Ssh – how to change password of AWS EC2 instance

amazon ec2amazon-web-servicespublic-keyssh

I am logging in my AWS EC2 instance using winscp/putty as root using a .ppk file which has imported-openssh-key.

Earlier it was shared with many ppl, who are all gone, so now I have to change it in such a way that no one else can access it.

I tried to search about it on internet but couldn't find any. Thanks in advance 🙂

Best Answer

You need to change the keys. On your instance use ssh-keygen to do this e.g.

ssh-keyget -t rsa -b 2048
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.

The key fingerprint is:
35:dc:34:c2:98:89:8b:4a:e2:f7:71:ad:09:02:83:57 root@somehost.tld

Now you have a public key (/root/.ssh/id_rsa.pub) that needs to be added to the /root/.ssh/authorized_keys file

cd $HOME/.ssh
cp authorized_keys authorized_keys.safe
cat id_rsa.pub >> authorized_keys

You'll have to remove the old key from the authorized_keys file later.

Don't log out.

Copy the new private key (/root/.ssh/id_rsa) to your windows machine and use puttygen to import and save it like you did previously.

Check that you can log in using your new keys. If you can then remove the old key from your instance.

cat id_rsa.pub > authorized_keys

Don't log out.

Now check again that you can log in using your new keys

You really shouldn't use the root account in this manner. You should create separate user accounts for everyone that needs access to your system. You should then use sudo to grant them access to the commands they need to do the job. Sudo is part of the base install for most (all ?) Linux distros.

Related Solutions

Python CGI on Amazon AWS EC2 micro-instance — a how-to!

(Strange post, so hopefully this won't be as strange a reply).

On the subject of security flaws: it is considered general bad practice to store cgi-bin scripts within the document root of the web server. Even the W3C eludes to it under "Are compiled languages such as C safer ..." in their World Wide Web Security FAQ:

Consider the following scenario. For convenience's sake, you've decided to identify CGI scripts to the server using the .cgi extension. Later on, you need to make a small change to an interpreted CGI script. You open it up with the Emacs text editor and modify the script. Unfortunately the edit leaves a backup copy of the script source code lying around in the document tree. Although the remote user can't obtain the source code by fetching the script itself, he can now obtain the backup copy by blindly requesting the URL:
    http://your-site/a/path/your_script.cgi~
(This is another good reason to limit CGI scripts to cgi-bin and to make sure that cgi-bin is separate from the document root.)

This is not as significant a threat as the ability to write a file within the document root. However, an attacker could obtain the source code of the cgi, devise a directed attack against it, and use it as a stepping stone into the server.

To mitigate this, you can add the following lines to the lighttpd.conf (or some variation therein) to direct cgi-bin to a directory separate from the /var/www/lighttpd document root.

$HTTP["url"] =~ "/cgi-bin/" { cgi.assign = ( "" => "" ) }
alias.url = ( "/cgi-bin/" => "/usr/lib/cgi-bin/" )

This requires both the cgi and alias modules for lighttpd.

Ssh – How to automate SSH login with password

Don't use a password. Generate a passphrase-less SSH key and push it to your VM.

If you already have an SSH key, you can skip this step… Just hit Enter for the key and both passphrases:

$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/username/.ssh/id_rsa.
Your public key has been saved in /home/username/.ssh/id_rsa.pub.

Copy your keys to the target server:

$ ssh-copy-id id@server
id@server's password:

Now try logging into the machine, with ssh 'id@server', and check-in:

.ssh/authorized_keys

Note: If you don't have .ssh dir and authorized_keys file, you need to create it first

to make sure we haven’t added extra keys that you weren’t expecting.

Finally, check to log in…

$ ssh id@server

id@server:~$

You may also want to look into using ssh-agent if you want to try keeping your keys protected with a passphrase.

Best Answer

Related Solutions

Python CGI on Amazon AWS EC2 micro-instance — a how-to!

Ssh – How to automate SSH login with password

Related Topic