I am very new to AWS. I am working on a POC, where I get requests from developers for provisioning instances in EC2. Once an instance is provisioned, the developer expects to be given the private key to access the instance.
I am using Terraform to
1. provision,
2. generate a key pair,
3. output it and store it in Secrets Manager.
The next step is to share the private key with the developer so that he can access only his instance.
Sending the private key through is deemed a bad idea.
Is there any best solution or channel to share the private key?
It is not a good idea to share a private key at all.
If all developers use the same private key:
you cannot simply deactivate the key of a developer that leaves the company.
you cannot see who does what on the server.
You can copy the public key of each developer to the default user's (ec2-user, ubuntu...) ~/.ssh/authorized_keys file. So each user uses his/her own private key to connect to the server. This approach however does not solve issue 2 above.
ssh -i dev1 ec2-user@instance-ip (dev1 is the developer's private key; the .pub half is what goes on the server)
The recommended way is to create a new user for each developer on the instance and copy the public key of each user to authorized_keys. Depending on what you want to achieve, this method has more administrative burden but is more secure.
e.g. Created a user dev1, uploaded his public key to /home/dev1/.ssh/authorized_keys. Now dev1 can connect using:
ssh -i dev1 dev1@instance-ip
For small organizations, allowing multiple users to get access to AWS EC2 Linux instances without having to share keys or accounts is always a challenge. Definitely, sharing keys across multiple users is not good practice.
The public / private key pair is generated on your local machine and the private key is uploaded to S3. When launching the EC2 instance via the wizard, you can now choose to Proceed without a key pair.
For Linux / Mac users :
To create Public and Private keys use the following command
$ ssh-keygen -t rsa -b 4096
(This creates a 4096-bit RSA key pair.)
Upload the public key to a folder in your S3 bucket. For example :
S3 > MyBucket > Keypair
Save and secure your private key.
For Windows users :
Use puttygen to generate the keys.
Follow DigitalOcean to create SSH keys.
Upload the public key to S3 > MyBucket > Keypair
Save and secure your private key.
The following steps are important during the launch of any Linux AMI.
Ensure the instance has an IAM role with the AmazonS3FullAccess policy attached. This allows the instance to assume the role to access the S3 buckets. This is needed to read the public keys from S3 and copy them to the user profile.
Add the following code under the user-data section in Configure Instance details > Advanced Details (as Text) :
#!/bin/bash
# FOR AWS LINUX #
# cloud-init runs user-data as root, so no sudo -i is needed.
for u in user1 user2; do
  useradd -m "$u"
  usermod -aG wheel "$u"
  mkdir -p "/home/$u/.ssh"
  aws s3 cp "s3://MyBucket/Keypair/$u-pub.pub" "/home/$u/.ssh/authorized_keys"
  # sshd ignores authorized_keys unless the directory and file belong to the user and are not group/world readable
  chown -R "$u:$u" "/home/$u/.ssh"
  chmod 700 "/home/$u/.ssh"
  chmod 600 "/home/$u/.ssh/authorized_keys"
  # passwordless sudo via a drop-in checked by visudo, instead of appending to /etc/sudoers
  echo "$u ALL=(ALL) NOPASSWD:ALL" > "/etc/sudoers.d/90-$u"
  chmod 440 "/etc/sudoers.d/90-$u"
  visudo -cf "/etc/sudoers.d/90-$u" || rm -f "/etc/sudoers.d/90-$u"
done
yum update -y

#!/bin/bash
# FOR UBUNTU #
# Refresh the package index before installing, or apt-get install fails on a fresh instance.
apt-get update -y
apt-get install -y awscli
for u in user1 user2; do
  useradd -m -s /bin/bash "$u"   # Ubuntu's useradd creates no home directory and defaults to /bin/sh without these flags
  usermod -aG sudo "$u"
  mkdir -p "/home/$u/.ssh"
  aws s3 cp "s3://MyBucket/Keypair/$u-pub.pub" "/home/$u/.ssh/authorized_keys"
  chown -R "$u:$u" "/home/$u/.ssh"
  chmod 700 "/home/$u/.ssh"
  chmod 600 "/home/$u/.ssh/authorized_keys"
  echo "$u ALL=(ALL) NOPASSWD:ALL" > "/etc/sudoers.d/90-$u"
  chmod 440 "/etc/sudoers.d/90-$u"
  visudo -cf "/etc/sudoers.d/90-$u" || rm -f "/etc/sudoers.d/90-$u"
done
This setup creates user1 and user2 and adds them to the sudo users. The aws s3 cp command copies the users' public keys from the S3 folder to their .ssh/authorized_keys path. The last section is to run commands as admin without needing passwords.
To read in detail with screenshots, refer here. There are lots of security improvements that can be recommended here. While not explicitly used in this example, limiting S3 bucket access to a specific bucket and knowing the security implications of disabling password usage in sudo are a few things that can be highlighted. Use them wisely based on your particular needs.
An alternate way to connect is by using EC2 Instance Connect, which allows using IAM policies and principals to connect via SSH to the instances, so SSH keys no longer need to be shared. You can also use the browser-based SSH connection to the instances.
More details on EC2 Instance Connect are available at https://aws.amazon.com/about-aws/whats-new/2019/06/introducing-amazon-ec2-instance-connect/
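Both the first answer (one account per developer) and the user-data script above install a developer's public key into that developer's own account. The helper below is an added example, not code from either answer: it takes the key inline (so no S3 role is required), refuses anything that is not a well-formed OpenSSH public key, in particular a private key pasted by mistake, and sets the ownership and modes that sshd requires before it will read authorized_keys. Function names, the constructed sample key and the optional third argument (a home directory, so the helpers can be tried against a scratch directory without root) are this example's own assumptions.

```shell
#!/bin/bash
# Added example, not from the answers above: give ONE developer their own
# account and install ONLY their public key, with the ownership and modes
# sshd requires. Assumed: bash + coreutils; run as root for a real account.
# Function names are this example's own. The optional third argument is a
# home directory, so the helpers can be exercised against a scratch dir.
set -u

# Constructed sample: a structurally valid ed25519 line whose key bytes are
# all zero (format checks only; not a usable key).
SAMPLE_KEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA dev1@laptop"

# Accept a single authorized_keys line, reject anything else: a pasted
# private key, an unknown key type, or a blob whose embedded type does
# not match its text prefix (a sign the line was hand-edited or garbled).
validate_pubkey() {
    local line="$1" type b64 blob_type
    case "$line" in
        *"PRIVATE KEY"*) echo "refusing private key material" >&2; return 1 ;;
    esac
    type=$(printf '%s' "$line" | awk '{print $1}')
    b64=$(printf '%s' "$line" | awk '{print $2}')
    case "$type" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "unsupported key type: '$type'" >&2; return 1 ;;
    esac
    # The blob is SSH wire format: a 4-byte length, then the type string.
    blob_type=$(printf '%s' "$b64" | base64 -d 2>/dev/null | tail -c +5 | head -c "${#type}")
    [ "$blob_type" = "$type" ] || { echo "key blob does not match prefix $type" >&2; return 1; }
}

# install_dev_key USER "PUBKEY LINE" [HOME]
install_dev_key() {
    local user="$1" pubkey="$2" home="${3:-/home/$1}"
    validate_pubkey "$pubkey" || return 1
    if [ -z "${3:-}" ]; then
        # real account: create it (no shared key, no password) unless it exists
        id "$user" >/dev/null 2>&1 || useradd -m -s /bin/bash "$user" || return 1
    fi
    install -d -m 700 "$home/.ssh" || return 1
    # exactly one key per developer; revoking access is deleting this file
    printf '%s\n' "$pubkey" > "$home/.ssh/authorized_keys" || return 1
    chmod 600 "$home/.ssh/authorized_keys"
    if [ -z "${3:-}" ]; then
        chown -R "$user:$user" "$home/.ssh"
    fi
}

# Usage on the instance, as root:  install_dev_key dev1 "$SAMPLE_KEY"
```

Because each developer's key lives only in that developer's authorized_keys, offboarding is removing one file, and sshd's log shows which account authenticated, which addresses the two objections to a shared key in the first answer.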
I'm on my network but want to be able to quickly log onto multiple clients on it without having to type ssh username@ipaddress every time and then be prompted for a password. They all have the same password; is there a way for this to be automated? Tips and knowledge are greatly appreciated.
ssh-keygen
will create your public/private key pair in the ~/.ssh directory. You can press Enter at every prompt. Please be aware that you should not share ~/.ssh/id_rsa (the generated private key) with anyone. Consider it your password.
The following command will upload your public key to each host in question:
ssh-copy-id username@ipaddress
The above command copies your ~/.ssh/id_rsa.pub (the public key) to the ~/.ssh/authorized_keys file on the remote box. You will be prompted for your password, but that should be the last time.
Once you have copied your public key, you should be able to log in after that without a password.
ssh username@ipaddress
I've created a new NodeJS instance on Amazon Lightsail, and wish to connect to it from my Mac's command line. Not sure how to include the required SSH key in the connection command when it says Permission denied (publickey).
Go to the "SSH Keys" tab under your Lightsail Account page
Select the Default option under your region and download the key pair file
Will be a .pem file, ex. LightsailDefaultPrivateKey-us-west-2.pem
Open up your terminal and navigate to the directory where the above file is stored
Run chmod 600 [fileName] at the command line to restrict file permission so only you can read it
Run ssh -i [fileName] [username]@[Public IP] to establish the connection to Lightsail
Username and IP are available under the "Connect" tab on the Lightsail web dashboard for your resource
To use your existing ~/.ssh/id_rsa.pub
Login to the server using the browser client
Do nano ~/.ssh/authorized_keys
Get your local public key with xclip -sel clip < ~/.ssh/id_rsa.pub
Append the ~/.ssh/authorized_keys with the copied key
Restart the instance
Log in locally using ssh ubuntu@[instance_public_ip]
To be able to connect to your amazon lightsail instance you need to download the key first.
Go to Accounts > SSH Keys (
https://lightsail.aws.amazon.com/ls/webapp/account/keys ) >
Download
(Make sure that you download the key for the same region where your instance is installed.)
Save it in a folder in your local machine. For Example- "Desktop > keys"
Open the terminal and navigate to the directory where the key is stored (cd Desktop/keys)
Enter this command in terminal: chmod 600 keyfilename.pem (replace keyfile name with your actual key name e.g chmod 600 LightsailDefaultKey-eu-west-2.pem )
It is required that your private key files are NOT accessible by others.
This is why we have to change the file permissions
Run this command: ssh -i keyfilename.pem username@ip
replace keyfilename.pem with your actual file name, username with your username(e.g bitnami or user) and replace IP with actual IP
You can find your IP and username on your instance page (https://lightsail.aws.amazon.com/ls/webapp/home/instances > Select Instance> Manage)
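The two Lightsail answers above both hinge on the downloaded .pem being readable only by you; ssh otherwise prints "Permissions 0644 for '...' are too open", ignores the key, and you get "Permission denied (publickey)". The wrapper below is an added example, not from either answer: it reproduces that check, also rejects a file that is not a private key at all (a .pub handed over by mistake), and only then runs ssh. Function names and the key path are this example's own assumptions.

```shell
#!/bin/bash
# Added example, not from the answers above: refuse to use a downloaded
# Lightsail/EC2 private key unless it has the permissions ssh insists on,
# then connect with it. Function names are this example's own.
set -u

# Return 0 only if FILE is a private key readable by its owner alone.
# ssh treats any group/other bits as "too open" and ignores the key;
# this reproduces that check so the failure is explained up front.
check_private_key() {
    local key="$1" mode
    [ -f "$key" ] || { echo "no such key file: $key" >&2; return 1; }
    mode=$(stat -c '%a' "$key")
    case "$mode" in
        600|400) ;;
        *) echo "permissions $mode for $key are too open; run: chmod 600 $key" >&2; return 1 ;;
    esac
    # A .pem / OpenSSH private key starts with a PEM header; a public key does not.
    head -n1 "$key" | grep -q -- '-----BEGIN .*PRIVATE KEY-----' \
        || { echo "$key does not look like a private key" >&2; return 1; }
}

# lightsail_ssh KEYFILE USER HOST [extra ssh args...]
lightsail_ssh() {
    local key="$1" user="$2" host="$3"; shift 3
    check_private_key "$key" || return 1
    # IdentitiesOnly stops ssh from trying every agent key before this one
    ssh -i "$key" -o IdentitiesOnly=yes "$@" "$user@$host"
}

# Usage: lightsail_ssh ~/Desktop/keys/LightsailDefaultKey-eu-west-2.pem bitnami 203.0.113.10
```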
I spent hours figuring out how to add an additional key to log in to my WordPress/Bitnami Lightsail instance.
I thought that by adding new key pairs in https://lightsail.aws.amazon.com/ls/webapp/account/keys I could get direct access to my instances, but that was not the case. I always got "Permission denied (publickey)" when trying to connect via SSH/SFTP.
How to solve it?
You should add your public keys directly to your Lightsail instance:
Connect first to your instance via your Lightsail console. The link should look like this: https://lightsail.aws.amazon.com/ls/remote/yourzone/instances/instancename/terminal?protocol=ssh
nano ~/.ssh/authorized_keys
It should look something like:
ssh-rsa AFGGS#%NzaC1yc2EFDSGgpCvpVhFyRSpfsdfjhgasdDSduD$
This means that only one key pair is allowed to connect via SSH/SFTP to your Lightsail instance (voilà!).
You should add the new public key to that file, below the existing one:
(YOUR PREVIOUS KEY)ssh-rsa AFGGS#%NzaC1yc2EFDSGgpCvpVhFyRSpfsdfjhgasdDSduD$
(ADD NEW PUBLIC KEY) ssh-rsa ASJKAKKFS#%ASDFbsdjfhJHGJvpVhFyRSpfsdfjhgasdDSduD$
Restart your server and log in from your local terminal:
ssh bitnami@yourpublicip -i /Users/youruser/.ssh/yourkeyfile
With this, I could also login via SFTP in Filezilla (Mac), adding the private key in the Site Manager.
I'm performing:
# copy public key to other hosts
for host in ec2-master.eu-west-1.compute.amazonaws.com \
ec2xxx.compute.amazonaws.com \
ec2xxx.compute.amazonaws.com; \
do ssh-copy-id -i ~/.ssh/id_rsa.pub $host; \
done
So I try to copy the key I've generated on ec2-master.eu-west-1.compute.amazonaws.com to the other servers.
But I still get
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
The authenticity of host 'ec2xxx.eu-west-1.compute.amazonaws.com (10.0.xx.xx)' can't be established.
ECDSA key fingerprint is 3a:63xx:a6:19:xx:23:d1:xx:06:22:xx:a0:b9:8c:xx:cf.
Are you sure you want to continue connecting (yes/no)?
So I got a permission denied. But I don't know why. What am I doing wrong?
Try changing the ssh-copy-id command to:
ssh-copy-id -i ~/.ssh/id_rsa.pub ec2-user@$host
(assuming you're using Amazon Linux -- use ubuntu as the user if you are using Ubuntu)
Update:
I think the problem may be because you are trying to copy a new key over to a host that only accepts logins using an existing key (no passwords allowed).
I couldn't get this to work with ssh-copy-id, but you can do it with a standard ssh command:
cat ~/.ssh/id_rsa.pub | ssh -i AWS_key.pem centos@$host "cat - >> ~/.ssh/authorized_keys"
Where AWS_key.pem is the private part of the key pair that AWS attached to your instance when you launched it.
SSH is trying to tell you that authentication into your hosts has failed and what authentication methods were tried.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
This is what the (publickey,gssapi-keyex,gssapi-with-mic) portion of the log output is telling you.
It is telling you it attempted to authenticate against publickey, gssapi-keyex, and gssapi-with-mic authentication methods.
Typically you or AWS provide an SSH key pair to be used during pre-launch setup.
The sshd config is also set to authenticate using the keypairs (public + private key = Public Key Encryption hence publickey mentioned in the ssh log).
Therefore, your command
ssh-copy-id -i ~/.ssh/id_rsa.pub $host;
is wrong for a few reasons.
You don't specify a specific user to log in as, unless the username on your local host matches your remote machine (for AWS the user could be ec2-user, centos, ubuntu, etc.).
Even if the usernames were to match correctly, since AWS effectively (I am not familiar with GSSAPI) only enables ssh keypair authentication, you would only be able to login with the private key chosen or generated at EC2 instance creation.
If there were some alternative authentication mechanism configured on the host i.e. user:password then you would be able to run a modified version of the command.
REMOTE_USER=ec2-user
...
do ssh-copy-id -i ~/.ssh/id_rsa.pub $REMOTE_USER@$host
However, you would be prompted for a user/password each time.
Note: The above command assumes you have enabled a user/pass authentication mechanism (could be temporarily). However, for just 3 hosts I might just manually install the key pair at this point.
The language from the "Copy the key to a server" from sshd.com seems to imply that password-based authentication is enabled initially on the hosts.
"Once an SSH key has been created, the ssh-copy-id command can be used to install it as an authorized key on the server. Once the key has been authorized for SSH, it grants access to the server without a password."
I use this script and it works for me:
Can you try this?
# hosts to receive the key; sshpass supplies the password non-interactively
hosts=(host1.example.com host2.example.com host3.example.com)
for host in "${hosts[@]}"
do
    echo "$host"
    # record the host key first so ssh-copy-id is not stopped by the "authenticity" prompt
    ssh-keyscan "$host" | tee -a ~/.ssh/known_hosts
    sshpass -p 'mypass' ssh-copy-id myuser@"$host"
done
I try to login using the ec2-user but for some reason the login fails:
Using the username: ubuntu I am able to login just fine, however, I don't have any privileges and I can't sudo su for the privileges to write to my files. I tried using the cyberduck terminal and send command options but sudo su doesn't work with them. Cyberduck just spins.
I don't think the ec2-user account works on recent Ubuntu AMIs, which may explain the failed login.
You can approach this in a few ways. The first is to create a new user account specifically for FTP and give it permissions only to the necessary folders. First create the user, then create a public/private key pair for non-interactive login. This will allow you to operate your FTP client like normal.
My preferred solution is to upload the files to the ubuntu home directory and then run a script as root that moves the files to the correct location. You won't have to modify the system configuration this way, but you will have to do the file transfer in two steps.
Create a staging folder in /home/ubuntu and copy the files there. Create a /home/ubuntu/copy.sh script on the server like this:
#!/bin/bash
# cp runs as root via sudo; this only works non-interactively if sudo does not prompt for a password
sudo cp -r /home/ubuntu/stage/* /var/www/html/
Then from your dev machine, call the script:
$ ssh -i ~/path/to/key.pem ubuntu@ec2.hostname.com /home/ubuntu/copy.sh
If you want to get really fancy, you could set up a git repository and use a post-receive hook to handle this all for you when you push. No need for an FTP client at all.
Is there a way to log into an EC2 Ubuntu AMI, or a way to set up an Ubuntu AMI so that non-root users can log in? I tried creating a user and logging in with the associated password. I also tried using the private key, copied the authorized_keys file into the .ssh directory of the non-root user's home directory and tried to log in to the box with that user account ID. Neither method worked.
Thanks in advance.
So, this works, but the missing high-order bit of information here has to do with setting the right ownership and permissions on the authorized_keys file in the user's home directory. So, I copied /root/.ssh/authorized_keys to /home/user, then did:
cp -r /root/.ssh /home/user
chown -R user:user /home/user/.ssh
chmod 700 /home/user/.ssh
chmod 600 /home/user/.ssh/authorized_keys
This allowed me to use the keypair.pem file to log in.
Make sure you are sending your AWS key pair as the identity file, i.e.
ssh -i ~/.ssh/keypair.pem user@ec2-174-129-xxx-xx.compute-1.amazonaws.com
Also check that SSH is enabled in your security group
Assuming you would like to have users log in with a password so they need not supply a key every time, all you must do is turn on the ability to SSH in with a password. This option is turned off by default in all Linux AMIs.
Use vi, nano, pico, etc. to edit the following file with root privileges:
sudo vi /etc/ssh/sshd_config
Change the following setting to yes:
PasswordAuthentication yes
Finally you must restart SSH (since you are SSHed onto a remote machine, a simple reboot is fine).
That's it! Of course, you must still add users with the adduser command and give them passwords with the passwd command for them to be able to login to your AMI. Checkout this link for more info on the OpenSSH SSH client configuration files.
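Turning PasswordAuthentication on globally, as above, exposes every account on the instance (including ec2-user or ubuntu) to password guessing. The script below is an added example, not part of the answer: it keeps keys as the default and allows passwords only for the accounts you name, via a Match block in a drop-in file, and it refuses to proceed for a user that has not been created with adduser yet. It assumes an sshd_config that includes /etc/ssh/sshd_config.d/*.conf (OpenSSH 8.2 and later; on older builds append the same lines to the end of sshd_config); the function names and drop-in file name are this example's own.

```shell
#!/bin/bash
# Added example, not from the answer above: allow password logins only for
# named accounts instead of for every user on the box. Assumed: OpenSSH with
# "Include /etc/ssh/sshd_config.d/*.conf" in sshd_config; function names and
# the drop-in file name are this example's own.
set -u

# Print the drop-in for a comma-separated user list (no side effects).
render_password_policy() {
    local users="$1"
    printf '%s\n' \
        '# The answer above sets this to yes globally; keep keys the default instead' \
        'PasswordAuthentication no' \
        "Match User $users" \
        '    PasswordAuthentication yes' \
        '# A Match block runs to the end of the parsed config, so close it here' \
        'Match all'
}

# apply_password_policy USERS [DEST]: refuse unknown users, write, validate.
apply_password_policy() {
    local users="$1" dst="${2:-/etc/ssh/sshd_config.d/50-password-users.conf}" u
    # Match User on an account that does not exist is a silent no-op, so fail loudly
    for u in ${users//,/ }; do
        id "$u" >/dev/null 2>&1 || { echo "no such user: $u (run adduser first)" >&2; return 1; }
    done
    render_password_policy "$users" > "$dst" || return 1
    chmod 644 "$dst"
    # A syntax error here locks you out on restart: validate the live config
    # before restarting, but only when writing into the real sshd tree.
    case "$dst" in
        /etc/ssh/*)
            if [ "$(id -u)" -eq 0 ] && command -v sshd >/dev/null 2>&1; then
                sshd -t || { rm -f "$dst"; return 1; }
            fi ;;
    esac
}

# Usage, as root:  apply_password_policy "alice,bob" && systemctl restart sshd
# (the service is named ssh on Ubuntu)
```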