Amazon EC2 key pair changed automatically - amazon-ec2

I have 2 instances in my Amazone ec2 console. Let it be Inst1 and Inst2 .
I created an image ( AMI ) for Inst2 and I launched that image as new instance with new key pair.
But with that newly created I was not able to Login to the instance via ssh .
So I stopped that instance .
But after that Inst1's key pair changed to that of Inst2. (means Inst1 and Inst2 now have the same key pair )
In amazon FAQ I checked, but in that they clearly mentioned that we can't chane the Key pair for an instance without stopping that instance. But in my case, Inst1's key pair got changed without restarting it and without my knowledge.
It is not fair to have the same key pair for both the instances. And Inst1 is a critical one and I can't stop that instance .
What should I do for this ?
How may be the key pair get changed ?

Keypairs are used to grant access to Amazon EC2 instances. They are public/private keypairs, typically randomly generated by EC2 but existing keypairs (or more specifically, the public half of the keypair) can be imported into EC2.
They are used as follows:
Windows: When starting Windows from a standard Windows AMI, a utility called Ec2Config randomly generates an Administrator password, encrypts it using the public half of the keypair, and passes it back through the System Log. Users must decrypt it using their private key. They can then login to Windows.
Linux: When starting Linux from a standard Linux AMI, the public half of the keypair is copied to .ssh/authorized_keys. Users can login via ssh by providing their private key.
(The reference to a 'standard' AMI is intentional -- AMIs created by other people will not necessarily have these utilities installed.)
In both situations, it is advisable that users then modify their instance to use their normal security standards. For example, Windows users should change the Administrator password or, preferably, attach the instance to an Active Directory domain. Linux users should create additional users and install their standard keypairs.
There should be no continuing need to use keypairs after the initial launch of the EC2 instance. Users should be using their own passwords/keypairs. It is not good practice to keep using the same password/keypair as initially created when the instance is launched.
To answer your question...
The keypair on an instance will not change (and in fact cannot change). The name of the keypair is listed as a property of the instance, so the keypair used can be identified.
However, Windows users can change the Administrator password and Linux users can replace the contents of the .ssh/authorized_keys file. Therefore, the password/keypair used to login to an instance might change, but the keypair listed against the instance (used during the first boot) does not change.

Related

Lost .pem file. Need help connecting to EC2 remote server

My secretary created a new instance in Amazon using their EC2 server but lost the .pem file. Doing research online I was able to go to the instance system settings/get system log and retrieve some type of password there. The instance system log shows something like this:
2019/04/15 12:15:19Z: Username: Username
2019/04/15 12:15:19Z: Password: <Password>
It is a very long code of random characters.
Is there any way I can use this to log in via remote desktop or is there a way to decrypt it? I tried several decryption methods online and they said this was not a valid "hash"...whatever this means. I am not a technical person so I need hopefully a response in layman terms.
It appears that you are connecting to a Windows instance. When a new Amazon EC2 Windows instance is launched, a program on the AMI (disk image) automatically generates a random Administrator password. This is done so that you can access the instance, but nobody else can.
To keep the password secret, the program encrypts the password with the keypair nominated when the instance was launched. The encrypted password is passed back to AWS via the console. That is the string of 'random characters' you saw.
To decrypt the password, you can use the Get Windows Password feature, which requires you to supply the nominated keypair. It will then decrypt the password, which can be used to login to the instance as Administrator.
Since you no longer have the keypair, you cannot decrypt the password and therefore cannot login to the server. This is good! This proves that security works, because you would not want other people to be able to login to the server.
So, can do you regain access?
Refer to the steps on: I need to reset the administrator password on a Windows Server instance in Amazon EC2
Basically, there are two methods:
If Systems Manager is enabled for the instance, you can run a "rescue" script
Otherwise, there is a series of scripts that assist with the process of:
Detaching the disk
Attaching it to another instance
Resetting a configuration on the disk
Reattaching the disk to the original instance
The second process is a bit like plugging a USB disk into another computer to change a file (except that EC2 disks are managed differently).

Can a server have more than one SSH key pair?

