Scenario:
I have a running ec2 instance but don't have the key pair for the instance.
I have a ftp-user account set up but don't have root access.
I want to duplicate the running instance to a new instance go gain root access.
Problem:
When I try to create a new instance, from a snapshot of the old one, putty says "Server refused our key" when trying to ssh into it...
This is what I did:
Created a snapshot of the old instance's ebs volume
From the snapshot I created an image
Made sure the architecture and kernel-id matched the old instance
I launched a new instance from the image
Created a new key pair
Created a new security group and made sure port 22 was open
Assigned an elastic ip to the instance
I downloaded and converted the key pair .pem file with puTTYgen
Loaded .pem file into puTTYgen
Used SSH-2 RSA 1024
Saved private key
Tried to ssh into the instance with putty (BUT FAILING)
Used elastic ip address
Tried with usernames: "ec2-user", "root", "ubuntu", "bitnami"
What could be wrong?
The image and your new instance still use the original keypair. Unless you prepare the instance to accept a new key at launch, it will not.
What you need to do is attach the volume to a new instance entirely, (created from a public ami). Mount the volume and edit the user's authorized_keys file on that volume. Put in your new key, and then move it back to the original instance.
Related
I'm recently working on creating a cloud instance on Azure. Once I created a new VM for the service I need, it always lets me download a pem file. However, it seems like I can log in to the VM through SSH without using the pem file.
Besides that, when I check the "authorized_keys" file on the new VM, it includes a public key, which is not the one on my local machine's "id_rsa.pub" file.
I'm wondering how I could log in without the public key stored in the authorized_keys file?
I think this question is related to SSH, thanks in advance!
Why we get a pem file when creating a VM on Microsoft Azure?
Disabling password logins to SSH is a common practice for SSH hardening [1,2]. The PEM file provided by default will help you achieve this.
Besides that, when I check the "authorized_keys" file on the new VM,
it includes a public key, which is not the one on my local machine's
"id_rsa.pub" file
I believe you are viewing the file for another user or comparing the wrong keys.
I'm wondering how I could log in without the public key stored in the
authorized_keys file?
You could change the authorized_keys file you are referring to by modifying the AuthorizedKeysFile variable in the /etc/ssh/sshd_config file.
I'm creating an instance on AWS, and it's given me a .pem file that will allow me to connect to my instance.
I always use public/private keys to connect to remote servers.
I'd like to know what's the difference between these methods on AWS.
You can ask AWS to create a public/private key in the Amazon EC2 console. When you do this, AWS retains the public key and downloads the private key (.pem) to you. Make sure you save it, because you can't get the private key again.
Alternatively, you can create your own public/private key outside of AWS. You can then Import the key into the Amazon EC2 console.
In both cases, the key is then available to select when launching an Amazon EC2 instance. When an AMI provided by AWS is used for the new instance, software on the instance will automatically copy the public keypair into the /home/ec2-user/.ssh/authorized_keys file.
For Windows users, a program on the AMI will generate a random Administrator password, encrypt the password using the selected keypair, and the user must then provide the private key to decrypt the password. (You are encouraged to change the Administrator password after login.)
If you use Windows and want to use PuTTY to SSH into an Amazon EC2 instance, you will need a .ppk file. This can be selected when generating the keypair, or you can use PuTTYGen to convert the key.
Bottom line: The .pem file is your private key.
I am facing a very minor isue and not able to figure it out :(
I have 2 AWS accounts(Preprod and Prod)
First AWS A/c is a preprod account where I have created a jumphost(preprod_Server1 and login to instance(i.e preprod_Server2 )
preprod_Server1>> ssh vin#preprod_Server2 (This works fine,password less SSH)
Now IN second AWS account i.e PROD
I have created a server_prod1 (jumphost ) and I have taken an AMI of preprod_Server2.
I have copied id_rsa public key in authorised file of preprod_Server2 and then taken the AMI image of it.
Now I launch an instance with an AMI of preprod_Server2
when I login from server_prod1 it's not allowing me.
prod_Server1>> ssh vin#preprod_Server2 ( I get permission denied)
Note: only pem file is different in preprod and prod account is that an issue.
I am not aware of the root credentials of preprod_Server2.
