How do I configure multiple ssh access to an EC2 instance - linux

I've been trying to setup access to my Amazon instance to my development team and have hit a bit of a brick wall. I've tried a bunch of different tutorials online & none seem to work. Here's my config:
I have access to the AWS Management Console & I'd rather that I be the central administrator of that account, they don't need to setup new instances.
I have a t1.micro instance setup Running 32 bit Amazon Linux AMI
My developer and I both use Macs. I am able to ssh in to the machine using my key pair that is assigned to the box
I've previously tried to ssh into the machine & add my developers key & but he keeps getting Permission Denied (Public Key)
I setup a keypair for my dev, but its obviously not tied to the account, mine is.
Do I have to setup the developer in IAM so that they login & setup the original key that I had to setup when I first created the account? Could that be what they are missing?
I did get one of them to setup a key on their machine & provide me the RSA info to insert into the ~/.ssh/authorized_keys file, however they still received the error message above. Even when their key was chmod'd correctly, they still received that error. Could that be due to chmod needed on the .ssh folder?
Just trying to get some clarity on requirements of accessing a linux-based EC2 instance that isn't the main admin of the account (i.e. my developers). FYI I trust them with full permissions on the instance.
Thanks.

.ssh directory should be chmod 700.

You don't need to created any IAM user for connection to your ec2 instance via ssh. You just need to add your developer's public key to ~/.ssh/authorized_keys in your instance. Be sure that ~/.ssh owner is ec2-user, it should be like that by default.
Then the developers have to move their private key to ~/.ssh/id_rsa and do:
chown "dev_user"."dev_user" -R ~/.ssh/
chmod 400 ~/.ssh/id_rsa
"dev_user" is the local user for your developers. Then be sure that ~/.ssh folder's owner is the same that id_rsa file and have 700 permission:
chmod 700 ~/.ssh/
The developers just have to do:
ssh ec2-user#x.x.x.x

Related

key issues : aws EC2-instance

I am facing some login problem for accessing instance. While login to the server console (its a live server) it shows as Permission denied (publickey), Also am accessing with sudo also same issue persists. AWS instance, should reboot, no change while login issue persists.
As explained in AWS docs your key needs correct permissions:
If you are connecting from MacOS or Linux, run the following command to fix this error, substituting the path for your private key file.
chmod 0400 .ssh/my_private_key.pem
If you got a public key when you set up the server and you saved it (.pem file), you first need to change permissions to it. If in Linux cd to the directory holding the .pem file, then do this:
chmod 400 /path/to/your_public_key.pem for only-read permission.
Then with your EC2 instance public DNS ( get it in AWS EC2 console when you click on your instance ID) which is similar to ec2-x-xxx-xx.us-east-3.compute.amazonaws.com ,you can ssh into your server as follows. Assuming your user account name in the server is ubuntu like in most of the Linux based AMIs in AWS, do:
ssh -i your_public_key.pem ubuntu#ec2-x-xxx-xx.us-east-3.compute.amazonaws.com and if prompted for a password, provide it.
Good luck:)

Private key for connecting EC2 instance

On-premise, we do not use public-private key to connect to Linux VM, launched on ESX.
root user create/configure local users(with an expiry) on the VM and provide access to non-root users
Admin user(IAM) on AWS console, creates an EC2 instance, that is supposed to be used by multiple non-admin users(IAM).
Admin user(IAM) can connect to EC2 instance, using command:
ssh -i /local_to_machine/my_private_key.pem user_name#public_dns_name
Admin user does not have root access to EC2 instance, instead the user name is ec2_user(UID=1000), which is a normal user, but has sudo access to almost do everything
$ cat /etc/group | grep ec2-user
adm:x:4:ec2-user
wheel:x:10:ec2-user
systemd-journal:x:190:ec2-user
ec2-user:x:1000:
1) Can IAM admin user have root access(UID=0) to EC2 instance?
2) Being a root user, can multiple non-root users connect to this instance? without a private key...
I don't know about 1. but here's what I can help you with.
The permission to access a root/ non-root user on an EC2 instance is determined by the keys.
For example, by default the .pem file given by AWS when you launch the instance doesn't have root access, why ? because the public key of this .pem file is not listed under the authorized keys that can access the root user.
what you can do to check is the following
ssh-keygen -f my_private_key.pem -y > my_public_key.pub (1)
cat my_public_key.pub (2)
Now SSH into your instance by using this command :
ssh -i /local_to_machine/my_private_key.pem user_name#public_dns_name (3)
cat ~/.ssh/authorized_keys (4)
Here at least 1 entry will be the public part of the pem file you got by 2.
Now suppose you want to give a computer direct root access to the EC2 instance. What you want to do is to add their public key to the authorized_keys file under the root account :
//Ask them to give you the PUBLIC key
ssh -i /local_to_machine/my_private_key.pem user_name#public_dns_name
sudo su // changes from current user to root user
echo "<their public key>" >> ~/.ssh/authorized_keys
Now they can directly access the root user by
ssh root#public_dns_name
For managing several accounts with root/non-root privileges. My recommendation is to keep the .pem file to your self (keep it for emergencies) and manage the access the appending/removing entries in the ~./ssh/authorized_keys file.
If you don't want to ask for their public keys you can actually create pem files yourself
1) Can IAM admin user have root access(UID=0) to EC2 instance?
IAM is not in charge of your EC2 instance OS access, it only defines access policy to AWS entities(EC2, S3, SQS etc.). You are connecting to the EC2 instance using preconfigured ssh user and your public key, not by using your IAM user credentials, thus all further ssh acccess configuration relies completely in you responsibility and not related to IAM.

