I am facing interesting problem. I have launched an ec2 instance which is ubuntu 14.04. I can ssh into it by providing key file like below.
ssh -i "xxxxx.pem" ubuntu#xxxxxxxxxxxx.ap-south-1.compute.amazonaws.com
But I thought of making another account in instance rather than using ubuntu(root) always which is not safe. So I have created another account on my name in server. And for more security I thought of creating private(id_rsa) and public(id_rsa.pub) key files. And put the public key in server .ssh/authorized_keys and I should be able to ssh from my new account from my local machine. Which is also worked. now I can ssh into server like below.
ssh naroju#XXXXXXXXXXXXXXX.ap-south-1.compute.amazonaws.com
Now the problem comes. Although I can ssh into to it from my new account, I cannot ssh into server from my ubuntu(root) account. It gives below error.
Permission denied (publickey).
Why is it giving me this error?
I wonder why did it ssh into server from my new account, does not it require private key file(.pem file of AWS) ?
To create a new user (eg naroju) on the instance, you should create a .ssh/authorized_keys file in the new user's home directory:
$ sudo adduser naroju
$ sudo su - naroju
$ mkdir .ssh
$ chmod 700 .ssh
$ touch .ssh/authorized_keys
$ chmod 600 .ssh/authorized_keys
Then, edit the authorized_keys file and add the public key.
You can then login to the new user:
$ ssh -i naroju.pem naroju#IPADDRESS
Since you have modified the public key in the ubuntu user's home directory, you will need to login as ubuntu using the private half of the keypair you selected. You can then run the above commands.
See Amazon EC2 documentation: Managing User Accounts on Your Linux Instance
Related
I'm trying to set up remote access (with VSCode) to the GCP VM that's setup with Notebooks AI. However, when I ssh into the VM I don't have write permissions for /home/jupyter so cannot edit any of the notebook files.
I have tried both gcloud compute ssh and setting up local aliases with gcloud compute config-ssh.
My best guess is that the users are different. It looks like the terminal on JupyterLab is logged in as jupyter#[instance...] while when I ssh in its myname#[instance...]. Checking permissions of /home/jupyter/, it's owned by user jupyter of group jupyter. I also tried adding users to the jupyter group with sudo usermod -a -G but that didn't do the trick. When I try to ssh in as jupyter#[instance...] from anywhere else I get permission denied (public key).
I can edit files once logged in if I use sudo vim ..., but that won't help for VS code.
EDIT: a partial solution is to open up permissions using sudo chmod 777 /home/jupyter/*. However, that's probably a hackish, unsafe way to do it. Moreover, it only works on existing files -- new files will still only be writable by whichever user created them.
To SSH into the notebook instance as the “jupyter” user, an SSH key should be generated for that user and be added to the notebook VM instance. Also, please make sure that the notebook instance VM has the appropriate firewall rule to allow the SSH connection. The following are the steps that would create an SSH connection to the “jupyter” user which has the write permissions.
Run the following commands on the local machine to generate the required SSH key:
ssh-keygen -t rsa -f ~/.ssh/jupyter-ssh-key -C jupyter
“jupyter-ssh-key” → Name of the pair of public and private keys (Public key: jupyter-ssh-key.pub, Private key: jupyter-ssh-key)
“jupyter” → User in the VM that we are trying to connect to
chmod 400 ~/.ssh/jupyter-ssh-key
In the Compute Engine console, edit the VM settings to add the contents of the generated SSH public key. Detailed instructions can be found here.
Initiate the SSH connection from the local machine to the notebook VM:
ssh -i ~/.ssh/jupyter-ssh-key jupyter#<external-ip-of-notebook-vm-instance>
If the SSH connection succeeds, the same can be followed in VSCode.
In VSCode, select the “Remote-SSH: Connect to Host” option from the command palette. Enter the above ssh -i command to add the notebook VM instance as a recognized host. A new VSCode window will appear where we have been logged in as the “jupyter” user.
