AWS/Connect over SSH to EC2

From Ever changing code
Jump to navigation Jump to search

Theory: private and public keys

Ssh protocol can authenticate a user without password by using a private key that is matching a public key installed on a remote server.

OpenSSH - secure keys management

Each user home has ~/.ssh/ hidden subdirectory with files:

-rw-r--r-- piotr:piotr authorized_keys     #contains a list of public keys (the contents of id_rsa.pub) one per line that are allowed to 
                                            login with the corresponding private key (the id_rsa file)
-r-------- piotr:piotr id_rsa              #contains the user private key on the current system
-rw-r--r-- piotr:piotr id_rsa.pub          #contains public key that can be copied/(append to authorized_keys file) on another system
                                            allowing ssh logon without password

Command ssh-keygen generates interactively a key pair of 2 files in default ~/.ssh location

  • id_rsa - private key, stays with us and should never be copied to another system
  • id_rsa.pub - public key, to be installed on remote system

Theory: ways to connect without password

  • You can use a private key id_rsa copied from a remote server to connect to the remote server.
  • Or you can append PUB key to authorized_keys file on a remote server and then use the matching private key to connect from a client.

It's worth to note that PuTTY and OpenSSH key files formats are not compatible although both are flat text files.

Download private key from EC2 Instance

Your OpenSSH key pair is generated at the time you build EC2 instance. The key pair name used for connection to the instance is listed under EC2 Dashboard > Network & Security > Key Pairs. You should have already downloaded a copy of the private key onto your local machine during the instance creation. The key pair used to connect to the specific instance is listed on the Instances screen > Key Pair Name:

Instance-keypair

Generate private PEM and public PUB key pair in Linux

A file without the extension it is private key, use cat mykey to preview. During the key generating you will be prompted for passphrase that adds extra layer of security but it can be ignored by pressing [enter] twice. The command below will generate a key pair: id_rsa and id_rsa.pub files.

ssh-keygen   #default RSA key

You should change a file permissions of the key to read_only by the owner as per Getting Started with Amazon EC2 Linux Instances

chmod 400 id_rsa.pem
-r------- 1 user user 1766 Aug 18 01:17 mykey.pem

Copy public PUB key to the EC2 instance authorized_keys

The key pair has been generated on local Linux machine. Theory says that we can share the public key with anyone. Therefore using SCP programme we can copy mykey.pub from local machine to a remote machine. In our case the remote is EC2 instance.

Option 1. From a local linux box copy a public key over to the remote host

scp ~/.ssh/mykey.pub ubuntu@ec2-user@ec2-99-99-99-99.compute-1.amazonaws.com:/home/ubuntu/.ssh/

On the remote EC2 instance/linux box append the public_key mykey.pub to authorized_keys file. This is known as installing the public key to a server.

ssh {ubuntu|ec2-user}@ec2-99-99-99-99.compute-1.amazonaws.com
cat ~/.ssh/mykey.pub >> ~/.ssh/authorized_keys

Option 2. Install identity - public key from local machine using OpenSSH command, use FQDN. This will append .pub key to ~/.ssh/authorized_keys file

ssh-copy-id -i ~/.ssh/id_rsa.pub {ubuntu|ec2-user}@ec2-99-99-99-99.compute-1.amazonaws.com

Connect to the EC2 instance

  • Ubuntu user: ubuntu (confirmed)
  • RedHat user: root (tbc)
  • Amazon branded instances: ec2-user (confirmed)
  • CentOS user: centos (tbc)

Connect from Linux

Connecting and useful flags -l username specifies Linux account user name, -v verbose mode

ssh -i mykey.pem ubuntu@ec2-user@ec2-99-99-99-99.compute-1.amazonaws.com

Connecting from Windows

PuTTY does not natively support OpenSSH private key format (.pem) generated on Amazon EC2 instance. This private key file is in a form called PEM – "Private Enhanced Mail". PuTTY cannot work with PEM files. PuTTY has a tool named PuTTYgen, which can convert keys to the required PuTTY format (.ppk). You must convert your private key into PuTTY format (.ppk) before attempting to connect to your instance using PuTTY.

How to convert your PuTTY-gen private key to OpenSSH readable key
  1. Start PuTTYgen (All Programs > PuTTY > PuTTYgen).
  2. Under Type of key to generate, select SSH-2 RSA.
  3. Click Load. By default, PuTTYgen displays only files with the extension .ppk. To locate your .pem file, select the option to display files of all types(*.*).
    Import-pem-key-into-puttygen
  4. Change Key comment into your instance Key Pair Name made up by you when you created the instance's key pair.
  5. Click Save private key to save the key in the format that PuTTY can use. PuTTYgen displays a warning about saving the key without a passphrase. Click Yes. Note: A passphrase on a private key is an extra layer of protection, so even if your private key is discovered, it can't be used without the passphrase. The downside to using a passphrase is that it makes automation harder because human intervention is needed to log on to an instance, or copy files to an instance.
  6. Specify the same name for the key that you used for the key pair (for example, my-key-pair). PuTTY automatically adds the .ppk file extension.

Your private key is now in the correct format for use with PuTTY. You can now connect to your instance using PuTTY's SSH client

How to use PPK private key file for password less connection
  • Double-click on the PPK file to load into PuTTY Pageant key agent that holds keys in RAM and use them for each connection you do using PuTTY
  • Or open PuTTY, navigate to Connection>SSH>Auth>Private key file for authentication (Browse...) to specify location of the PPK file to be used for the connection

Remove host from SSH known_hosts file

SSH in Linux stores fingerprints of authorized hosts that can connect to the system in ~/.ssh/known_hosts file. This file is used to detect if a host has changed or may have been compromised. However, recent OpenSSH versions hash the hostname in this file, which is good for security but means you can't just go in and edit the known_hosts file if you want to remove an entry (e.g. the server has been re-built and it now has new fingerprint). The command below will remove an entry for 'a hostname' from your known_hosts file. It also works with IP addresses.

ssh-keygen -R hostname

EC2 Security Group

Remember to assign the security group that applies to your scheme on your instance. Having port open on the instance does not mean you will be able to access from outside. It must bypass EC2 Security Group first. Overview below:

Ec2-security-group

References