Unable to SSH into EC2 Instance pem 'Permissions 0777 for '.ssh/intuit-tke-qe.pem' are too open'

I'm unable to ssh into my EC2 instance, seems to be an issue with the permission level of the ssh .pem file I'm passing to ssh, googling around this seems to be a problem many others have faced but their solutions didn't work for me.
Here is what I tried, someone please help...
Atempt 1:
asemani$ ssh -i ~/.ssh/secure.pem root#54.210.0.1
********************************************************************************
This is a private computer system containing information that is proprietary
and confidential to the owner of the system. Only individuals or entities
authorized by the owner of the system are allowed to access or use the system.
Any unauthorized access or use of the system or information is strictly
prohibited.
All violators will be prosecuted to the fullest extent permitted by law.
********************************************************************************
###########################################################
# WARNING: UNPROTECTED PRIVATE KEY FILE! #
###########################################################
Permissions 0777 for '.ssh/secure.pem' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key ".ssh/secure.pem": bad permissions
Permission denied (publickey).
Attempt 2:
asemani$ chmod 600 ~/.ssh/secure.pem
asemani$ ls -l ~/.ssh/
total 56
-rw-r--r-- 1 asemani CORP\Domain Users 782 Apr 29 11:14 config
-rw-------# 1 asemani CORP\Domain Users 1696 Apr 29 21:32 secure.pem
asemani$
asemani$ ssh -i .ssh/secure.pem root#54.210.0.1
********************************************************************************
This is a private computer system containing information that is proprietary
and confidential to the owner of the system. Only individuals or entities
authorized by the owner of the system are allowed to access or use the system.
Any unauthorized access or use of the system or information is strictly
prohibited.
All violators will be prosecuted to the fullest extent permitted by law.
********************************************************************************
Permission denied (publickey).
I don't get the warning anymore but Permission is still denied. I then also tried doing a chmod 400 on the .pem file but that also didn't work. I won't paste that here since that may be overkill.
What is happening here? How can I ssh into my ec2? This should be a simple thing??
Change permission to chmod 400 ~/.ssh/secure.pem
Are you able to login as the default user using your pem key? For Ubuntu instances, default user should be ubuntu; for most other instances it should be ec2-user. If you're able to login as the default user, chances are that root isn't allowed for ssh login. To change that, login as the default user and do the following:
# Edit sshd_config and modify 'PermitRootLogin XX' to 'PermitRootLogin yes'
sudo vi /etc/ssh/sshd_config
# Reload sshd configuration
sudo service sshd reload
NOTE: This only serves as a how-to. It's generally not recommended to allow root login over ssh for security reason.
You need to launch the instance through your AWS EC2 management console. Once it is launched, copy the public DNS IPv4 and paste it after the linux distribution name being used (e.g. ubuntu#IPv4). Also, make sure you are working in the directory that houses your private access key.
For clarification, once your EC2 instance is launched and you're in the directory that holds your private access key, type in the following in the command-line:
ssh -i private_access_key.pem linux#IPv4
to windows users can change the premise of files through wsl doing this:
Edit or create (using sudo) /etc/wsl.conf
[automount]
options = "metadata"
Restart wsl: (powershell)
PS Get-Service LxssManager | Restart-Service
and finally, do:
chmod 400 key.pem

