Secure Shell (SSH) keys provide a method of authenticating connections to various services which is particularly useful with virtual servers like Amazon EC2 instances where it is often the best or only way to connect to the server in the AWS console. This guide details the process of creating and adding an SSH key from a local computer with Ubuntu Linux to the authorized_keys file of an AWS EC2 instance. It covers the creation of SSH key pairs, the procedure to access the instance and update the authorized_keys file, and considerations to ensure the continued accessibility of the instance.
TL:DR – The process of adding or replacing an SSH key on an AWS EC2 instance allows secure access management for different users. This includes generating a new SSH key, connecting to the instance via SSH, updating the authorized_keys file, and testing the connection. Regularly updating SSH keys is good practice to maintain security, especially in collaborative environments. Additionally, proper management of the authorized_keys file is crucial to prevent accidental lockouts.
Contents
- A diagram of what we are doing to enable SSH key access from your computer to your AWS EC2 Instance
- Understanding SSH keys and their significance
- Creating a new SSH key pair on Ubuntu
- Connecting to the EC2 instance
- Updating the authorized_keys file
- Verifying SSH access with the new key
- Removing an SSH key from the EC2 instance
- Best practices for managing SSH keys
- Monitoring and logging
- Conclusion: Effective SSH key management
A diagram of what we are doing to enable SSH key access from your computer to your AWS EC2 Instance
Understanding SSH keys and their significance
SSH keys are cryptographic keys used to authenticate access to systems over insecure networks. They consist of a private key, which is kept secret and secured on the user's machine, and a public key, which is shared with the server or instance one wishes to access. The main advantage of using SSH keys lies in eliminating the need for password authentication, thus enhancing the security of remote logins. Using SSH keys also allows for the implementation of more complex authentication mechanisms, such as passphrase-protected keys.
In the context of AWS EC2 instances, SSH keys facilitate secure login to virtual machines via the Secure Shell protocol. AWS employs a key pair model allowing users to define both the public and the private keys. During the creation of a new EC2 instance, the public key is stored in a specific file, enabling incoming SSH connections from the corresponding private key. This versatility is essential for environments requiring various users to have controlled access to shared resources.
As of 2023, security best practices dictate that keys should be rotated periodically, especially when users leave an organisation or roles change. Furthermore, such management prevents potential security breaches from outdated or compromised keys. Hence, it is imperative to monitor and update SSH keys regularly.
Creating a new SSH key pair on Ubuntu
To begin the process, the first step is to generate a new SSH key pair on your Ubuntu system, if you do not already have one to put to use. This can be accomplished using the ssh-keygen command. Open a terminal and execute the following command:
ssh-keygen -t rsa -b 2048 -C "
Here, the option –t specifies the type of key to create; in this case, RSA is a widely used algorithm. The -b flag sets the number of bits in the key, and -C allows you to label your key with an identifier, usually your email address. After executing the command, follow the prompts to choose a location for saving the key files and optionally set a passphrase for added security. The public key will typically be saved in ~/.ssh/id_rsa.pub.
After creating the key pair, you can find two files in the specified location: the private key (id_rsa) and the public key (id_rsa.pub). It is critical not to share your private key, safeguarding it to prevent compromise. The public key is the file that will need to be added to the AWS EC2 instance.
Connecting to the EC2 instance
With your SSH key pair created, the next step is to connect to your EC2 instance. Firstly, ensure you have the appropriate permissions and that the instance is up and running.
You may be able connect to the instance using the following command:
ssh -i /path/to/your/private/key.pem
Here, replace "/path/to/your/private/key.pem" with the actual path to your private key file and use the public DNS or IP address of your EC2 instance in place of “ec2-xx-xxx-xxx-xxx.compute-1.amazonaws.com”. If successful, this will grant you shell access to your EC2 instance.
Alternatively, if you are not able to use the private key file, you can use EC2 Instance Connect to make a direct connection from the AWS console to the instance.
If you encounter issues connecting, check your security group settings in the AWS Management Console to ensure SSH access (port 22) is permitted from your client’s IP address. Additionally, ensure you are using the correct user, which is usually 'ubuntu', or another default user such as 'ec2-user', depending on the Linux distribution.
Updating the authorized_keys file
Once connected to the EC2 instance, you will need to add your public SSH key to the authorized_keys file. To do this, first obtain the content of your public key. You can use the following command to display it:
cat ~/.ssh/id_rsa.pub
Next, navigate to the .ssh directory of the user account you are accessing (e.g., /home/ubuntu/.ssh/)
authorized_keys file before making any changes. This backup can be invaluable if errors are made during the editing process.Open the authorized_keys file using a text editor such as vi:
vi ~/.ssh/authorized_keys
Go to the end of the file ( Shift G Shift A) Enter insert mode by (Press I) and press enter then paste your public key into the authorized_keys file (each key should be on its own line). Save and exit the editor. (Escape :wq!) It is essential to ensure that file permissions are correctly set for the .ssh directory and the authorized_keys file to prevent access issues but if it already exists they probably are. You can set them using:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
This ensures the directory is accessible only to the user and the necessary permissions are applied to the authorized_keys file.
Verifying SSH access with the new key
To check that the new SSH key has been correctly added, attempt to connect to the instance again using the private key associated with your newly added public key. Notice that this isn't quite the same SSH command as before, because it is using your SSH key not the amazon key pair PEM file.
ssh
If successful, congratulations, you have added your SSH key to the EC2 instance and can connect from this computer with ease! If you still cannot connect, double-check the public key’s formatting in the authorized_keys file and ensure that no trailing spaces or erroneous characters are present, as these can lead to failed authentication attempts.
Removing an SSH key from the EC2 instance
In some scenarios, you may need to remove an existing SSH key from the EC2 instance. Such a need may arise when a user no longer requires access or if there’s a need to rotate keys for security reasons. The process is straightforward: SSH into your EC2 instance and edit the authorized_keys file as previously described.
Locate the public key you wish to remove and delete the corresponding line in the authorized_keys file. Following the edit, save the file to apply the changes.
authorized_keys file to maintain access to the instance. If all public keys are removed, access will be revoked unless an alternative login method exists.Best practices for managing SSH keys
Managing SSH keys effectively is key to maintaining a secure environment, especially in a cloud setting like AWS EC2. Following best practices can mitigate risks associated with key management. Some valuable practices include:
1. Regular Key Rotation: Change SSH keys periodically, especially if there are organisational changes. Automated scripts can aid this rotation process, ensuring all keys are kept up to date seamlessly. This practice minimises the window of opportunity for potential attackers.
2. Limit Key Access: Assign SSH keys to specific users or roles, preventing blanket access for all. In scenarios where multiple users require access, consider utilizing bastion hosts or similar secure access methodologies to control and monitor connections.
3. Use Key Passphrases: Adding a passphrase to your private key can bolster security significantly. Even if a private key is compromised, the additional passphrase ensures that unauthorised users are still obstructed from gaining access.
Monitoring and logging
Regularly monitor access logs for your EC2 instances. AWS CloudTrail and AWS CloudWatch provide robust monitoring solutions that can be configured to send alerts on suspicious activities. Logs should be reviewed regularly to identify any unusual access patterns or unauthorised logins.
Conclusion: Effective SSH key management
In summary, adding and managing SSH keys on AWS EC2 instances is a vital skill for maintaining the integrity and security of your cloud environments. By generating secure key pairs, updating the authorized_keys file with your administrative computers public key and removing outdated keys, you can control access efficiently while protecting your sensitive data and ensuring you have administrative access in case of emergency. Remember to implement best practices such as regular key rotation and access monitoring to safeguard your instances.
