Password protect a pem file - amazon-web-services

I'd like to SSH into my EC2 instance with a password protected pem file. How do I password protect a pem file? I've done this in the past but can't remember how I did it. I took a pem file generated by AWS and ran some command on it and it generated something that looked like this:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,<BlahBlahBlah>
<encrypted stuff is here>
-----END RSA PRIVATE KEY-----
Then when I SSH into the box, I'm specifying my password-protected pem file and it asks me to enter the password before decrypting and SSHing in.
I found this: https://martin.kleppmann.com/2013/05/24/improving-security-of-ssh-private-keys.html
Which tells me to use this command
ssh-keygen -t rsa -N 'super secret passphrase' -f test_rsa_key
But the resulting encrypted file (that has the correct header I'm looking for) doesn't seem to work. I'm getting "Permission denied (publickey)." when I try to ssh using that encrypted pem file. I am able to SSH into the box with the unencrypted pem file.

It is because the command you are using generates a new key pair instead of protecting your existing private key.
Try using -p option of ssh-keygen
ssh-keygen -p -f my_private_key
It will prompt you for passphrase and protect your private key.
Enter new passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved with the new passphrase.
Now if you use my_private_key in ssh, it will prompt for passphrase and it will succeed.
-p Requests changing the passphrase of a private key file instead of creating a new private key. The program will prompt for the file containing the private key, for the old passphrase, and twice for the new passphrase.
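As an added example (not part of the answer above), the following script runs the `-p` step non-interactively on a throwaway key and then checks the two things that matter here: the file gains the "Proc-Type: 4,ENCRYPTED" / "DEK-Info: AES-128-CBC" header from the question, and the public half is unchanged, which is why the authorized_keys entry on the instance keeps working (and why a freshly generated pair with `-t rsa -N` did not). It assumes ssh-keygen is on PATH; the key file name and the passphrase are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the answer above): put a passphrase on an EXISTING
# private key with `ssh-keygen -p`, then prove the public half is unchanged, so
# the authorized_keys entry on the instance keeps working. Assumes ssh-keygen is
# on PATH; the key file and passphrase below are constructed for the demo.

# protect_existing_key KEYFILE PASSPHRASE
# Prints "encrypted" on success, a short failure reason otherwise.
protect_existing_key() {
    key="$1"; pass="$2"
    # Public key before: "type base64" only (the comment field is dropped,
    # because a PEM private key does not store one)
    before=$(ssh-keygen -y -P "" -f "$key" | awk '{print $1" "$2}') || return 1
    # -p changes the passphrase in place instead of generating a new pair;
    # -m PEM writes the traditional format that carries the
    # "Proc-Type: 4,ENCRYPTED" and "DEK-Info: AES-128-CBC,..." header lines
    ssh-keygen -q -p -m PEM -P "" -N "$pass" -f "$key" >/dev/null \
        || { echo "keygen-failed"; return 1; }
    after=$(ssh-keygen -y -P "$pass" -f "$key" | awk '{print $1" "$2}')
    [ "$before" = "$after" ] || { echo "public-key-changed"; return 1; }
    grep -q '^Proc-Type: 4,ENCRYPTED' "$key" || { echo "header-missing"; return 1; }
    # The key must no longer open without the passphrase
    if ssh-keygen -y -P "" -f "$key" >/dev/null 2>&1; then
        echo "still-unprotected"; return 1
    fi
    echo "encrypted"
}

# demo_protect: make a throwaway unencrypted RSA key (what AWS hands you),
# protect it and report the outcome. Prints "skipped" when ssh-keygen is absent.
demo_protect() {
    command -v ssh-keygen >/dev/null 2>&1 || { echo "skipped"; return 0; }
    dir=$(mktemp -d) || return 1
    ssh-keygen -q -t rsa -b 2048 -N "" -C "constructed-demo-key" \
        -f "$dir/demo.pem" >/dev/null
    result=$(protect_existing_key "$dir/demo.pem" "correct horse battery staple")
    rm -rf "$dir"
    echo "$result"
}

demo_protect
```

Drop `-m PEM` if you are happy with the newer "BEGIN OPENSSH PRIVATE KEY" container; the passphrase protection is the same, only the header differs from the one in the question.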

You can install and use puttygen:
sudo apt install putty
And to generate your key protected, execute this:
puttygen KEY_PAIR_PRIVATE.pem -O private-openssh -o KEY_PAIR_PRIVATE.key -P
The -P option sets a new passphrase on the private key.
P.S: You will probably need to set a permission to use the key, like this:
sudo chmod 600 KEY_PAIR_PRIVATE.key
And finally you can access your aws instance safely:
ssh -i KEY_PAIR_PRIVATE.key ubuntu@IP_EC2_INSTANCE_OR_HOSTNAME

Related

Changing EC2 pem file key pair when you have access to the EC2 instance

Thank you for your time.
I have an EC2 instance, but for security reasons I need to change the pem files associated in .ssh/authorized_keys. I do understand that the public pem file goes into authorized_keys.
I do not want to mount the volume of the ec2 instance to a new one. I am considering as a last option since I do have access to the EC2 instance.
How can this be done?
I have tried:
This post, Change key pair for ec2 instance, the answer by Pat Mcb, but no luck.
Run this command after you download your AWS pem.
ssh-keygen -f YOURKEY.pem -y Then dump the output into
authorized_keys.
Or copy pem file to your AWS instance and execute following commands
chmod 600 YOURKEY.pem and then
ssh-keygen -f YOURKEY.pem -y >> ~/.ssh/authorized_keys
But that didn't work for me. If I follow it exactly (download the AWS key pair key, and follow the instructions by copying the key when SSHed into the instance), when I do ssh-keygen -f YOURKEY.pem -y >> ~/.ssh/authorized_keys it asks for a passphrase (never had to input one).
What I am doing is the following.
I create a new key with
ssh-keygen newpem.pem
and the .pub file i copy it in .ssh/authorized_keys
Can someone explain what I am doing incorrectly?
Note the authorized_keys file has the correct permissions.
Seems like you want to deprecate the old key and use a new key instead. These steps may help you -
Create a new key pair using the aws console and download it onto your system.
Retrieve the public key from the private key(.pem) file using the command - "ssh-keygen -y"
SSH into the instance using the old key.
Once you have access to the instance add the public key you got in step 2 into the "~/.ssh/authorized_keys" files and then save the file.
Log out of the instance and then try accessing the instance with the new key.
Hope it helps. Thank You !
You don't even need to do all of this; just mind a few things. With AWS EC2 you get a private key for default users, like ec2-user, ubuntu etc.
You are doing the right step
ssh-keygen -t rsa -C "your_email@example.com"
If it asks for entering any passphrase, leave it blank.
Just press Enter to accept the default location and file name. If the .ssh directory doesn't exist, the system creates one for you.
Enter, and re-enter, the passphrase if prompted.
You have that key now.
Copy that key
Login to your Ec2 server.
sudo su
vim ~/.ssh/authorized_keys
paste the key.
:wq!
You'll see a key there copy it and save it as a backup somewhere.
Now paste your newly generated key in that file
and save the file.
now final step to take care is the permission, so run the following command.
sudo chmod 700 .ssh && chmod 600 .ssh/authorized_keys
Now you're good to go.
Following are the steps to change your keypair on AWS EC2.
Login to AWS Console. Go to the Network and Security >> Keypair.
Give the name of your keypair (mykeypair) and key type (RSA) and private key format (.pem), and click on "create keypair". It will ask you to download the .pem file to your local machine. Save it and remember the location.
Login to your EC2 instance and go to the .ssh location. Create a new file called mykeypair.pem and paste the content from the file we downloaded in step 2.
Run the command: sudo chmod 600 mykeypair.pem
Run the command: ssh-keygen -f mykeypair.pem -y and it will generate some content. Copy that content. Open the file called authorized_keys and remove all the content from it.
Paste the copied content that we have generated in the previous step. Also enter your file name (mykeypair) at the end, after a space.
Reboot your instance. Go to puttygen and generate the .ppk file using the pem file you have downloaded from the keypair. You will be able to login to your ec2 with the newly generated .ppk from putty.
Okay I figured out my problem. First of all I had been hacked by a hacker apparently because I didn't know that permitpasswordlogin: yes DISABLES pubkey authentication.... I thought it was additional security. So I used a very loose password that could be easily guessed. Anyways, I believe this because I went to the root folder and found that there was actually a new key in the root named "el patrono 1337" which actually means "the master/boss" in Spanish... LOL. Anyways... So I changed that back to my secure key (made a new one actually) and then I went to login as ec2-user and couldn't, but could as root. Was driving me crazy for 30 minutes or so until I realized I had accidentally changed the owner of my ec2-user folder to root and therefore ssh was not searching the ec2-user .ssh/authorized_keys when I tried to log in. Wow very glad that's over lol. And just FYI guys I don't think the hacker installed anything malicious, but I did get tipped off that he tried to ssh into other people's servers (who claim they get attacked by ssh a lot according to the aws abuse report) from my machine. I'm running a very simple website with zero sensitive data etc. He didn't even block me out of the machine by disabling password authentication (I guess he didn't want me to know?). I will build a new instance from scratch next time I want to add anything (will be pretty soon) just to be on the safe side.

rsa public key No such file or directory?

I'm trying to follow along the Upskillcourses.com web dev online course. In lesson 11 I'm supposed to link up cloud9 to github.
I'm trying to get the SSH key. But it's not working:
ec2-user:~/environment $ cat ~/.ssh/id_rsa.pub
cat: /home/ec2-user/.ssh/id_rsa.pub: No such file or directory
I've copied it exactly like the instructor did. I'll be honest in that I don't really know what I'm doing or how to fix. Seems like no one else is having this problem. Thanks for any help
Use ssh-keygen to create a default ssh key pair, for now without passphrase:
ssh-keygen -t rsa -C "MyEmailAddress" -f ~/.ssh/id_rsa -P ""
Then any ssh command will use by default that key.
First, check for existing SSH Key using the following command:
ls -al ~/.ssh
Check the directory listing to see if you already have a public SSH key. By default, the filenames of the public keys are one of the following: id_xxxx.pub (ex: id_rsa.pub). If you don't have an existing public and private key pair, create one using this command:
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
This creates a new ssh key, using the provided email as a label. When you're prompted to "Enter a file in which to save the key," press Enter. This accepts the default file location. At the prompt, type a secure passphrase.
If you see an existing public and private key pair listed that you would like to use to connect to GitHub, or once you are done with the above key generation step, you can add your SSH key to the ssh-agent with the following commands:
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_rsa (Add the -K option if on macOS, as it will add the passphrase to your keychain when you add an ssh key to the ssh-agent.)
Source: https://docs.github.com/
This happened to me when I was simply in a directory other than the one where the SSH key was.
In order to fix this: you need to check the path to the directory where the SSH key was saved. Scroll up to where you created the key and you should see:
Your public key has been saved in /Users/userlocation/.ssh/id_rsa.pub
Now check your working directory:
pwd
If your working directory is different from the one that holds the SSH key, change the directory:
cd /Users/userlocation #find yours!
and then run the command (slightly changed):
cat .ssh/id_rsa.pub
This worked for me! (Remember to run ssh-keygen first!)

Amazon EC2 replace old pem file with a new pem file

After taking over a server on EC2 I was given a PEM file to access the instance. For security reasons I would like to generate a new PEM file now, but it looks like you can't create new Key Pairs without creating a new instance. Is there anyways to create a new PEM file?
Assuming Linux, use ssh-keygen to create a new key pair. Let us say new.pem and new.pub
Now ssh into the instance with your old.pem. Open 2 or 3 sessions with the old.pem just in case the new pem fails. Assuming your username is ubuntu
cd /home/ubuntu/.ssh
Make a copy of the existing authorized_keys file
Now open authorized_keys and replace its contents with new.pub
Save authorized_keys
Now ssh into the instance with new.pem
If ssh is successful, then you can use the new.pem from now on and the old.pem is no longer valid. If ssh is not successful, restore the old authorized_keys file in one of the backup sessions and start again from step 1.
Login in to system using the existing key.
$ cd /home/ubuntu/.ssh/
Now there is only one file (authorized_keys) in this folder.
Generate a new set of keys using the command below
$ ssh-keygen
Once the command is executed, there are two files created as below
?pemnew > This file is the new .pem file to be used by us to ssh
?pemnew.pub > This file has contents which need to be added to authorized_keys in the server.
Copy the content of ?pemnew.pub and add it in authorized_keys and remove the existing entry in authorized_keys.
Testing:
Open new terminal-tab and try to ssh using the new key
generated(?pemnew). Expected behaviour : Connection allowed
Open another terminal-tab and try to ssh using the old key.
Expected behaviour (entry in authorized_keys is removed): Refused
Expected behaviour (entry in authorized_keys is not removed): Allowed
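The answers in this thread and in the "Changing EC2 pem file key pair" thread above all describe the same rotation by hand: keep a spare session open, back up authorized_keys, add the new public key, test it, and only then drop the old entry. As an added example (not from any of those answers), the script below does that in two explicit phases on a local copy of the file, matches entries on key type and blob rather than on the comment (the output of `ssh-keygen -y` carries no comment, a .pub file does), rewrites the file in place so owner and mode survive, and refuses to remove the last remaining key, which is the lock-out case the answers warn about. The file path and the key lines are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of any answer in these two threads. Rotates an entry
# in an authorized_keys file in two phases: add the new key, test it from a
# second session, only then drop the old one, and refuse to leave the file
# empty. Runs on a local copy; the file path and key lines are constructed.

# key_id PUBLINE: "type base64" without the comment, because the output of
# `ssh-keygen -y` and a .pub file differ only in the trailing comment
key_id() { printf '%s\n' "$1" | awk '{print $1" "$2}'; }

# has_key FILE PUBLINE: succeed if an entry with the same type+blob exists
has_key() {
    want=$(key_id "$2")
    awk -v want="$want" '($1" "$2) == want {found=1} END {exit found ? 0 : 1}' "$1"
}

# add_key FILE PUBLINE: phase 1. Keep a backup, append if absent, fix the mode.
add_key() {
    file="$1"; pub="$2"
    case "$pub" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*) ;;
        *) echo "refusing: not a public key line" >&2; return 1 ;;
    esac
    cp -p "$file" "$file.bak"
    has_key "$file" "$pub" || printf '%s\n' "$pub" >> "$file"
    chmod 600 "$file"
}

# remove_key FILE PUBLINE: phase 2. Drop only lines with this type+blob
# (never "replace the whole file"), and refuse if nothing would remain.
remove_key() {
    file="$1"; drop=$(key_id "$2")
    tmp=$(mktemp) || return 1
    awk -v drop="$drop" '($1" "$2) != drop' "$file" > "$tmp"
    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"; echo "refusing: no keys would remain (lock-out)" >&2; return 1
    fi
    cp -p "$file" "$file.bak"
    cat "$tmp" > "$file"     # write through the existing file: owner and mode stay
    rm -f "$tmp"
}

# demo_rotate: walk through both phases on a constructed file; prints "ok:N"
# with N = number of entries left.
demo_rotate() {
    dir=$(mktemp -d) || return 1
    f="$dir/authorized_keys"
    old='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedOLDKEY old-ec2-keypair'
    new='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedNEWKEY new-keypair'
    printf '%s\n' "$old" > "$f"; chmod 600 "$f"
    add_key "$f" "$new" || return 1
    has_key "$f" "$old" && has_key "$f" "$new" || { echo "phase1-failed"; return 1; }
    # ...here you log in with the new key from a second terminal before going on...
    remove_key "$f" "$old" || return 1
    if has_key "$f" "$old"; then echo "old-key-still-present"; return 1; fi
    # dropping the last remaining key is refused
    if remove_key "$f" "$new" 2>/dev/null; then echo "lock-out-not-prevented"; return 1; fi
    n=$(wc -l < "$f" | tr -d ' ')
    rm -rf "$dir"
    echo "ok:$n"
}

demo_rotate
```

On a real instance, run phase 1 over `~/.ssh/authorized_keys` of the login user (ec2-user or ubuntu), confirm the new key logs in from a separate terminal, and only then run phase 2; the `.bak` copy is what you restore from the spare session if the test fails.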

AWS EC2 pem key in txt

I am trying to launch aws ec2 server. I got a key pair, but my key looks like privatekey.pem.txt.
If I open it with text editor it looks like normal key, but how could I generate .pem file from it?
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAh89 ...
Have you tried simply renaming the file with a .pem extension? i.e. get rid of the .txt? My .pem file is also a text file (though not named as such) and it works just fine.
You can either use AWS generated PEM key or custom PEM key you have on your computer.
When you generate your key from the AWS console or CLI, you just get a PEM file which is your private key and you can use this key in your ssh command line, for example. If this key is renamed by either you or your OS (adding a .txt), you can just get rid of it and rename it to <key>.pem
When you generate your key by yourself (in RSA format), you have to transform your public key to PEM format before uploading it to AWS. You can do it using the following command:
ssh-keygen -f rsa.pub -e -m pem
Of course, wherever your key was generated from, you have to change permission:
chmod 400 <key>.pem

Connecting to AWS EC2 instance using Private Key and Host IP

I have a private key file named awskey.ppk and a host ip address (let's call this 123.45.678.910).
I am trying to connect to the EC2 instance using the command line command -
ssh -i /Users/ashishagarwal/EC2/awskey.ppk ec2user@123.45.678.910
This is giving me the error:
Permissions 0644 for '/Users/ashishagarwal/EC2/awskey.ppk' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /Users/ashishagarwal/EC2/awskey.ppk
Permission denied (publickey).
How do I fix this ?
Two things.
chmod will fix your permissions. The file needs to be changed to 600 or 400.
The ppk format is used by PuTTY; you need to convert the key to the pem encoded format. You can use the PuTTY keygen tool for this.
The private key files should have file permissions as 400, which could be changed using
chmod 400 file_path
Make sure you are using the correct user name like ec2-user or ubuntu. If you are using a Unix-based system then use the .ppk key.
I'm assuming you are using Mac or Unix (based on the command line).
Run this command:
chmod 400 /Users/ashishagarwal/EC2/awskey.ppk
Then run your SSH command again, and it should work.
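The error in this question has two independent causes that the answers above point out separately: the key file's group/other permission bits are set (OpenSSH refuses any private key with mode bits in 077, hence "Permissions 0644 ... are too open"), and the file is a PuTTY .ppk, which OpenSSH cannot read regardless of permissions. As an added example (not from any answer here), the following pre-flight check reports both conditions before ssh is run; file names and contents are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from any answer in this thread. A pre-flight check that
# catches both problems from the question before ssh is run: group/other
# permission bits set on a private key, and a PuTTY .ppk file that OpenSSH
# cannot read. File names and contents below are constructed for the demo.

# check_private_key FILE: prints "ok" or a space-separated list of problems
check_private_key() {
    f="$1"; problems=""
    [ -f "$f" ] || { echo "missing"; return 1; }
    # Columns 5-10 of `ls -l` are the group and other bits; OpenSSH rejects
    # the key if any of them are set (mode & 077 != 0)
    if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
        problems="$problems too-open"
    fi
    # A .ppk file begins with a PuTTY-specific header line; convert it with
    # puttygen (-O private-openssh) before using it with OpenSSH
    case "$(head -n 1 "$f")" in
        PuTTY-User-Key-File-*)        problems="$problems putty-format" ;;
        -----BEGIN*PRIVATE\ KEY-----) ;;   # PEM or OpenSSH private key
        *)                            problems="$problems unknown-format" ;;
    esac
    if [ -z "$problems" ]; then echo "ok"; return 0; fi
    echo "${problems# }"; return 1
}

# demo_check: run the check on a 0644 PEM key, the same key after chmod 400,
# and a 0400 .ppk file; prints the three results separated by "|"
demo_check() {
    dir=$(mktemp -d) || return 1
    printf -- '-----BEGIN RSA PRIVATE KEY-----\nconstructed-not-a-real-key\n-----END RSA PRIVATE KEY-----\n' \
        > "$dir/awskey.pem"
    chmod 644 "$dir/awskey.pem"
    a=$(check_private_key "$dir/awskey.pem" || true)
    chmod 400 "$dir/awskey.pem"          # the fix from the answers above
    b=$(check_private_key "$dir/awskey.pem")
    printf 'PuTTY-User-Key-File-2: ssh-rsa\nEncryption: none\n' > "$dir/awskey.ppk"
    chmod 400 "$dir/awskey.ppk"
    c=$(check_private_key "$dir/awskey.ppk" || true)
    rm -rf "$dir"
    echo "$a|$b|$c"
}

demo_check
```

The permission test reads the mode the way OpenSSH does (any group or other bit set is a failure), so 600 and 400 both pass; the format test only looks at the first line, which is enough to tell a .ppk from a PEM or OpenSSH-format key.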