
If you work with the AWS platform, chances are you're going to need to access your various instances using SSH. With a standard server that runs an SSH daemon, you can simply issue the command ssh USER@IP (where USER is a user account on the remote server at IP). That won't do with AWS, at least not "out of the box".

Why?

When you first launch an instance on AWS, you generate a key pair. You only have one opportunity to copy that key pair, so you must be sure to copy and paste it to any machine you’ll use to access that instance via SSH. The file in question will have a .pem extension.

If you’ve saved that .pem file to your desktop, you shouldn’t have any problem using SSH to gain access to your AWS instance.

Let me show you how.

The SSH Command

Remember, you’re not using secure shell in the standard fashion. We have to instruct SSH that we’re using an identity file. Said identity file will be the .pem file you’ve saved from your AWS instance. Let’s call that saved .pem file mykey.pem and save it in ~/.ssh. I’m going to assume you already have your AWS instance up and running and said instance is of the Linux sort. To use that .pem file with SSH, the command would be:

ssh -i ~/.ssh/mykey.pem USER@INSTANCE_ADDRESS

Where USER is your AWS instance username and INSTANCE_ADDRESS is the actual address of your Amazon AWS instance.

Importing your own key pair

Let’s say you want to import your own key pair to an AWS instance. If you already have your SSH .pub key to import, all you have to do is log into your Amazon EC2 console and follow these steps:

  1. Go to NETWORK & SECURITY.
  2. Click Key Pairs.
  3. Click Import Key Pair.
  4. Click Browse.
  5. Navigate to the directory housing your .pub file.
  6. Type a name for the key pair and click Import.

If you have yet to generate a key pair, here’s how (I’ll demonstrate from the Linux command line). Open a terminal window and generate the key with the command:

ssh-keygen -P "" -f ~/.ssh/mykey

The above command will create the following two files:

  • ~/.ssh/mykey
  • ~/.ssh/mykey.pub

Once you have your key pair, you can then import the mykey.pub file as shown above.

What about ssh-copy-id?

With regular Linux servers, you can easily copy your key pair with the ssh-copy-id command. But with an AWS instance, things get a bit tricky. However, there is a way around the complication.

First off, you need to log into your AWS instance and issue the command:

sudo nano /etc/ssh/sshd_config

In that file, change:

PasswordAuthentication no

To

PasswordAuthentication yes

Save and close the file. Restart SSH with the command:

sudo systemctl restart sshd

Before you copy the key pair, you need to make sure you have your original AWS key saved to the local machine and issue the command (assuming you’ve saved your AWS key to ~/.ssh):

ssh-add ~/.ssh/KEY

Where KEY is the name of your AWS key.

Once that command completes, you can now copy those keys with the command:

ssh-copy-id -i ~/.ssh/id_rsa.pub USER@INSTANCE_ADDRESS

Where USER is your AWS instance remote username and INSTANCE_ADDRESS is the public address of your AWS instance.

That should successfully copy your key to the AWS instance. You can then go back into the /etc/ssh/sshd_config file and change PasswordAuthentication from yes to no. Restart the sshd service, and you’re good to go. At this point you should be able to access your AWS instance in the standard SSH fashion (ssh USER@INSTANCE_ADDRESS).
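
A check for that last step, as an added example that is not part of the original article: it reads an sshd_config-style file and reports whether password logins are effectively disabled, using sshd's rule that the first value read for a keyword wins. The function names and the sample file are constructed for illustration; on the instance, point the function at /etc/ssh/sshd_config.

```shell
#!/usr/bin/env bash
# Added example (not from the article): report the effective global
# PasswordAuthentication value in an sshd_config-style file.
# Rules modelled: keyword is case-insensitive, the first value read wins,
# an unset keyword defaults to "yes". Include files and Match blocks are
# not evaluated (assumption: only the global section matters here).

effective_password_auth() {   # $1 = path to config file
    awk '
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        if (line == "" || line ~ /^#/) next          # blank or comment
        split(line, f, /[ \t=]+/)                    # "Key value" or "Key=value"
        kw = tolower(f[1])
        if (kw == "match") exit                      # global section ends here
        if (kw == "passwordauthentication") {
            v = tolower(f[2]); gsub(/"/, "", v)
            print v; found = 1; exit
        }
    }
    END { if (!found) print "yes" }                  # OpenSSH default
    ' "$1"
}

password_auth_disabled() {    # exit status 0 only when effectively "no"
    [ "$(effective_password_auth "$1")" = "no" ]
}

# Constructed sample: a "no" line was appended, but the earlier "yes" remains.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sshd_config fragment
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
EOF

if password_auth_disabled "$sample"; then
    echo "OK: password logins are disabled"
else
    echo "WARNING: PasswordAuthentication is still $(effective_password_auth "$sample")"
fi
rm -f "$sample"
```

Running sudo sshd -T on the instance prints the fully resolved configuration, including any included files, and is the authoritative check.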
