ssh aws key management


ssh aws key management

Thufir Hawat
For ssh, what's a good strategy to keep logins organized?  I'm doing:

ssh -i "suse.pem" ec2-user@ec2...

and could add that to aliases.  What might be some other approaches to
handling keys and logins?  I'm not ssh'ing to dozens of instances -- less
than five.



thanks,

Thufir


--
ubuntu-users mailing list
[hidden email]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users

Re: ssh aws key management

Karl Auer
On Sun, 2017-11-12 at 04:25 +0000, thufir wrote:
> For ssh, what's a good strategy to keep logins organized?  I'm doing:
>
> ssh -i "suse.pem" ec2-user@ec2...
>
> and could add that to aliases.  What might be some other approaches
> to handling keys and logins?  I'm not ssh'ing to dozens of instances
> -- less than five.

Read "man ssh_config" and check out the CertificateFile and
IdentityFile directives. You can either just set up a big list of
identities and they will all be tried in turn, or you can use the Host
directive (I think, I have not tried this myself) to limit each
identity to a particular host.

I suggest you put these things into ~/.ssh/config rather than into the
global ssh configuration file /etc/ssh/ssh_config, though the
permissions on the certificate file should prevent misuse.

All this said, you do not require the AWS-supplied identity unless you
like using multiple identity files. Just add your own ssh public key to
~/.ssh/authorized_keys on the AWS system for the user you want to log
in as - ec2-user or whatever - or make a new user and use that one. If
you delete the AWS-supplied key out of the authorized_keys file, it
will no longer work for logins, which might be useful in some
scenarios.

BTW AWS gives the primary user (e.g. ubuntu@host) password-less sudo
access, which is IMHO dangerous (but let's please not have THAT
discussion again). Anyway, if you don't like it you can and IMHO should
fix /etc/sudoers to turn it off.

Also, for better ssh security you should at a minimum change the ssh
port and turn off password-only logins (i.e., require publickey
access).

Regards, K.

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer ([hidden email])
http://www.biplane.com.au/kauer
http://twitter.com/kauer389

GPG fingerprint: A52E F6B9 708B 51C4 85E6 1634 0571 ADF9 3C1C 6A3A
Old fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B



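Karl's suggestions above (a per-host stanza in ~/.ssh/config with Host and IdentityFile, keeping the key file locked down, and disabling password logins in sshd) as an added example written for this page; it is not code from the thread or from OpenSSH. The host alias, hostname and key paths are constructed, the config parsing handles only the plain stanza layout shown, and the demo writes only to a temporary directory.

```shell
#!/bin/sh
# Added example, not from the thread. Generates a per-host ~/.ssh/config
# stanza, resolves which IdentityFile a config assigns to an alias, checks
# private-key permissions, and reads the PasswordAuthentication setting
# from an sshd_config. All hostnames, aliases and paths are constructed.

# Print a config stanza that binds exactly one key to one host alias.
# IdentitiesOnly keeps ssh from offering every key in the agent and in
# ~/.ssh to this host; "ssh suse" then expands to the full command line.
ssh_host_stanza() {
    alias="$1"; hostname="$2"; user="$3"; keyfile="$4"
    printf 'Host %s\n    HostName %s\n    User %s\n    IdentityFile %s\n    IdentitiesOnly yes\n\n' \
        "$alias" "$hostname" "$user" "$keyfile"
}

# Print the IdentityFile that a config assigns to a host alias.
# Handles the simple "Host <alias>" plus indented-keyword layout written
# above; it does not evaluate wildcards or Match blocks.
ssh_identity_for() {
    awk -v want="$2" '
        $1 == "Host"                    { inblock = ($2 == want) }
        inblock && $1 == "IdentityFile" { print $2; exit }
    ' "$1"
}

# Check that a private key exists and is not readable by other users.
# ssh refuses a key with loose permissions anyway; this catches it early.
# Returns 0 and prints nothing when the key is fine, 1 otherwise.
ssh_key_check() {
    keyfile="$1"
    [ -f "$keyfile" ] || { echo "missing: $keyfile"; return 1; }
    mode=$(stat -c %a "$keyfile" 2>/dev/null || stat -f %Lp "$keyfile")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "mode $mode on $keyfile; expected 600"; return 1 ;;
    esac
}

# Print the effective PasswordAuthentication value from an sshd_config.
# sshd honours the first occurrence of a keyword, and the default is yes.
# Match blocks are not evaluated by this simple parser.
sshd_password_auth() {
    awk 'tolower($1) == "passwordauthentication" { print tolower($2); found = 1; exit }
         END { if (!found) print "yes" }' "$1"
}

# Demo in a throwaway directory so nothing touches the real ~/.ssh.
demo() {
    dir=$(mktemp -d)
    key="$dir/suse.pem"
    : > "$key"; chmod 644 "$key"                     # deliberately too open
    ssh_host_stanza suse ec2-203-0-113-10.example.invalid ec2-user "$key" > "$dir/config"
    echo "key for suse: $(ssh_identity_for "$dir/config" suse)"
    ssh_key_check "$key" || true                     # reports the 644 mode
    chmod 600 "$key"
    ssh_key_check "$key" && echo "key permissions ok"
    printf '#PasswordAuthentication no\nPasswordAuthentication yes\n' > "$dir/sshd_config"
    echo "password logins: $(sshd_password_auth "$dir/sshd_config")"
    rm -rf "$dir"
}

demo
```

With a stanza like this in place, `ssh suse` replaces the `ssh -i "suse.pem" ec2-user@ec2...` command line from the original question, and IdentitiesOnly means a key added for one host is never offered to another. The sshd_config check reads the first uncommented value because that is the one sshd applies; a commented-out `#PasswordAuthentication no`, as in the demo, leaves the default of yes in force.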

Re: ssh aws key management

Thufir Hawat
On Sun, 12 Nov 2017 17:44:19 +1100, Karl Auer wrote:


> All this said, you do not require the AWS-supplied identity unless you
> like using multiple identity files. Just add your own ssh public key to
> ~/.ssh/authorized_keys on the AWS system for the user you want to log in
> as - ec2-user or whatever - or make a new user and use that one.


Ohhh, I see.  You're suggesting, really, to just use a more regular type
of ssh usage.  To my understanding, at least.  Yes/no?

That is, I have one or some public keys.

When I want access to a remote system, add my public key to the remote
system.  Presto, access?  Yes, I want passwordless, key-only, login to
the default "ubuntu" user (because, as you pointed out, it has
passwordless sudo access).

I suppose that the AWS way of doing things is to make it easy for them,
with generating special keys, downloading keys, etc, etc.  PITA for me.




-Thufir



Re: ssh aws key management

Karl Auer
On Sun, 2017-11-12 at 07:42 +0000, thufir wrote:
> All this said, you do not require the AWS-supplied identity
> Ohhh, I see.  You're suggesting, really, to just use a more regular
> type of ssh usage.  To my understanding, at least.  Yes/no?

Yes - or at least, the option is available to you. I'm not recommending
it, just telling you about it. There is nothing special about the AWS-
supplied key except (and this IS important) it does not have a
passphrase, and that IMHO means you should not use it and should make it
unusable. Or add a passphrase to it :-)

> When I want access to a remote system, add my public key to the
> remote system.  Presto, access?  Yes, I want passwordless, key-only,
> login to the default "ubuntu" user (because, as you pointed out, it
> has passwordless sudo access).

By "passwordless" I mean you should disable the ability to log into
your instance using a password; you should require a previously-
installed public key.

You should DEFINITELY not use keys without passphrases. If you do,
anyone who acquires your keys can log in anywhere you can log in. Two
minutes with your unattended laptop and they are gone. Unless you
encrypted your disks.

> I suppose that the AWS way of doing things is to make it easy for
> them, with generating special keys, downloading keys, etc, etc.  PITA
> for me.

They offer you a working key. You do not have to use it.

Regards, K.

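Karl's point about keys without passphrases, as an added example written for this page rather than code from the thread. The authoritative check is `ssh-keygen -y -P '' -f key` (it fails on an encrypted key), and `ssh-keygen -p -f key` adds a passphrase to an existing key in place; the script below reaches the same verdict from the file headers alone so it runs without ssh-keygen and without touching real credentials. The stub key files it builds are constructed for the demo and contain no key material.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies an ssh private key file as
# passphrase-protected or stored in the clear by inspecting its headers.
# The stub key files built by the helpers below are constructed for the
# demo and contain no real key material.

# Emit a length-prefixed string as the OpenSSH key format does (4-byte
# big-endian length, then the bytes). Good for lengths under 256.
ossh_string() {
    printf '\0\0\0'
    printf "\\$(printf '%03o' "${#1}")"
    printf '%s' "$1"
}

# Write a stub "-----BEGIN OPENSSH PRIVATE KEY-----" file whose decoded
# header names the given cipher and kdf, e.g. "none none" (no passphrase)
# or "aes256-ctr bcrypt" (passphrase-protected). Nothing follows the header.
make_stub_openssh_key() {
    {
        echo '-----BEGIN OPENSSH PRIVATE KEY-----'
        { printf 'openssh-key-v1\0'; ossh_string "$2"; ossh_string "$3"; } | base64
        echo '-----END OPENSSH PRIVATE KEY-----'
    } > "$1"
}

# Write a stub classic PEM file (the format AWS hands out as .pem).
# $2 is "encrypted" or "clear"; the body is a placeholder, not a key.
make_stub_pem_key() {
    {
        echo '-----BEGIN RSA PRIVATE KEY-----'
        if [ "$2" = encrypted ]; then
            echo 'Proc-Type: 4,ENCRYPTED'
            echo 'DEK-Info: AES-128-CBC,00000000000000000000000000000000'
            echo
        fi
        echo 'AAAA'
        echo '-----END RSA PRIVATE KEY-----'
    } > "$1"
}

# Returns 0 if the key is passphrase-protected, 1 if it is in the clear,
# 2 if the file is not a recognised key. Prints a one-line verdict.
ssh_key_has_passphrase() {
    keyfile="$1"
    case "$(head -n 1 "$keyfile")" in
        '-----BEGIN OPENSSH PRIVATE KEY-----')
            # Decoded blob: magic "openssh-key-v1\0", then cipher name and
            # kdf name as length-prefixed strings. Both are "none" when the
            # key has no passphrase; non-printable bytes become dots here.
            hdr=$(sed -e '1d' -e '/^-----END/,$d' "$keyfile" | tr -d '\n' \
                  | base64 -d 2>/dev/null | head -c 48 | tr -c '[:print:]' '.')
            case "$hdr" in
                *none*none*)     echo "clear: $keyfile";      return 1 ;;
                openssh-key-v1*) echo "passphrase: $keyfile"; return 0 ;;
                *)               echo "unreadable: $keyfile"; return 2 ;;
            esac ;;
        '-----BEGIN RSA PRIVATE KEY-----'|'-----BEGIN EC PRIVATE KEY-----'|'-----BEGIN DSA PRIVATE KEY-----')
            # Classic PEM marks encryption with Proc-Type/DEK-Info headers.
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$keyfile"; then
                echo "passphrase: $keyfile"; return 0
            fi
            echo "clear: $keyfile"; return 1 ;;
        *)
            echo "unrecognised: $keyfile"; return 2 ;;
    esac
}

# Demo against stub files in a throwaway directory.
demo() {
    dir=$(mktemp -d)
    make_stub_openssh_key "$dir/id_clear" none none
    make_stub_openssh_key "$dir/id_protected" aes256-ctr bcrypt
    make_stub_pem_key "$dir/aws.pem" clear
    for k in "$dir"/*; do ssh_key_has_passphrase "$k" || true; done
    rm -rf "$dir"
}

demo
```

Run over a real ~/.ssh directory (`for k in ~/.ssh/id_* ~/.ssh/*.pem; do ssh_key_has_passphrase "$k"; done`) this lists every key that would be usable as-is by anyone who copies the file, which is exactly the case Karl describes; an AWS-generated .pem comes back as "clear" because the download has no Proc-Type header.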