I'm fairly new to this. I'm running a bunch of EC2 machines, and when creating my AWS account I got my own .pem file in order to connect to my machines, for which I have full access rights, etc.

As I'm working with freelancers and developers I want to give them full access rights for a specific instance without of course sharing my very own .pem file.

What is the easiest and best/pragmatic way to do that? What are the steps, and will the freelance developers then also be able to fully connect to the machine with read/write access to everything on this instance?

Thanks for your feedback in advance, Matt

Matt
  • Typically, setting up ssh access for a new user involves creating a personal user account, adding them to the relevant groups (if using group-based access rights) or setting up a personal sudo rule for them, and then adding **the public ssh key they provide** to the authorized_keys file in that new user's ~/.ssh directory – HBruijn Oct 16 '19 at 19:16
  • Is there a way to create a dedicated pem file that only provides access to a specific instance, which I could then share? If I shared my .pem file it would give them full access to the server, but also to all other instances. I want to avoid having them provide a public key that I then have to add to the authorized_keys etc., just for the sake of pragmatism. – Matt Oct 16 '19 at 19:25

1 Answer

Create a user on your EC2 instance, then generate them a key. Grant that user permissions to access whatever they need access to.

I have a tutorial on creating an EC2 user with a certificate. In short:

Create the user

```
# Become root, create the account with a home directory (-m), set its password
sudo su
sudo useradd -m fred
passwd fred
```

Create the key

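```
su fred
cd ~
# Writes the private key to ./rsa and the public key to ./rsa.pub
ssh-keygen -f rsa

mkdir .ssh
touch .ssh/authorized_keys
# With StrictModes (the sshd default), keys are refused if these are writable by others
chmod go-w ~/
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

# Authorize the public key generated above
cat rsa.pub >> /home/fred/.ssh/authorized_keys
```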

Allow the user to log in

```
vi /etc/ssh/sshd_config
# Set these two lines in the file:
PasswordAuthentication no
AllowUsers ec2-user fred
```

Send the private key to the user securely.

Luke
Tim
  • Hey @tim … thanks so much. That tutorial looks just perfect. Only thing that I'm struggling with, it seems, is when creating the key and putting `ssh-keygen -f rsa` I get "Saving key `rsa` failed: Permission denied" after being prompted for a passphrase. What would be the passphrase here that I'm prompted for? Is this the passphrase for the main user? How do I find out that password if I'm connecting with a pem file and no password? – Matt Oct 17 '19 at 07:05
  • That will probably be file permissions. Make sure you're the right user and are in their folder so they have permissions to write to it. The phrase is like a password for the key, it can be anything you like, but I usually leave it empty. – Tim Oct 17 '19 at 07:27
  • … thanks I seem to have figured that out. But I might need one more hint for downloading the private key file. I did what's in the tutorial of yours. Also updated the sshd_config file with the two lines at the end. I have a user "fred" now. Also I see the rsa.pub file for this user in the user directory, where and how do I download the private key file though? – Matt Oct 17 '19 at 08:03
  • I haven't done this in a while. From memory the public key is in the file with the pub extension, the private key has the same name but no extension. You can ftp it to your PC using sftp (which is provided by the ssh daemon). Another way to do it is to open the file in vi / nano then copy and paste the contents into a file on your PC. – Tim Oct 17 '19 at 08:09
  • Update: added the `-m` parameter to `useradd`, or the new user won't have a home directory; added the `cd ~` command for fred to jump to his folder first, then `ssh-keygen` – Luke Aug 07 '21 at 11:07
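
A check to run after the steps in the answer above, as an added example that is not part of the original answer or its tutorial: it verifies the modes the answer sets and flags a private key still sitting on the instance after it has been handed over. It assumes a Linux instance with GNU `stat`; the names `audit_ssh_home` and `note` and the script name are chosen here.

```shell
#!/bin/sh
# Added example, not from the answer. Assumes a Linux instance with GNU stat.
FINDINGS=0
note() { echo "FINDING: $*"; FINDINGS=$((FINDINGS + 1)); }

# audit_ssh_home HOME_DIR: prints findings; returns 0 if clean, 1 otherwise.
audit_ssh_home() {
    home=$1
    ak="$home/.ssh/authorized_keys"
    FINDINGS=0

    # chmod go-w ~/ : the home directory must not be group/world-writable
    mode=$(stat -c '%a' "$home")
    [ $(( 0$mode & 022 )) -eq 0 ] || note "$home is group/world-writable ($mode)"

    # chmod 700 ~/.ssh and chmod 600 ~/.ssh/authorized_keys
    [ "$(stat -c '%a' "$home/.ssh" 2>/dev/null)" = 700 ] || note "$home/.ssh is not mode 700"
    [ "$(stat -c '%a' "$ak" 2>/dev/null)" = 600 ] || note "$ak is not mode 600"

    # authorized_keys holds public keys only. Lines that start with options
    # (command=..., from=...) are reported too, for manual review.
    if [ -f "$ak" ]; then
        while IFS= read -r line || [ -n "$line" ]; do
            case $line in
                ''|'#'*) ;;
                *'PRIVATE KEY'*) note "private key material in $ak" ;;
                ssh-*' '*|ecdsa-*' '*|sk-*' '*) ;;
                *) note "line needs review in $ak" ;;
            esac
        done < "$ak"
    fi

    # A key pair generated on the server (~/rsa in the answer) leaves the
    # private half on the instance; flag any private key still present.
    for f in "$home"/* "$home"/.ssh/*; do
        [ -f "$f" ] || continue
        if head -n 1 "$f" 2>/dev/null | grep -q -- '-----BEGIN .*PRIVATE KEY-----'; then
            note "private key left on server: $f"
        fi
    done

    [ "$FINDINGS" -eq 0 ]
}

# Usage: sh audit.sh /home/fred   (script name is a placeholder)
[ "$#" -eq 0 ] || audit_ssh_home "$1"
```

Run it as root or as the account owner so the files are readable; a clean account prints nothing and exits 0.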