On-premise, we do not use public-private key to connect to Linux VM, launched on ESX.
root user create/configure local users(with an expiry) on the VM and provide access to non-root users
Admin user(IAM) on AWS console, creates an EC2 instance, that is supposed to be used by multiple non-admin users(IAM).
Admin user(IAM) can connect to EC2 instance, using command:
ssh -i /local_to_machine/my_private_key.pem user_name#public_dns_name
Admin user does not have root access to EC2 instance, instead the user name is ec2_user(UID=1000), which is a normal user, but has sudo access to almost do everything
$ cat /etc/group | grep ec2-user
adm:x:4:ec2-user
wheel:x:10:ec2-user
systemd-journal:x:190:ec2-user
ec2-user:x:1000:
1) Can IAM admin user have root access(UID=0) to EC2 instance?
2) Being a root user, can multiple non-root users connect to this instance? without a private key...
I don't know about 1. but here's what I can help you with.
The permission to access a root/ non-root user on an EC2 instance is determined by the keys.
For example, by default the .pem file given by AWS when you launch the instance doesn't have root access, why ? because the public key of this .pem file is not listed under the authorized keys that can access the root user.
what you can do to check is the following
ssh-keygen -f my_private_key.pem -y > my_public_key.pub (1)
cat my_public_key.pub (2)
Now SSH into your instance by using this command :
ssh -i /local_to_machine/my_private_key.pem user_name#public_dns_name (3)
cat ~/.ssh/authorized_keys (4)
Here at least 1 entry will be the public part of the pem file you got by 2.
Now suppose you want to give a computer direct root access to the EC2 instance. What you want to do is to add their public key to the authorized_keys file under the root account :
//Ask them to give you the PUBLIC key
ssh -i /local_to_machine/my_private_key.pem user_name#public_dns_name
sudo su // changes from current user to root user
echo "<their public key>" >> ~/.ssh/authorized_keys
Now they can directly access the root user by
ssh root#public_dns_name
For managing several accounts with root/non-root privileges. My recommendation is to keep the .pem file to your self (keep it for emergencies) and manage the access the appending/removing entries in the ~./ssh/authorized_keys file.
If you don't want to ask for their public keys you can actually create pem files yourself
1) Can IAM admin user have root access(UID=0) to EC2 instance?
IAM is not in charge of your EC2 instance OS access, it only defines access policy to AWS entities(EC2, S3, SQS etc.). You are connecting to the EC2 instance using preconfigured ssh user and your public key, not by using your IAM user credentials, thus all further ssh acccess configuration relies completely in you responsibility and not related to IAM.
Related
I am facing some login problem for accessing instance. While login to the server console (its a live server) it shows as Permission denied (publickey), Also am accessing with sudo also same issue persists. AWS instance, should reboot, no change while login issue persists.
As explained in AWS docs your key needs correct permissions:
If you are connecting from MacOS or Linux, run the following command to fix this error, substituting the path for your private key file.
chmod 0400 .ssh/my_private_key.pem
If you got a public key when you set up the server and you saved it (.pem file), you first need to change permissions to it. If in Linux cd to the directory holding the .pem file, then do this:
chmod 400 /path/to/your_public_key.pem for only-read permission.
Then with your EC2 instance public DNS ( get it in AWS EC2 console when you click on your instance ID) which is similar to ec2-x-xxx-xx.us-east-3.compute.amazonaws.com ,you can ssh into your server as follows. Assuming your user account name in the server is ubuntu like in most of the Linux based AMIs in AWS, do:
ssh -i your_public_key.pem ubuntu#ec2-x-xxx-xx.us-east-3.compute.amazonaws.com and if prompted for a password, provide it.
Good luck:)
I'm unable to ssh into my EC2 instance, seems to be an issue with the permission level of the ssh .pem file I'm passing to ssh, googling around this seems to be a problem many others have faced but their solutions didn't work for me.
Here is what I tried, someone please help...
Atempt 1:
asemani$ ssh -i ~/.ssh/secure.pem root#54.210.0.1
********************************************************************************
This is a private computer system containing information that is proprietary
and confidential to the owner of the system. Only individuals or entities
authorized by the owner of the system are allowed to access or use the system.
Any unauthorized access or use of the system or information is strictly
prohibited.
All violators will be prosecuted to the fullest extent permitted by law.
********************************************************************************
###########################################################
# WARNING: UNPROTECTED PRIVATE KEY FILE! #
###########################################################
Permissions 0777 for '.ssh/secure.pem' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key ".ssh/secure.pem": bad permissions
Permission denied (publickey).
