Last Updated: March 04, 2022
·
96.65K
· wkjagt

Access EC2 Linux box over ssh without .pem file

You may be in the situation where you need to access your EC2 instance from any machine, not necessarily your own. It's a pain to carry around your .pem file and a bad idea to leave it on someone elses machine too. Here's a solution to let you login to your instance with a password. Please be aware that this is less secure (thanks rnhurt for pointing this out) than using keys, so be sure to create a strong password.

1. Login to your EC2 instance using your .pem file

ssh -i your_pem_file.pem ubuntu@ec2-________.compute-1.amazonaws.com

2. Create a new user that will access the instance using a password:

$ sudo useradd -s /bin/bash -m -d /home/USERNAME  -g root USERNAME

where:

  • -s /bin/bash : use /bin/bash as the standard shell
  • -m -d /home/USERNAME : create a home directory at /home/USERNAME
  • -g root : add to group root
  • USERNAME : the username of the new user

3. Create a strong password for the new user:

$ sudo passwd USERNAME
Enter new UNIX password:
Retype new UNIX password:

4. Add user to sudoers file by using sudo visudo and add the following line:

USERNAME  ALL=(ALL:ALL) ALL

5. Enable password authentication by editing /etc/ssh/sshd_config: change PasswordAuthentication no to PasswordAuthentication yes

6. Restart ssh:

sudo /etc/init.d/ssh restart

Logout of your instance (exit) and try your new login without the .pem file:

$ ssh USERNAME@ec2-________.compute-1.amazonaws.com
USERNAME@ec2-________.compute-1.amazonaws.com's password:

22 Responses
Add your response

This is an amazingly bad idea. There is a reason that we use keys instead of passwords. Amazon isn't trying to make your life harder, they are following best practices and making your systems more secure and keeping you from hurting yourself.

If you want to avoid entering your key name in the SSH command set up an IdentityFile option in your .ssh/options file as seen here (http://nerderati.com/2011/03/simplify-your-life-with-an-ssh-config-file/).

over 1 year ago ·

Thanks for the link. But the problem I was trying to solve though was to be able to connect to the instance from any machine without having to cary the .pem file with me all the time. I am not always on my own machine, so I don't want to leave access to the instace open either. I should have mentioned it above. I'll update.

If you know a better solution, please let me know.

over 1 year ago ·

You should not want to connect to your servers from every location.. The servers I maintain I can access only from the computers I own. Optimal security :)

But a possible solution is using a password protected keyfile on a USB drive and carry that with you all the time. So you can use the keyfile, but if the USB gets lost or stolen noone can use the key.

over 1 year ago ·

Nothing would stop "the bad guy" copying your key from that USB drive once you plug it in, would it?

over 1 year ago ·

Your keyfile should be protected by a strong passphrase. This would buy you some time as you swap out the authorized keys on your remote instance (assuming you have a backup of your private keyfile somewhere and can still access your instance).

over 1 year ago ·

My (optimal) solution:

Create a new keypair for every different server you own and for every user that can access one single server. The public keys of all allowed users (project partners) go into the /root/.ssh/authorized_keys on that server. The private keys you own on your personal desktop go into you /home/user/.ssh/ folder in separate files, in a specific tree structure. Then you add a /home/user/.ssh/config file. Read this: http://www.kelvinwong.ca/2011/03/. Soft link your .ssh folder to dropbox or gdrive. But not when your home folders aren't encrypted or other people can access these other computers. Have fun, be safe!

over 1 year ago ·

Cool, some really nice solutions. I am wondering though, I am not saying using a password is the best idea, but even when using keys, isn't the password to your Amazon account still the weakest link in the case of EC2 instances?

over 1 year ago ·

Two factor authentication for AWS accounts is a must!

over 1 year ago ·

I think a combination of all things mentioned might be the best. First off, use two factor authentication on anything that lets you log in via password on the internet. Secondly, the reason to not turn on you password authentication is the it's pretty likely that someone would knock on the door a few hundred thousand times, getting in eventually(if you really, really have to, turn on denyhosts: http://en.wikipedia.org/wiki/DenyHosts to make that harder). Thirdly, make your key save with a bigger 16 characters keyword and stay save on the go with an encrypted USB drive, good solution to that is truecrypt: http://www.truecrypt.org/ supports all platforms.

Anything left? Stay save out there :)

over 1 year ago ·

What's that? Oh, nothing, just the sound of a thousand passwords being sniffed.

Just import your own SSH key into AWS and use it, or set it using user data scripts.

over 1 year ago ·

wkjagt- Use MFA for your Amazon account. Limit access to resources using IAM.

over 1 year ago ·

Avoid PasswordAuthentication yes as much as possible

over 1 year ago ·

This is a horrible fauxtip, please consider removing it.

over 1 year ago ·

Keep the .pem in google drive.

over 1 year ago ·

@drywheattoast. I agree. But the conversation in the comments is interesting. I admit I was wrong though, so I'll leave this here:

For anyone reading this in the future: DON'T DO THIS. IT IS A BAD IDEA. I thought it was a good one, because it made my life simpler, but people wiser than me have taught me otherwise. Please read all the comments above. If you still want to continue, you're on your own.

over 1 year ago ·

Don't remove the post. It's like removing cars because some people drive while they are drunk...
And to be completely troll for people that don't understand the use of this post, you can suggest to keep the PEM in github.

over 1 year ago ·

Don't remove the post. It's like removing cars because some people drive while they are drunk...
And to be completely troll for people that don't understand the use of this post, you can suggest to keep the PEM in github.

over 1 year ago ·

Can someone provide instructions (commands) for this part?

4.Add user to sudoers file by using sudo visudo and add the following line:

USERNAME ALL=(ALL:ALL) ALL
5. Enable password authentication by editing /etc/ssh/sshd_config: change PasswordAuthentication no to PasswordAuthentication yes

over 1 year ago ·

fnhurt - Your comment is dumb. There are plenty of relly good reasons to do this. There are many things that don't need to be secure at all. In my case I am teaching BDD in WordPress and I deploy a fresh server for each student during my lectures, and then terminate them after we're done. My students all have a terminal program on their various machines, but rarely know what a .pem file is.

over 1 year ago ·

very nice instructions. Having one machine (your laptop) or a few machines to interact with the server is ridiculous.

over 1 year ago ·

Thank you for such an incredible article. Is there a way to go back to accessing ec2 with only pem file?

over 1 year ago ·

Thank you Willem

over 1 year ago ·