Question
The Nautilus DevOps team needs to set up a new EC2 instance that can be accessed securely from their landing host (`aws-client`). The instance should be of type `t2.micro` and named `datacenter-ec2`. A new SSH key should be created on the `aws-client` host if it doesn't already exist. This key should then be added to the authorized keys of the `root` user on the EC2 instance, allowing password-less SSH access from the `aws-client` host.
Answer
~ on (us-east-1) ➜ cd .ssh/
~/.ssh on (us-east-1) ➜ ls -la
total 24
drwx------ 1 root root 4096 Jul 10 03:09 .
drwx------ 1 root root 4096 Jul 10 03:09 ..
-rw------- 1 root root 134 Jul 10 03:09 agent-environment
-r-------- 1 root root 1138 Jul 10 03:09 authorized_keys
~/.ssh on (us-east-1) ➜ ssh-keygen -t rsa -f devops-key
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in devops-key
Your public key has been saved in devops-key.pub
The key fingerprint is:
SHA256:E75erqXAZdaJ693b0oMD9G+mAecfKqT1Ab/wZhbX/dE root@aws-client
The key's randomart image is:
+--[RSA 3072]----+
| |
| |
| . |
| . +o. |
| S.++. .o|
| . + +=+= ...E|
| o o+o=oO. o|
| +...@=...|
| =.o==Bo. |
+---[SHA256]-----+
~/.ssh on (us-east-1) ➜ cat devops-key.pub
ssh-rsa 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 root@aws-client
~/.ssh on (us-east-1) ➜ ssh -i devops-key ec2-user@3.83.179.143
The authenticity of host '3.83.179.143 (3.83.179.143)' can't be established.
ECDSA key fingerprint is SHA256:srMXzPuBX6Klk7KcPeSttPfveerwRnXGj737bIv0SEY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '3.83.179.143' (ECDSA) to the list of known hosts.
, #_
~_ ####_ Amazon Linux 2023
~~ _#####
~~ ###|
~~ #/ ___ Linux for the Cloud – Amazon Linux 2023 – Amazon Web Services
~~ V~’ ‘->
~~~ /
~~._. _/
_/ _/
_/m/’
[ec2-user@ip-172-31-6-169 ~]$ pwd
/home/ec2-user
[ec2-user@ip-172-31-6-169 ~]$ ls -la
total 12
drwx------. 3 ec2-user ec2-user 74 Jul 10 03:25 .
drwxr-xr-x. 3 root root 22 Jul 10 03:25 ..
-rw-r--r--. 1 ec2-user ec2-user 18 Jan 28 2023 .bash_logout
-rw-r--r--. 1 ec2-user ec2-user 141 Jan 28 2023 .bash_profile
-rw-r--r--. 1 ec2-user ec2-user 492 Jan 28 2023 .bashrc
drwx------. 2 ec2-user ec2-user 29 Jul 10 03:25 .ssh
[ec2-user@ip-172-31-6-169 ~]$ cat /home/ec2-user/.ssh/authorized_keys > /root/.ssh/authorized_keys
-bash: /root/.ssh/authorized_keys: Permission denied
[ec2-user@ip-172-31-6-169 ~]$ sudo cat /home/ec2-user/.ssh/authorized_keys > /root/.ssh/authorized_keys
(only `cat` runs under sudo; the `>` redirection is opened by ec2-user's own shell, which is why the write is still denied below)
-bash: /root/.ssh/authorized_keys: Permission denied
[ec2-user@ip-172-31-6-169 ~]$ sudo su -
[root@ip-172-31-6-169 ~]# ls -la
total 20
dr-xr-x---. 3 root root 103 Jun 28 01:05 .
dr-xr-xr-x. 18 root root 237 Jun 28 01:04 ..