Hello when creating the instance i have missed to attach a private key to the aws ec2 instance now unable to login via ssh as there is no private key attached
what i did was clone of instance and launched installed and added the key to that instance
added key to it yet dint work
refereed articles https://www.youtube.com/watch?v=XfOsytNUq1w
If you're connecting via the command line ensure that you're specifying the PEM key using the syntax below
ssh -i path/to/key.pem ec2-user#1.2.3.4
Also ensure that the path/to/key.pem has permissions of 400 with the owner as your user.
You can validate this by running ls -lah path/to/key.pem and change the permissions by running chmod 400 path/to/key.pem
I used the following command in the directory where .pem exists to use the Chrome Extension, Secure Shell.
$ sudo chmod 400 myKeyPair.pem
$ ssh-keygen -y -f myKeyPair.pem > myKeyPair.pub
$ touch myKeyPair
$ sudo cat myKeyPair.pem > myKeyPair
And it worked perfectly within the Secure Shell Extension.
And I deleted all the files and created a new key pair (with the same name). And I ssh through the MacOS terminal. However, this will result in "Permission denied (publickey)." I think .pem is a new file, but the previous command still seems to have an effect.
How can I run an existing .pem before the public key conversion and SSH connection through a single .pem?
Ah! And I have another completely different question. For example, after creating EC2 via the WordPress AMI in AWS Marketplace and writing a post, is this stored in EBS?
Thanks in advance to everyone who answers.
When a Keypair is generated, it contains a random key. Therefore, every time a keypair is generated, it is different. The actual name of a keypair is irrelevant.
So if you do the following:
Create a keypair
Launch an EC2 instance providing that keypair
Delete the keypair
then you will never be able to login to the instance because you no longer have the keypair used when the instance was launched.
What actually happens is that when an instance is launched, some code on the instance copies the public half of the keypair to the /users/ec2-user/.ssh/authorized_keys file. Then, when somebody tries to login with the private half of a keypair, Linux compares the two halves of the keypair. If they match, the user is allowed to login.
I'm having some problems using SSH to get into my running AWS EC2 instance. According to the instructions, I need to create a Key Pair, which downloads a .pem private key file, which I have named QARTH.pem. From the directory where this file has been saved, I'm supposed to execute command:
ssh -i "QARTH.pem" ubuntu#ec2-XX-XX-XX-XXX.us-west-2.compute.amazon.com
However, I get the error:
Permission denied (publickey).
I'm using the auto-generated launch-wizard security group, which allows port 22 incoming access to all IPs.
I've also used the example procedure to convert the .pem file to a PuTTy private key .ppk file, and used the PuTTy client. I get the same error.
This seems like a pretty straightforward procedure, so I don't know what I could be doing wrong. If you have any ideas, I'd love to hear them. However, I'm not strong in network security, so please make responses lay-person friendly.
You are either using the wrong key pair (QARTH.pem), the wrong username, connecting to the wrong system or QARTH.pem is not set to be read-only.
STEP 1: Add debugging options to ssh to help determine what is wrong:
ssh -v -i QARTH.pem ubuntu#ec2-XX-XX-XX-XXX.us-west-2.compute.amazon.com
STEP 2: Make sure that the key pair file is read-only.
LINUX:
To make the key pair file read-only execute this command: chmod 400 QARTH.pem while in the same directory as the file.
WINDOWS:
Commands to run on a Windows system (as administrator) to make a key pair read-only and satisfy ssh:
Note replace %USERNAME% with your user name.
REM Disable inheritance on QARTH.pem
icacls QARTH.pem /inheritance:d
REM Delete "NT AUTHORITY\Authenticated Users" from having any rights
icacls QARTH.pem /remove "NT AUTHORITY\Authenticated Users"
REM Delete "BUILTIN\Users" from having any rights
icacls QARTH.pem /remove "BUILTIN\Users"
REM Grant Read-Only rights to me
icacls QARTH.pem /GRANT:R "%USERNAME%:(R)"
STEP 3: Make sure that you are using the correct username for the EC2 AMI:
Usernames for popular EC2 AMIs:
For Amazon Linux 2 or the Amazon Linux AMI, the user name is ec2-user.
