Last Updated: April 04, 2017
wkjagt

Access EC2 Linux box over ssh without .pem file

You may be in the situation where you need to access your EC2 instance from any machine, not necessarily your own. It's a pain to carry around your .pem file and a bad idea to leave it on someone else's machine too. Here's a solution that lets you log in to your instance with a password. Please be aware that this is less secure than using keys (thanks rnhurt for pointing this out), so be sure to create a strong password.

1. Log in to your EC2 instance using your .pem file:

ssh -i your_pem_file.pem ubuntu@ec2-________.compute-1.amazonaws.com

2. Create a new user that will access the instance using a password:

$ sudo useradd -s /bin/bash -m -d /home/USERNAME -g root USERNAME

where:

  • -s /bin/bash : use /bin/bash as the login shell
  • -m -d /home/USERNAME : create a home directory at /home/USERNAME
  • -g root : add to group root
  • USERNAME : the username of the new user

3. Create a strong password for the new user:

$ sudo passwd USERNAME
Enter new UNIX password:
Retype new UNIX password:

4. Add the user to the sudoers file: run sudo visudo and add the following line:

USERNAME  ALL=(ALL:ALL) ALL

5. Enable password authentication by editing /etc/ssh/sshd_config: change the line PasswordAuthentication no to PasswordAuthentication yes

6. Restart ssh:

sudo /etc/init.d/ssh restart

Log out of your instance (exit) and try your new login without the .pem file:

$ ssh USERNAME@ec2-________.compute-1.amazonaws.com
USERNAME@ec2-________.compute-1.amazonaws.com's password:
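An added check, not part of the original tip: after step 5 it is worth confirming what sshd will actually apply, because sshd honours the first uncommented occurrence of a keyword and treats a missing PasswordAuthentication line as yes. The script reads a config file path given as a parameter; the sample configs it builds are constructed.

```shell
#!/bin/sh
# Added example, not from the original tip: report the PasswordAuthentication
# value sshd will really apply for the global section of an sshd_config.
# Rules modelled: comments and blank lines are ignored, the FIRST uncommented
# occurrence of a keyword wins, keywords are case-insensitive, parsing stops at
# the first Match block, and an absent keyword means OpenSSH's default "yes".
# Assumes POSIX sh and awk; "Keyword value" syntax only (no "Keyword=value").

# Print the effective value of keyword $2 in config file $1 (empty if unset).
effective_sshd_option() {
    awk -v key="$2" '
        NF == 0 || $1 ~ /^#/        { next }     # blank or comment line
        tolower($1) == "match"      { exit }     # end of the global section
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# Print "yes" or "no" for PasswordAuthentication, applying the default when unset.
password_auth_enabled() {
    v=$(effective_sshd_option "$1" PasswordAuthentication)
    if [ -z "$v" ]; then v=yes; fi
    printf '%s\n' "$v"
}

# Demo on constructed configs (not real files): the explicit setting, the trap
# where an earlier "yes" silently overrides a later "no", and a commented-out line.
demo() {
    f=$(mktemp)
    printf '# comment\nPasswordAuthentication no\n' > "$f"
    echo "explicit no:            $(password_auth_enabled "$f")"   # no
    printf 'PasswordAuthentication yes\nPasswordAuthentication no\n' > "$f"
    echo "first occurrence wins:  $(password_auth_enabled "$f")"   # yes
    printf '#PasswordAuthentication no\n' > "$f"
    echo "keyword commented out:  $(password_auth_enabled "$f")"   # yes
    rm -f "$f"
}
demo
```

On a live host, sshd -T prints the effective configuration after Match processing; this script is for reviewing a config file offline.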

18 Responses


This is an amazingly bad idea. There is a reason that we use keys instead of passwords. Amazon isn't trying to make your life harder, they are following best practices and making your systems more secure and keeping you from hurting yourself.

If you want to avoid entering your key name in the SSH command set up an IdentityFile option in your .ssh/options file as seen here (http://nerderati.com/2011/03/simplify-your-life-with-an-ssh-config-file/).

over 1 year ago ·

Thanks for the link. But the problem I was trying to solve though was to be able to connect to the instance from any machine without having to carry the .pem file with me all the time. I am not always on my own machine, so I don't want to leave access to the instance open either. I should have mentioned it above. I'll update.

If you know a better solution, please let me know.

over 1 year ago ·

You should not want to connect to your servers from every location. The servers I maintain I can access only from the computers I own. Optimal security :)

But a possible solution is using a password protected keyfile on a USB drive and carry that with you all the time. So you can use the keyfile, but if the USB gets lost or stolen no one can use the key.

over 1 year ago ·

Nothing would stop "the bad guy" copying your key from that USB drive once you plug it in, would it?

over 1 year ago ·

Your keyfile should be protected by a strong passphrase. This would buy you some time as you swap out the authorized keys on your remote instance (assuming you have a backup of your private keyfile somewhere and can still access your instance).

over 1 year ago ·

My (optimal) solution:

Create a new keypair for every different server you own and for every user that can access one single server. The public keys of all allowed users (project partners) go into the /root/.ssh/authorized_keys on that server. The private keys you own on your personal desktop go into your /home/user/.ssh/ folder in separate files, in a specific tree structure. Then you add a /home/user/.ssh/config file. Read this: http://www.kelvinwong.ca/2011/03/. Soft link your .ssh folder to dropbox or gdrive. But not when your home folders aren't encrypted or other people can access these other computers. Have fun, be safe!

over 1 year ago ·

Cool, some really nice solutions. I am wondering though, I am not saying using a password is the best idea, but even when using keys, isn't the password to your Amazon account still the weakest link in the case of EC2 instances?

over 1 year ago ·

Two factor authentication for AWS accounts is a must!

over 1 year ago ·

I think a combination of all things mentioned might be the best. First off, use two factor authentication on anything that lets you log in via password on the internet. Secondly, the reason not to turn on your password authentication is that it's pretty likely that someone would knock on the door a few hundred thousand times, getting in eventually (if you really, really have to, turn on denyhosts: http://en.wikipedia.org/wiki/DenyHosts to make that harder). Thirdly, make your key safe with a keyword bigger than 16 characters and stay safe on the go with an encrypted USB drive; a good solution to that is truecrypt: http://www.truecrypt.org/ which supports all platforms.

Anything left? Stay safe out there :)

over 1 year ago ·
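As an added illustration of the guessing risk described in this comment (example code, not from the thread): count failed password attempts per source address in sshd's auth.log, which is what turning PasswordAuthentication on exposes you to. The log lines are constructed samples; the script assumes the standard sshd "Failed password for ... from ADDR port N" message format.

```shell
#!/bin/sh
# Added example, not from the original thread: list source addresses with at
# least N "Failed password" events in an auth.log-style file. Both the
# "Failed password for USER" and "Failed password for invalid user USER" forms
# are handled by locating the "from" token rather than a fixed field number.
# Assumes POSIX sh, awk and sort.

# Print "count ip" for every source with >= $2 failed password attempts in
# file $1, most active first.
failed_password_sources() {
    awk -v min="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            n[ip]++
        }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
    ' "$1" | sort -rn
}

# Constructed sample log (not real data), written to a temp file so the
# function reads a path exactly as it would read /var/log/auth.log.
sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Apr  4 10:00:01 ip-10-0-0-5 sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 40001 ssh2
Apr  4 10:00:02 ip-10-0-0-5 sshd[2002]: Failed password for invalid user oracle from 203.0.113.7 port 40002 ssh2
Apr  4 10:00:03 ip-10-0-0-5 sshd[2003]: Failed password for root from 203.0.113.7 port 40003 ssh2
Apr  4 10:00:09 ip-10-0-0-5 sshd[2004]: Accepted password for USERNAME from 198.51.100.2 port 50001 ssh2
Apr  4 10:00:15 ip-10-0-0-5 sshd[2005]: Failed password for USERNAME from 198.51.100.2 port 50002 ssh2
EOF
    printf '%s\n' "$f"
}

# Demo: report sources with three or more failures (a single typo is not noise).
log=$(sample_log)
failed_password_sources "$log" 3    # prints: 3 203.0.113.7
rm -f "$log"
```

Something like this, or a tool such as the DenyHosts mentioned above, is the minimum visibility to have before leaving password logins enabled.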

What's that? Oh, nothing, just the sound of a thousand passwords being sniffed.

Just import your own SSH key into AWS and use it, or set it using user data scripts.

over 1 year ago ·

wkjagt- Use MFA for your Amazon account. Limit access to resources using IAM.

over 1 year ago ·

Avoid PasswordAuthentication yes as much as possible

over 1 year ago ·

This is a horrible fauxtip, please consider removing it.

over 1 year ago ·

Keep the .pem in google drive.

over 1 year ago ·

@drywheattoast. I agree. But the conversation in the comments is interesting. I admit I was wrong though, so I'll leave this here:

For anyone reading this in the future: DON'T DO THIS. IT IS A BAD IDEA. I thought it was a good one, because it made my life simpler, but people wiser than me have taught me otherwise. Please read all the comments above. If you still want to continue, you're on your own.

over 1 year ago ·

Don't remove the post. It's like removing cars because some people drive while they are drunk...
And to be a complete troll for people that don't understand the use of this post, you can suggest keeping the PEM in github.

over 1 year ago ·

Can someone provide instructions (commands) for this part?

4. Add user to sudoers file by using sudo visudo and add the following line:

USERNAME ALL=(ALL:ALL) ALL
5. Enable password authentication by editing /etc/ssh/sshd_config: change PasswordAuthentication no to PasswordAuthentication yes

5 months ago ·