Attempt 2:
asemani$ chmod 600 ~/.ssh/secure.pem
asemani$ ls -l ~/.ssh/
total 56
-rw-r--r-- 1 asemani CORP\Domain Users 782 Apr 29 11:14 config
-rw-------# 1 asemani CORP\Domain Users 1696 Apr 29 21:32 secure.pem
asemani$
asemani$ ssh -i .ssh/secure.pem root#54.210.0.1
********************************************************************************
This is a private computer system containing information that is proprietary
and confidential to the owner of the system. Only individuals or entities
authorized by the owner of the system are allowed to access or use the system.
Any unauthorized access or use of the system or information is strictly
prohibited.
All violators will be prosecuted to the fullest extent permitted by law.
********************************************************************************
Permission denied (publickey).
I don't get the warning anymore but Permission is still denied. I then also tried doing a chmod 400 on the .pem file but that also didn't work. I won't paste that here since that may be overkill.
What is happening here? How can I ssh into my ec2? This should be a simple thing??
Change permission to chmod 400 ~/.ssh/secure.pem
Are you able to login as the default user using your pem key? For Ubuntu instances, default user should be ubuntu; for most other instances it should be ec2-user. If you're able to login as the default user, chances are that root isn't allowed for ssh login. To change that, login as the default user and do the following:
# Edit sshd_config and modify 'PermitRootLogin XX' to 'PermitRootLogin yes'
sudo vi /etc/ssh/sshd_config
# Reload sshd configuration
sudo service sshd reload
NOTE: This only serves as a how-to. It's generally not recommended to allow root login over ssh for security reason.
You need to launch the instance through your AWS EC2 management console. Once it is launched, copy the public DNS IPv4 and paste it after the linux distribution name being used (e.g. ubuntu#IPv4). Also, make sure you are working in the directory that houses your private access key.
For clarification, once your EC2 instance is launched and you're in the directory that holds your private access key, type in the following in the command-line:
ssh -i private_access_key.pem linux#IPv4
to windows users can change the premise of files through wsl doing this:
Edit or create (using sudo) /etc/wsl.conf
[automount]
options = "metadata"
Restart wsl: (powershell)
PS Get-Service LxssManager | Restart-Service
and finally, do:
chmod 400 key.pem
I created a new EC2 Amazon Linux instance. I want to allow a developer to SSH into the EC2 instance. To test this, I'm trying it from my windows computer. I have followed the instructions in the link below but I can't get SSH (Putty) to connect using the key pair I'm generating.
I'm following the instructions here as reference
and here
After logging into EC2 as ec2-user using FireSSH and the pem generated by AWS, I use SSH to run the following commands to create a new user, .ssh directory, and permissions.
[ec2-user ~]$ sudo adduser newuser
[ec2-user ~]$ sudo su - newuser
[newuser ~]$ mkdir .ssh
[newuser ~]$ touch .ssh/authorized_keys
[newuser ~]$ chmod 600 .ssh/authorized_keys
[newuser ~]$ vim .ssh/authorized_keys
Then I paste a public key into authorized_keys using vim. I will explain where I get the public key in the next step.
ssh-rsaAAAAB3NzaC1yc2EAAAADAQABAAABAQClKsfkNkuS ....
To create the public key which I pasted in the previous step I followed the steps in this reference starting at "Generating an SSH Key"
I copied the public key from PuttyKeyGen which is showed in the box labeled "Public key for pasting into OpenSSH authorized_keys". Then I pasted that into the .ssh/authorized_keys file on my EC2 instance in the newuser directory.
I log out of the SSH client on EC2. Then I try to login with Putty using the newly created private key on my windows machine. I use the newuser login name. I get this error in Putty: server refused our key. There is also a dialog box that says Disconnected: No supported authentication methods available {server sent: publickey)
What am I doing wrong in these steps?
I did two things different and it works now. It's probably the number of bits that made it work.
I generated a new key pair using PuttyGen but I specified SSH-2 RSA with 1024 bits instead of the default that PuttyGen was putting in which was like 2048.
When I logged back into EC2 with my SSH I pasted the public key using nano instead of vim.
Always use ec2-import-keypair features to verified whether it is GOOD for EC2 instance. It the import works, then it is good, otherwise, regen a compliance keypair. If you simply copy a keypair that is not compliance , you will run into trouble.
Here is the document for import key pair
OpenSSH public key format (the format in ~/.ssh/authorized_keys)
Base64 encoded DER format SSH public key file format as specified in
RFC4716 DSA keys are not supported. Make sure your key generator is
set up to create RSA keys.
Supported lengths: 1024, 2048, and 4096.
