By default, AWS lets you SSH into an EC2 instance as “ec2-user” using the RSA private key you downloaded when the instance was created.
But you cannot SSH into the instance as the “root” user. Have you ever wondered why?
When you try to log in as root, you get the error message:
“Authenticating with public key “imported-openssh-key”
Please login as the user “ec2-user” rather than the user “root”.”
Generate RSA Key Pair
A key pair consists of a public key and a private key. AWS stores the public key on the instance, in the user’s home directory (ec2-user) in the file .ssh/authorized_keys; the private key is the file you keep.
Together, that public key and private key let you connect to your instance securely.
Download key pair for the EC2 instance (screenshot)
Compare the default authorized_keys entries of ec2-user (/home/ec2-user/.ssh/authorized_keys) and root (/root/.ssh/authorized_keys): root’s entry carries a forced command that only prints the message above and then closes the session.
How to ssh the Instance With Root User
If you want to SSH into the instance as root, log in as ec2-user, open the /root/.ssh/authorized_keys file with sudo (in an editor or through an SFTP client with the needed privileges), remove the text “no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user \"ec2-user\" rather than the user \"root\".';echo;sleep 10"” from the start of the key line, and save the file.
You will now be able to SSH into the instance as root.
How To Create And Login With New User In EC2 Instance
Create the new user with the “useradd” command, create a “.ssh” directory in the user’s home directory, and copy the “authorized_keys” file into it. Then change the ownership of the file to the new user with the command “#chown newuser:newuser authorized_keys”.
How to add key pair to ec2 instance
#useradd newuser
#passwd newuser
give the password of newuser
#mkdir /home/newuser/.ssh
#chmod 700 /home/newuser/.ssh
#cp /root/.ssh/authorized_keys /home/newuser/.ssh/
#chown -R newuser:newuser /home/newuser/.ssh
#chmod 600 /home/newuser/.ssh/authorized_keys
#su newuser
$vim /home/newuser/.ssh/authorized_keys
and remove the text “no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user \"ec2-user\" rather than the user \"root\".';echo;sleep 10"” from the start of the key line (keep the ssh-rsa ... part)
:wq
You will now be able to SSH in as newuser.
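The same procedure as a script, added here as an example (it is not code from the original post): it creates the user, sets the directory and file modes sshd requires, and strips the forced-command options from the copied authorized_keys entry instead of editing it by hand. It assumes it runs as root on the instance, that “newuser” is only an example name, and that no password is set (login is by key only); the key material in the sample entry is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): create a new login user on an
# EC2 instance and give it the same public key as ec2-user, with the forced
# command that AWS puts on root's authorized_keys entry stripped off.
# Assumptions: run as root on the instance; "newuser" is only an example
# name; the key type is one of the standard OpenSSH types matched below.
set -eu

# Print authorized_keys lines from stdin with any leading option list
# (no-port-forwarding,...,command="...") removed. Lines without options pass
# through unchanged, and the trailing key comment is kept.
strip_ssh_options() {
    sed -E 's#^.*[[:space:]]((ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp[0-9]+)[[:space:]]+[A-Za-z0-9+/=]+)#\1#'
}

# Create the user, its .ssh directory and authorized_keys with the
# ownership and modes sshd insists on (700 for .ssh, 600 for the file).
# Usage: add_key_user NAME SOURCE_AUTHORIZED_KEYS
add_key_user() {
    name=$1; src=$2
    useradd -m "$name"
    install -d -m 700 -o "$name" -g "$name" "/home/$name/.ssh"
    strip_ssh_options < "$src" > "/home/$name/.ssh/authorized_keys"
    chown "$name:$name" "/home/$name/.ssh/authorized_keys"
    chmod 600 "/home/$name/.ssh/authorized_keys"
}

# Constructed copy of the entry AWS installs for root (the key material is
# a placeholder, not a real key), used to show what strip_ssh_options does.
sample_root_entry() {
    cat <<'EOF'
no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user \"ec2-user\" rather than the user \"root\".';echo;sleep 10" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructed imported-openssh-key
EOF
}

# Example run (as root):
#   add_key_user newuser /root/.ssh/authorized_keys
# Preview of the cleaned entry:
sample_root_entry | strip_ssh_options
```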
How To Recover The Key Pair of EC2 Instance
There are two scenarios in which you need to recover the “key pair”:
1. The key was deleted from the local system.
2. The key was deleted from the machine on the AWS side.
Recover RSA Key Pair
There are two methods:
1. By creating an AMI (Amazon Machine Image) of the running server
2. By volume
How To Create AMI Of Server And Recover The Key Pair
With this method you have to replace the server itself.
Select the server, go to the “Action” menu, then “Image” and “Create Image”.
Step 1: Launch a new instance, selecting this AMI
Step 2: Choose Instance type
Step 3: Configure Instance Details
Step 4: Add Storage
Step 5: Add Tags
Step 6: Configure Security Group
Step 7: Review Instance Launch
Click on Launch
Select an existing key pair if you still have its private key,
or create a new key pair if you do not have the private key.
Launch the instance.
AWS stores the public key on the new instance, and in both cases you hold the matching private key to log in.
You can now log in to the new server with all of its configuration intact.
Shut down the old server. If any IP-specific application was running, the IP that was associated with the old server can be taken over.
Associate that IP with the new server and get the application running.
Before creating the AMI, detach all secondary volumes.
How to Recover The Key Pair By Instance Volume
With this method you do not have to replace the server.
First identify the AZ (Availability Zone) of your server and create a new recovery server in the same AZ.
Shut down the server whose key has been lost.
Find the primary volume of this server and detach it.
Attach that volume to the recovery server.
Log in to the recovery server and mount the volume as a secondary volume, but do not format it.
Note: if you check with the command #blkid,
it shows the same UUID for both volumes,
so mount with the nouuid option: #mount -o nouuid /filesystem /mountpoint
Change into the mounted directory; there you can see the file system of the server whose key was lost.
How to change key pair of ec2 instance
Copy the authorized_keys file, preserving its permissions, from the recovery server to the user’s home directory on the key-lost server’s volume.
[root@RrecoveryServer .ssh]# pwd
/root/.ssh
[root@RrecoveryServer .ssh]# cp -p authorized_keys mountedDir/home/ec2-user/.ssh/
The public key has now been copied into place, and you already hold the recovery server’s .pem private key.
Unmount the file system.
Detach the volume from the recovery server and attach it to the old server.
Make sure you give the right device name, as this was the primary volume (/dev/xvda) of that server.
Now power on the server;
you will be able to SSH into it with the new key pair you got with the recovery server.
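The volume-based recovery as a script to run on the recovery server, added here as an example (not code from the original post). It differs from the session above in one respect: it installs the recovery server’s ec2-user entry rather than root’s, because root’s entry carries the forced command that refuses logins. It assumes placeholder names (the lost-key volume attached as /dev/xvdf1, mounted under /mnt/lost), an XFS root file system (where nouuid is a valid mount option), and constructed blkid output for the duplicate-UUID check.

```shell
#!/bin/sh
# Added example (not from the original post): volume-based key recovery,
# with a check for the duplicate-UUID case the post describes.
# Assumptions (placeholders): lost-key volume is /dev/xvdf1, mounted at
# /mnt/lost; file system is XFS; the key to install is the recovery
# server's own ec2-user entry (root's entry carries the forced command).
set -eu

# Read `blkid` output from stdin and print every file-system UUID that
# occurs more than once (PARTUUID values are ignored).
duplicate_uuids() {
    sed -n 's/.*[[:space:]]UUID="\([^"]*\)".*/\1/p' | sort | uniq -d
}

# Mount the lost-key volume, install the recovery server's public key into
# ec2-user's authorized_keys on it with correct ownership and modes, then
# unmount so the volume can be moved back to the original server.
recover_key() {
    dev=$1; mnt=$2; src=/home/ec2-user/.ssh/authorized_keys
    mkdir -p "$mnt"
    # Two root volumes built from the same image share a UUID and a plain
    # mount is refused; nouuid lets XFS mount the clone anyway.
    if blkid | duplicate_uuids | grep -q .; then
        mount -o nouuid "$dev" "$mnt"
    else
        mount "$dev" "$mnt"
    fi
    install -d -m 700 "$mnt/home/ec2-user/.ssh"
    cp -p "$src" "$mnt/home/ec2-user/.ssh/authorized_keys"
    # Take ec2-user's uid/gid from the target volume's own passwd file so
    # ownership is right when the original server boots from it.
    uid=$(awk -F: '$1=="ec2-user"{print $3}' "$mnt/etc/passwd")
    gid=$(awk -F: '$1=="ec2-user"{print $4}' "$mnt/etc/passwd")
    chown -R "$uid:$gid" "$mnt/home/ec2-user/.ssh"
    chmod 600 "$mnt/home/ec2-user/.ssh/authorized_keys"
    umount "$mnt"
}

# Constructed blkid output (not real devices): two root volumes from the
# same image share a UUID, a third volume does not.
sample_blkid() {
    cat <<'EOF'
/dev/xvda1: LABEL="/" UUID="4d3b5f2a-constructed" TYPE="xfs" PARTUUID="part-a-constructed"
/dev/xvdf1: LABEL="/" UUID="4d3b5f2a-constructed" TYPE="xfs" PARTUUID="part-f-constructed"
/dev/xvdg: UUID="9e1c-other-constructed" TYPE="ext4"
EOF
}

# Usage on the recovery server, as root:  recover_key /dev/xvdf1 /mnt/lost
sample_blkid | duplicate_uuids
```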
Public Key and Private Key
When you download the key pair it is a .pem file, and for PuTTY it must be converted to a .ppk file. A key pair is the combination of a “Public Key” and a “Private Key”.
You can generate both the public key and the private key with the “PuTTYgen” software.
Open “PuTTYgen”, click “Load”, browse to the .pem key file, and save the private or public key you need.
Note: you can generate the “Public Key” from the “Private Key”, but generating the “Private Key” from the “Public Key” will not work.
If you use “PuTTY” for SSH, give it the path of the “Private Key” generated by PuTTYgen, and you will be able to open a remote session to the server.
Both recovery methods need downtime of the server, but the second method is the more popular one because you do not have to replace the server.