I have a running Windows server image on EC2.
I created an additional administrator login and have been using it to log in using RDP. Unfortunately I've lost the PEM file for the "Administrator" account and I've also disabled it for "safety".
Since I have access to the instance through an alternative administrative account I'm trying to figure out a few things:
Do I need the "Administrator" account PEM file in future?
If I get Amazon to generate a new PEM file using the same name that I currently have, how do I replace the "Administrator" key pair for the instance?
I've searched all over and can't find an answer on how to replace the key pair or add an additional key pair to a running "Windows" instance.
Everything talks about shutting down and creating a new instance. I cannot shut down this server, so there must be a way to replace the key pair for the "Administrator" account.
I can't even find where Windows stores the key pair in a Windows server.
When an instance is first launched from one of the Amazon-supplied Windows AMIs, some code on the instance generates a random Administrator password. This password is then encrypted with the selected Keypair and passed back to AWS (you can actually see it in the System Log).
When you wish to first login to the instance, you will need to use the PEM to decrypt the Administrator password. You can then login to the Windows instance using that password.
It is recommended that you immediately change the Administrator password or connect the instance to Active Directory -- basically, follow your standard company security practices.
If you remember the password, you will not require the PEM file again. In fact, if you change the password, then even having the PEM will not facilitate access because it will only decrypt the original password, not the current password.
Bottom line: Ignore the PEM file. You still have administrative access to the instance, so you don't even need the Administrator account anymore. If you wish to use the Administrator account, simply use your existing administrative login to reactivate it and set the password. There is no reason to panic and, actually, no reason to do anything.
My secretary created a new instance in Amazon using their EC2 server but lost the .pem file. Doing research online I was able to go to the instance system settings/get system log and retrieve some type of password there. The instance system log shows something like this:
2019/04/15 12:15:19Z: Username: Username
2019/04/15 12:15:19Z: Password: <Password>
It is a very long code of random characters.
Is there any way I can use this to log in via remote desktop or is there a way to decrypt it? I tried several decryption methods online and they said this was not a valid "hash"...whatever this means. I am not a technical person so I need hopefully a response in layman terms.
It appears that you are connecting to a Windows instance. When a new Amazon EC2 Windows instance is launched, a program on the AMI (disk image) automatically generates a random Administrator password. This is done so that you can access the instance, but nobody else can.
To keep the password secret, the program encrypts the password with the keypair nominated when the instance was launched. The encrypted password is passed back to AWS via the console. That is the string of 'random characters' you saw.
To decrypt the password, you can use the Get Windows Password feature, which requires you to supply the nominated keypair. It will then decrypt the password, which can be used to login to the instance as Administrator.
Since you no longer have the keypair, you cannot decrypt the password and therefore cannot login to the server. This is good! This proves that security works, because you would not want other people to be able to login to the server.
So, how do you regain access?
Refer to the steps on: I need to reset the administrator password on a Windows Server instance in Amazon EC2
Basically, there are two methods:
If Systems Manager is enabled for the instance, you can run a "rescue" script
Otherwise, there is a series of scripts that assist with the process of:
Detaching the disk
Attaching it to another instance
Resetting a configuration on the disk
Reattaching the disk to the original instance
The second process is a bit like plugging a USB disk into another computer to change a file (except that EC2 disks are managed differently).
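The first-boot password mechanism that this answer and the earlier one on the lost Windows PEM both describe can be reproduced locally. The following script is an added example, not code from either answer or from AWS: it generates a throwaway RSA key pair standing in for the launch key, plays the Ec2Config role (random Administrator password, encrypted with the public half, emitted as base64 like the System Log entry), and then plays the "Get Windows password" role (decrypt with the private half). File names, the password and the working directory are constructed for the demo; it never contacts AWS.

```shell
#!/bin/sh
# Added example (not from the original posts): the EC2 Windows first-boot
# password flow, reproduced locally with a throwaway RSA key pair so the
# mechanics can be seen end to end. Paths and the password are constructed
# for this demo; nothing here talks to AWS.
set -eu

WORK="$(mktemp -d)"
PRIV="$WORK/launch-key.pem"      # stands in for the .pem downloaded at launch
PUB="$WORK/launch-key.pub.pem"   # the public half, which is all EC2 keeps

# Generate the pair (on AWS: "Create key pair", or import your own public key).
make_launch_keypair() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$PRIV" 2>/dev/null
    openssl pkey -in "$PRIV" -pubout -out "$PUB" 2>/dev/null
}

# What the first-boot agent does: invent a random Administrator password,
# encrypt it with the PUBLIC key (PKCS#1 v1.5, openssl's default for RSA),
# and hand back the ciphertext as base64. That base64 string is what the
# System Log shows and what `aws ec2 get-password-data` returns raw.
first_boot_password_data() {
    password="$(head -c 24 /dev/urandom | base64 | tr -d '=/+' | cut -c1-20)"
    printf '%s' "$password" > "$WORK/plaintext.txt"   # kept only so the demo can check itself
    printf '%s' "$password" \
        | openssl pkeyutl -encrypt -pubin -inkey "$PUB" \
        | base64 | tr -d '\n'
}

# What the console's "Get Windows password" button does: base64-decode and
# decrypt with the PRIVATE key. Without the .pem this step cannot be done,
# which is the point of the answer above.
decrypt_password_data() {
    printf '%s' "$1" | base64 -d | openssl pkeyutl -decrypt -inkey "$PRIV"
}

demo() {
    make_launch_keypair
    blob="$(first_boot_password_data)"
    recovered="$(decrypt_password_data "$blob")"
    if [ "$recovered" = "$(cat "$WORK/plaintext.txt")" ]; then
        echo "decrypted ok (password length ${#recovered})"
    else
        echo "decryption mismatch" >&2; return 1
    fi
}
demo
```

Against a real instance the same decrypt step is `aws ec2 get-password-data --instance-id <id> --priv-launch-key launch-key.pem`; a tampered blob or the wrong private key makes the padding check fail and openssl exits non-zero rather than returning garbage, which is the behaviour the test below relies on.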
I have an EC2 server on AWS. I created a key pair upon first time connecting to the server (following whatever default steps on the console).
Now I want to login to the same server from a different machine. What is the best way to do so? Do I have to email my public key to the other machine?
I tried to create more key pairs on the AWS console, but can't figure out how to add additional key pairs to the server. Is that even possible?
Update:
This is not a duplicate question. My goal is not to associate two key pairs with one server. I am trying to find a way to login to a server from a different computer, whether to use the same key pair, another key pair or even a different user.
When an Amazon EC2 instance is launched from an Amazon Linux AMI (and several other Linux AMIs, too), the public half of the keypair selected at launch will automatically be copied to:
/home/users/ec2-user/.ssh/authorized_keys
When you later attempt to login to the ec2-user by providing the private half of the keypair, the two halves will be compared and, if they match, you will be permitted to login as that user.
You can allow another person to login to the ec2-user by either:
Giving them the same private keypair (bad for security), OR
By creating a keypair for them (via ssh-keygen) and adding the public half of that keypair to the above file
Alternatively, you could create a new user on the machine for them, then add the keypair to the above file within their user directory.
See: Add New User Accounts with SSH Access to a Linux Instance
So, to login to that EC2 instance from a different computer, you will need the private keypair on that different computer. It's just like a password.
Or, you could create a new keypair on that computer and copy the public keypair to the authorized_keys file on the target instance.
All of this is really Linux stuff, rather than something specific to Amazon EC2.
It is not possible to create multiple key pairs for an ec2 server; however you can create multiple users and through that give access.
I'd advise creating multiple users and giving access via ssh with key authentication. I have included a link below with the walkthrough.
With that being said, you create a new user, then allocate permissions and privileges. Next you generate a key/certificate. And finally, you associate the certificate to the user.
https://debian-administration.org/article/530/SSH_with_authentication_key_instead_of_password
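Both answers above come down to editing authorized_keys for the right user instead of sharing the launch .pem. The script below is an added example (not code from either answer, the linked article, or AWS) that does the steps in order: sanity-check the public key line the other person sends, append it without duplicating, and set the permissions sshd's StrictModes requires; the last function adds the account-creation step for the "new user" route. HOME_BASE, the user names and the key line are assumptions so the functions can be exercised against a scratch directory; on a real instance HOME_BASE is /home and the user creation needs root.

```shell
#!/bin/sh
# Added example (not from the original answers): grant a second person or a
# second machine SSH access to an EC2 Linux instance by installing their
# PUBLIC key into the right authorized_keys file. HOME_BASE is parametrised
# so the functions can be tested against a scratch directory.
set -eu

HOME_BASE="${HOME_BASE:-/home}"

# Minimal check on a public key line before trusting it: an expected key
# type, then a base64 blob. Rejects private keys pasted by mistake.
valid_pubkey_line() {
    case "$1" in
        "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-nistp256 "*) ;;
        *) return 1 ;;
    esac
    key_blob="$(printf '%s' "$1" | cut -d' ' -f2)"
    printf '%s' "$key_blob" | grep -Eq '^[A-Za-z0-9+/]+=*$'
}

# Append one public key to $HOME_BASE/<user>/.ssh/authorized_keys.
# Idempotent (a key already present is not added twice) and fixes the
# permissions sshd insists on (group/world-writable files are ignored).
install_authorized_key() {
    user="$1"; pubkey="$2"
    valid_pubkey_line "$pubkey" || { echo "refusing to install malformed key" >&2; return 1; }
    sshdir="$HOME_BASE/$user/.ssh"
    keyfile="$sshdir/authorized_keys"
    mkdir -p "$sshdir"
    touch "$keyfile"
    if ! grep -qxF -- "$pubkey" "$keyfile"; then
        printf '%s\n' "$pubkey" >> "$keyfile"
    fi
    chmod 700 "$sshdir"
    chmod 600 "$keyfile"
    # On the instance the user must own the files; only possible as root
    # and only once the account exists.
    if [ "$(id -u)" -eq 0 ] && id "$user" >/dev/null 2>&1; then
        chown -R "$user:$user" "$sshdir"
    fi
    return 0
}

# Number of keys currently authorised for a user (useful for a quick audit
# of who can still log in as ec2-user).
authorized_key_count() {
    f="$HOME_BASE/$1/.ssh/authorized_keys"
    if [ -f "$f" ]; then grep -c -E '^(ssh-|ecdsa-)' "$f" || true; else echo 0; fi
}

# The "new user" route from the second answer: create the account, grant
# sudo if warranted, then install the key the person generated on THEIR
# machine (ssh-keygen -t ed25519). Requires root; not run by the demo.
provision_user_with_key() {
    user="$1"; pubkey="$2"
    useradd -m -s /bin/bash "$user"
    usermod -aG sudo "$user"      # Amazon Linux uses the wheel group instead
    install_authorized_key "$user" "$pubkey"
}
```

Run as root on the instance, `provision_user_with_key alice "$(cat alice.pub)"` is the whole procedure; the person keeps their private key on their own machine and you only ever handle the public half, which is the property the first answer relies on when it calls sharing the .pem "bad for security".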
While signing up for Amazon EC2 and enabling ssh, I have to create and download a private key (.pem) and a secret access key.
How are they different? What different functions do they have?
You need to read a good tutorial on SSH, but here is a summary:
The Access Key ID and Secret Access Key are like a username and password. They allow you to "do stuff" on the AWS API using the commandline tools or code you write.
The private key (.pem) is like a password for talking (SSH) to an individual box that you have launched. (i.e. not "AWS itself", but "your box within AWS".) You can have different passwords to different boxes if you want, but most of the time you only need one.
If you know how SSH works, they are just putting down ~/.ssh/known_hosts with the public part of your key, allowing you to log in for the first time. You can change that file later to add more users or rotate your SSH keys.
I have 2 instances in my Amazon ec2 console. Let them be Inst1 and Inst2.
I created an image (AMI) for Inst2 and I launched that image as a new instance with a new key pair.
But with that newly created one I was not able to log in to the instance via ssh.
So I stopped that instance.
But after that Inst1's key pair changed to that of Inst2 (meaning Inst1 and Inst2 now have the same key pair).
In the Amazon FAQ I checked, they clearly mentioned that we can't change the key pair for an instance without stopping that instance. But in my case, Inst1's key pair got changed without restarting it and without my knowledge.
It is not fair to have the same key pair for both the instances. And Inst1 is a critical one and I can't stop that instance.
What should I do about this?
How could the key pair have got changed?
Keypairs are used to grant access to Amazon EC2 instances. They are public/private keypairs, typically randomly generated by EC2 but existing keypairs (or more specifically, the public half of the keypair) can be imported into EC2.
They are used as follows:
Windows: When starting Windows from a standard Windows AMI, a utility called Ec2Config randomly generates an Administrator password, encrypts it using the public half of the keypair, and passes it back through the System Log. Users must decrypt it using their private key. They can then login to Windows.
Linux: When starting Linux from a standard Linux AMI, the public half of the keypair is copied to .ssh/authorized_keys. Users can login via ssh by providing their private key.
(The reference to a 'standard' AMI is intentional -- AMIs created by other people will not necessarily have these utilities installed.)
In both situations, it is advisable that users then modify their instance to use their normal security standards. For example, Windows users should change the Administrator password or, preferably, attach the instance to an Active Directory domain. Linux users should create additional users and install their standard keypairs.
There should be no continuing need to use keypairs after the initial launch of the EC2 instance. Users should be using their own passwords/keypairs. It is not good practice to keep using the same password/keypair as initially created when the instance is launched.
To answer your question...
The keypair on an instance will not change (and in fact cannot change). The name of the keypair is listed as a property of the instance, so the keypair used can be identified.
However, Windows users can change the Administrator password and Linux users can replace the contents of the .ssh/authorized_keys file. Therefore, the password/keypair used to login to an instance might change, but the keypair listed against the instance (used during the first boot) does not change.
I want to encrypt passwords using the DPAPI like this
ProtectedData.Protect(plain, optionalEntropy, DataProtectionScope.CurrentUser);
and wonder if the domain administrator could decrypt the generated blob, as
Using Passwords Effectively states:
However, in a domain environment a domain administrator can safely change your password, and you'll still have access to your encrypted files.
It seems like the domain administrator would have to decrypt the data (or rather, the encrypted master keys) first, in order to be able to re-encrypt it using a different password.
The answer is yes, provided he also has access to the entropy key (if one is created), or if he is willing and capable enough to hack into the blobs (see links below).
For the Master key in DPAPI (in CurrentUser mode), the Windows login username and password are used to generate the master key.
If the administrator updates the user's domain password, DPAPI will re-encode the master key for that user. The same goes if the user updates his password due to e.g. a monthly password change policy.
However, if he doesn't have access to the optional entropy key or the data that composes that key, the file will remain encrypted and all he will get is invalid data.
If DPAPI is used in CurrentMachine mode, the file can only be decrypted on the computer that encrypted it, however the file will be readable to all accounts on that computer, again provided they can also muster the content of the entropy key.
A good repository for information is DPAPI Secrets and this paper on reverse-engineering DPAPI, plus a link to a tool that can recover data from DPAPI blobs.
Short answer: he probably can't right out of the box, but Domain Admin is powerful. There are many ways they can get to your key if they really want it.
Long answer: DPAPI encrypts your data with a key. IIRC, it uses AES with a key that changes every 90 days. The key is stored on your computer, encrypted with your password. That's the default and it keeps your key out of reach of anyone but you.
Unless your domain admin remotely installs a key logger, steals your password, impersonates you and steals your key (or goes straight to the data, which he now sees in plain text).
Another somewhat less known fact is that when Credential Roaming is enabled on Active Directory, it will send your encrypted keys to a server. A domain admin could use that copy for an offline attack. But it is hard and unless your data is very valuable, I wouldn't worry about it.
The answer is yes. PoC utility with description: Vulnerability of DPAPI data protection in Win2K, Win2K3, Windows Server 2008, and Windows Server 2012
Works in Win Server 2016/2019 as well.