Access EC2 Linux box over ssh without .pem file
You may be in the situation where you need to access your EC2 instance from any machine, not necessarily your own. It's a pain to carry around your .pem file and a bad idea to leave it on someone else's machine too. Here's a solution to let you log in to your instance with a password. Please be aware that this is less secure (thanks rnhurt for pointing this out) than using keys, so be sure to create a strong password.
1. Log in to your EC2 instance using your .pem file:
$ ssh -i your_pem_file.pem ubuntu@ec2-________.compute-1.amazonaws.com
2. Create a new user that will access the instance using a password:
$ sudo useradd -s /bin/bash -m -d /home/USERNAME -g root USERNAME
where:
- -s /bin/bash: use /bin/bash as the standard shell
- -m -d /home/USERNAME: create a home directory at /home/USERNAME
- -g root: add to group root
- USERNAME: the username of the new user
3. Create a strong password for the new user:
$ sudo passwd USERNAME
Enter new UNIX password:
Retype new UNIX password:
4. Add the user to the sudoers file by running sudo visudo and adding the following line:
USERNAME ALL=(ALL:ALL) ALL
5. Enable password authentication by editing /etc/ssh/sshd_config: change PasswordAuthentication no to PasswordAuthentication yes
6. Restart ssh:
sudo /etc/init.d/ssh restart
Log out of your instance (exit) and try your new login without the .pem file:
$ ssh USERNAME@ec2-________.compute-1.amazonaws.com
USERNAME@ec2-________.compute-1.amazonaws.com's password:
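Step 5 is the part that is easiest to get wrong by hand, because sshd honours only the first uncommented PasswordAuthentication line in the global section, ignores anything placed after a Match block for the general case, and stock images often ship a commented-out copy of the directive as well. The helpers below are an added example, not code from the original protip: two POSIX sh functions that report the effective global value of PasswordAuthentication in an sshd_config-style file and set it (yes or no) unambiguously. The function names and the file-path parameter are my own choices; the live file on the instance is /etc/ssh/sshd_config and editing it needs root. They assume the file does not Include other files (newer Ubuntu images also read /etc/ssh/sshd_config.d/*.conf, which these helpers do not follow), so rehearse on a copy first.

```shell
#!/bin/sh
# Added example, not code from the original protip. Two POSIX sh helpers that
# read and set the PasswordAuthentication directive in an sshd_config-style file.
# The file path is a parameter so you can rehearse on a copy; the live file on
# the instance is /etc/ssh/sshd_config and editing it requires root.
# Assumptions: only the global section (everything above the first "Match"
# block) is touched, since Match blocks apply conditionally; and the file does
# not "Include" other files (newer Ubuntu images also pull in
# /etc/ssh/sshd_config.d/*.conf, which these helpers do not follow).

# Print the effective global PasswordAuthentication value ("yes" or "no").
# sshd honours the first uncommented occurrence; if none exists before the first
# Match block, OpenSSH's built-in default is "yes".
ssh_pw_auth_status() {
    awk '
        /^[[:space:]]*[Mm]atch[[:space:]]/ { exit }
        tolower($1) == "passwordauthentication" { print tolower($2); found = 1; exit }
        END { if (!found) print "yes" }
    ' "$1"
}

# Set PasswordAuthentication to "$2" (yes|no) in file "$1".
# Every global occurrence, including commented-out ones, is collapsed into a
# single directive so the result is unambiguous; if the file had none, the
# directive is inserted before the first Match block (or appended when there is
# no Match block). A .bak copy of the original is kept beside the file.
ssh_pw_auth_set() {
    _file="$1"
    _want="$2"
    case "$_want" in
        yes|no) ;;
        *) echo "usage: ssh_pw_auth_set FILE yes|no" >&2; return 2 ;;
    esac
    cp "$_file" "$_file.bak"
    awk -v want="$_want" '
        /^[[:space:]]*[Mm]atch[[:space:]]/ && !inmatch {
            inmatch = 1
            if (!done) { print "PasswordAuthentication " want; done = 1 }
        }
        !inmatch && /^[[:space:]]*#?[[:space:]]*[Pp]asswordAuthentication[[:space:]]/ {
            if (!done) { print "PasswordAuthentication " want; done = 1 }
            next
        }
        { print }
        END { if (!done) print "PasswordAuthentication " want }
    ' "$_file" > "$_file.tmp" && mv "$_file.tmp" "$_file"
}

# Stand-alone demonstration on a constructed sample file (never touches /etc/ssh).
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp)
    printf '# constructed sample\nPasswordAuthentication no\nMatch User student\n    PasswordAuthentication yes\n' > "$demo"
    echo "before: $(ssh_pw_auth_status "$demo")"
    ssh_pw_auth_set "$demo" yes
    echo "after:  $(ssh_pw_auth_status "$demo")"
    rm -f "$demo" "$demo.bak"
fi
```

Before restarting sshd (step 6), validate the edited file with sudo sshd -t, which exits non-zero on a syntax error and keeps you from locking yourself out of a running instance; on systemd-based Ubuntu releases the restart itself is sudo systemctl restart ssh rather than the /etc/init.d script. The same habit applies to step 4: sudo visudo -c checks the sudoers file without opening an editor. Reverting to key-only access is just ssh_pw_auth_set /etc/ssh/sshd_config no followed by the same check and restart.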
Written by Willem van der Jagt
22 Responses
This is an amazingly bad idea. There is a reason that we use keys instead of passwords. Amazon isn't trying to make your life harder, they are following best practices and making your systems more secure and keeping you from hurting yourself.
If you want to avoid entering your key name in the SSH command set up an IdentityFile option in your .ssh/options file as seen here (http://nerderati.com/2011/03/simplify-your-life-with-an-ssh-config-file/).
Thanks for the link. But the problem I was trying to solve though was to be able to connect to the instance from any machine without having to carry the .pem file with me all the time. I am not always on my own machine, so I don't want to leave access to the instance open either. I should have mentioned it above. I'll update.
If you know a better solution, please let me know.
You should not want to connect to your servers from every location. The servers I maintain I can access only from the computers I own. Optimal security :)
But a possible solution is using a password protected keyfile on a USB drive and carry that with you all the time. So you can use the keyfile, but if the USB gets lost or stolen no one can use the key.
Nothing would stop "the bad guy" copying your key from that USB drive once you plug it in, would it?
Your keyfile should be protected by a strong passphrase. This would buy you some time as you swap out the authorized keys on your remote instance (assuming you have a backup of your private keyfile somewhere and can still access your instance).
My (optimal) solution:
Create a new keypair for every different server you own and for every user that can access one single server. The public keys of all allowed users (project partners) go into the /root/.ssh/authorized_keys on that server. The private keys you own on your personal desktop go into your /home/user/.ssh/ folder in separate files, in a specific tree structure. Then you add a /home/user/.ssh/config file. Read this: http://www.kelvinwong.ca/2011/03/. Soft link your .ssh folder to dropbox or gdrive. But not when your home folders aren't encrypted or other people can access these other computers. Have fun, be safe!
Cool, some really nice solutions. I am wondering though, I am not saying using a password is the best idea, but even when using keys, isn't the password to your Amazon account still the weakest link in the case of EC2 instances?
Two factor authentication for AWS accounts is a must!
I think a combination of all things mentioned might be the best. First off, use two factor authentication on anything that lets you log in via password on the internet. Secondly, the reason to not turn on your password authentication is that it's pretty likely that someone would knock on the door a few hundred thousand times, getting in eventually (if you really, really have to, turn on denyhosts: http://en.wikipedia.org/wiki/DenyHosts to make that harder). Thirdly, make your key safe with a bigger 16 characters keyword and stay safe on the go with an encrypted USB drive; a good solution to that is truecrypt: http://www.truecrypt.org/ supports all platforms.
Anything left? Stay safe out there :)
What's that? Oh, nothing, just the sound of a thousand passwords being sniffed.
Just import your own SSH key into AWS and use it, or set it using user data scripts.
wkjagt- Use MFA for your Amazon account. Limit access to resources using IAM.
Avoid PasswordAuthentication yes as much as possible
This is a horrible fauxtip, please consider removing it.
Keep the .pem in google drive.
@drywheattoast. I agree. But the conversation in the comments is interesting. I admit I was wrong though, so I'll leave this here:
For anyone reading this in the future: DON'T DO THIS. IT IS A BAD IDEA. I thought it was a good one, because it made my life simpler, but people wiser than me have taught me otherwise. Please read all the comments above. If you still want to continue, you're on your own.
Don't remove the post. It's like removing cars because some people drive while they are drunk...
And to be completely troll for people that don't understand the use of this post, you can suggest to keep the PEM in github.
Can someone provide instructions (commands) for this part?
4. Add user to sudoers file by using sudo visudo and add the following line:
USERNAME ALL=(ALL:ALL) ALL
5. Enable password authentication by editing /etc/ssh/sshd_config: change PasswordAuthentication no to PasswordAuthentication yes
fnhurt - Your comment is dumb. There are plenty of really good reasons to do this. There are many things that don't need to be secure at all. In my case I am teaching BDD in WordPress and I deploy a fresh server for each student during my lectures, and then terminate them after we're done. My students all have a terminal program on their various machines, but rarely know what a .pem file is.
very nice instructions. Having one machine (your laptop) or a few machines to interact with the server is ridiculous.
Thank you for such an incredible article. Is there a way to go back to accessing ec2 with only pem file?
Thank you Willem