LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 07-26-2013, 08:04 AM   #1
unclesamcrazy
Member
 
Registered: May 2013
Posts: 200

Rep: Reputation: 1
Amazon Linux AMI(Amazon Machine Image) - ec2 server - query about pem file


Recently, Linux server's log in details are given to me. The server was Amazon Linux AMI(Amazon Machine Image) - ec2 - AWS (Amazon Web Services). They did not provide me password. They provided me a username and a pem file. I had to log into server using these details. The log in was successful. I used following command.
Code:
ssh -i /path/of/pem-file.pem ec2-user@ec2-207-81-13-106.compute-1.amazonaws.com
I didn't need to put my public file in the server's ssh directory(ssh-copy-id) as well as I didn't need to know the password of the server. Just one pem file like a key and I was inside the server.

Can I make this pem file for my local CentOS server so I do not need to give password to each user. I will give the pem file and user will be inside centOS in their account.

Please comment.
 
Old 07-26-2013, 09:01 AM   #2
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Quote:
Originally Posted by unclesamcrazy View Post
Can I make this pem file for my local CentOS server so I do not need to give password to each user. I will give the pem file and user will be inside centOS in their account.

Please comment.
Under NO conditions would I do this. You compromise your entire server by exposing your AWS .pem file to each user.
What I do is create a new ssh key for each user and stick the contents of each user's key.pub into each users home/.ssh directory in .ssh/authorized_keys
You may have to make this directory and file.

NEVER give out that .pem file. EVER.
NEVER give out your aws_access_key OR aws_secret_key contents to anyone you don't trust either.

You can generate keys for each "user" on any machine using
Code:
ssh-keygen -f /path/to/safe/directory/user1-id_rsa -t rsa -N '' -q
where user1-id_rsa can be Bob, Carol, Ted, or Alice usernames on the Amazon instance.

then copy the [Bob,Carol,Ted.Alice].pub contents of each user's key to each user's home/$user/.ssh/authorized_keys file
Make sure that authorized_keys is owned by each user and is chmod'd 600
You can even do this for root. I would, just to keep the .pem file safe.

Give [Bob,Carol,Ted.Alice] key (not the .pub extension) to Bob,Carol,Ted and Alice and they stick the key in their local machine's .ssh directory and use it in a similar manner as the pem you shown here...
Code:
ssh -qi /path/to/key user@ip_of_instance
IF you have an EIP associated with the instance and you'll need one for public assess.
or
Code:
ssh -i /path/to/key user@ec2-xx-xxx-xxx-xx.compute-1.amazonaws.com
It's good practice and you'll need the experience if you're going to have "users".
You'll need to understand SecurityGroups also.

If you get stuck, you should read and bookmark http://docs.aws.amazon.com/gettingst...tro/intro.html
You can also send me an email to

lq at cirrhus9 dot com
that is el que, NOT eye queue

or I am subscribed with interest...

Last edited by Habitual; 07-26-2013 at 09:08 AM.
 
Old 07-26-2013, 03:44 PM   #3
unclesamcrazy
Member
 
Registered: May 2013
Posts: 200

Original Poster
Rep: Reputation: 1
Thanks for this prompt reply.
Actually right now we use this authorized_keys method using ssh-copy-id and store user's pub files on the server as authorized_keys.

But the server is home network local server. So there is no security threat because there is no static ip as well as port 22 is not opened for outsiders.I want to see that how user can get access into server just using pem file and withou saving any of it's details on the server.

I am not getting how you gave hint to make pem files. I am not able to make it. I have client system's pub and private key file as well as server's pub and private key file now how can i make pem file so client system can log into server.

Please explain in easy words. Thanks.
 
Old 07-26-2013, 04:13 PM   #4
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
I will NOT quote myself.
I will NOT quote myself.
I will NOT quote myself.

Process is identical for any host you are wishing to provide access to.

You can generate keys for each "user" on any machine using

Code:
ssh-keygen -f /path/to/safe/directory/user1-id_rsa -t rsa -N '' -q
where user1-id_rsa can be Bob, Carol, Ted, or Alice usernames on the CentOS instance.

then copy the [Bob,Carol,Ted.Alice].pub contents of each user's key to each user's /home/$user/.ssh/authorized_keys file
Make sure that authorized_keys is owned by each user and is chmod'd 600
and give the key (not the key.pub) to the user needing access.

