I have successfully created infra on AWS using boto3, where I created "MyKeyPair".
Now, when I try to use the import keypair feature under "EC2 -> Network & Security", it is asking for the public part of the key to download.
I have the private part of the key printed on the terminal; where can I find the public key part?
Regards
Surya
The public key is part of the private key file.
Save your private key and name it "privkey.pem" or anything you want.
AWS wants the public key in SSH format. This command will extract the public key:
ssh-keygen -y -f privkey.pem > pubkey.pub
Now you can upload pubkey.pub using the console or the CLI.
aws ec2 import-key-pair --key-name "MyPublicKey" --public-key-material file://pubkey.pub --region 'us-west-2'
Of course, modify the command line with your key name, filename and region.
This worked for me:
ssh-keygen -m PEM -f key.pem
ssh-keygen -y -f key.pem > key.pem.pub
aws ec2 import-key-pair --key-name AwsKeyName \
--public-key-material $(openssl enc -base64 -A -in key.pem.pub)
I have the following challenge.
A private SSH key is stored in AWS Secrets Manager as a secret.
Now I want to get this secret with the CLI and use it directly in ssh-keygen to get the corresponding public key.
ssh-keygen can do that with the -y parameter, but it has to get a file as input.
Now the problem is that the output is not usable when I pipe it to a file OR to stdin.
Examples:
Doesn't work:
ssh-keygen -yf /dev/stdin <<<$(aws secretsmanager get-secret-value --secret-id <secretname> --region <secret> --output text --query SecretString)
Nor this:
aws secretsmanager get-secret-value --secret-id <secretname> --region <secret> --output text --query SecretString > tempfile.key
chmod 600 tempfile.key
ssh-keygen -yf tempfile.key
Both commands result in an interactive "Enter passphrase" prompt (the key has no passphrase, so it seems that the contents are messed up).
When I copy/paste the output manually into a file and use that file, it works.
So, what's my problem here?
Many thanks in advance and Greetings,
JP
UPDATE:
vimdiff shows me a difference in whitespace, but I have no clue how to solve this :-(
Can anyone explain why I cannot connect to my ec2? I have tried to solve the problem by myself but without success.
Firstly, created the key :
aws ec2 create-key-pair --key-name mykeys --region eu-central-1 --output text > mykeys.pem
Then created ec2 instance:
aws ec2 run-instances --image-id ami-06ec8443c2a35b0ba --count 1 --instance-type t2.micro --key-name mykeys --security-group-ids sg-xxx --subnet-id subnet-xxx
Every now and then I get permission denied when trying to connect to the EC2 instance:
The authenticity of host 'ec2-18-185-248-81.eu-central-1.compute.amazonaws.com (18.185.248.81)' can't be established.
ED25519 key fingerprint is SHA256:SbRamk5HTetJT6ysgqq3MLdsUU6Ehi/kYRWXtgwS3q4.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'ec2-18-185-248-82.eu-central-1.compute.amazonaws.com' (ED25519) to the list of known hosts.
Load key "mykeys.pem": invalid format
ec2-user@ec2-18-185-248-81.eu-central-1.compute.amazonaws.com: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
It also isn't possible to connect via EC2 Instance Connect from within AWS:
ec2-user@ec2-3-67-176-40.eu-central-1.compute.amazonaws.com: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
Is it possible that the key was created wrongly?
Load key "mykeys.pem": invalid format
Try checking step by step how you create the pem.
In your CLI command, it seems --query is missing.
Create pem:
aws ec2 create-key-pair \
--key-name mykeys \
--query "KeyMaterial" \
--output text > mykeys.pem
Permission change:
chmod 400 mykeys.pem
(Create the EC2 instance with the pem.)
Connect via ssh:
ssh -i mykeys.pem ec2-user@<YourServerIP>
Does this help:
https://sjsadowski.com/invalid-format-ssh-key/
While literally true, it is a pretty poorly written error message. What it actually means is that the key is a deprecated format, and
what it does not tell you is that in the future the format will become
completely unsupported.
The solution here is to replace your rsa-sha1 keys with either ecdsa
or ed25519 keys, distribute those keys, and then remove the old ones.
The problem on AWS is that when you generate a key pair, it is still
rsa-sha1 format, and while you can upload rsa-sha2 keys, ecdsa or
ed25519 keys are not acceptable. There are questions about this going
back to 2017 on the AWS forums, asking about other key formats.
How to solve this?
# I used this command to create the key with a password
$ ssh-keygen -b 2048 -t rsa -C "awsfrankfurt" -f ~/.ssh/awsfrankfurt
# Then when I try to import it into AWS EC2, the error appears:
$ aws --region eu-central-1 ec2 import-key-pair \
--key-name "awsfrankfurt" \
--public-key-material ~/.ssh/awsfrankfurt
An error occurred (InvalidKey.Format) when the ImportKeyPair operation:
Key is not in valid OpenSSH public key format
AWS only supports RSA keypairs; it does not support DSA, ECDSA or Ed25519 keypairs. If you try to upload a non-RSA public key you will get this error.
This is documented here:
Amazon EC2 does not accept DSA keys. Make sure your key generator is
set up to create RSA keys.
The error message is misleading, as you can upload a valid non-RSA key and get the error:
Error import KeyPair: InvalidKey.Format: Key is not in valid OpenSSH public key format
This answer should be useful for people who find this page after searching for this error message.
Create your key and then when calling aws's --public-key-material argument, call it with file:// in front of your key path.
Example:
$ aws --region eu-central-1 ec2 import-key-pair \
--key-name "awsfrankfurt" \
--public-key-material file://~/.ssh/awsfrankfurt # <-- this
This is a weird issue, because the file:// prefix is usually used for Windows, but here with aws it applies to Unix-based terminals as well.
I ran into the same situation when I was creating an aws keypair using pulumi. Strangely, it worked when I used the content of the public key rather than the .pub file.
So here is what I changed in my code.
from :
aws.ec2.KeyPair("keypair", public_key="~/.ssh/mykey.pub")
to:
aws.ec2.KeyPair("keypair", public_key="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC9u37J5tfzmeA8INBCcFSPKnUN8GIjYFdPOOCn8AjUC5iTJX/7TWd3pZ42Z++RCIlvBvKkH7LL1p")
Changed from the path to the .pub file to the content of the .pub file.
The official documentation on Importing Your Own Key Pair to Amazon EC2 is lacking in details on how to programmatically generate and import a key pair.
How to do it best?
Create the key pair (max 2048 bits):
ssh-keygen -t rsa -b 2048 -C "ec2@aws" -N "" -f ec2_ssh
chmod 400 ec2_ssh*
Import public key to EC2:
aws ec2 --region=eu-west-1 import-key-pair --key-name ec2_ssh --public-key-material "file://ec2_ssh.pub"
The file://... feature is not mentioned for this command, but it is described here.
Sources:
AWS CLI Reference
Uploading Personal ssh Keys to Amazon EC2
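Added example, not code from any of the answers above: a POSIX sh pre-flight that ties together the whitespace problem with key material fetched from Secrets Manager, the private-key-instead-of-public mistake behind InvalidKey.Format, the file:// prefix, and checking the fingerprint EC2 reports after import. It assumes ssh-keygen, openssl and the aws CLI are installed, and the fingerprint comparison applies to imported RSA keys as AWS documents it (MD5 over the DER-encoded public key).

```shell
#!/bin/sh
# Added example: pre-flight checks around `aws ec2 import-key-pair`.
# Tool invocations follow the answers above; nothing here is AWS's own code.

# Key material from Secrets Manager or copy/paste often differs only in
# whitespace: drop CRs, trailing spaces per line and blank lines.
normalize_key_material() {
  printf '%s\n' "$1" | tr -d '\r' | sed -e 's/[[:space:]]*$//' -e '/^$/d'
}

# Tell a private key, an OpenSSH public line and an RFC 4716 block apart,
# so a private key (the InvalidKey.Format case) never gets uploaded.
classify_key_material() {
  case "$(printf '%s\n' "$1" | head -n 1)" in
    "-----BEGIN "*)                     echo private ;;
    "ssh-rsa "*|"ssh-ed25519 "*)        echo openssh-public ;;
    "---- BEGIN SSH2 PUBLIC KEY ----"*) echo rfc4716-public ;;
    *)                                  echo unknown ;;
  esac
}

# ssh-keygen -y needs a file: write the normalized private key to a 0600
# temp file, derive the public line, and remove the file whatever happens.
derive_public_key() {
  tmp=$(mktemp) || return 1
  chmod 600 "$tmp"
  normalize_key_material "$1" > "$tmp"
  rc=0
  ssh-keygen -y -f "$tmp" || rc=$?
  rm -f "$tmp"
  return "$rc"
}

# Local MD5 fingerprint of the public key in DER form, which is what EC2
# reports for an imported RSA key (assumption: per AWS's fingerprint docs).
local_import_fingerprint() {  # $1 path to .pub file
  ssh-keygen -e -f "$1" -m PKCS8 | openssl pkey -pubin -outform DER \
    | openssl md5 -c | awk '{print $NF}'
}

# Import with the file:// prefix and print the fingerprint EC2 computed;
# compare it with local_import_fingerprint "$2" to confirm the right key landed.
import_public_key() {  # $1 key name, $2 path to .pub file, $3 region
  [ "$(classify_key_material "$(cat "$2")")" = openssh-public ] || return 2
  aws ec2 import-key-pair --region "$3" --key-name "$1" \
    --public-key-material "file://$2" --query KeyFingerprint --output text
}
```

A mismatch between the two fingerprints means the material uploaded is not the key you derived locally; delete the key pair and re-import before launching anything with it.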
I'm trying to set up an sftp only user for my Amazon EC2 instance. Good tutorial on this here.
I am having a bit of trouble at this step:
Using the AWS Management Console, generate a new key pair for the third-party user.
Using puttygen, import the new key (keyname.pem) and copy its public key.
On the server, create the .ssh directory for the new user:
sudo mkdir /home/newusername/.ssh
Paste the public key into /home/newusername/.ssh/authorized_keys.
Creating the key in the AWS Management Console is no problem. It allows me to download and save the private key. I understand the next step to mean: import the key from my EC2 instance to my local machine, copy the public key, and then paste it into the specified file.
The question is, how do I import the keypair using PuttyGen and copy the public key on my local machine? Will it be a separate file from the private key?
PS both my local machine and ec2 instance are Ubuntu 12.04
Using puttygen is one way of doing it, but I believe it's just easier to use ssh-keygen from a Linux box to generate the private/public key pair.
From a linux box as 'root':
$ adduser myuser
$ su - myuser
$ ssh-keygen -t rsa
Your private/public key pair will be /home/myuser/.ssh/id_rsa (private) and /home/myuser/.ssh/id_rsa.pub (public)
Now just paste the content of id_rsa.pub into /home/myuser/.ssh/authorized_keys in the machine where you are running your sftp server. Make sure the authorized_keys file has 600 permissions.