After taking over a server on EC2 I was given a PEM file to access the instance. For security reasons I would like to generate a new PEM file now, but it looks like you can't create new Key Pairs without creating a new instance. Is there any way to create a new PEM file?
Assuming Linux, use ssh-keygen to create a new key pair. Let us say new.pem and new.pub
Now ssh into the instance with your old.pem. Open 2 or 3 sessions with the old.pem just in case the new pem fails. Assuming your username is ubuntu
cd /home/ubuntu/.ssh
Make a copy of the existing authorized_keys file
Now open authorized_keys and replace its contents with new.pub
Save authorized_keys
Now ssh into the instance with new.pem
If ssh is successful, then you can use the new.pem from now on and the old.pem is no longer valid. If ssh is not successful, restore the old authorized_keys file in one of the backup sessions and start again from step 1.
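The rotation described above (back up authorized_keys, add the new public key, confirm a login with it from a second session, only then drop the old entry) as an added example in POSIX sh. This is not code from this thread or from AWS; it assumes an OpenSSH-style authorized_keys file whose lines are `type base64 [comment]` without a leading options field, and it needs ssh-keygen only for the one function that derives a public key from a private .pem. The helper names and the sample key lines are my own, and the same helpers cover the later answers on this page that add a key and then remove the old one.

```shell
#!/bin/sh
# Added example, not code from any answer on this page: POSIX sh helpers for the
# authorized_keys rotation described above, written so the file is never left
# empty (an empty file locks out every key-based login, which is why the answer
# keeps spare sessions open). Assumes OpenSSH; names and paths are illustrative.
set -u

# Regex for a line that carries a key: key type (ssh-*, ecdsa-*, sk-*) at the
# start or after whitespace, followed by the base64 blob and optional comment.
KEY_LINE='(^|[[:space:]])(ssh-|ecdsa-|sk-)'

# Public key line for a private key, as "ssh-keygen -y" in the answers above
# (needs ssh-keygen; not exercised by the tests below).
pubkey_from_private() {
    ssh-keygen -y -f "$1"
}

# Number of active key entries; comments and blank lines do not count.
count_authorized_keys() {
    grep -cE "$KEY_LINE" "$1" || true
}

# Timestamped copy next to the file: the "make a backup first" step.
backup_authorized_keys() {
    cp -p "$1" "$1.bak.$(date +%Y%m%d%H%M%S)"
}

# Append a public key line unless its base64 blob is already present.
# $1 = authorized_keys path, $2 = "type base64 [comment]" line (no options field).
add_authorized_key() {
    ak=$1; line=$2
    blob=$(printf '%s\n' "$line" | awk '{print $2}')
    [ -n "$blob" ] || { echo "add_authorized_key: malformed key line" >&2; return 1; }
    if grep -qF -- "$blob" "$ak" 2>/dev/null; then
        return 0            # already authorized, nothing to do
    fi
    printf '%s\n' "$line" >> "$ak"
    chmod 600 "$ak"         # sshd ignores the file if it is group/world writable
}

# Remove the entry whose blob is $2, refusing to remove the last remaining key.
remove_authorized_key() {
    ak=$1; blob=$2
    grep -qF -- "$blob" "$ak" || { echo "remove_authorized_key: key not present" >&2; return 1; }
    remaining=$(grep -vF -- "$blob" "$ak" | grep -cE "$KEY_LINE" || true)
    [ "$remaining" -ge 1 ] || { echo "remove_authorized_key: refusing to remove the last key" >&2; return 1; }
    tmp="$ak.tmp.$$"
    # Rewrite in place (cat > file) so ownership and mode of the file are kept.
    grep -vF -- "$blob" "$ak" > "$tmp" && cat "$tmp" > "$ak" && rm -f "$tmp"
}

# Put the most recent backup back: the "new key did not work" branch.
restore_latest_backup() {
    ak=$1
    latest=$(ls -1 "$ak".bak.* 2>/dev/null | sort | tail -n 1)
    [ -n "$latest" ] || { echo "restore_latest_backup: no backup found" >&2; return 1; }
    cat "$latest" > "$ak"
}

# Typical sequence on the instance, after generating new.pem on the laptop:
#   backup_authorized_keys ~/.ssh/authorized_keys
#   add_authorized_key ~/.ssh/authorized_keys "$(cat new.pub)"
#   ... test "ssh -i new.pem" from a second terminal ...
#   remove_authorized_key ~/.ssh/authorized_keys "<base64 blob of old key>"
```

The blob (second field) rather than the comment identifies the entry, because comments are free text and two keys can share one; `count_authorized_keys` before and after each step is the quickest way to confirm the file still holds what you expect.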
Log in to the system using the existing key.
$ cd /home/ubuntu/.ssh/
Now there is only one file (authorized_keys) in this folder.
Generate a new set of keys using the command below
$ ssh-keygen
Once the command is executed, there are two files created as below
?pemnew > This file is the new .pem file to be used by us to ssh
?pemnew.pub > This file has contents which need to be added to authorized_keys in the server.
Copy the content of ?pemnew.pub and add it in authorized_keys and remove the existing entry in authorized_keys.
Testing:
Open a new terminal tab and try to ssh using the new key generated (?pemnew). Expected behaviour: connection allowed
Open another terminal tab and try to ssh using the old key.
Expected behaviour (entry in authorized_keys is removed): Refused
Expected behaviour (entry in authorized_keys is not removed): Allowed
thank you for your time.
I have an EC2 instance, but for security reasons I need to change the pem files associated in .ssh/authorized_keys. I do understand that the public pem file goes into authorized_keys.
I do not want to mount the volume of the EC2 instance to a new one. I am considering that as a last option, since I do have access to the EC2 instance.
How can this be done?
I have tried:
This post, Change key pair for ec2 instance, the answer by Pat Mcb, but no luck.
Run this command after you download your AWS pem.
ssh-keygen -f YOURKEY.pem -y
Then dump the output into authorized_keys.
Or copy pem file to your AWS instance and execute following commands
chmod 600 YOURKEY.pem and then
ssh-keygen -f YOURKEY.pem -y >> ~/.ssh/authorized_keys
But that didn't work for me. If I follow it exactly (download the AWS key pair key, and follow the instructions by copying the key when I ssh into the instance), when I do ssh-keygen -f YOURKEY.pem -y >> ~/.ssh/authorized_keys it asks for a passphrase (never had to input one).
What I am doing is the following.
I create a new key with
ssh-keygen newpem.pem
and the .pub file I copy into .ssh/authorized_keys
Can someone explain what I am doing incorrectly?
Note the authorized_keys file has the correct permissions.
Seems like you want to deprecate the old key and use a new key instead. These steps may help you:
Create a new key pair using the aws console and download it onto your system.
Retrieve the public key from the private key (.pem) file using the command "ssh-keygen -y"
SSH into the instance using the old key.
Once you have access to the instance, add the public key you got in step 2 into the "~/.ssh/authorized_keys" file and then save the file.
Log out of the instance and then try accessing the instance with the new key.
Hope it helps. Thank you!
You don't even need to do all of this; just mind a few things. With AWS EC2 you get a private key for the default users, like ec2-user / ubuntu etc.
You are doing the right step
ssh-keygen -t rsa -C "your_email@example.com"
If it asks for a passphrase, leave it blank.
Just press Enter to accept the default location and file name. If the .ssh directory doesn't exist, the system creates one for you.
Enter, and re-enter, if prompted for a passphrase.
You have that key now.
Copy that key
Login to your Ec2 server.
sudo su
vim ~/.ssh/authorized_keys
paste the key.
:wq!
You'll see a key there copy it and save it as a backup somewhere.
Now paste your newly generated key in that file
and save the file.
Now the final step to take care of is the permissions, so run the following command.
sudo chmod 700 .ssh && chmod 600 .ssh/authorized_keys
Now you're good to go.
Following are the steps to change your keypair on AWS EC2.
Login to AWS Console. Go to Network and Security >> Keypair.
Give the name of your keypair (mykeypair), the key type (RSA) and the private key format (.pem), and click on create keypair. It will ask you to download a .pem file to your local machine. Save it and remember the location.
Login to your EC2 instance and go to the .ssh location. Create a new file called (mykeypair.pem) and paste the content from the file we downloaded in step no. 2
Run the command: sudo chmod 600 mykeypair.pem
Run the command: ssh-keygen -f mykeypair.pem -y and it will generate some content. Copy that content. Open the file called authorized_keys and remove all the content from it.
Paste the copied content that we generated in the previous step. Also enter your file name (mykeypair) at the end, after a space.
Reboot your instance. Go to puttygen and generate the .ppk file using the pem file you downloaded from the keypair. You will be able to login to your EC2 with the newly generated .ppk from putty.
Okay I figured out my problem. First of all I had been hacked by a hacker apparently because I didn't know that permitpasswordlogin: yes DISABLES pubkey authentication.... I thought it was additional security. So I used a very loose password that could be easily guessed. Anyways, I believe this because I went to the root folder and found that there was actually a new key in the root named "el patrono 1337" which actually means "the master/boss" in Spanish... LOL. Anyways... So I changed that back to my secure key (made a new one actually) and then I went to login as ec2-user and couldn't, but could as root. Was driving me crazy for 30 minutes or so until I realized I had accidentally changed the owner of my ec2-user folder to root and therefore ssh was not searching the ec2-user .ssh/authorized_keys when I tried to log in. Wow, very glad that's over lol. And just fyi guys I don't think the hacker installed anything malicious, but I did get tipped off that he tried to ssh into other people's servers (who claim they get attacked by ssh a lot according to the AWS abuse report) from my machine. I'm running a very simple website with zero sensitive data etc. He didn't even block me out of the machine by disabling password authentication (I guess he didn't want me to know?). I will build a new instance from scratch next time I want to add anything (will be pretty soon) just to be on the safe side.
This may be an extremely dumb question but I am new to AWS and terminal controls on Mac. I am trying to SSH into my EC2 instance and following the documentation here.
I am perplexed because it is asking for the PATH in order to chmod 400 my private .pem file. I am unsure which path they are asking for here and would love some clarification. I have already downloaded AWS CLI so I am unsure what PATH it is asking for. Any help is very appreciated.
As I checked the document link you shared, here path means the location where you downloaded the .pem key file while launching an instance on AWS.
If you used the Safari browser, you can find the download location here:
http://support.topspinmedia.com/hc/en-us/articles/204262743-I-m-on-a-Mac-using-Safari-where-s-my-download-
ssh -i /Users/Onicha/Downloads/my-key-pair.pem ec2-user@ec2-198-51-100-1.compute-1.amazonaws.com
When you created that EC2 instance, you must have downloaded a private key. If not or you do not have the key anymore, I am afraid you must remove that instance and set up a new one.
Once you have the key, in your terminal, change the directory to where the private key is. You must first change the permissions on the key to make it only readable by your user and then you can SSH to it.
chmod 400 key.pem
ssh -i key.pem [user]@[host]
You will need to specify the path to the key, instance key pairs are described here http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html
It may help to verify a few things:
Are you creating the key pair on Amazon EC2 (or whichever instance you are using) and then downloading and saving it (as a .pem file, for example yourpemfile.pem) on your computer? If you are, you would know which directory (the PATH that is being discussed) you saved it in. If you already did it and cannot find it, you can do it again, creating a new key pair with a new filename yourpemfile2.pem, but you have to stop the EC2 instance and remove the old keypair file associated with it. (I have seen ways online to change keypairs while the instance is running as well.)
Go to that particular folder on your Mac using Terminal. You don't need the Amazon CLI if you use the terminal with macOS. (You can do so by pressing Command+Space and then typing terminal in the blank typing space that appears.) Once the terminal window opens, at the prompt type the Linux command 'pwd' to see which directory/folder you are in. Use the 'cd' command to go to the folder where the .pem file was downloaded or saved (by you). List that folder using the Linux command 'ls -l' at the prompt to see if your .pem file is actually there and what its permissions are.
Then change the permissions using the 'chmod' command: chmod 400 yourpemfile.pem. Run 'ls -l yourpemfile.pem' again; the file permissions should become r--------.
Now you are in the directory where your pem file is and you can directly ssh to your EC2 instance from here. Now (using a web browser) go to the Amazon EC2 Management Console and click on Instances (within the folder Instances) on the left of the dashboard; you will see details of your instance which is running. Make sure the key pair associated with that instance is this particular .pem file. Then at the top of the page, where it says "Launch instance" and also has two other tabs, "Connect" and "Actions", click on "Connect".
A new window pops up which provides details of ssh commands to use and instance details.
Make sure to select standalone SSH client.
You see a suggested command like this (it helps in making sure you are using the right Amazon instance and keypair):
ssh -i "AmcEc2mykeypair.pem" ec2-user@ec2-134-17-351-22.us-east-2.compute.amazonaws.com
Copy and paste this into your Linux terminal (use Command+C and Command+V on Mac). Press Enter.
You should be 'logged in' now, and a new prompt for the Amazon EC2 instance machine, specifying clearly that it is an Amazon Linux or Ubuntu image, should appear.
I am trying to launch an AWS EC2 server. I got a key pair, but my key looks like privatekey.pem.txt.
If I open it with text editor it looks like normal key, but how could I generate .pem file from it?
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAh89 ...
Have you tried simply renaming the file with a .pem extension? i.e. get rid of the .txt? My .pem file is also a text file (though not named as such) and it works just fine.
You can either use AWS generated PEM key or custom PEM key you have on your computer.
When you generate your key from the AWS console or CLI, you just get a PEM file which is your private key, and you can use this key in your ssh command line for example. If this key was renamed by either you or your OS (adding a .txt), you can just get rid of that and rename it to <key>.pem
When you generate your key by yourself (in RSA format), you have to transform your public key to PEM format before uploading it to AWS. You can do it using the following command:
ssh-keygen -f rsa.pub -e -m pem
Of course, wherever your key was generated, you have to change its permissions:
chmod 400 <key>.pem
I downloaded the pem file while launching a t2.small instance. When I try to connect to it via ssh it says no such file in directory. But I am sure that the pem file is in the directory.
$ ls
mypemfile.pem
$ chmod 400 mypemfile.pem
chmod: cannot access ‘mypemfile.pem’: No such file or directory
$ ssh -i "mypemfile.pem" root@x.x.x.xx
Warning: Identity file mypemfile.pem not accessible: No such file or directory.
Permission denied (publickey).
How to track down this issue? And any solutions?
Note: I created instance from AMI image shared by another account.
For sure the problem is that there is no "mypemfile.pem" file.
Recheck the availability of the file; if the file is available, try to rename it or make a copy of it and try with the newly created file.
Hope it helps..
I figured it out on Mac. So, this is what I had to do. When you created the private key, my Mac saved it as whatever.pem.txt, so in order to connect to the AWS instance just add the .txt extension to whatever the AWS instructions tell you to do. For example:
chmod 400 yourfile.pem.txt
ssh -i "yourfile.pem.txt" ubuntu@ecX-XX-XX-XXX-XXX.compute-1.amazonaws.com
This is for Mac users.
Best,
When I downloaded my private key file from Security Credentials, I got a .cer file instead of a .pem. I tried to ssh to my EC2 instance using that but I am constantly getting:
Bad passphrase, try again for pk-xxxxxxxxxxx
Is it because I have a .cer file or because I need a passphrase? I do not know what a passphrase is. I would really appreciate it if I can be helped soon. I think I am confusing the .cer files I get from X.509 with the file I need for ssh. But the problem is I never get .pem files, only .cer files.
I have just started working on the Amazon AWS platform and came across this question.
Not sure if you managed to resolve your issue; however, here is an AWS forum thread that talks of a related issue and the solution:
ssh error: "Enter passphrase for key 'id_rsa-gsg-keypair'"
To summarize the thread, the problem seems to be with the permissions on the .cer file that was downloaded.
Another thing about the .cer file: a .cer file is essentially conformant with the PEM format and hence there should be no problem using the .cer file just like you would use a .pem file.
I downloaded my .cer file and was able to connect to my Amazon Linux instance using it after setting the correct permissions (chmod 400 mykey.cer) and then using it in the ssh command as below:
ssh -i mykey.cer ec2-user@public-dns-of-my-amazon-instance
Probably the connecting user varies for other Linux instances. More information here
Try downloading the file in a different browser. I had similar trouble when I was downloading the EC2 instance key using Brave Browser but didn't have any trouble when I used Safari.
chmod 400 mykey.pem
ssh -i mykey.pem bitnami@x.x.x.x
I just had this problem myself. The "Connect" feature on the EC2 instance stated that it was a .pem file but the actual download was .cer.
I ran chmod 400 FILENAME.cer but still could not log in. Then I inspected the ssh link and noticed that it also said .pem. I switched the .pem to .cer and it worked!
Just rename the file from .cert to .pem and it
I had the same issue which gave me a "no such file or directory" error message because my Ec2 ssh key appeared with a .cer extension in my directory instead of a .pem.
I changed the extension to .pem
Reran chmod .... command to make the key private in my terminal, iTerm.
Ran ls -al key-name without the extension in the terminal to confirm its presence in the directory.
Then reran the ssh ..... command all over again
It works!
Similar to everyone else's replies, this is just Amazon documentation being weird.
They provide a download of .cer files, but their 'helpful' connection docs/helper reference .pem
Navigate to where you downloaded the .cer (i.e. cd Desktop)
chmod 400 name_of_cer_file_here.cer
ssh -i "name_of_cer_file_here.cer" your_user_here@ec2-123-456.region.compute.amazonaws.com