address scenarios where you lose the key and you have to launch a new instance etc. etc. I contacted AWS support and they just sent me this link. I don't understand how this helps.
Any solution/elaborate answer will be really helpful.
For the most part, your question is really about how to administrate users and SSH on Ubuntu. The keypair that you generated using the console is only used when the instance first launches. It is always available via instance metadata; you can see that by running the following command from the shell on the EC2 instance:
$ curl http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key
which outputs:
ssh-rsa ...blah blah blah...
When your EC2 instance first launched, this key was copied into /home/ubuntu/.ssh/authorized_keys because the Ubuntu AMI you're using is set up to do that. But that's just a convention. That's the only time that the key will get automatically copied anywhere, so from there on out you can manage the authorized_keys file however you like.
Regarding your specific questions,
If the original public key you created on the console is still in authorized_keys, then anyone who has the corresponding PEM file can still log in. To correct this, you would need to carefully remove that key from the authorized_keys file (for example, first making absolutely sure that you can log in with a different key).
While they may not have the PEM file you downloaded from the AWS Console, they must somehow have gotten the PEM file (or some rough equivalent) for one of the public keys that you added to authorized_keys.
There are lots of different ways. As mentioned above, it's more of a matter of how you want to administrate users under Ubuntu. Since you seem to want to retain control over the machine, you could create user accounts for each of the developers to log into, and then give them limited rights to use sudo in certain cases (assuming they need that at all). You could then revoke these accounts whenever you wanted.
My understanding is that there are just many different ways to provide the equivalent of a PEM file to ssh, and somehow you (and your developers) must be doing that. I'd recommend perusing the ssh documentation.
I hope this helps!
Taking a stab at this:
1) You cannot remove the key from authorized_keys without losing access yourself to the server. The public key in there proves to the server that you are who you say you are when you auth to the server via SSH using the pem.
2) For the new developers, they do pass in a key when they SSH to the machine. It's just their key and it's implicitly passed in, vs. the key you've used to spin up the machine. The presence of their public key in the authorized_keys signals to the server that they are authorized to access the machine once their SSH client proves it has the private key that matches the public key in the authorized_keys file.
3) I would just create additional users on the box and set them up for passwordless login by setting up /home/newusername/.ssh/authorized_keys pretty much the same way you set it up for the ubuntu user today. When they leave the project, just disable and/or delete the accounts.
4) It's possible to log in without specifying a pem, but you still specify a key. To see the key exchange and how the auth takes place, do "ssh -vvv user@machinename" and you will see the whole SSH dialogue. When you don't specify a key, the SSH client will look for one in a couple of predefined locations. You will see the client attempt to use each of these keys (you're probably picking something up from ~/.ssh/id_*). A pem is not a magic file. It's just keys (it may contain a public key, a public and a private key, or a public key and the whole cert chain).
I would recommend you read up on public/private key crypto to understand how it works.
https://en.wikipedia.org/wiki/Public-key_cryptography
https://www.youtube.com/watch?v=svRWcx7dT8g
https://staff.washington.edu/dittrich/misc/ssh/

How to secure an AWS EC2 instance when the SSH key is compromised or lost

I'm essentially an AWS noob.
I had a developer set up an EC2 instance with a load balancer to host a node.js-based API. He has now moved on from the company but he still has the private key to log in, if he wanted to. I want to change the keys.
From what I have read, I need to relaunch the instance to get a new key pair. However, if I do this, will I lose all the node packages and other SW that has been installed on the current instance? What will happen with the load balancer? Do I need to update my DNS info to point to the new IP?
(Once situated, this time around I will create multiple key pairs for the devs to use.)
Thanks,
Steve
EDIT: Yes, I do have the private key and can do everything I need to. I just want to make sure HE no longer has access.
Take an AMI of the current instance for backup purposes. This will reboot the instance but it will keep the existing IP. You do not need to remove it from your ELB. You may need this AMI if you cannot connect back in after changing the key.
Login as the root user, with the existing key.
From the shell, run the following commands:
$ ssh-keygen -t rsa -b 2048 -f user - this generates a new key pair
$ sudo su - - if needed
$ cp /home/ubuntu/.ssh/authorized_keys /home/ubuntu/.ssh/authorized_keys.bak - backup the existing public key
$ mv user.pub /home/ubuntu/.ssh/authorized_keys - this replaces the existing public key in the authorized_keys file
$ chmod 600 /home/ubuntu/.ssh/authorized_keys - Change permissions on the file
Copy the private key (file called user) generated from the $ ssh-keygen command to your local machine and delete it from the instance.
Connect to the instance with the new private key to confirm. IMPORTANT: Keep the existing ssh session open and create a new session with the new key.
If you have any problems on step 10 you still have access to the existing session to troubleshoot.
As for cleanup, make sure to remove the old key pair from the AWS console, and invalidate any credentials IF(!) they are not required for the existing services to run. If you granted the developer root access to your AWS console, you should reset those credentials.
NOTE: These steps assume an Ubuntu installation. If you are using any other Linux type, replace ubuntu with the correct AWS username:
Amazon Linux: ec2-user
Ubuntu: ubuntu
Debian: admin
RHEL 6.4: ec2-user
RHEL 6.3: root
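The key-rotation steps above, and the authorized_keys questions in the .pem conundrum thread earlier on this page, come down to editing one file without locking yourself out. The following is an added example (not code from any of the answers) that adds a new developer's entry and revokes the entry behind the shared .pem while refusing to leave the file with no usable key; it assumes each key is supplied as its public-key line (for a .pem you still hold, `ssh-keygen -y -f key.pem` prints that line), and the sample authorized_keys content is constructed.

```python
# Added example; keys are public-key lines (ssh-keygen -y -f key.pem for a .pem).
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

def parse_entry(line):
    """Return (keytype, blob) for one authorized_keys line, else None."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None
    # An options prefix such as from="10.0.0.0/8",no-pty may precede the type.
    for i, field in enumerate(fields):
        if field in KEY_TYPES and i + 1 < len(fields):
            try:
                return field, base64.b64decode(fields[i + 1], validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                return None
    return None

def fingerprint(blob):
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def add_key(text, pubkey_line):
    """Append a developer's key line unless the same blob is already present."""
    new = parse_entry(pubkey_line)
    if new is None:
        raise ValueError("not a valid public key line")
    if any(parse_entry(l) == new for l in text.splitlines()):
        return text
    return text + pubkey_line.strip() + "\n"

def revoke_key(text, pubkey_line):
    """Drop every entry matching pubkey_line; refuse if no usable key would remain."""
    old = parse_entry(pubkey_line)
    if old is None:
        raise ValueError("not a valid public key line")
    kept = [l for l in text.splitlines() if parse_entry(l) != old]
    if len(kept) == len(text.splitlines()):
        raise ValueError("key %s is not present" % fingerprint(old[1]))
    if not any(parse_entry(l) for l in kept):
        raise ValueError("refusing: no usable key would remain")
    return "\n".join(kept) + "\n"

def ed25519_line(raw32, comment):  # constructed sample line from 32 raw bytes
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw32
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode(), comment)

# Constructed sample: the launch key behind the shared .pem plus one developer entry.
LAUNCH_KEY = ed25519_line(bytes([1]) * 32, "abcxxxx")
DEV_KEY = ed25519_line(bytes([2]) * 32, "dev@laptop")
SAMPLE = "# managed by hand\n%s\nfrom=\"10.0.0.0/8\",no-pty %s\n" % (LAUNCH_KEY, DEV_KEY)
```

Run it against a copy of /home/ubuntu/.ssh/authorized_keys, keep the existing SSH session open, and confirm a login with the new key before writing the result back, as the steps above say.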
You can create a new Key Pair without creating a new EC2 instance http://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-key-pairs.html#having-ec2-create-your-key-pair
It still looks like you need to launch a new instance of EC2 (which creates a new key), but if you use the same volume(s) or snapshots to create duplicate volumes you shouldn't have to reload any Software.
https://forums.aws.amazon.com/message.jspa?messageID=245314
As for DNS, I would point it to the load balancer; that way you can add/remove servers from the pool without DNS changes. Otherwise, assign an Elastic IP to the server; that way you can move the Elastic IP to the next server without changing DNS each time. Moving an Elastic IP is instant, whereas DNS takes time to replicate through the network. Hope that helps.
So, I have resolved this issue myself, and I'm posting what I did in case it helps anyone else.
On my local machine I made a new 2048-bit RSA key pair (a new pair can also be generated on AWS).
Import the new public key in the Amazon console.
Create an AMI of the running instance.
Launch a new (Ubuntu Linux) instance of that AMI, and point it to the newly uploaded public key for login.
Once the instance is up, update the load balancer or DNS entries to point to the new instance, as appropriate.
Start whatever software the server is intended to run.