I have an EC2 server on AWS. I created a key pair upon first time connecting to the server (following whatever default steps on the console).
Now I want to login to the same server from a different machine. What is the best way to do so? Do I have to email my public key to the other machine?
I tried to create more key pairs on the AWS console, but can't figure out to additional key pairs to the server. Is that even possible?
Update:
This is not a duplicate question. My goal is not to associate two key pairs with one server. I am trying to find a way to login to a server from a different computer, whether to use the same key pair, another key pair or even a different user.
When an Amazon EC2 instance is launched from an Amazon Linux AMI (and several other Linux AMIs, too), the public half of the keypair selected at launched will automatically be copied to:
/home/users/ec2-user/.ssh/authorized_keys
When you later attempt to login to the ec2-user by providing the private half of the keypair, the two halves will be compared and, if they match, you will be permitted to login as that user.
You can allow another person to login to the ec2-user by either:
Giving them the same private keypair (bad for security), OR
By creating a keypair for them (via ssh-keygen) and adding the public half of that keypair to the above file
Alternatively, you could create a new user on the machine for them, then add the keypair to the above file within their user directory.
See: Add New User Accounts with SSH Access to a Linux Instance
So, to login to that EC2 instance from a different computer, you will need the private keypair on that different computer. It's just like a password.
Or, you could create a new keypair on that computer and copy the public keypair to the authorized_keys file on the target instance.
All of this is really Linux stuff, rather than something specific to Amazon EC2.
It is not possible to create multiple key pairs for an ec2 server; however you can create multiple users and through that give access.
Id advice creating multiple users and giving access via ssh with key authentication. I have included a link below with the walkthrough.
With that being said you Create a new user, then
allocate permissions and privileges. Next you generate a key - certificate. And finally, you associate the certificate to the user.
https://debian-administration.org/article/530/SSH_with_authentication_key_instead_of_password

How to replace/add key pair for a Windows EC2 instance

I have a running Windows server image on EC2.
I created an additional administrator login and have been using it login using RDP. Unfortunately I've lost the PEM file for the "Administrator" account and I've also disabled it for "safety"
Since I have access to the instance through an alternative administrative account I'm trying to figure out a few things:
Do need the "Administator" account PEM file in future?
If I get Amazon to generate a new PEM file using the same name that I currently have, how do I replace the "Administrator" key pair for the instance?
I've searched all over and can't find an answer on how to replace the key pair or add an additional key pair to a running "Windows" instance
Everything talks about shutting down and creating an new instance. I cannot shut down this server, so that must be a way to replace the key pair for the "Administrator" account.
I can't even find where Windows stores the key pair in a Windows server.
When an instance is first launched from one of the Amazon-supplied Windows AMIs, some code on the instance generates a random Administrator password. This password is then encrypted with the selected Keypair and passed back to AWS (you can actually see it in the System Log).
When you wish to first login to the instance, you will need to use the PEM to decrypt the Administrator password. You can then login to the Windows instance using that password.
It is recommended that you immediately change the Administrator password or connect the instance to Active Directory -- basically, follow your standard company security practices.
If you remember the password, you will not require the PEM file again. In fact, if you change the password, then even having the PEM will not facilitate access because it will only decrypt the original password, not the current password.
Bottom line: Ignore the PEM file. You still have administrative access to the instance, so you don't even need the Administrator account anymore. If you wish to use the Administrator account, simply use your existing administrative login to reactive it and set the password. There is no reason to panic and, actually, no reason to do anything.

What's the difference between Amazon EC2 private key (.pem) and secret access key?

While signing up for Amazon EC2 and enabling ssh, I have to create and download a private key (.pem) and a secret access key.
How are they different? What different functions do they have?
You need to read a good tutorial on SSH, but here is a summary:
The Access Key ID and Secret Access Key are like a username and password. They allow you to "do stuff" on the AWS API using the commandline tools or code you write.
The private key (.pem) is like a password for talking (SSH) to an individual box that you have launched. (i.e. not "AWS itself", but "your box within AWS".) You can have different passwords to different boxes if you want, but most of the time you only need one.
If you know how SSH works, they are just putting down ~/.ssh/known_hosts with the public part of your key, allowing you to log in for the first time. You can change that file later to add more users or rotate your SSH keys.

What is Key Name?? while creating RunInstanceRequest for AMI (Amazon machine Image)

if I set Key Name as 'Default' it throws error that 'Key pair Default does not exist as well from where I can get Key Name, I am using a public AMI. and also have tool ElasticFox..is there any place in this tool where I can found Key Name???
Any Idea??
Thanks
In your browser open AWS console. Go to EC2 tab. You should see in the right part under My Resources the keypairs (if you do not have one you can create - the UI is pretty intuitive).
The name of the keypair is the key name you looking for.
keyname refers to ssh keypairs. You can create a new keypair on Elasticfox and use it to launch your instance.

Resources