5

I have an AWS EC2 Instance using EBS and I want to stop the use of the current private key, and use a new one. As I understand it, merely deleting the key pair on the AWS Console just deletes the public key and does not prevent access to the instance using the (old) private key via SSH.

I attempted a workaround (detailed here) but I realized this doesn't prevent the use of the old private key.

Is there any way to keep using this instance and prevent the use of the old private key and issue a new one, without having to create a new instance and re-install everything? Can you go into Linux and SSH and manually delete support for specific keys?

I can provide details about the instance configuration as needed.

nhuff717
  • 63
  • 1
  • 4

2 Answers

5

EC2 key pairs, which appear in the AWS console panel, are only used to initialize EC2 instances, granting you initial access to them with the provided key pair. Thus, deleting them in the AWS console panel won't make a difference on existing instances. See AWS Doc.

To prevent the use of the old private key, you need to edit the .ssh/authorized_keys file on your remote EC2 instance, removing the corresponding entry, which is the public key of your EC2 key pair.

Remember to add your new public key to the authorized_keys file, and test it before removing the old one, or you may be locked out of your EC2 instance.

To issue a new key pair, use the ssh-keygen command on your local Linux machine; it's an interactive program when called without arguments.

And use ssh-copy-id to automatically apply your new key to your instance.

pallxk
  • 476
  • 4
  • 5
  • So I'm trying to follow your instructions. On my local machine (Mac OSX 10.9) I used `ssh-keygen` to generate a public (.pub) and private (.pem) key file. Now how do I use `ssh-copy-id` to apply this key to my instance? When I use `ssh-copy-id` on my local machine it says command not found. – nhuff717 Sep 06 '14 at 00:22
  • If you cannot use `ssh-copy-id`, you may also add your public key manually in the `.ssh/authorized_keys` file on your server. Just copy the content of your `.pub` key file into a separate line of that file. – pallxk Sep 06 '14 at 00:29
  • 1
    Great, so just to verify the steps (I am not a sys admin): 1. Generate the new key locally using `ssh-keygen`. 2. Add the contents of the `.pub` file to a new line of the `.ssh/authorized_keys` file on the EC2 Instance. 3. Verify that the newly added key works by using `ssh -i new-key-file.pem user@ip`. Does this sound right? – nhuff717 Sep 06 '14 at 00:34
  • Exactly. And delete your old public key entry, if you do not want it, in `.ssh/authorized_keys` file after all the operations you mentioned succeed. – pallxk Sep 06 '14 at 00:42
  • "As far as I know, EC2 key pairs, which appear on AWS console panel, are only used to initialize EC2 instances, granting you initial access to them with the provided key pair. Thus, deleting them on AWS console panel won't make a difference on existing instances." – This information is not correct, please check the link: https://aws.amazon.com/premiumsupport/knowledge-center/delete-access-key/ – Utsav Gupta Jan 17 '20 at 08:26
  • @UtsavGupta *EC2 key pairs* and *AWS access key* are two different things. One for *EC2* and the other for *AWS Account*. See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html#delete-key-pair – pallxk Jan 17 '20 at 08:33
  • @pallxk thanks for clarifying, I am still confused. What is meant by AWS access keys for the AWS account here? – Utsav Gupta Jan 17 '20 at 08:41
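The add-then-verify-then-remove procedure from the answer and comments above, as an added example that is not part of the original answer. The two key lines are constructed placeholders (not real key material), and the functions match entries on the key type plus base64 blob rather than on the trailing comment, since the comment is free text. It assumes plain `authorized_keys` entries without a leading options field (such as `no-pty`), which would shift the key material to fields 2 and 3. The removal step refuses to delete the last remaining entry so you cannot empty the file by mistake; verifying that the new key actually logs in (`ssh -i new_key user@host`) is still something you do by hand before calling the removal.

```shell
#!/bin/sh
# Added example for rotating an entry in ~/.ssh/authorized_keys on an EC2
# instance. Not from the original answer. Keys below are constructed
# placeholders, not real public keys.
set -eu

OLD_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0ldKeyMaterialPlaceholder old-ec2-keypair'
NEW_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINewKeyMaterialPlaceholder nhuff717@laptop'

# Reduce a public key line to "type blob" so matching ignores the comment.
key_material() {
    printf '%s\n' "$1" | awk '{print $1 " " $2}'
}

# Exit 0 if authorized_keys ($1) already contains the key material of $2.
has_authorized_key() {
    awk -v k="$(key_material "$2")" '($1 " " $2) == k {found=1} END {exit !found}' "$1"
}

# Number of non-comment entries that look like key lines.
count_authorized_keys() {
    awk 'NF >= 2 && $1 !~ /^#/ {n++} END {print n+0}' "$1"
}

# Append the public key line $2 to $1 unless it is already present (idempotent).
add_authorized_key() {
    ak="$1"; pub="$2"
    touch "$ak"
    chmod 600 "$ak"
    if has_authorized_key "$ak" "$pub"; then
        return 0
    fi
    printf '%s\n' "$pub" >> "$ak"
}

# Remove every entry in $1 whose key material matches $2, rewriting the file
# atomically. Refuses if that would leave no usable key behind.
remove_authorized_key() {
    ak="$1"; pub="$2"
    tmp="$ak.tmp.$$"
    awk -v k="$(key_material "$pub")" '($1 " " $2) != k' "$ak" > "$tmp"
    if [ "$(count_authorized_keys "$tmp")" -eq 0 ]; then
        rm -f "$tmp"
        echo "refusing to remove the last authorized key from $ak" >&2
        return 1
    fi
    mv "$tmp" "$ak"
    chmod 600 "$ak"
}

# Full rotation: install the new key, then retire the old one. Test the new
# key with a separate ssh session between these two calls in real use.
rotate_authorized_key() {
    ak="$1"; old="$2"; new="$3"
    add_authorized_key "$ak" "$new"
    remove_authorized_key "$ak" "$old"
}

# Usage on the instance (paths are examples):
#   rotate_authorized_key ~/.ssh/authorized_keys "$(cat old.pub)" "$(cat new.pub)"
```

Generate the new pair locally with `ssh-keygen -t ed25519 -f ~/.ssh/ec2_new` and copy the `.pub` contents into the functions above; `ssh-copy-id` is simply a wrapper that appends the same line over an existing SSH session.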
0

EC2 is just like any other Linux install if you're using Linux, so all you need to do is remove the old key from the authorized_keys file and delete the private key from the .ssh folder and the AWS console to ensure it doesn't come back.

If I remember right, the security keys in the web console generate the first keys that the new instance uses and provide access to the EC2 API (using tools or otherwise), but removing them doesn't remove them from your instances.

Nathan C
  • 15,059
  • 4
  • 43
  • 62
  • I will check in again once I look at that file and folder, but first do I need to do anything in `/etc/ssh` as well? – nhuff717 Sep 03 '14 at 14:27