Once connecting to a AWS server using the PEM keypair (either RDP or SSH) if we add a new user with local administrator permissions will we be able to logon/SSH without using the original PEM keypair?
1 Answer
Yes.
In fact, it is recommended that once an Amazon EC2 Linux instance is launched, the keypair used for authentication should be replaced with your standard corporate security method.
This might mean creating local users and copying their personal keypairs to their ~/.ssh/authorized_keys file, or it might mean using an LDAP or AD server to provide authentication services.
Quick explanation:
- When somebody uses SSH with a keypair to log in to a Linux instance, the SSH server looks in the requested user's ~/.ssh/authorized_keys file. It then tries to match the public keypairs in the file with the private keypair used to establish the SSH session.
- If they match, then the login is permitted.
- Therefore, you can simply replace the keypairs in that file with any desired keypair.
This keypair authentication process is a Linux standard and actually has nothing to do with Amazon EC2 itself. However, a helper script on Amazon Linux AMIs will copy the selected keypair into the authorized_keys file on first boot, to make it easier for users to log in to the instance initially.

John Rotenstein
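The Linux/SSH side of the answer above, as an added worked example that is not part of the original question or answer: a POSIX shell script that creates a local user with sudo rights and installs that user's own public key into `~/.ssh/authorized_keys`, so the account can log in without the original EC2 keypair. The key-installation helper is separated from the user-creation step so the permission handling can be exercised without root. The sample public key, the user name `alice` and the `sudo` group are assumptions for illustration (the sudo group is `wheel` on Amazon Linux and RHEL-style systems); the permission values are the ones sshd enforces when `StrictModes` is on.

```shell
#!/bin/sh
# Added example (not from the original answer). Provisions a local admin
# user who authenticates with their own SSH public key instead of the
# EC2 launch keypair. Assumes a Debian/Ubuntu-style "sudo" group.
set -eu

# Constructed sample public key for the demo; not a real key in use.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYEXAMPLEKEYEXAMPLEKEYEXAMPLEKEY alice@corp'

# install_authorized_key HOME_DIR PUBKEY
#   Appends PUBKEY to HOME_DIR/.ssh/authorized_keys, creating the directory
#   and file with the modes sshd requires under StrictModes (700 / 600).
#   Safe to re-run: an identical line is not added twice.
install_authorized_key() {
    iak_home="$1"
    iak_key="$2"
    iak_dir="$iak_home/.ssh"
    iak_file="$iak_dir/authorized_keys"
    mkdir -p "$iak_dir"
    chmod 700 "$iak_dir"
    touch "$iak_file"
    chmod 600 "$iak_file"
    # -x: whole-line match, -F: literal string (keys contain '+' and '/')
    grep -qxF "$iak_key" "$iak_file" || printf '%s\n' "$iak_key" >> "$iak_file"
}

# count_authorized_keys HOME_DIR
#   Prints the number of key lines in authorized_keys (0 if the file is absent).
count_authorized_keys() {
    cak_file="$1/.ssh/authorized_keys"
    [ -f "$cak_file" ] || { echo 0; return 0; }
    # grep -c exits 1 when the count is 0, which would trip set -e
    grep -cE '^(ssh-|ecdsa-|sk-)' "$cak_file" || true
}

# mode_of PATH
#   Prints the octal permission bits; works with GNU and BSD stat.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# create_admin_user NAME PUBKEY
#   Requires root. Creates the local user if missing, grants sudo via the
#   admin group, installs the key and hands the .ssh tree to the user.
create_admin_user() {
    cau_name="$1"
    cau_key="$2"
    cau_group="sudo"              # use "wheel" on Amazon Linux / RHEL
    if ! id "$cau_name" >/dev/null 2>&1; then
        useradd -m -s /bin/bash "$cau_name"
    fi
    usermod -aG "$cau_group" "$cau_name"
    cau_home=$(getent passwd "$cau_name" | cut -d: -f6)
    install_authorized_key "$cau_home" "$cau_key"
    chown -R "$cau_name:$cau_name" "$cau_home/.ssh"
}

# Demo against a temporary directory so it runs without root:
demo_home=$(mktemp -d)
install_authorized_key "$demo_home" "$SAMPLE_PUBKEY"
install_authorized_key "$demo_home" "$SAMPLE_PUBKEY"   # second call is a no-op
echo "keys: $(count_authorized_keys "$demo_home")  .ssh mode: $(mode_of "$demo_home/.ssh")  file mode: $(mode_of "$demo_home/.ssh/authorized_keys")"
rm -rf "$demo_home"

# Real provisioning on the instance (as root), e.g.:
#   . ./provision.sh && create_admin_user alice "$SAMPLE_PUBKEY"
```

Before removing the launch keypair, open a second session and confirm the new account works end to end (`ssh -i ~/.ssh/alice_key alice@<instance>` followed by `sudo -v`), since a mis-set mode on `~/.ssh` or `authorized_keys` causes sshd to silently ignore the file and you can lock yourself out. Only then delete the launch key's line from the original user's `authorized_keys`, and keep `PasswordAuthentication no` in `sshd_config` so the new local users remain key-only.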