I created a new keypair and downloaded it to my mac, then set up a new Amazon Linux AMI server with that keypair and my security group. Now I need to put the keypair .pem file that I downloaded in a .ssh file in my users folder? I am unable to create a folder called ".ssh" however because of the name.
Where do I put the keypair on my mac? and what chmods or other commands are then needed to connect to the server from my linux bash? I know "ssh my public DNS" but what other permissions or anything else should I be aware of? Its a newbie question. Thanks.
You'll want to put the keypair in {your home directory}/.ssh . If that folder doesn't exist, create it. Once you put the keypair in there you have to change the permissions on the file so only your user can read it.
Launch the terminal and type
chmod 600 $HOME/.ssh/<your keypair file>
That limits access to the file, and then to limit access to the folder type
chmod 700 $HOME/.ssh
You have to limit the access because the OpenSSH protocol won't let you use a key that other's can view.
Then to log into your instance, from the terminal you would enter
ssh -i <your home directory>/.ssh/<your keypair file> ec2-user#<ec2 hostname>
you can also create a file ~/.ssh/config
chmod it 644
then inside you can add something like this
host mybox-root
Hostname [the IP or dns name]
User root
IdentityFile ~/.ssh/[your keypair here]
then you can just do
$ ssh mybox-root
and you'll login easier.
You can use Java MindTerm to connect to your EC2 server in Macbook pro. It works for me. here are the more details and step by step instruction.
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AccessingInstancesLinux.html
http://www.openssh.com/ is the suggested one on http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-connect-to-instance-linux.html#using-ssh-client (option 3)
Someone was asking on Mac's an easy way to create the ~/.ssh folder would be by running command ssh-keygen, then use following setup ...
A.
macbook-air$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/sam/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/sam/.ssh/id_rsa.
Your public key has been saved in /Users/sam/.ssh/id_rsa.pub.
B. Then create:
touch ~/.ssh/authorized_keys
C. Fix the permissions:
chmod 600 ~/.ssh/authorized_keys
D. Copy AWS Key to that file:
cp AWS_key.text ~sam/.ssh/authorized_keys
#You would have saved this SSH key earlier when creating the EC2 instance
E. Then test the ssh to AWS Linux server - you will see this error:
ssh -i ./authorized_keys root#ec2-54-76-176-29.ap-southeast-2.compute.amazonaws.com
Please login as the user "ec2-user" rather than the user "root".
F. Re-try that and it should work with allowed AWS user "ec2-user":
ssh -i ./authorized_keys ec2-user#ec2-54-76-176-29.ap-southeast-2.compute.amazonaws.com
__| __|_ )
_| ( / Amazon Linux AMI
___|\___|___|
https://aws.amazon.com/amazon-linux-ami/2014.09-release-notes/
9 package(s) needed for security, out of 12 available
Run "sudo yum update" to apply all updates.
Hope this helps, all the best.
I've been trying to setup access to my Amazon instance to my development team and have hit a bit of a brick wall. I've tried a bunch of different tutorials online & none seem to work. Here's my config:
I have access to the AWS Management Console & I'd rather that I be the central administrator of that account, they don't need to setup new instances.
I have a t1.micro instance setup Running 32 bit Amazon Linux AMI
My developer and I both use Macs. I am able to ssh in to the machine using my key pair that is assigned to the box
I've previously tried to ssh into the machine & add my developers key & but he keeps getting Permission Denied (Public Key)
I setup a keypair for my dev, but its obviously not tied to the account, mine is.
Do I have to setup the developer in IAM so that they login & setup the original key that I had to setup when I first created the account? Could that be what they are missing?
I did get one of them to setup a key on their machine & provide me the RSA info to insert into the ~/.ssh/authorized_keys file, however they still received the error message above. Even when their key was chmod'd correctly, they still received that error. Could that be due to chmod needed on the .ssh folder?
Just trying to get some clarity on requirements of accessing a linux-based EC2 instance that isn't the main admin of the account (i.e. my developers). FYI I trust them with full permissions on the instance.
Thanks.
.ssh directory should be chmod 700.
You don't need to created any IAM user for connection to your ec2 instance via ssh. You just need to add your developer's public key to ~/.ssh/authorized_keys in your instance. Be sure that ~/.ssh owner is ec2-user, it should be like that by default.
Then the developers have to move their private key to ~/.ssh/id_rsa and do:
chown "dev_user"."dev_user" -R ~/.ssh/
chmod 400 ~/.ssh/id_rsa
"dev_user" is the local user for your developers. Then be sure that ~/.ssh folder's owner is the same that id_rsa file and have 700 permission:
chmod 700 ~/.ssh/
The developers just have to do:
ssh ec2-user#x.x.x.x