Task Passwordless authentication for root user on EC2 (AWS level 2) fails even after getting the desired output please help!

Question
The Nautilus DevOps team needs to set up a new EC2 instance that can be accessed securely from their landing host (aws-client). The instance should be of type t2.micro and named datacenter-ec2. A new SSH key should be created on the aws-client host if it doesn’t already exist. This key should then be added to the authorized keys of the root user on the EC2 instance, allowing password-less SSH access from the aws-client host.
Answer
~ on ☁️  (us-east-1) ➜  cd .ssh/

~/.ssh on ☁️  (us-east-1) ➜  ls -la
total 24
drwx------ 1 root root 4096 Jul 10 03:09 .
drwx------ 1 root root 4096 Jul 10 03:09 ..
-rw------- 1 root root  134 Jul 10 03:09 agent-environment
-r-------- 1 root root 1138 Jul 10 03:09 authorized_keys

~/.ssh on ☁️  (us-east-1) ➜  ssh-keygen -t rsa -f devops-key
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in devops-key
Your public key has been saved in devops-key.pub
The key fingerprint is:
SHA256:E75erqXAZdaJ693b0oMD9G+mAecfKqT1Ab/wZhbX/dE root@aws-client
The key's randomart image is:
+---[RSA 3072]----+
| |
| |
| . |
| . +o. |
| S.++. .o|
| . + +=+= ...E|
| o o+o=oO. o|
| +....@=...|
| =.o==Bo. |
+----[SHA256]-----+

~/.ssh on ☁️  (us-east-1) ➜  cat devops-key.pub
ssh-rsa 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 root@aws-client

~/.ssh on ☁️  (us-east-1) ➜  ssh -i devops-key ec2-user@3.83.179.143
The authenticity of host '3.83.179.143 (3.83.179.143)' can't be established.
ECDSA key fingerprint is SHA256:srMXzPuBX6Klk7KcPeSttPfveerwRnXGj737bIv0SEY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '3.83.179.143' (ECDSA) to the list of known hosts.
   ,     #_
   ~\_  ####_        Amazon Linux 2023
  ~~  \_#####\
  ~~     \###|
  ~~       \#/ ___   Linux for the Cloud – Amazon Linux 2023 – Amazon Web Services
   ~~       V~' '->
    ~~~         /
      ~~._.   _/
         _/ _/
       _/m/'
[ec2-user@ip-172-31-6-169 ~]$ pwd
/home/ec2-user
[ec2-user@ip-172-31-6-169 ~]$ ls -la
total 12
drwx------. 3 ec2-user ec2-user  74 Jul 10 03:25 .
drwxr-xr-x. 3 root     root      22 Jul 10 03:25 ..
-rw-r--r--. 1 ec2-user ec2-user  18 Jan 28  2023 .bash_logout
-rw-r--r--. 1 ec2-user ec2-user 141 Jan 28  2023 .bash_profile
-rw-r--r--. 1 ec2-user ec2-user 492 Jan 28  2023 .bashrc
drwx------. 2 ec2-user ec2-user  29 Jul 10 03:25 .ssh
[ec2-user@ip-172-31-6-169 ~]$ cat /home/ec2-user/.ssh/authorized_keys > /root/.ssh/authorized_keys
-bash: /root/.ssh/authorized_keys: Permission denied
[ec2-user@ip-172-31-6-169 ~]$ sudo cat /home/ec2-user/.ssh/authorized_keys > /root/.ssh/authorized_keys
-bash: /root/.ssh/authorized_keys: Permission denied
[ec2-user@ip-172-31-6-169 ~]$ sudo su -
[root@ip-172-31-6-169 ~]# ls -la
total 20
dr-xr-x---.  3 root root 103 Jun 28 01:05 .
dr-xr-xr-x. 18 root root 237 Jun 28 01:04 ..
-rw-r--r--.  1 root root  18 Feb  2  2023 .bash_logout
-rw-r--r--.  1 root root 141 Feb  2  2023 .bash_profile
-rw-r--r--.  1 root root 429 Feb  2  2023 .bashrc
-rw-r--r--.  1 root root 100 Feb  2  2023 .cshrc
drwx------.  2 root root  29 Jul 10 03:25 .ssh
-rw-r--r--.  1 root root 129 Feb  2  2023 .tcshrc
[root@ip-172-31-6-169 ~]# cat /home/ec2-user/.ssh/authorized_keys > /root/.ssh/authorized_keys
[root@ip-172-31-6-169 ~]# cat /root/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDzQREavuBnekkKnn03FifSmzCR0N8MhrJlDGbIv7xeDXS2YG16GlfqXilJ5YnnCxGh5MFECDus+5N1L22bSnye29RCsw+2hkcN87WUNE2v25mQHS7uA/XuUwLpAXDfWj/dlZ9oxIJfHQO8QvE1IREQ8ApQxB7/ZXi2JGT+xPeZejjzjBtYhut8ejitBytQ1vCJ2BHakk0mm+e2VTgYxXOU+SYZ5O08k7JxFOXhWUfZWDrH7Cg6W5Kd4Qe19KzWbZT/AprcmTjPyI4GsKhjWw2+enGGpS1UtFUOwSXAPTySFOTleipP5Na22I/8irnEY6sKAEdCbsvjr3IHp8tGPyvLk4Jgr9uw5h2orYjTZVFhAaJGKKgKMwcMxpCoHdvRbPaK4J2Hm/JRmNNy8lmPCvTJy61TVzDEa7gxSHP4hNU0PrBy1ss71rFPCavbIig4a1lTF9AXs2KSBadZhRSjZPeM1y+aAhh/kX0IQVF99ds5XXyM0xWO/lh5hHH5OX0UI9k= devops-key
[root@ip-172-31-6-169 ~]# cd .ssh
[root@ip-172-31-6-169 .ssh]# ls -la
total 4
drwx------. 2 root root  29 Jul 10 03:25 .
dr-xr-x---. 3 root root 103 Jun 28 01:05 ..
-rw-------. 1 root root 564 Jul 10 03:28 authorized_keys
[root@ip-172-31-6-169 .ssh]# cat /etc/ss
ssh/ ssl/ sssd/
[root@ip-172-31-6-169 .ssh]# cat /etc/ssh/sshd_config
# $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# To modify the system-wide sshd configuration, create a *.conf file under
# /etc/ssh/sshd_config.d/ which will be automatically included below
Include /etc/ssh/sshd_config.d/*.conf

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys

#AuthorizedPrincipalsFile none

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# Explicitly disable PasswordAuthentication. By presetting it, we
# avoid the cloud-init set_passwords module modifying sshd_config and
# restarting sshd in the default instance launch configuration.
PasswordAuthentication no
PermitEmptyPasswords no

# Change to no to disable s/key passwords
#KbdInteractiveAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
# problems.
#UsePAM no

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server
AuthorizedKeysCommand /opt/aws/bin/eic_run_authorized_keys %u %f
AuthorizedKeysCommandUser ec2-instance-connect
[root@ip-172-31-6-169 .ssh]# vi /etc/ssh/sshd_config
[root@ip-172-31-6-169 .ssh]# cat /etc/ssh/sshd_config
# $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# To modify the system-wide sshd configuration, create a *.conf file under
# /etc/ssh/sshd_config.d/ which will be automatically included below
Include /etc/ssh/sshd_config.d/*.conf

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys

#AuthorizedPrincipalsFile none

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# Explicitly disable PasswordAuthentication. By presetting it, we
# avoid the cloud-init set_passwords module modifying sshd_config and
# restarting sshd in the default instance launch configuration.
PasswordAuthentication no
PermitEmptyPasswords no

# Change to no to disable s/key passwords
#KbdInteractiveAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
# problems.
#UsePAM no

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server
AuthorizedKeysCommand /opt/aws/bin/eic_run_authorized_keys %u %f
AuthorizedKeysCommandUser ec2-instance-connect
[root@ip-172-31-6-169 .ssh]# exit
logout
[ec2-user@ip-172-31-6-169 ~]$ exit
logout
Connection to 3.83.179.143 closed.

~/.ssh on ☁️  (us-east-1) ➜  ssh -i devops-key root@3.83.179.143
   ,     #_
   ~\_  ####_        Amazon Linux 2023
  ~~  \_#####\
  ~~     \###|
  ~~       \#/ ___   Linux for the Cloud – Amazon Linux 2023 – Amazon Web Services
   ~~       V~' '->
    ~~~         /
      ~~._.   _/
         _/ _/
       _/m/'
Last login: Wed Jul 10 03:28:11 2024
[root@ip-172-31-6-169 ~]#

It is pretty difficult to tell what is going on here, because you did not paste all that output in a code block.

From what I can see

  • You replaced, not added to root’s authorized keys. If there were any keys there already, you overwrote them. If not, then OK. Need to use >> to append to the file.
  • Doesn’t look like you enabled root login in sshd_config. Hard to tell from the mess above, but this line should be uncommented
    #PermitRootLogin prohibit-password
    
    Leaving prohibit-password should allow ssh key login. yes allows any sort of login

I’m sorry for the inconvenience. Please find the steps below. I attempted it again and I am able to log in without password for root user. Please let me know why it’s failing…


~ on ☁️  (us-east-1) ➜  cd .ssh/

~/.ssh on ☁️  (us-east-1) ➜  ssh-keygen -t rsa -f devops-key 
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in devops-key
Your public key has been saved in devops-key.pub
The key fingerprint is:
SHA256:8cu6Wtj1uuaJ4D7Xbe5lu4isvpp9PrU5s3+ANMssiWY root@aws-client
The key's randomart image is:
+---[RSA 3072]----+
|                 |
|                 |
|        .        |
|         o  o    |
|        S.o= +   |
|       oEooo* .  |
|      ooo.o+.oo. |
|     ..=.+=+B+ ..|
|     .**OOO*==+o |
+----[SHA256]-----+

~/.ssh on ☁️  (us-east-1) ➜  ls
agent-environment  authorized_keys  devops-key  devops-key.pub

~/.ssh on ☁️  (us-east-1) ➜  cat devops-key.pub 
ssh-rsa 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 root@aws-client

~/.ssh on ☁️  (us-east-1) ➜  ssh -i devops-key [email protected]
The authenticity of host '54.157.10.170 (54.157.10.170)' can't be established.
ECDSA key fingerprint is SHA256:MSgGN62vtsLJylHQMTWViyL43rHN5BYtXf5lfL08ldE.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '54.157.10.170' (ECDSA) to the list of known hosts.
   ,     #_
   ~\_  ####_        Amazon Linux 2023
  ~~  \_#####\
  ~~     \###|
  ~~       \#/ ___   https://aws.amazon.com/linux/amazon-linux-2023
   ~~       V~' '->
    ~~~         /
      ~~._.   _/
         _/ _/
       _/m/'
[ec2-user@ip-172-31-24-196 ~]$ ls -la
total 12
drwx------. 3 ec2-user ec2-user  74 Jul 11 00:36 .
drwxr-xr-x. 3 root     root      22 Jul 11 00:36 ..
-rw-r--r--. 1 ec2-user ec2-user  18 Jan 28  2023 .bash_logout
-rw-r--r--. 1 ec2-user ec2-user 141 Jan 28  2023 .bash_profile
-rw-r--r--. 1 ec2-user ec2-user 492 Jan 28  2023 .bashrc
drwx------. 2 ec2-user ec2-user  29 Jul 11 00:36 .ssh
[ec2-user@ip-172-31-24-196 ~]$ cat .ssh/authorized_keys 
ssh-rsa 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 devops-key
[ec2-user@ip-172-31-24-196 ~]$ sudo su -
[root@ip-172-31-24-196 ~]# cp /home/ec2-user/.ssh/authorized_keys >> /root/.ssh/authorized_keys 
cp: missing destination file operand after '/home/ec2-user/.ssh/authorized_keys'
Try 'cp --help' for more information.
[root@ip-172-31-24-196 ~]# cat /home/ec2-user/.ssh/authorized_keys >> /root/.ssh/authorized_keys 
[root@ip-172-31-24-196 ~]# cat /root/.ssh/authorized_keys
no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user \"ec2-user\" rather than the user \"root\".';echo;sleep 10;exit 142" ssh-rsa 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 devops-key
ssh-rsa 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 devops-key
[root@ip-172-31-24-196 ~]# vi /root/.ssh/authorized_keys
[root@ip-172-31-24-196 ~]# cat /root/.ssh/authorized_keys
ssh-rsa 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 devops-key
[root@ip-172-31-24-196 ~]# ls -la 
total 24
dr-xr-x---.  3 root root  119 Jul 11 00:40 .
dr-xr-xr-x. 18 root root  237 Jul  5 19:25 ..
-rw-r--r--.  1 root root   18 Feb  2  2023 .bash_logout
-rw-r--r--.  1 root root  141 Feb  2  2023 .bash_profile
-rw-r--r--.  1 root root  429 Feb  2  2023 .bashrc
-rw-r--r--.  1 root root  100 Feb  2  2023 .cshrc
drwx------.  2 root root   29 Jul 11 00:40 .ssh
-rw-r--r--.  1 root root  129 Feb  2  2023 .tcshrc
-rw-------.  1 root root 2305 Jul 11 00:40 .viminfo
[root@ip-172-31-24-196 ~]# cd .ssh/
[root@ip-172-31-24-196 .ssh]# ls -la
total 4
drwx------. 2 root root  29 Jul 11 00:40 .
dr-xr-x---. 3 root root 119 Jul 11 00:40 ..
-rw-------. 1 root root 564 Jul 11 00:40 authorized_keys
[root@ip-172-31-24-196 .ssh]# vi /etc/ssh/sshd_config
[root@ip-172-31-24-196 .ssh]# cat /etc/ssh/sshd_config | grep -i "password-prohibit"
[root@ip-172-31-24-196 .ssh]# cat /etc/ssh/sshd_config | grep -i "password"
PermitRootLogin prohibit-password
# Explicitly disable PasswordAuthentication. By presetting it, we
# avoid the cloud-init set_passwords module modifying sshd_config and
PasswordAuthentication no
PermitEmptyPasswords no
# Change to no to disable s/key passwords
# PasswordAuthentication.  Depending on your PAM configuration,
# the setting of "PermitRootLogin without-password".
# PAM authentication, then enable this but set PasswordAuthentication
[root@ip-172-31-24-196 .ssh]# exit 
logout
[ec2-user@ip-172-31-24-196 ~]$ exit 
logout
Connection to 54.157.10.170 closed.

~/.ssh on ☁️  (us-east-1) ➜  cd ~

~ on ☁️  (us-east-1) ➜  ssh -i ~/.ssh/devops-key [email protected]
   ,     #_
   ~\_  ####_        Amazon Linux 2023
  ~~  \_#####\
  ~~     \###|
  ~~       \#/ ___   https://aws.amazon.com/linux/amazon-linux-2023
   ~~       V~' '->
    ~~~         /
      ~~._.   _/
         _/ _/
       _/m/'
Last login: Thu Jul 11 00:38:10 2024
[root@ip-172-31-24-196 ~]# 
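The line that `cat /root/.ssh/authorized_keys` turned up in the post above is the detail that decides this task: the key the instance was launched with is already present for root, but with `command="echo 'Please login as the user ec2-user ...';...;exit 142"` in front of it. sshd acts on the first line whose key matches, so appending the same key with `>>` leaves the restricted copy ahead of the new one (which is why the entry had to be deleted in vi), while `>` as used in the first post wipes whatever was there. The script below is an added example, not code from the thread or from AWS: a POSIX shell helper that adds a public key to an authorized_keys file exactly once, removes a restricted copy of the same key material first, sets the 700/600 permissions StrictModes insists on, and lists entries that carry a forced command. Function names, paths and the key material in the fixture are all made up for the demo.

```shell
#!/bin/sh
# Added example for this thread (not code from the posts or from AWS): manage an
# authorized_keys file the way the task needs.
#   key_material       - strip options/comment so two entries can be compared
#   restricted_entries - list entries carrying command= or restrict: the key
#                        authenticates, but the session runs that command, never a shell
#   authorize_key      - append a key exactly once; a restricted copy of the same key
#                        is removed first, because sshd acts on the first matching line
#   make_fixture       - constructed sample data (fake key material) used by demo
# Paths are arguments; nothing here touches /root unless you point it there.

key_material() {   # stdin: authorized_keys lines; stdout: "keytype base64" per entry
    awk '
        /^[[:space:]]*(#|$)/ { next }
        {
            # Options may contain quoted spaces, so locate the key-type token
            # instead of assuming a field position.
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh|ecdsa))/) {
                    print $i, $(i + 1); break
                }
        }'
}

restricted_entries() {   # stdin: authorized_keys; stdout: restricted entries, truncated
    awk '
        /^[[:space:]]*(#|$)/ { next }
        {
            opts = ""   # everything before the key type is the option list
            for (i = 1; i <= NF && $i !~ /^(ssh-|ecdsa-sha2-|sk-)/; i++) opts = opts " " $i
            if (opts ~ /[ ,](command=|restrict([ ,]|$))/) print substr($0, 1, 70) "..."
        }'
}

authorize_key() {   # authorize_key PUBKEY_FILE AUTH_FILE
    pub=$1
    auth=$2
    dir=$(dirname "$auth")
    mkdir -p "$dir" && chmod 700 "$dir"        # StrictModes rejects looser perms
    [ -f "$auth" ] || : > "$auth"
    chmod 600 "$auth"

    new=$(key_material < "$pub")
    [ -n "$new" ] || { echo "no public key found in $pub" >&2; return 2; }
    publine=$(grep -v '^[[:space:]]*#' "$pub" | head -n 1)

    tmp="$auth.tmp.$$"
    : > "$tmp"
    kept=0
    while IFS= read -r line || [ -n "$line" ]; do
        if [ "$(printf '%s\n' "$line" | key_material)" = "$new" ]; then
            case $line in
                "$new"*)   # unrestricted copy already present: keep the first one only
                    [ "$kept" -eq 0 ] && printf '%s\n' "$line" >> "$tmp"
                    kept=1 ;;
                *)         # same key with options in front: drop it so it cannot shadow ours
                    echo "dropping restricted entry: $(printf '%s' "$line" | cut -c1-60)..." >&2 ;;
            esac
        else
            printf '%s\n' "$line" >> "$tmp"  # unrelated keys are preserved (>> not >)
        fi
    done < "$auth"
    [ "$kept" -eq 1 ] || printf '%s\n' "$publine" >> "$tmp"
    cat "$tmp" > "$auth" && rm -f "$tmp"     # rewrite in place: keeps owner and SELinux label
}

make_fixture() {   # make_fixture DIR: the thread's situation, with fake key material
    mkdir -p "$1/root/.ssh"
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDEXAMPLEKEYMATERIAL000000000000000= devops-key\n' \
        > "$1/devops-key.pub"
    # Same key, pre-installed for root with a forced command (shape copied from the thread).
    cat > "$1/root/.ssh/authorized_keys" <<'EOF'
no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user \"ec2-user\" rather than the user \"root\".';echo;sleep 10;exit 142" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDEXAMPLEKEYMATERIAL000000000000000= devops-key
EOF
}

demo() {
    t=$(mktemp -d)
    make_fixture "$t"
    echo "restricted before:"; restricted_entries < "$t/root/.ssh/authorized_keys"
    authorize_key "$t/devops-key.pub" "$t/root/.ssh/authorized_keys"
    echo "file after:";        cat "$t/root/.ssh/authorized_keys"
    rm -rf "$t"
}
```

Source the file and run `demo` to see the forced-command entry reported and then replaced by a single clean line; on the instance you would call `authorize_key /tmp/devops-key.pub /root/.ssh/authorized_keys` as root instead. The comparison is done on key type plus base64 only, so the comment (`devops-key` versus `root@aws-client`) does not cause duplicates, and the file is rewritten through its existing inode rather than moved so ownership and the SELinux label stay as they were.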

So where exactly does it fail and what does it say when it tells you it is failed? I just did that lab and it is able to pass without having to edit sshd_config

As long as you have the following working before you end the lab (IP address of EC2 instance is different every time)

~ on ☁️  (us-east-1) ➜ ssh 52.91.52.216

and it logs directly in as root, then it should pass the question.

It passed after trying multiple times. Thank you.

~ on ☁️  (us-east-1) ➜  cd .ssh/

~/.ssh on ☁️  (us-east-1) ➜  ssh-keygen -t rsa -f dev-key
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in dev-key
Your public key has been saved in dev-key.pub
The key fingerprint is:
SHA256:9MYa92rto047j8IUu3hcez4/+avmZEQwagJw5/IUn8E root@aws-client
The key's randomart image is:
+---[RSA 3072]----+
|   ..o o.. o     |
|    . + oE+ o    |
|     . +.=   .   |
|      +.+o  .    |
|       .So=  .   |
|        o=...    |
|       =.o.o.o . |
|      . *.++B.o  |
|       . +*B**o+o|
+----[SHA256]-----+

~/.ssh on ☁️  (us-east-1) ➜  ls -la
total 32
drwx------ 1 root root 4096 Jul 11 23:37 .
drwx------ 1 root root 4096 Jul 11 23:36 ..
-rw------- 1 root root  134 Jul 11 23:36 agent-environment
-r-------- 1 root root 1138 Jul 11 23:36 authorized_keys
-rw------- 1 root root 2602 Jul 11 23:37 dev-key
-rw-r--r-- 1 root root  569 Jul 11 23:37 dev-key.pub

~/.ssh on ☁️  (us-east-1) ➜  ssh-add ~/.ssh/devops-key
/root/.ssh/devops-key: No such file or directory

~/.ssh on ☁️  (us-east-1) ✖ ssh-add ~/.ssh/dev-key
Identity added: /root/.ssh/dev-key (root@aws-client)
~/.ssh on ☁️  (us-east-1) ➜  cat dev-key.pub 
ssh-rsa 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 root@aws-client

~/.ssh on ☁️  (us-east-1) ➜  ssh [email protected]
The authenticity of host '35.153.183.7 (35.153.183.7)' can't be established.
ECDSA key fingerprint is SHA256:/I7U7rhjTbRN5kMplivr4ZHtGwy1XAC+99//0TajhrA.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '35.153.183.7' (ECDSA) to the list of known hosts.
   ,     #_
   ~\_  ####_        Amazon Linux 2023
  ~~  \_#####\
  ~~     \###|
  ~~       \#/ ___   https://aws.amazon.com/linux/amazon-linux-2023
   ~~       V~' '->
    ~~~         /
      ~~._.   _/
         _/ _/
       _/m/'
[ec2-user@ip-172-31-35-134 ~]$ sudo su -
[root@ip-172-31-35-134 ~]# vi ~/.ssh/authorized_keys 
[root@ip-172-31-35-134 ~]# cat ~/.ssh/authorized_keys 
ssh-rsa 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 dev-key
[root@ip-172-31-35-134 ~]# exit 
logout
[ec2-user@ip-172-31-35-134 ~]$ exit 
logout
Connection to 35.153.183.7 closed.

~/.ssh on ☁️  (us-east-1) ➜  ssh [email protected]
   ,     #_
   ~\_  ####_        Amazon Linux 2023
  ~~  \_#####\
  ~~     \###|
  ~~       \#/ ___   https://aws.amazon.com/linux/amazon-linux-2023
   ~~       V~' '->
    ~~~         /
      ~~._.   _/
         _/ _/
       _/m/'
Last login: Thu Jul 11 23:42:27 2024
[root@ip-172-31-35-134 ~]# 

Thanks for your help, for me this was the key:
~/.ssh on ☁️  (us-east-1) ✖ ssh-add ~/.ssh/dev-key
then I solved the problem.

You launch the instance with devops-key and then connect with the public IP? I am not able to launch the instance with devops-key. Is there anything I am missing? Can you explain? Thanks.

Steps:

  • create a ssh key-pair on the aws-client.
  • create instance(datacenter-ec2) from AWS console and connect to it from there itself.
  • copy the public key that gets created in step 1.
  • paste it in the authorized_keys file of the root user in datacenter-ec2 instance.

that’s it you should be able to ssh from the aws-client to datacenter-ec2, don’t complicate the task.

@Srikanth_Reddy I am still not getting the final result. I have run these commands:
ssh-keygen -t rsa -f devops-key
launch ec2 instance
copy devops-key.pub
paste into /root/.ssh/autherised_keys
but I am not able to log in: [email protected]: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

Did you edit sshd_config on the EC2 instance to permit root login? By default, direct login as root is not allowed by any means.

See my post above Task Passwordless authentication for root user on EC2 (AWS level 2) fails even after getting the desired output please help! - #2 by Alistair_KodeKloud

@Alistair_KodeKloud
I remember doing this task recently and I didn’t have to change the sshd_config. :thinking:

@Nagireddy
did you try to login as root instead of ec2-user and specify your private key path as you aren’t using default name while generating? Also I think it is just a typo in the authorized_keys file name.
ssh -i <private_key_path> root@<ip_address>
If it didn’t work edit the sshd_config file as suggested by @Alistair_KodeKloud.

Unusual. It’s generally an accepted baseline security consideration to disable remote root logins by default, and is usually how a default installation of sshd is configured.

I tried that task again, I can confirm that I didn’t have to edit the sshd_config file to be able to login(via ssh) as root.

At least we know the task is solvable, and doesn’t have bugs :slight_smile:
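Whether sshd_config needs editing comes down to one effective value, and grepping the file alone can mislead: the file shown earlier in this thread begins with `Include /etc/ssh/sshd_config.d/*.conf`, and sshd keeps the first value it reads for a keyword, so a drop-in can override what the main file shows (the default, `prohibit-password`, already permits key login as root, which is why the task passes without edits). The check that settles it is `sshd -T`, which prints the effective configuration. The script below is an added example, not the thread's or OpenSSH's code: it reads that output on stdin and says whether a public-key login as root can work at all. The sample dumps are constructed to match the defaults visible in the thread, and the drop-in file name in a comment is hypothetical.

```shell
#!/bin/sh
# Added example for this thread (not code from the posts or from OpenSSH): decide
# from sshd's *effective* configuration ("sshd -T" output on stdin) whether a
# public-key login as root is possible, instead of grepping sshd_config, which an
# Include'd drop-in can override.

# effective KEYWORD < sshd-T-output: print the value (keywords are lower-case in
# sshd -T output; multi-token values such as AuthorizedKeysFile are kept whole).
effective() {
    awk -v k="$1" 'tolower($1) == k { $1 = ""; sub(/^ /, ""); print; exit }'
}

# root_pubkey_login_possible < sshd-T-output
# exit 0 with a summary when root key login is possible, else exit 1 with the reason.
root_pubkey_login_possible() {
    cfg=$(cat)
    prl=$(printf '%s\n' "$cfg" | effective permitrootlogin)
    pka=$(printf '%s\n' "$cfg" | effective pubkeyauthentication)
    akf=$(printf '%s\n' "$cfg" | effective authorizedkeysfile)
    pwa=$(printf '%s\n' "$cfg" | effective passwordauthentication)

    case $prl in
        yes|prohibit-password|without-password) ;;   # without-password: pre-7.0 spelling
        *) echo "blocked: PermitRootLogin is '${prl:-unset}'"; return 1 ;;
    esac
    [ "$pka" = yes ] || { echo "blocked: PubkeyAuthentication is '${pka:-unset}'"; return 1; }
    case " $akf " in
        *" .ssh/authorized_keys "*) ;;
        *) echo "blocked: AuthorizedKeysFile is '${akf:-unset}', ~/.ssh/authorized_keys is not read"; return 1 ;;
    esac
    echo "ok: PermitRootLogin=$prl PubkeyAuthentication=$pka AuthorizedKeysFile=$akf"
    # The caveat raised in the thread: "yes" also exposes root to password guessing
    # whenever passwords are enabled; prohibit-password is enough for the task.
    if [ "$prl" = yes ] && [ "$pwa" = yes ]; then
        echo "warning: root can also log in with a password; prefer prohibit-password"
    fi
}

# Constructed samples in the shape of "sshd -T" output (not captured from a host).
# SAMPLE_DEFAULT mirrors the defaults visible in the thread: prohibit-password,
# passwords off, and the EC2 Instance Connect AuthorizedKeysCommand.
SAMPLE_DEFAULT='port 22
permitrootlogin prohibit-password
pubkeyauthentication yes
passwordauthentication no
authorizedkeysfile .ssh/authorized_keys
authorizedkeyscommand /opt/aws/bin/eic_run_authorized_keys %u %f
authorizedkeyscommanduser ec2-instance-connect'

# What a hypothetical drop-in such as sshd_config.d/50-hardening.conf would yield
# while "grep PermitRootLogin /etc/ssh/sshd_config" still shows the commented default.
SAMPLE_ROOT_DISABLED='permitrootlogin no
pubkeyauthentication yes
passwordauthentication no
authorizedkeysfile .ssh/authorized_keys'

SAMPLE_ROOT_PASSWORD='permitrootlogin yes
pubkeyauthentication yes
passwordauthentication yes
authorizedkeysfile .ssh/authorized_keys'

demo() {
    for s in SAMPLE_DEFAULT SAMPLE_ROOT_DISABLED SAMPLE_ROOT_PASSWORD; do
        eval "v=\$$s"
        printf '%s: ' "$s"
        printf '%s\n' "$v" | root_pubkey_login_possible || true
    done
}
```

On the instance, run it as root with `sshd -T | root_pubkey_login_possible`; if the configuration has Match blocks, add `-C user=root,addr=<client ip>` to `sshd -T` so the values printed are the ones root would actually get. Note the option value reads `prohibit-password`, not `password-prohibit`, which matters if you grep for it.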

I have successfully completed this task. I added the devops.pub key to authorized_keys on the EC2 instance and copied the same into the authorized keys, then it worked fine. Thanks for your assistance @Alistair_KodeKloud @Srikanth_Reddy Nagireddy

@Alistair_KodeKloud
How do I access the EC2 instance from aws-client without a .pem key?

I am trying to connect to the EC2 instance with the generated pub key but cannot access it.

~/.ssh on ☁️  (us-east-1) ➜  ls -la
total 32
drwx------ 1 root root 4096 Jan 11 19:18 .
drwx------ 1 root root 4096 Jan 11 19:02 ..
-rw------- 1 root root  134 Jan 11 19:02 agent-environment
-r-------- 1 root root 1138 Jan 11 19:02 authorized_keys
-rw------- 1 root root 2602 Jan 11 19:18 nautituls
-rw-r--r-- 1 root root  569 Jan 11 19:18 nautituls.pub

~/.ssh on ☁️  (us-east-1) ➜  ssh -i nautituls [email protected]
The authenticity of host '44.213.88.15 (44.213.88.15)' can't be established.
ECDSA key fingerprint is SHA256:8D5U+CnFaRfu3fU96ZUaAoAM0JE/uEj6YqsqPEjja8c.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '44.213.88.15' (ECDSA) to the list of known hosts.
[email protected]: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

You created this with ssh-keygen right? And the task is the task as described further up this thread?

Now you need to get the content of this file into the authorized_keys file for root on the ec2 instance. You can login to the EC2 instance from the AWS console, edit the required file, then you should be able to do

ssh -i ~/.ssh/nautituls root@<ip address>

Hi @Alistair_KodeKloud, thanks for the reply. I can now access EC2 from aws-client, but the task is still not completed. I am getting this error:

SSH access is not configured correctly for instance xfusion-ec2

Since this lab seems to be causing so much confusion, let’s walk through it.

You need to do the following steps

  1. Deploy an EC2 instance using the AWS console. Choose Amazon Linux as the type. In the settings page, ensure it is using GP2 disk type. It does not require a key pair. We are going to create that later. Launch the instance, and then edit its name to the name stated in the question (e.g. datacenter-ec2 or whatever it asks). Note that if you forget to set the name or set it incorrectly, the task will fail as the grader will not be able to locate the EC2 instance.
  2. When the instance has finished launching, connect to it. Right click instance, select Connect, then select EC2 Instance Connect. You should get a terminal on the instance logged in as ec2-user. Now do sudo -i to become root.
  3. Back at the lab terminal, create a key pair
    ssh-keygen
    
    Accept the defaults.
  4. Run the following
    cat .ssh/id_rsa.pub
    
    Copy the key output
  5. Back at the EC2 instance in the console
    vi .ssh/authorized_keys
    
    Paste the key you copied to the end of this file. Save and exit vi.
    Note the public IP address of the EC2 instance, you will need it in the next step.
  6. Back at the lab terminal, test the connection. The IP address will be different for you.
    ~ on ☁️  (us-east-1) ➜  ssh root@54.161.54.252
    The authenticity of host '54.161.54.252 (54.161.54.252)' can't be established.
    ECDSA key fingerprint is SHA256:WL/GGUvz1UrPoMWJgP8ECq4z7rMUkkCVoM8uRj1jPGM.
    Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
    Warning: Permanently added '54.161.54.252' (ECDSA) to the list of known hosts.
       ,     #_
       ~\_  ####_        Amazon Linux 2023
      ~~  \_#####\
      ~~     \###|
      ~~       \#/ ___   https://aws.amazon.com/linux/amazon-linux-2023
       ~~       V~' '->
        ~~~         /
          ~~._.   _/
             _/ _/
           _/m/'
    [root@ip-172-31-43-159 ~]# 
    
    

We are done.


@Alistair_KodeKloud Done… Thank you…!