-rw-r--r--. 1 root root 18 Feb 2 2023 .bash_logout
-rw-r--r--. 1 root root 141 Feb 2 2023 .bash_profile
-rw-r--r--. 1 root root 429 Feb 2 2023 .bashrc
-rw-r--r--. 1 root root 100 Feb 2 2023 .cshrc
drwx------. 2 root root 29 Jul 10 03:25 .ssh
-rw-r--r--. 1 root root 129 Feb 2 2023 .tcshrc
[root@ip-172-31-6-169 ~]# cat /home/ec2-user/.ssh/authorized_keys > /root/.ssh/authorized_keys
(`>` replaces whatever root's authorized_keys held with ec2-user's entries; `>>` would append the key, which is what "added to the authorized keys" asks for)
[root@ip-172-31-6-169 ~]# cat /root/.ssh/authorized_keys
ssh-rsa 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 devops-key
[root@ip-172-31-6-169 ~]# cd .ssh
[root@ip-172-31-6-169 .ssh]# ls -la
total 4
drwx------. 2 root root 29 Jul 10 03:25 .
dr-xr-x---. 3 root root 103 Jun 28 01:05 ..
-rw-------. 1 root root 564 Jul 10 03:28 authorized_keys
[root@ip-172-31-6-169 .ssh]# cat /etc/ss
ssh/ ssl/ sssd/
[root@ip-172-31-6-169 .ssh]# cat /etc/ssh/sshd_config
#	$OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $
# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.
# To modify the system-wide sshd configuration, create a *.conf file under
# /etc/ssh/sshd_config.d/ which will be automatically included below
Include /etc/ssh/sshd_config.d/*.conf
# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# Explicitly disable PasswordAuthentication. By presetting it, we
# avoid the cloud-init set_passwords module modifying sshd_config and
# restarting sshd in the default instance launch configuration.
PasswordAuthentication no
PermitEmptyPasswords no
# Change to no to disable s/key passwords
#KbdInteractiveAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
# problems.
#UsePAM no
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server
AuthorizedKeysCommand /opt/aws/bin/eic_run_authorized_keys %u %f
AuthorizedKeysCommandUser ec2-instance-connect
[root@ip-172-31-6-169 .ssh]# vi /etc/ssh/sshd_config
(The edit changes `#PermitRootLogin prohibit-password` to `PermitRootLogin yes`; compare the dump above with the one below. The commented-out default, `prohibit-password`, already lets root log in with a key and only refuses password and keyboard-interactive root logins, so with the key installed in `/root/.ssh/authorized_keys` and `PasswordAuthentication no` already set, the password-less root access the task asks for needs no sshd_config change; `yes` only widens the root login policy. Note also that sshd is never reloaded or restarted in this transcript, so unless a file under `/etc/ssh/sshd_config.d/` sets the option, the final `ssh root@...` below succeeded under the default `prohibit-password`.)
[root@ip-172-31-6-169 .ssh]# cat /etc/ssh/sshd_config
#	$OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $
# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.
# To modify the system-wide sshd configuration, create a *.conf file under
# /etc/ssh/sshd_config.d/ which will be automatically included below
Include /etc/ssh/sshd_config.d/*.conf
# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# Explicitly disable PasswordAuthentication. By presetting it, we
# avoid the cloud-init set_passwords module modifying sshd_config and
# restarting sshd in the default instance launch configuration.
PasswordAuthentication no
PermitEmptyPasswords no
# Change to no to disable s/key passwords
#KbdInteractiveAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
# problems.
#UsePAM no
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server
AuthorizedKeysCommand /opt/aws/bin/eic_run_authorized_keys %u %f
AuthorizedKeysCommandUser ec2-instance-connect
[root@ip-172-31-6-169 .ssh]# exit
logout
[ec2-user@ip-172-31-6-169 ~]$ exit
logout
Connection to 3.83.179.143 closed.
~/.ssh on (us-east-1) ➜ ssh -i devops-key root@3.83.179.143
, #_
~_ ####_ Amazon Linux 2023
~~ _#####
~~ ###|
~~ #/ ___ Linux for the Cloud – Amazon Linux 2023 – Amazon Web Services
~~ V~’ ‘->
~~~ /
~~._. _/
_/ _/
_/m/’
Last login: Wed Jul 10 03:28:11 2024
[root@ip-172-31-6-169 ~]#