Define a set keyfile for Ubuntu to use when SSHing into a server

I have two Amazon EC2 Ubuntu instances. When I connect to one of them, I can do
ssh ubuntu#54.123.4.56
and the shell uses the correct keyfile from my ~/.ssh directory.
I just set up a new instance, and I'm trying to figure out how to replicate that behavior for this new one. It's a minor thing, just driving me nuts. When I log in with:
ssh -i ~/.ssh/mykey.pem ubuntu#54.987.6.54
it works fine, but with just
ssh ubuntu#54.987.6.54
I get:
Permission denied (publickey).
I have no idea how I managed to get it to work this way for the first server, but I'd like to be able to run ssh into the second server without the "-i abc.pem" argument. Permissions are 600:
-r-------- 1 mdexter mdexter 1692 Nov 11 20:40 abc.pem
What I have tried: I copied the public key from authorized_keys on the remote server and pasted it to authorized_keys on the local server, with mdexter#172.12.34.56 (private key) because I thought that might be what created the association in the shell between that key and that server for the shell.
The only difference I can recall between how I set up the two servers is that with the first, I created a .ppk key in PuTTy so that I could connect through FileZilla for SFTP. But I think SSH is still utilizing the .pem given by Amazon.
How can I tell the shell to just know to always use my .pem key for that server when SSHing into that particular IP? It's trivial, but I'm trying to strengthen my (rudimentary) understanding of public/private keys and I'm wondering if this plays into that.
You could solve this in 3 ways:
By placing the contents of your ~/.ssh/mykey.pem into ~/.ssh/id_rsa on the machine where you are ssh'ing into 2nd instance. Make sure you also change the permissions of ~/.ssh/id_rsa to 600.
Using ssh-agent (ssh-agent will manage the keys for you)
Start ssh-agent
eval `ssh-agent -s`
Add the key to ssh-agent using ssh-add
ssh-add mykey.pem
Using ssh-config file:
You could use ssh config file. From the machine where you are trying to ssh, keep the following contents in the ~/.ssh/config file (make sure to give this file 600 permissions):
Host host2
HostName 54.987.6.54
Port 22
User ubuntu
IdentityFile ~/.ssh/mykey.pem
Once you do that now you could access do the ssh like this:
ssh host2
After performing any of the above steps you should be able to ssh into your second instance with out specifying the key path.
Note: The second option requires you to add the key using ssh-add every time you logout and log back in so to make that a permanent injection see this SO question.

connecting to amazon aws linux server by ssh on mac

I created a new keypair and downloaded it to my mac, then set up a new Amazon Linux AMI server with that keypair and my security group. Now I need to put the keypair .pem file that I downloaded in a .ssh file in my users folder? I am unable to create a folder called ".ssh" however because of the name.
Where do I put the keypair on my mac? and what chmods or other commands are then needed to connect to the server from my linux bash? I know "ssh my public DNS" but what other permissions or anything else should I be aware of? Its a newbie question. Thanks.
You'll want to put the keypair in {your home directory}/.ssh . If that folder doesn't exist, create it. Once you put the keypair in there you have to change the permissions on the file so only your user can read it.
Launch the terminal and type
chmod 600 $HOME/.ssh/<your keypair file>
That limits access to the file, and then to limit access to the folder type
chmod 700 $HOME/.ssh
You have to limit the access because the OpenSSH protocol won't let you use a key that other's can view.
Then to log into your instance, from the terminal you would enter
ssh -i <your home directory>/.ssh/<your keypair file> ec2-user#<ec2 hostname>
you can also create a file ~/.ssh/config
chmod it 644
then inside you can add something like this
host mybox-root
Hostname [the IP or dns name]
User root
IdentityFile ~/.ssh/[your keypair here]
then you can just do
$ ssh mybox-root
and you'll login easier.
You can use Java MindTerm to connect to your EC2 server in Macbook pro. It works for me. here are the more details and step by step instruction.
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AccessingInstancesLinux.html
http://www.openssh.com/ is the suggested one on http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-connect-to-instance-linux.html#using-ssh-client (option 3)
Someone was asking on Mac's an easy way to create the ~/.ssh folder would be by running command ssh-keygen, then use following setup ...
A.
macbook-air$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/sam/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/sam/.ssh/id_rsa.
Your public key has been saved in /Users/sam/.ssh/id_rsa.pub.
B. Then create:
touch ~/.ssh/authorized_keys
C. Fix the permissions:
chmod 600 ~/.ssh/authorized_keys
D. Copy AWS Key to that file:
cp AWS_key.text ~sam/.ssh/authorized_keys
#You would have saved this SSH key earlier when creating the EC2 instance
E. Then test the ssh to AWS Linux server - you will see this error:
ssh -i ./authorized_keys root#ec2-54-76-176-29.ap-southeast-2.compute.amazonaws.com
Please login as the user "ec2-user" rather than the user "root".
F. Re-try that and it should work with allowed AWS user "ec2-user":
ssh -i ./authorized_keys ec2-user#ec2-54-76-176-29.ap-southeast-2.compute.amazonaws.com
__| __|_ )
_| ( / Amazon Linux AMI
___|\___|___|
https://aws.amazon.com/amazon-linux-ami/2014.09-release-notes/
9 package(s) needed for security, out of 12 available
Run "sudo yum update" to apply all updates.
Hope this helps, all the best.

Resources