0

Here's my issue

I have an EC2 instance on AWS running Ubuntu Server. During the initial launch of the instance, I generated the key-pair by going to AWS console --> Key Pairs --> Create key pair. It generated a key abcxxxx.pem and I have saved it.

Here's where the issue starts

  • I head a project where multiple developers come on and off. Without too much thought, I distributed my .pem file to 2-3 developers. They have left the project since and I want to restrict AWS access to only active developers. Basically I don't want the 2-3 developers (with .pem file) to access my machine.

  • For all the new developers (I no longer distribute the .pem file), I give access to the AWS machine by pasting their public key in /home/ubuntu/.ssh/authorized_keys. This gives them access to the machine.

My two questions are as follows

  1. How can I restrict access to people who already have .pem file? Will deleting their public key from /home/ubuntu/.ssh/authorized_keys make a difference? NOTE: I still have the key and only I have the access to AWS console.
  2. How are the new developers able to access the AWS machine without a .pem file? (The only thing I do is paste their public key in the authorized_keys on AWS)
  3. How do I implement a system where I have sole access and I deal with developers coming on/off on the project?
  4. All users (including me) whose public key is in the authorized_keys on the AWS machine can login without a .pem file. How is this possible? Doesn't everyone need a .pem file to ssh in?

I'm really confused about this key-pair business (what's the role of the .pem file?) and other posts online don't seem to help (even AWS support). Most posts online address scenarios where you lose the key and you have to launch a new instance etc. I contacted AWS support and they just sent me this link. I don't understand how this helps.

Any solution/elaborate answer will be really helpful.

Jacob Gabrielson
am3

2 Answers

2

For the most part, your question is really about how to administrate users and SSH on Ubuntu. The keypair that you generated using the console is only used when the instance first launches. It is always available via instance metadata; you can see that by running the following command from the shell on the EC2 instance:

$ curl http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key

which outputs:

ssh-rsa ...blah blah blah...

When your EC2 instance first launched, this key was copied into /home/ubuntu/.ssh/authorized_keys because the Ubuntu AMI you're using is set up to do that. But that's just a convention. That's the only time that the key will get automatically copied anywhere, so from there on out you can manage the authorized_keys file however you like.

Regarding your specific questions,

  1. If the original public key you created on the console is still in authorized_keys, then anyone who has the corresponding PEM file can still log in. To correct this, you would need to carefully remove that key from the authorized_keys file (for example, first making absolutely sure that you can log in with a different key).
  2. While they may not have the PEM file you downloaded from the AWS Console, they must somehow have gotten the PEM file (or some rough equivalent) for one of the public keys that you added to authorized_keys.
  3. There are lots of different ways. As mentioned above, it's more of a matter of how you want to administrate users under Ubuntu. Since you seem to want to retain control over the machine, you could create user accounts for each of the developers to log into, and then give them limited rights to use sudo in certain cases (assuming they need that at all). You could then revoke these accounts whenever you wanted.
  4. My understanding is that there are just many different ways to provide the equivalent of a PEM file to ssh, and somehow you (and your developers) must be doing that. I'd recommend perusing the ssh documentation.

I hope this helps!

Jacob Gabrielson
  • This was very useful. As you correctly noted, the curl gives you the public key that was generated when the instance was launched. At some point, I deleted this key from my authorized_keys (without knowing the above info). But luckily I had the public key of my laptop/desktop in the authorized_keys and hence was able to login. I verified this by deleting both public keys (my laptop & first-generated public key) & tried to SSH in and it fails. As long as I don't have the public key which was first generated in my authorized_keys, even developers with the pvt key will not be able to login. Thanks – am3 Apr 15 '16 at 19:14
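
The careful removal described in point 1 of the answer above, as an added example that is not part of the original answer or comment: it drops one public key from an authorized_keys file and refuses when no other key would remain. The function names `key_blob` and `revoke_key` are hypothetical, and the sample keys are constructed placeholders.

```shell
# Added example (not from the original answer): remove one public key from an
# authorized_keys file, refusing to proceed if that would leave no key at all.

# key_blob LINE: print the base64 key blob of a public-key line.
# Lines look like "[options] keytype blob [comment]"; matching on the blob
# ignores differing comments and options.
key_blob() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++)
            if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $(i + 1); exit }
    }'
}

# revoke_key FILE PUBKEY_LINE
# returns 0 = removed (backup in FILE.bak), 1 = key not found in FILE,
#         2 = PUBKEY_LINE could not be parsed, 3 = refused: no key would remain.
revoke_key() {
    rk_file=$1
    rk_blob=$(key_blob "$2")
    [ -n "$rk_blob" ] || return 2
    rk_tmp=$(mktemp) || return 2
    # Copy every line except those carrying the blob as a whole field.
    awk -v b="$rk_blob" '
        { for (i = 1; i <= NF; i++) if ($i == b) { hit = 1; next }
          print }
        END { exit(hit ? 0 : 1) }' "$rk_file" > "$rk_tmp" || { rm -f "$rk_tmp"; return 1; }
    # Count the entries that remain (non-blank, non-comment lines).
    rk_left=$(grep -Evc '^[[:space:]]*(#|$)' "$rk_tmp" || true)
    if [ "$rk_left" -eq 0 ]; then rm -f "$rk_tmp"; return 3; fi
    # Writing with cat into the existing file keeps its owner and mode.
    cp -p "$rk_file" "$rk_file.bak" && cat "$rk_tmp" > "$rk_file"
    rk_rc=$?
    rm -f "$rk_tmp"
    return $rk_rc
}

# Constructed sample data: the blobs are placeholders, not real keys.
demo_dir=$(mktemp -d)
cat > "$demo_dir/authorized_keys" <<'EOF'
ssh-rsa AAAAB3LAUNCHKEYPLACEHOLDER aws-launch-key
ssh-ed25519 AAAAC3LAPTOPKEYPLACEHOLDER owner@laptop
EOF
# On the instance, the launch-key line is what the curl command in the answer prints.
revoke_key "$demo_dir/authorized_keys" "ssh-rsa AAAAB3LAUNCHKEYPLACEHOLDER"
echo "exit status: $?"
cat "$demo_dir/authorized_keys"
```

Keep the current SSH session open and confirm a fresh login with the remaining key in a second terminal before closing it.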
1

Taking a stab at this:
1) You cannot remove the key from authorized_keys without losing access yourself to the server. The public key in there proves to the server that you are who you say you are when you auth to the server via SSH using the pem.

2) For the new developers, they do pass in a key when they ssh to the machine. It's just their key and it's implicitly passed in, vs the key you've used to spin up the machine. The presence of their public key in the authorized_keys signals to the server that they are authorized to access the machine once their ssh client proves it has the private key that matches the public key in the authorized file.

3) I would just create additional users on the box and set them up for passwordless login by setting up /home/newusername/.ssh/authorized_keys pretty much the same way you set it up for the ubuntu user today. When they leave the project, just disable and/or delete the accounts.

4) It's possible to login without specifying a pem, but you still specify a key. To see the key exchange and how the auth takes place do "ssh -vvv user@machinename" and you will see the whole ssh dialogue. When you don't specify a key, the ssh client will look for one in a couple of predefined locations. You will see the client attempt to use each of these keys (you're probably picking something up from ~/.ssh/id_*). A pem is not a magic file. It's just keys (it may contain a public key, a public and a private key or a public key and the whole cert chain).

I would recommend you read on public/private key crypto to understand how it works.

https://en.wikipedia.org/wiki/Public-key_cryptography

https://www.youtube.com/watch?v=svRWcx7dT8g

https://staff.washington.edu/dittrich/misc/ssh/

Mircea