For a Centos AMI, the user name is centos.
For a Debian AMI, the user name is admin or root.
For a Fedora AMI, the user name is ec2-user or fedora.
For a RHEL AMI, the user name is ec2-user or root.
For a SUSE AMI, the user name is ec2-user or root.
For an Ubuntu AMI, the user name is ubuntu.
Otherwise, if ec2-user and root don't work, check with the AMI provider.
TL;DR
Try using the manually generated SSH key pair via AWS Console
Well, colleagues, I have NO IDEA WHY exactly (no idea YET), but when I generate the keys with a CLI command, the SSH connectivity does NOT WORK:
aws --region us-east-1 ec2 create-key-pair --key-name "KeyPair"
BUT, when I am creating the SSH key pai manually using the AWS Console it works perfectly fine:
1. Go to AWS Console
2. EC2 :: Network & Security (in left menu) :: Key Pairs :: Create Key Pair
3. <As soon as I am specifying the name of a key pair Amazon downloads the keys into a default download directory>
4. chmod 400 KeyPair.pem
5. ssh -i ./SSHKeys.pem ec2-user#ec2-54-162-166-40.compute-1.amazonaws.com
6. ENJOY!
P.S. I am pretty sure I have messed up something during the response copy-paste from a CLI ¯\_(ツ)_/¯
I was trying to organize how a developer could connect via SSH to an AWS instance that I had launched as an administrator. I notice in the documentation that it says:
you'll need the fully-qualified path of the .pem file for the key pair that you specified when you launched the instance.
Does this mean one can only SSH into an instance that one had launched ? I'd like to just leave the instance running and have others able to SSH in to install software and configure.
Here's how to add new users/developers to an AMAZON EC2 linux instance and give them unique SSH Key access:
Say you are creating "user": Create a key on your own machine by entering the following:
ssh -keygen -b 1024 -f user -t dsa
Don't use a paraphrase -- just hit enter.
You should now have two files compiled: user and user.pub
chmod 600 user.pub
Now transfer the public key file (user.pub) from your computer to the server. For example let us use the /tmp/ directory.
Now SSH into your server using an account with root access, you will now need to create the user and also create the necessary files and ownership for you to use the key you just created:
# sudo su (if needed)
# useradd -c "firstname lastname" user
# cd /home/user
# mkdir .ssh
# chmod 700 .ssh
# chown user:user .ssh
# cat /tmp/user.pub >> .ssh/authorized_keys
# chmod 600 .ssh/authorized_keys
# chown user:user .ssh/authorized_keys
Once you've done this, exit out back to your own machine, then try to SSH using the new credential and user account you've created:
ssh -i user.pem user#ec2-your-instance-name.compute-1.amazonaws.com
When you create an instance, you can specify a key at launch time. What ends up happening is that AWS takes the public key associated with the key pair you created, and puts it into authorized_keys in /home/ec2-user/.ssh/.
So, if this is a one-time thing, you could provide the private key (the .pem file you downloaded when you created the key) to the user that needs access.
If this is an on-going issue - i.e. you will be creating lots of instances and having lots of different people who need to access them - then you need a better solution, but you'll have to figure out what your requirements are.
Some potential solutions would be to get public keys from your users, add them to an instance, and then create an AMI from that instance. Use that AMI to launch future instances. You could also put users public keys into S3, and have a script that pulled them down when the instance was created & either added them to authorized_keys or created individual users. You could pull users keys from IAM if all your users have IAM accounts. Or you could use a directory & configure your instance to use that for authentication.
One way to setup user management is
Ask all the users to create their own public-private key.
Everyone shares/copy/checkin their public key at some location where we can run rsync server to expose all the public keys
On the server, fetch all these keys from rsync server and run a usercreate command.
Another way is, have a base image in AWS with users already created with their public key in authorized_keys. And use this image to create new instances.