Real-life example:
Code:
ssh-keygen -f unclesamcrazy -t rsa -N '' -q
creates
unclesamcrazy
unclesamcrazy.pub

cat unclesamcrazy.pub > /home/unclesamcrazy/.ssh/authorized_keys
chmod 600 /home/unclesamcrazy/.ssh/authorized_keys

Now give unclesamcrazy file to the user that uses it.
Code:
ssh -i /path/to/unclesamcrazy unclesamcrazy@centos_ip
I don't use ssh-copy-id, sorry.

Sorry, If I was unclear earlier.
 
1 members found this post helpful.
Old 11-26-2014, 08:52 AM   #5
unclesamcrazy
Member
 
Registered: May 2013
Posts: 200

Original Poster
Rep: Reputation: 1
Log into local CentOS server using pem file

The question is still same.
This is the exact same problem of mine but solution is not working for me.
http://serverfault.com/questions/546...for-my-servers
The final pem file is asking passphrase for me too.

Please help me to generate a pem file for server login.

Last edited by unclesamcrazy; 11-27-2014 at 01:29 AM.
 
Old 11-26-2014, 09:15 AM   #6
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Quote:
Originally Posted by unclesamcrazy View Post
Can I make this pem file for my local CentOS server so I do not need to give password to each user. I will give the pem file and user will be inside centOS in their account.
Never give the .pem file for the EC2 host to any "user" of the EC2 host.
Instead make them their own ssh-key to connect to the EC2 host using the technique described here.
If you have further questions on the steps outlined there, post them here.
 
Old 11-26-2014, 09:33 AM   #7
unclesamcrazy
Member
 
Registered: May 2013
Posts: 200

Original Poster
Rep: Reputation: 1
Log into local CentOS server using pem file

Yes, but I am learning Linux on my Home system. I want to know the method to generate valid pem file.
I have found hundreds of method to generate pem files, yes it is generated too but I can not log in to the server using it. either it asks pass phrase or password. There is no passphrase. I haven't set any. not even for my dsa/rsa key pair.

I want to log into the server like amazon ec2. I do not want to use authorized_keys method or ssh-copy-id.

I am not going to give AWS pem file to any other user. I am trying to generate pem file for my HOME system so I can log in to another system from one system in my home. I have two in my home network.

Please help.

Last edited by unclesamcrazy; 11-27-2014 at 01:29 AM.
 
Old 11-26-2014, 12:55 PM   #8
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Remove a passphrase from a private key

Code:
openssl rsa -in privateKey.pem -out PrivateKey_nopass.pem
http://centos.tips/ssh_nopw

Last edited by Habitual; 11-26-2014 at 12:58 PM.
 
Old 11-27-2014, 08:45 AM   #9
unclesamcrazy
Member
 
Registered: May 2013
Posts: 200

Original Poster
Rep: Reputation: 1
Now it does not ask for passphrase but it asks for password.

I have tried using rsa and dsa both keys but not able to login without using password.
 
Old 11-27-2014, 09:45 AM   #10
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,290

Rep: Reputation: 378Reputation: 378Reputation: 378Reputation: 378
Try running ssh in verbose mode. Make sure the public key is in the user's ~/.ssh/authorized_keys files and that permissions on the ~/.ssh are set to 0700. If permissions are too loose, sshd will refuse to recognize the key based login.
 
Old 11-27-2014, 10:34 AM   #11
unclesamcrazy
Member
 
Registered: May 2013
Posts: 200

Original Poster
Rep: Reputation: 1
I do not want to use authorized_keys method.
I want to login directly through private key or pem file.
 
Old 11-27-2014, 05:31 PM   #12
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Quote:
Originally Posted by unclesamcrazy View Post
I do not want to use authorized_keys method.
I want to login directly through private key or pem file.
The keys that Amazon EC2 uses are 1024-bit SSH-2 RSA keys.
Without uploading their public counterparts to the server, this cannot be done. Sorry.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Is it possible to create Slackware AMI image for amazon AWS? kite Slackware 4 02-19-2013 03:19 PM
LXer: Ubuntu 12.04 ARM Server AMI for Amazon EC2 LXer Syndicated Linux News 0 05-28-2012 06:51 PM
How to built an amazon ec2 slackware AMI from scratch fietske Slackware 0 01-18-2010 05:55 PM
LXer: Amazon EC2 Image Released for opentaps Open Source ERP + CRM LXer Syndicated Linux News 0 11-14-2009 04:00 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 01:01 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration