Based on an article from: http://blog.taggesell.de/index.php?/archives/73-Managing-Amazon-EC2-SSH-login-and-protecting-your-instances.html
After you have created your instance:
Save the Public DNS; it looks something like ec2-########-compute.amazonaws.com
After you have your keypair, run this command:
$ ssh -i mykeypair.pem ubuntu@ec2-##########.compute-1.amazonaws.com
You should be in now. Cool.
Now set up your own user account.
adduser is the command you want; it sets the account up with the proper options. The first time I wrote this I used useradd:
$ sudo useradd -m jkeesh
-m creates a home directory for the user
$ sudo passwd jkeesh
(end old version)
But you're cool. You can be root too.
$ sudo visudo
Under the line
root ALL=(ALL) ALL
add
jkeesh ALL=(ALL) ALL
Just to show you that you can, enable password authentication
$ sudo vim /etc/ssh/sshd_config
and write (or uncomment)
PasswordAuthentication yes
Now reload that ssh configuration
$ sudo /etc/init.d/ssh reload
Now try logging out and logging back in with your new username, just to see that it worked.
$ ssh jkeesh@ec2-#######-compute.amazonaws.com
And run some sudo command to see that it worked too.
$ sudo your-favorite-command-that-you-can-only-do-with-special-privileges
Now let's set up the public/private key pair so you can get rid of this password authentication nonsense.
If you have a public key called id_rsa.pub use scp to get it onto the server:
local$ scp ~/.ssh/id_rsa.pub jkeesh@ec2-#####.compute-1.amazonaws.com:/home/jkeesh
Now we will put it in the right place. You should be adding this key to the user’s authorized_keys file, but we don’t have that file yet, so we’ll just move it and set permissions.
$ mkdir .ssh
$ mv id_rsa.pub .ssh/authorized_keys
$ chmod 700 .ssh
$ chmod 600 .ssh/authorized_keys
Now you should be able to log in to your server without a password. Try it:
$ ssh jkeesh@ec2-#######.compute-1.amazonaws.com
At this point, if you are in, we can disable password authentication. We will also disable root login, for security.
$ sudo vim /etc/ssh/sshd_config
Find the lines for PasswordAuthentication and PermitRootLogin and change them to no:
PasswordAuthentication no
PermitRootLogin no
Then reload sshd again:
$ sudo /etc/init.d/ssh reload
That's a little bit for now on creating user accounts, changing ssh settings, and setting up public keys.
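The key-installation and sshd_config steps above, collected into reusable shell functions, as an added example that is not part of the original post. The helper names are my own, every path is a parameter so the functions can be rehearsed on a scratch copy, and the sshd step is meant to be run as root followed by "sshd -t" and a reload.

```shell
#!/bin/sh
# Added example, not from the original post. Helper names are assumptions.
# Paths are parameters so you can rehearse on copies before touching
# /etc/ssh/sshd_config as root; run "sshd -t" and reload afterwards.

# Append one OpenSSH public key to $home/.ssh/authorized_keys with the
# permissions the post insists on (.ssh = 700, authorized_keys = 600).
install_authorized_key() {
    home="$1"; pubkey="$2"
    key=$(head -n 1 "$pubkey")
    # Accept only something shaped like a public-key line, never a private key.
    printf '%s\n' "$key" | grep -Eq '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/=]+' || return 1
    mkdir -p "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    # Append instead of mv so keys from several machines coexist; skip duplicates.
    grep -qxF "$key" "$home/.ssh/authorized_keys" \
        || printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
    chmod 700 "$home/.ssh"
    chmod 600 "$home/.ssh/authorized_keys"
}

# Set one sshd_config keyword, replacing every existing directive for it,
# commented out or not, so exactly one effective line remains.
set_sshd_option() {
    cfg="$1"; key="$2"; val="$3"
    awk -v k="$key" -v v="$val" '
        $0 ~ ("^[# \t]*" k "[ \t]") { if (!done) { print k, v; done = 1 }; next }
        { print }
        END { if (!done) print k, v }   # keyword absent: append it
    ' "$cfg" > "$cfg.tmp"
    # Write back through the original inode so its owner and mode survive.
    cat "$cfg.tmp" > "$cfg" && rm -f "$cfg.tmp"
}

# The two changes the post makes once key login is confirmed to work.
harden_sshd_config() {
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" PermitRootLogin no
}

# Effective value of a keyword: sshd honours the first uncommented match.
sshd_effective() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}
```

Keep a second session open while hardening so a typo in sshd_config cannot lock you out, and confirm sshd_effective reports "no" for both keywords before closing it.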
18 thoughts on “Setting up User Accounts, Password Authentication, and SSH Keys on a New EC2 Instance”
Great instructions, very clear and concise.
One point: at the line “Just to show you that you can, enable password authentication”. I skipped this as it seemed it wasn’t essential, but of course it is essential because you need temporary password auth so you can get the public key onto the server. Very useful instructions though – thanks!
Thanks Luc! You actually don't need a temporary password because you can continue to ssh in using your keyfile. Also, as a side note, enabling password authentication makes your server less secure. You can copy the public key into the new user's .ssh directory even while logged in as the superuser.
The permissions are the important part. .ssh = 700 and the authorized_keys = 600. Things just did not work without these.
I have an instance previously setup, now I want to add a user with limited rights. After I create the user and set the passwords, I try logging in, but keep getting this error:
Permission denied (publickey,gssapi-with-mic).
How should I fix this?
Hi, I am getting the error
Permission denied (publickey,gssapi-with-mic)
Please post a note on how to resolve this issue.
Hi Raju and apprentice–
I think this means that the permissions on your private key are off. Try setting those to 600 using
chmod 600 my_private_key
Mine is at ~/.ssh/id_rsa
Thanks, this is what I was looking for!
To reload the sshd_config, after I changed the password authentication to yes, I had to add a “d” at the end of the script (before the reload).
sudo /etc/init.d/sshd reload
Great job. I just wrote a short post explaining the ssh config file in a bit more detail, so someone might find it useful.
It is really helpful.. Thanks 🙂
Thank you! I was struggling with this all afternoon. None of the directions out there are very straight forward. This was simple and I followed it to a T. Worked perfect.
If you connect from a lot of machines, you’ll want to have all their public keys in your authorized_keys file. So instead of:
mv id_rsa.pub .ssh/authorized_keys
I always append them to the end of the file:
cat id_rsa.pub >> .ssh/authorized_keys
Thanks for the tutorial!
These instructions really helped me…
oops!!! Jeremy (sorry with your spelling)…
If there is no PasswordAuthentication line in the sshd_config file, will the user be able to log in to the LTSP server?