Question

I have an AMI which needs a username/password for login via SSH. I want to create new AMIs from this, in which I can log in with any newly created key pair.

Any suggestions?


Solution 3

The simplest way to do this is by adding the following snippet to /etc/rc.local or its equivalent.

#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local
if [ ! -d /root/.ssh ] ; then
    mkdir -p /root/.ssh
    chmod 0700 /root/.ssh
fi

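# Fetch public key using HTTP.
# mktemp avoids a predictable file name in /tmp; the grep check keeps the
# key from being appended again on every boot.
KEYFILE=$(mktemp /tmp/aws-key.XXXXXX)
if [ -n "$KEYFILE" ] && curl -f http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key > "$KEYFILE" 2>/dev/null ; then
    touch /root/.ssh/authorized_keys
    grep -qxF -f "$KEYFILE" /root/.ssh/authorized_keys || cat "$KEYFILE" >> /root/.ssh/authorized_keys
    chmod 0600 /root/.ssh/authorized_keys
fi
rm -f "$KEYFILE"

# or fetch public key using the file in the ephemeral store:
if [ -e /mnt/openssh_id.pub ] ; then
    touch /root/.ssh/authorized_keys
    grep -qxF -f /mnt/openssh_id.pub /root/.ssh/authorized_keys || cat /mnt/openssh_id.pub >> /root/.ssh/authorized_keys
    chmod 0600 /root/.ssh/authorized_keys
fi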
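
An added example, not part of the answer above: the same boot-time key install written so that it works when the instance requires IMDSv2 session tokens, accepts only a single plain public-key line, and does not append duplicates. The function names fetch_launch_key and install_key are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original answer); function names are hypothetical.
IMDS=http://169.254.169.254/latest

# Print the launch key pair's public key. IMDSv2 requires a session token
# obtained with a PUT request before any metadata GET is answered.
fetch_launch_key() {
    token=$(curl -sf -m 2 -X PUT "$IMDS/api/token" \
        -H "X-aws-ec2-metadata-token-ttl-seconds: 60") || return 1
    curl -sf -m 2 -H "X-aws-ec2-metadata-token: $token" \
        "$IMDS/meta-data/public-keys/0/openssh-key"
}

# install_key KEY AUTH_FILE
# Appends KEY to AUTH_FILE only if it is one well-formed public-key line
# (no leading options such as command=...) and is not already present.
# Returns 0 on success, 2 if KEY is rejected, 1 on filesystem errors.
install_key() {
    key=$1
    auth=$2
    [ "$(printf '%s\n' "$key" | grep -c '')" = 1 ] || return 2
    printf '%s\n' "$key" | grep -Eq \
        '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/=]+( .*)?$' \
        || return 2
    dir=$(dirname "$auth")
    mkdir -p "$dir" && chmod 0700 "$dir" || return 1
    ( umask 077; touch "$auth" ) || return 1
    grep -qxF -- "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
    chmod 0600 "$auth"
}

# In rc.local (left commented so sourcing this file has no side effects):
# key=$(fetch_launch_key) && install_key "$key" /root/.ssh/authorized_keys
```

Before creating the AMI, remove any keys already in /root/.ssh/authorized_keys so that only the key pair chosen at launch grants access.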

OTHER TIPS

I'm not sure what AMI allows username/password login, but when you create an instance from an AMI, you need to specify a key pair.

That key will be ADDED to the authorized_keys for the default user (ec2-user for Amazon Linux, ubuntu for the Ubuntu AMI, etc).

Why don't you just add the users/password to the instance and then build your AMI from there? Then you can change your /etc/ssh/sshd_config and permit username/password logins with this: PasswordAuthentication yes. By the way, username/password authentication is not recommended for servers in the cloud because of man-in-the-middle attacks (use it at your own risk).

Not sure if I understand the question fully, but if you want to change the behavior of the instance when it boots up I suggest you look at fuzzing with cloud-init. The configuration in the instance is under /etc/cloud/cloud.cfg. For example, on Ubuntu the default says something like this:

user: ubuntu
disable_root: 1
preserve_hostname: False
...

If you want to change the default user, you can change it there:

user: <myuser>
disable_root: 1
preserve_hostname: False
...
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow