
TL;DR

Can I tell AWS EC2 to launch an instance from an AMI but keep the host keys -- the ones in /etc/ssh that were saved with the AMI -- instead of generating new keys and overwriting the ones saved with the AMI?

The full question:

On AWS, I'm setting up an EC2 instance to serve as an SFTP host. An automated system (managed by the customer) will deliver files into there on a regular basis. Those systems will authenticate via public keys provided by the customer.

In front of the EC2 instance there will be an elastic IP. This IP needs to remain constant "forever", since the automated system connecting to us relies on that constancy.

Behind the scenes, I would like to retain the ability to swap this EC2 instance with a different one at any point, and re-associate the existing IP address with the new server. (Some reasons to do this would be in order to launch a more powerful instance, or to consolidate various other servers into a single instance).

This kind of re-association needs to be transparent to the automated system that delivers the files. However, I expect that the automated system would freak out when I make such a switch, because it would detect that the host's fingerprint has changed. Maybe normally that's a good thing, but I believe in this case, since one host is supposed to replace another, it's appropriate to preserve the identity.

So, whenever I swap instances as described, I need to copy the original host's public key(s) into the new host. I actually half expected that this would happen automatically — if I use the same AMI to launch both hosts, but it appears that EC2 deliberately assigns new public keys to the new instance, overwriting whatever keys were saved with the AMI.

My question is what's the easiest way to achieve the desired behavior. I know how to do it manually, by copying the keys over from the old server onto the new server and overwriting the ones that were assigned to the new server. But I wonder if EC2 has an automated or idiomatic way to do this.

meetamit
    EC2 merely gives you a virtual machine. Within that machine, things are managed as you would any other linux host. – EEAA Nov 17 '15 at 00:21

1 Answer


I'd advise leaving the system instance as is for administration duties, and instead creating a 2nd instance of SSHd that runs with your shared key.

Copy your shared set of SSH keys to your AMI image and save them to a differently named file (e.g. /etc/ssh/shared_host_rsa_key).

Next, make a copy of the SSH server configuration (/etc/ssh/sshd_config -> /etc/ssh/sshd_shared_config), modify said configuration to listen on a new port (e.g. 2222) and use your shared host keys.

Configure your 2nd sshd instance to start on boot, and tell your customer that from now on, they'll need to connect to port 2222.

You can even go further and harden the 2nd sshd configuration more so than the one you use for generic system administration.

oo.
  • Thank you! It didn't occur to me that it's possible to have multiple instances of SSHd. I assume that the 2nd SSHd's keys will remain intact when I launch an instance from an AMI that was saved with this configuration. – meetamit Nov 19 '15 at 04:07
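The second-sshd setup described in the answer, written out as an added example (this is not code from the original post or from AWS). The shared key file names under /etc/ssh, the sshd_shared_config name and port 2222 follow the answer; the systemd unit name, the PidFile location and the sshd binary path are assumptions. The functions only build files, so the derived config can be inspected before anything is enabled; the guarded `install` branch at the end runs the full sequence on a host being prepared for an AMI snapshot.

```bash
#!/usr/bin/env bash
# Added example: a second sshd instance, bound to port 2222, that presents
# persistent host keys baked into the AMI while the default sshd on port 22
# keeps the per-instance keys EC2 generates at launch.
set -eu

SHARED_KEY_DIR=/etc/ssh                      # from the answer
SHARED_CFG=/etc/ssh/sshd_shared_config       # from the answer
SHARED_PORT=2222                             # from the answer
SHARED_UNIT=/etc/systemd/system/sshd-shared.service   # assumption
SSHD_BIN=/usr/sbin/sshd                      # assumption

# Generate the shared host keys once; they are then saved with the AMI.
# Key types (rsa, ed25519) are a choice for this example.
generate_shared_keys() {
  local keydir="$1" t
  for t in rsa ed25519; do
    [ -f "$keydir/shared_host_${t}_key" ] && continue
    ssh-keygen -q -t "$t" -N '' -f "$keydir/shared_host_${t}_key"
    chmod 600 "$keydir/shared_host_${t}_key"
  done
}

# Derive the second config from the first: drop the directives that must
# differ between the two daemons (HostKey, Port, ListenAddress, PidFile),
# keep everything else (Subsystem sftp, auth settings, ...), then append
# the shared port, a separate pid file, the shared keys and extra hardening
# for the customer-facing daemon, as the answer suggests.
make_shared_sshd_config() {
  local src="$1" dst="$2" port="$3" keydir="$4" t
  {
    grep -Ev '^[[:space:]]*(HostKey|Port|ListenAddress|PidFile)[[:space:]]' "$src" || true
    printf 'Port %s\n' "$port"
    printf 'PidFile /run/sshd_shared.pid\n'
    for t in rsa ed25519; do
      printf 'HostKey %s/shared_host_%s_key\n' "$keydir" "$t"
    done
    printf 'PubkeyAuthentication yes\n'
    printf 'PasswordAuthentication no\n'
    printf 'PermitRootLogin no\n'
  } > "$dst"
}

# A systemd unit so the second daemon starts on boot; -t validates the config
# before every start so a bad edit cannot take the customer endpoint down.
make_shared_sshd_unit() {
  local cfg="$1" dst="$2"
  cat > "$dst" <<EOF
[Unit]
Description=OpenSSH server (shared host identity for customer SFTP)
After=network.target

[Service]
ExecStartPre=$SSHD_BIN -t -f $cfg
ExecStart=$SSHD_BIN -D -f $cfg
ExecReload=/bin/kill -HUP \$MAINPID
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF
}

# Fingerprints to hand to the customer for pinning in their known_hosts;
# they must be identical on every instance launched from the AMI.
show_shared_fingerprints() {
  local keydir="$1" t
  for t in rsa ed25519; do
    ssh-keygen -lf "$keydir/shared_host_${t}_key.pub"
  done
}

if [ "${1:-}" = "install" ]; then
  generate_shared_keys "$SHARED_KEY_DIR"
  make_shared_sshd_config /etc/ssh/sshd_config "$SHARED_CFG" "$SHARED_PORT" "$SHARED_KEY_DIR"
  make_shared_sshd_unit "$SHARED_CFG" "$SHARED_UNIT"
  "$SSHD_BIN" -t -f "$SHARED_CFG"
  systemctl daemon-reload
  systemctl enable --now sshd-shared.service
  show_shared_fingerprints "$SHARED_KEY_DIR"
fi
```

Running the script as `sudo ./shared-sshd.sh install` on the instance before creating the AMI does the whole sequence; instances launched from that AMI then answer on port 22 with fresh per-instance keys and on port 2222 with the baked-in identity. Remember that the security-group rule for 2222 is separate from the one for 22, and that the customer should pin the printed fingerprints rather than trusting them on first connect.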