3

Disclaimer: I'm a bit of a n00b when it comes to AWS / EC2

I need to do some work on a client's EC2 instance. To do this we're after FTP access. From what I've worked out (I could be wrong) to access the servers I need the PEM/ssh files that were created with that instance.

As these are private keys there is no way to download them. Is there any other way I can get access to this server's FTP?

Thanks

Shane Jones
  • 141
  • 3
  • 4
    Shouldn't you be asking the client how to access their instance? – joeqwerty Dec 15 '16 at 13:18
  • 1
    The PEM file cannot be downloaded again. It can only be downloaded once when the instance is created. This is by design for security purposes. There are warnings about this in EC2 when initializing the instance (though I assume someone else did this previously). Have you asked the client for the PEM file? – SamAndrew81 Dec 15 '16 at 14:18
  • The client has nothing. :( – Shane Jones Dec 15 '16 at 14:26
  • 1
    If the client has lost their ssh keys, you'll first have to deal with that. – Michael Hampton Dec 15 '16 at 18:01
  • In addition, this is a useful post from Stack Overflow that may help you: http://stackoverflow.com/questions/16744863/connect-to-amazon-ec2-file-directory-using-filezilla-and-sftp – Alexandre Roux Dec 15 '16 at 13:46
  • I'm fine with the connecting part, it's more an issue with the keys / pem file. – Shane Jones Dec 15 '16 at 13:49
  • Have you had a look at this article? http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html#having-ec2-create-your-key-pair – Alexandre Roux Dec 15 '16 at 13:53
  • Note that if you're using ssh keys, you're hopefully using scp/sftp and not ftp – Foon Dec 16 '16 at 00:01
  • Yeah I use SFTP on a different client using this same platform, was trying to get everything set up the same but they didn't have their keys to send over. – Shane Jones Dec 19 '16 at 09:38

3 Answers

6

EC2 instances come with one user already set up, called ec2-user. This is generally used to SSH onto the instance and do whatever needs doing to get it running.

There's nothing to stop the client creating new users and setting up new keys. In fact it's probably a good idea for them to do this, unless they're happy to provide you with root access (the ec2-user can sudo) and share accounts.

Similarly there's nothing to stop them setting up FTP and creating an FTP user for you to use.

In summary: they might give you the ec2-user keys, or they might give you another username (and keys), or they might just give you the FTP credentials. You should ask them.

Edit: If they give you keys then follow the instructions here to connect.

Qwerky
  • 209
  • 1
  • 4
  • I think it's getting the keys that is the issue as it seems no one has them. Is it possible to add new keys do you know? – Shane Jones Dec 15 '16 at 13:47
  • It is possible to create new users and associated keys, as Qwerky said. They actually do not need the original PEM file for this, just the AWS login. If they provided you with an AWS login you could do it yourself. – SamAndrew81 Dec 15 '16 at 14:28
  • Yeah I have the AWS logins and that is all. I've created a new PEM file although I'm now getting a "Permission denied (publickey)." error when trying to ssh into the machine. – Shane Jones Dec 15 '16 at 14:32
  • 2
    @ShaneJones Creating a key doesn't put that key on the instance. – ceejayoz Dec 15 '16 at 19:40
3

You can't download the RSA private key after it was initially issued. So if your client lost the password and the root volume is an EBS volume, there is only one way you can restore access to the instance:

  1. Stop the instance.
  2. Detach the volume.
  3. Create a new instance and choose a key that you do have (or create a new one and save it).
  4. Attach volume to the new instance.
  5. Mount volume inside the new instance.
  6. Replace key in authorized_keys on the attached volume (something like /home/ec2-user/.ssh/authorized_keys).
  7. Shut down the temporary instance, detach the volume, attach it back to the main instance, start the main instance.
Sergey Kovalev
  • 353
  • 1
  • 6
  • I'm guessing stopping the instance takes the site down right? – Shane Jones Dec 15 '16 at 15:39
  • That is correct. If that is critical, you can use a more complex strategy: clone EC2 instance, replace key, redirect traffic to the new instance. That'll work as long as user files and DB are located somewhere else and EC2 server acts as pure web application server. – Sergey Kovalev Dec 15 '16 at 15:42
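
Step 6 of the procedure above, as an added example that is not part of the original answer or of AWS's documentation: a shell function run on the temporary instance once the old root volume is mounted. The function name `replace_authorized_key` and the mount point `/mnt/rescue` are assumptions; it backs up the old file, rejects anything that is not a single public key line, and sets the permissions and ownership sshd expects.

```shell
#!/bin/sh
# Added example: replace authorized_keys on a mounted rescue volume.
# replace_authorized_key is a hypothetical helper name, not an AWS tool.
# usage: replace_authorized_key <mounted-root> <user> <new-public-key-file>
replace_authorized_key() {
    root=$1; user=$2; pubkey=$3
    home="$root/home/$user"
    ssh_dir="$home/.ssh"
    auth="$ssh_dir/authorized_keys"

    [ -d "$home" ] || { echo "no home directory at $home" >&2; return 1; }
    [ -r "$pubkey" ] || { echo "cannot read $pubkey" >&2; return 1; }

    # Accept exactly one OpenSSH public key line. A private key (.pem)
    # copied here by mistake would not grant access and would be exposed.
    [ "$(grep -c . "$pubkey")" -eq 1 ] ||
        { echo "expected exactly one key line in $pubkey" >&2; return 1; }
    case "$(cat "$pubkey")" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "$pubkey is not an OpenSSH public key" >&2; return 1 ;;
    esac

    mkdir -p "$ssh_dir" || return 1
    # Keep the old file so the previous keys can be reviewed or restored.
    if [ -f "$auth" ]; then
        cp -p "$auth" "$auth.bak.$(date +%Y%m%d%H%M%S)" || return 1
    fi
    cat "$pubkey" > "$auth" || return 1

    # sshd with StrictModes ignores authorized_keys that others can write.
    chmod 700 "$ssh_dir" || return 1
    chmod 600 "$auth" || return 1

    # Copy ownership from the home directory by numeric id: user names on
    # the temporary instance may map to different uids than on the original.
    owner=$(ls -ldn "$home" | awk '{print $3 ":" $4}')
    chown "$owner" "$ssh_dir" "$auth" 2>/dev/null ||
        echo "warning: could not chown to $owner (run as root)" >&2
    return 0
}

# Example call; /mnt/rescue is an assumed mount point:
#   replace_authorized_key /mnt/rescue ec2-user ./new-key.pub
```

The timestamped `.bak` copy stays in `.ssh` next to the new file; sshd does not read it, and it can be deleted once the old keys are confirmed lost.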
-2

Sergey Kovalev has the best answer here and AWS actually has those same exact steps published in their documentation.

If they can't provide anything then you will inevitably need to recreate the instance.

However, would you be able to look at the config file that the site is using to gain access to the FTP server? You could try logging into the EC2 instance with those credentials.

Josh
  • 1