Scenario / Questions

Is it possible to create more than one private key to SSH into an EC2 instance? What’s the general best practice for this? We have multiple users who need to SSH into the servers and distributing one key just does not work well. This does not allow us to remove users from being able to SSH into the server unless we change the key and redistribute.

Find below all possible solutions or suggestions for the above questions.

Suggestion: 1

Absolutely; you just place all the relevant public keys into the image and you should be right to go. I prefer to use a configuration management system to manage SSH keys; that way it’s fairly trivial to revoke a user’s access even on running systems. There are also far more… let’s say “imaginative”… ways of handling this, such as storing all your SSH keys in LDAP, that centralise SSH keys like any other credential.

Suggestion: 2

You could also use standard ssh mechanisms. The best approach would be if each user ran ssh-keygen on their own machine to generate their key pair. Then they send you ~/.ssh/id_rsa.pub (or id_dsa.pub, depending on the chosen algorithm) and you add its content to .ssh/authorized_keys on the destination host, in the home directory of the user account they should be able to access. There can be more than one key in the file, one per line. And that is all! The same public key (id_rsa.pub) can be used on any number of hosts – it will always identify the user.

You can also do it the other way round – you run ssh-keygen and post ~/.ssh/id_rsa (or id_dsa) to the user, and the user saves the file to ~/.ssh/id_rsa. You just need to remember to change the permissions of that file to 600 (-rw-------), otherwise ssh won't accept it. This is obviously less secure, since the private key is probably being distributed over email.

It can also be done in PuTTY with PuTTYgen.

Suggestion: 3

A simpler way is as shown below.

For Linux / Mac users:

  1. To create Public and Private keys use the following command:
    $ ssh-keygen -t rsa -b 4096

  2. Upload the public key to a folder in your S3 bucket. For example: S3 > MyBucket > Keypair

  3. Save and secure your private key.

For Windows users:

  1. Use PuTTYgen to generate the keys.
  2. Follow DigitalOcean to create SSH keys.
  3. Upload the public key to S3 > MyBucket > Keypair
  4. Save and secure your private key.

The following steps are important during the launch of any Linux AMI.

  1. Ensure an IAM role is created with the AmazonS3FullAccess policy. This allows the instance to assume the role to access the S3 buckets, which is needed to read the public keys from S3 and copy them to the user profile.

  2. Add the following code under the user-data section in Configure Instance Details > Advanced Details (as text):

    #!/bin/bash
    # User-data runs as root under cloud-init, so no sudo is needed in this script.
    useradd user1
    usermod -aG wheel user1
    mkdir -p /home/user1/.ssh/
    aws s3 cp s3://MyBucket/Keypair/user1-pub.pub /home/user1/.ssh/authorized_keys
    # sshd (StrictModes) expects the key file and directory to be owned by the user
    # and not group/world writable.
    chown -R user1:user1 /home/user1/.ssh
    chmod 700 /home/user1/.ssh
    chmod 600 /home/user1/.ssh/authorized_keys

    useradd user2
    usermod -aG wheel user2
    mkdir -p /home/user2/.ssh/
    aws s3 cp s3://MyBucket/Keypair/user2-pub.pub /home/user2/.ssh/authorized_keys
    chown -R user2:user2 /home/user2/.ssh
    chmod 700 /home/user2/.ssh
    chmod 600 /home/user2/.ssh/authorized_keys

    # Passwordless sudo for both users (see the note on security implications below).
    echo "user1 ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
    echo "user2 ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers

    yum update -y


This setup creates user1 and user2 and adds them to the sudo users. The aws s3 cp command copies the users' public keys from the S3 folder to their .ssh/authorized_keys paths. The last section lets them run commands as admin without needing passwords.

There are lots of security improvements that can be recommended here. While not explicitly used in this example, limiting S3 bucket access to a specific bucket and knowing the security implications of disabling password usage in sudo are a few things that can be highlighted. Use them wisely based on your particular needs.
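The revocation problem in the original question is what suggestions 2 and 3 address: one authorized_keys line per person, so one person's key can be removed without touching anyone else's. The following Python example is added here and is not code from any of the answers above; it validates key lines the way sshd does (type field must match the type embedded in the base64 blob), adds a key tagged with the user's name, and revokes by that tag. It assumes lines without an options prefix, and the sample keys it builds are constructed, not real keys.

```python
import base64
import struct


def parse_pubkey(line):
    """Validate one authorized_keys line '<type> <base64> [comment]'.
    Returns (key_type, base64_blob, comment); rejects bad base64 and a type
    field that disagrees with the type embedded in the blob, as sshd does.
    Assumption: no options prefix (restrict,command=...) on the line."""
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error subclasses ValueError
        raise ValueError("key data is not valid base64") from exc
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode():
        raise ValueError("type field does not match the encoded blob")
    return key_type, b64, comment


def add_key(existing, pubkey_line, user):
    """Append a user's key, replacing its comment with the user name so the
    key can later be revoked by name. Re-adding the same blob is a no-op."""
    key_type, b64, _ = parse_pubkey(pubkey_line)
    lines = [ln for ln in existing.splitlines() if ln.strip()]
    if any(parse_pubkey(ln)[1] == b64 for ln in lines if not ln.startswith("#")):
        return "\n".join(lines) + "\n"
    lines.append(f"{key_type} {b64} {user}")
    return "\n".join(lines) + "\n"


def revoke_user(existing, user):
    """Drop every key tagged with this user name; all other keys are kept."""
    keep = [ln for ln in existing.splitlines()
            if ln.strip() and (ln.startswith("#") or parse_pubkey(ln)[2] != user)]
    return "\n".join(keep) + "\n" if keep else ""


def make_sample_key(comment, seed):
    """Constructed ssh-ed25519 line with a fixed 32-byte body: correct in
    shape only, not a usable key (demo input, not a real key)."""
    key_type = b"ssh-ed25519"
    blob = (struct.pack(">I", len(key_type)) + key_type
            + struct.pack(">I", 32) + bytes([seed]) * 32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"
```

Write the result to ~/.ssh/authorized_keys with mode 600 in a directory with mode 700, as suggestion 2 notes, or sshd will ignore it under StrictModes.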