Working on EC2 is a snap, you just download the .pem file, give it the right permissions, and you are ready to go, yet ... if you have the .pem file you have full access to the EC2 instance!!
What shall I do to limit people's access to the instance in a controllable way, e.g. people pass me their public key and add it to the instance a la Github
Follow the steps in this document: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/managing-users.html
There are 3 steps:
You have to add a user account (adduser) for each user
Make sure the user-home/.ssh dir has 600 permission (chmod)
Add the user public key to user-home/.ssh/authorized_keys and make sure it has 700 permission (chmod)
Related
I am unable to ssh AWS ec2 instance. It shows error Permission denied (public Key).I have tried to generate new pem key
# ssh-keygen -y -f /path/to/keypair.pem
and added it in Instance Settings View/Change User Data
#cloud-config
#ssh_deletekeys: false
#ssh_authorized_keys:
# - ssh-rsa ENTER YOUR PUBLIC KEY HERE ...
#cloud_final_modules: - [ssh, always]
But it didn't work and I also tried this tutorial
https://aws.amazon.com/premiumsupport/knowledge-center/recover-access-lost-key-pair/
Still it is not working.
What you are trying to do wont work. Neither will the answer #Rajeev provided. If it was a file permission error you would see a message indicating the .pem file had unsecure read permissions. What I suspect you'll need to do is kill off that instance and relaunch with a new key. Will be easier than troubleshooting it, and you can make a snapshot to launch a new instance from if you have done a lot of config on it already.
AWS best practices state instances should be treated as ephemeral. Follow those guidelines and you'll save yourself a lot of hassle in the long run.
I have created an instance and its pem file named as demo.pem, But due to some security i have to change my old demo.pem file with demos.pem for the same instance.
I do not want to create new instance for changing pem file => Is it possible? | Help?
It's worth understanding how keypairs work...
When logging into Linux using keypairs, you specify a username and a keypair, eg:
ssh -i demo.pem ec2-user#54.11.22.33
Linux then looks in the .ssh/authorized_keys file belonging to that user, eg:
/home/users/ec2-user/.ssh/authorized_keys
If looks for the public key in that file that matches the private key used for login. It then does keypair magical stuff and determines whether to allow the person to login.
Therefore, to enable login on an instance using a new keypair:
Add the public half of the keypair to the ~/.ssh/authorized_keys file in the appropriate user's home directory
If desired, remove an old key from that file to remove access permissions
You can have multiple keys in that file, which permit login via any of the authorized keypairs.
Answer from A to Z:
create a pem key pair in the aws interface at (example)
https://console.aws.amazon.com/ec2/v2/home?region=us-east-1#KeyPairs:
then go to your download files and modify access mode
chmod 400 yourNewPemName.pem
then generate the public key:
ssh-keygen -y -f yourNewPemName.pem > yourNewPemName.pub
connect to the ec2 instance:
cd ~ / .ssh
then replace the contents of the authorized_keys file, with the contents of your public key contents generated above step 3
So, it seems a developer on our team deleted the public key for our App-Production.pem key in our .ssh/authorized_keys, so the default AWS Key Pair no longer works, breaking our deployment pipeline.
Where can I find the public key to add back to authorized_keys? Is it possible to do this without having to boot a fresh instance?
If you have the private key, you can retrieve the public key.
If you are using Linux, use following command,
ssh-keygen -y
Then provide your path to private key file when prompted.
After that you will be given a public key. Save it.
Then use following steps to regain access to this instance.
Stop your instance
Detach root volume
Attach volume to another instance as a data volume
Modify the authorized_keys file with the public key
Detach the data volume
Re attach the volume to the affected instance
For more information follow this doc.
I have the .PEM file for my AWS account. How to get AWS access key ID & secret access key to login to AWS CLI?
I am trying to configure my AWS CLI in windows using the command aws configure in command line. Its asking me parameters like
Access Key ID:
Secret Access Key:
I am not sure how to get these !! I only have .PEM file
I also don't have access to create one under the tab My Security Credentials->Users->Security Credentials
the .pem file allows you to connect to an ec2 instance that you have created.
the AWS access key id and AWS secret access key are information about your account and not linked to a specific instance. They are available when you create the account and after are not revealed to you
You can read this blog post from amazon to get more information why and how to get a new one. I'd always recommend to create a dedicated user to be used for the CLI even if you're the only one working on the account.
You need to contact your company's IT administrator, or whomever created the instance for you. They should be able to access your credentials and send it over to you. I had the same issue because I thought my .pem file was the correct credentials, but it was not. Once you obtain the access key ID and secret access key, you can then enter it in the following fields (it may have a slightly different terminology for these prompts, but you should get the idea):
access key ID:
secret access key:
region code: # This could be found on your management console (e.g. us-virginia-1)
Clarification: The .pem file contains the RSA private key, this is NOT what you need for configuring your AWS-CLI, the correct credentials will instead be referred to as 'access key ID' and 'secret access key', respectively.
We are just beginning to use Avi in AWS and I am setting up the controller instance.
As I am adding users to the controller instance I would like for users that log in to the instance via shell do so with private/public keypair authentication.
I created a user and added their public key to ~/.ssh/authorized_keys , I also added a NOPASSWD entry, but it seems to still be prompting for a password. Can I log in to the GUI with a password but restrict shell access to keypair only?
Avi Controller ssh expects the key for each user to be in a separate file at /etc/ssh/authorized_keys_username
The SSH config at /etc/ssh/sshd_config sets the path to the authorized keys:
AuthorizedKeysFile /etc/ssh/authorized_keys_%u
You can restrict the user to use keys for shell access by changing /etc/ssh/sshd_config file; but these changes will get overwritten every time you upgrade to a new version.
There is a match option that can disable any users password-based shell access in /etc/ssh/sshd_config
Match User sysadmin,root,aviseuser,avictlruser,testuser
PasswordAuthentication no