In prod server I am able to login to other instance only AMI of preprod_Server2 is giving problem.
the key is excluded from the AMI when you built it.
Another key is injected into the machine when you launch it (everytime you launch an EC2 machine you have to specify the key).
This works by copying the id_rsa publickey of prod_Server1 to authorised keys file in preprod_Server2. And then take the AMI of preprod_Server2.
prod_Server1>> ssh vin#preprod_Server2 (This works)
Note : somehow Initially when I copied the keys there was an extra space which resulted in problem.
I'm trying to setup continuous deployment for an Azure website using bitbucket.
The problem is I'm using a submodule (which I own) that Azure doesn't have permission to, because it doesn't add that by default.
I'm trying to figure out how to add an SSH key so that Azure can connect and get the submodule.
Steps I've taken.
Created a New Public/Private Key with PuttyGen, Added the public key to my bitbucket account under the name Azure
FTPed into Azure, and added both the public and private key files (.ppk) to the .ssh directory (yeah I didn't know which one I was suppose to add). They are named azurePrivateKey.ppk, and azurePublicKey.
Updated my config file to look like this
HOST *
StrictHostKeyChecking no
Host bitbucket.org
HostName bitbucket.org
PreferredAuthentications publickey
IdentityFile ~/.ssh/azurePrivateKey.ppk
(no clue if that's right)
Updated my Known Hosts to look like this
bitbucket.org,131.103.20.168, <!--some key here...it was here when i opened the file, assuming it's the public key for the repo i tried to add-->
bitbucket.org,131.103.20.168, <!--the new public key i tried to add-->
And I still get the same error, no permission to get submodule. So i'm having trouble figuring out which step I did incorrectly as I've never done this before.
Better late then never, and it could be usefull for others :
A Web App already have a ssh key, to get it :
https://[web-site-name].scm.azurewebsites.net/api/sshkey?ensurePublicKey=1
You can then add this key to you git repo deploy key.
I've never set that up in Azure but some general rules of thumb for handling SSH keys:
The private key in $HOME/.ssh/ must have file mode 600 (RW only for the owner)
You need both, the public and the private key in this folder, usually named id_rsa and id_rsa.pub but you can change the filename to whatever you like
You have to convert the private key generated by puttykeygen to a OpenSSH2 compatible format, see How to convert SSH keypairs generated using PuttyGen
known_hosts stores the public keys of the servers you've already connected to. That's useful to make sure that you are really connecting to the same server again. more detailed information on this topic
HTH
So if you like me had multiple private submodules on the same github account as the app service is deployed at you can give your service access to all your modules by moving the deployment key.
Go to the repo where your service is hosted.
In settings go to deploy keys.
Remove the deployment key.
Get the public key from https://[your-web-app].scm.azurewebsites.net/api/sshkey?ensurePublicKey=1
Add the key to your SSH keys in the account settings for github.
If you have modules on several accounts you can add the same key to each account.
After this the service can access private repos on all accounts with the key.
I have set up an Amazon EC2 instance and am able to SSH into it. Can anyone please tell me how I could allow additional users to SSH into this instance from a different location?
Max.
I started out creating additional users. But it is pointless if you want to give them sudo access anyway. Which you probably do want right? Because giving them sudo acccess gives them access they want to do anyway, so creating their user account was just a waste of time. Additionally creating additional users is an onerous task and leads to a lot of different permissions problems, and means you have to monkey around with the sudoers file to allow them to undertake sudo tasks without entering their password everytime.
My recommendation is to get the new user to provide you with a public key and have them use the primary ubuntu or root account directly:
ssh-keygen -f matthew
And get them to give you the .pub keyfile and paste it into the .ssh/authorized_keys file of your ec2 server.
Then they can login with their private key directly into the ubuntu or root account of your ec2 instance.
I store the authorized_keys file in my private github account. The public keys are not very useful unless you have the private key component so putting it in github seems fine to me. I then put the deployment of my centrally stored authorized_keys file as part of my new server production process.
And then remove the public key from access when they leave your employment. This will lock them out.
Create additional users at a *nix command prompt
useradd
Create a new rule in the security group which has been applied to your instance, enabling ssh for the public IP Range of your remote user
For specific instructions check out: http://developer.amazonwebservices.com/connect/entry.jspa?externalID=1233.
1.
Max.