56

1: Is there a way to log in to an AWS instance without using key pairs? I want to set up a couple of sites/users on a single instance. However, I don't want to give out key pairs for clients to log in.

2: What's the easiest way to set up hosting sites/users in 1 AWS instance with different domains pointing to separate directories?

Andres
  • 1
    It is possible now in AWS: https://aws.amazon.com/blogs/compute/new-using-amazon-ec2-instance-connect-for-ssh-access-to-your-ec2-instances/ – BMW Apr 15 '20 at 02:32
  • @BMW Moreover, there is an official python wrapper [`pip install ec2instanceconnectcli`](https://pypi.org/project/ec2instanceconnectcli/) which allows one to do `mssh ` – Aleksandr Dubinsky Mar 30 '21 at 11:54

7 Answers

144

Answer to Question 1

Here's what I did on an Ubuntu EC2:

A) Log in as root using the key pairs

B) Set up the necessary users and their passwords with

    # sudo adduser USERNAME
    # sudo passwd USERNAME

C) Edit /etc/ssh/sshd_config, setting:

For a valid user to log in with no key

    PasswordAuthentication yes

If you also want root to log in with no key

    PermitRootLogin yes

D) Restart the ssh daemon with

    # sudo service ssh restart

Just change ssh to sshd if you are using CentOS.

Now you can log in to your EC2 instance without key pairs.

Community
illy
16

I came here through Google looking for an answer to how to set up cloud-init to not disable PasswordAuthentication on AWS. Neither of the answers addresses the issue. Without it, if you create an AMI, then on instance initialization cloud-init will again disable this option.

The correct method to do this is, instead of manually changing sshd_config, to correct the setting for cloud-init (an open-source tool used to configure an instance during provisioning; read more at: https://cloudinit.readthedocs.org/en/latest/). The configuration file for cloud-init is found at: /etc/cloud/cloud.cfg

This file is used for setting up a lot of the configuration used by cloud-init. Read through this file for examples of items you can configure in cloud-init. This includes items like the default username on a newly created instance.

To enable or disable password login over SSH you need to change the value of the parameter ssh_pwauth. After changing the parameter ssh_pwauth from 0 to 1 in the file /etc/cloud/cloud.cfg, bake an AMI. If you launch from this newly baked AMI, it will have password authentication enabled after provisioning.

You can confirm this by checking the value of the PasswordAuthentication in the ssh config as mentioned in the other answers.

ali-hussain
  • I suspect this answer hints at the correct solution, but it's written so poorly, I can't understand it. – Jim Maguire Nov 13 '15 at 02:07
  • I did not even know this file existed. Great answer! – Richard_G Nov 17 '15 at 18:35
  • 1
    @JimMaguire I guess I assumed a lot of background information. I've added some more clarification. Does that help? Do you have some particular suggestions you want me to incorporate? – ali-hussain Nov 19 '15 at 08:53
  • If you don't find "PasswordAuthentication" in /etc/cloud/cloud.cfg, look for "ssh_pwauth" in /etc/cloud/cloud.cfg.d/00_defaults.cfg and change its value from "false" to "true". – Russell G Jan 07 '17 at 15:51
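
An added example (not code from any answer on this page): a Python check of what PasswordAuthentication will be once cloud-init has run on an instance launched from the AMI, combining the manual sshd_config edit from the first answer with the ssh_pwauth setting described in this one. The function names, the constructed sample contents, the regex read of the top-level ssh_pwauth key, and the merge order (cloud.cfg first, then cloud.cfg.d files, last value wins) are assumptions.

```python
import re

# Boolean spellings treated as true/false for ssh_pwauth (assumption: same sets cloud-init accepts).
TRUE = {"true", "1", "yes", "on"}
FALSE = {"false", "0", "no", "off"}

# Constructed sample inputs, not taken from a real instance.
SSHD_SAMPLE = "PermitRootLogin yes\nPasswordAuthentication yes\n"
CLOUD_CFG = "users:\n  - default\nssh_pwauth: 0\n"
OVERRIDE_CFG = "ssh_pwauth: true\n"

def sshd_value(sshd_config, keyword, default):
    """Global value sshd uses for a keyword: the first occurrence in the file wins."""
    for raw in sshd_config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        if parts[0].lower() == "match":  # Match blocks are conditional; stop at the first
            break
        if parts[0].lower() == keyword.lower() and len(parts) == 2:
            return parts[1].strip().lower()
    return default

def cloud_init_pwauth(cfg_texts):
    """Last top-level ssh_pwauth across the files, given in merge order; None if unset."""
    value = None
    for text in cfg_texts:
        for m in re.finditer(r"^ssh_pwauth:[ \t]*(\S+)", text, re.MULTILINE):
            value = m.group(1).strip("'\"").lower()
    return value

def password_auth_after_boot(sshd_config, cfg_texts):
    """PasswordAuthentication after cloud-init has applied ssh_pwauth on first boot."""
    current = sshd_value(sshd_config, "PasswordAuthentication", "yes")
    pwauth = cloud_init_pwauth(cfg_texts)
    if pwauth in TRUE:
        return "yes"
    if pwauth in FALSE:
        return "no"
    return current  # unset or "unchanged": sshd_config is left as it is

if __name__ == "__main__":
    # The manual "yes" in sshd_config is reverted while cloud.cfg still says 0.
    print(password_auth_after_boot(SSHD_SAMPLE, [CLOUD_CFG]))
    print(password_auth_after_boot(SSHD_SAMPLE, [CLOUD_CFG, OVERRIDE_CFG]))
```

On a real instance, pass in the contents of /etc/ssh/sshd_config and the cloud-init files, and run the check before baking the AMI so an unintended password login path is caught early.
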
15

1) You should be able to change the ssh configuration (on Ubuntu this is typically in /etc/ssh or /etc/sshd) and re-enable password logins.

2) There's nothing really AWS specific about this - Apache can handle VHOSTS (virtual hosts) out-of-the-box - allowing you to specify that a certain domain is served from a certain directory. I'd Google that for more info on the specifics.

Chris Bunch
  • Can you still use HTTPS under these conditions (1 ip and multiple vhosts)? Do you know of docs that explain setting up openSSL for all the domains? – Andres May 25 '11 at 16:23
  • So I addressed this in my question but since this is the accepted answer I want to clarify. There is an AWS specific component to this answer. Cloud Init, which will run as a part of boot up will overwrite the configuration you set using this method. This is what my answer addresses. – ali-hussain Apr 19 '16 at 19:38
2

Recently, AWS added a feature called Session Manager to the Systems Manager service that allows one to SSH into an instance without needing to set up a private key or open up port 22. I believe authentication is done with IAM and optionally MFA.

You can find out more about it here:

https://aws.amazon.com/blogs/aws/new-session-manager/

pmagunia
1

AWS added a new feature to connect to an instance without any open port, the AWS SSM Session Manager. https://aws.amazon.com/blogs/aws/new-session-manager/

I've created a neat SSH ProxyCommand script that temporarily adds your public ssh key to the target instance during connection to the target instance. The nice thing about this is you will connect without the need to add the ssh (22) port to your security groups, because the ssh connection is tunneled through SSM Session Manager.

AWS SSM SSH ProxyCommand -> https://gist.github.com/qoomon/fcf2c85194c55aee34b78ddcaa9e83a1

qoomon
0

    su - root

Go to /etc/ssh/sshd_config

    vi sshd_config

    # Authentication:
    PermitRootLogin yes

    # To enable empty passwords, change to yes (NOT RECOMMENDED)
    PermitEmptyPasswords no

    # Change to no to disable tunnelled clear text passwords
    PasswordAuthentication yes

    :x!

Then restart the ssh service

    root@cloudera2:/etc/ssh# service ssh restart
    ssh stop/waiting
    ssh start/running, process 10978

Now go to the sudoers file (/etc/sudoers).

    # User privilege specification
    root  ALL=(ALL)NOPASSWD:ALL
    yourinstanceuser  ALL=(ALL)NOPASSWD:ALL    # This is the user by which you are launching instance.

Veerendra K
Moin
0

Amazon added EC2 Instance Connect.

There is an official script to automate the process: https://pypi.org/project/ec2instanceconnectcli/

    pip install ec2instanceconnectcli

Then just

    mssh <instance id>

Aleksandr Dubinsky