Task Passwordless authentication for root user on EC2 (AWS level 2) fails even after getting the desired output please help!

Question
The Nautilus DevOps team needs to set up a new EC2 instance that can be accessed securely from their landing host (aws-client). The instance should be of type t2.micro and named datacenter-ec2. A new SSH key should be created on the aws-client host if it doesn’t already exist. This key should then be added to the authorized keys of the root user on the EC2 instance, allowing password-less SSH access from the aws-client host.
Answer
~ on ☁️  (us-east-1) ➜  cd .ssh/

~/.ssh on ☁️  (us-east-1) ➜  ls -la
total 24
drwx------ 1 root root 4096 Jul 10 03:09 .
drwx------ 1 root root 4096 Jul 10 03:09 ..
-rw------- 1 root root 134 Jul 10 03:09 agent-environment
-r-------- 1 root root 1138 Jul 10 03:09 authorized_keys

~/.ssh on ☁️  (us-east-1) ➜  ssh-keygen -t rsa -f devops-key
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in devops-key
Your public key has been saved in devops-key.pub
The key fingerprint is:
SHA256:E75erqXAZdaJ693b0oMD9G+mAecfKqT1Ab/wZhbX/dE root@aws-client
The key's randomart image is:
+---[RSA 3072]----+
| |
| |
| . |
| . +o. |
| S.++. .o|
| . + +=+= ..E|
| o o+o=oO. o|
| +...@=..|
| =.o==Bo. |
+----[SHA256]-----+

~/.ssh on ☁️  (us-east-1) ➜  cat devops-key.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDzQREavuBnekkKnn03FifSmzCR0N8MhrJlDGbIv7xeDXS2YG16GlfqXilJ5YnnCxGh5MFECDus+5N1L22bSnye29RCsw+2hkcN87WUNE2v25mQHS7uA/XuUwLpAXDfWj/dlZ9oxIJfHQO8QvE1IREQ8ApQxB7/ZXi2JGT+xPeZejjzjBtYhut8ejitBytQ1vCJ2BHakk0mm+e2VTgYxXOU+SYZ5O08k7JxFOXhWUfZWDrH7Cg6W5Kd4Qe19KzWbZT/AprcmTjPyI4GsKhjWw2+enGGpS1UtFUOwSXAPTySFOTleipP5Na22I/8irnEY6sKAEdCbsvjr3IHp8tGPyvLk4Jgr9uw5h2orYjTZVFhAaJGKKgKMwcMxpCoHdvRbPaK4J2Hm/JRmNNy8lmPCvTJy61TVzDEa7gxSHP4hNU0PrBy1ss71rFPCavbIig4a1lTF9AXs2KSBadZhRSjZPeM1y+aAhh/kX0IQVF99ds5XXyM0xWO/lh5hHH5OX0UI9k= root@aws-client

~/.ssh on ☁️  (us-east-1) ➜  ssh -i devops-key ec2-user@3.83.179.143
The authenticity of host '3.83.179.143 (3.83.179.143)' can't be established.
ECDSA key fingerprint is SHA256:srMXzPuBX6Klk7KcPeSttPfveerwRnXGj737bIv0SEY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '3.83.179.143' (ECDSA) to the list of known hosts.
   ,     #_
   ~\_  ####_        Amazon Linux 2023
  ~~  \_#####\
  ~~     \###|
  ~~       \#/ ___   https://aws.amazon.com/linux/amazon-linux-2023
   ~~       V~' '->
    ~~~         /
      ~~._.   _/
         _/ _/
       _/m/'
[ec2-user@ip-172-31-6-169 ~]$ pwd
/home/ec2-user
[ec2-user@ip-172-31-6-169 ~]$ ls -la
total 12
drwx------. 3 ec2-user ec2-user 74 Jul 10 03:25 .
drwxr-xr-x. 3 root     root      22 Jul 10 03:25 ..
-rw-r--r--. 1 ec2-user ec2-user  18 Jan 28  2023 .bash_logout
-rw-r--r--. 1 ec2-user ec2-user 141 Jan 28  2023 .bash_profile
-rw-r--r--. 1 ec2-user ec2-user 492 Jan 28  2023 .bashrc
drwx------. 2 ec2-user ec2-user 29 Jul 10 03:25 .ssh
[ec2-user@ip-172-31-6-169 ~]$ cat /home/ec2-user/.ssh/authorized_keys > /root/.ssh/authorized_keys
-bash: /root/.ssh/authorized_keys: Permission denied
[ec2-user@ip-172-31-6-169 ~]$ sudo cat /home/ec2-user/.ssh/authorized_keys > /root/.ssh/authorized_keys
-bash: /root/.ssh/authorized_keys: Permission denied
[ec2-user@ip-172-31-6-169 ~]$ sudo su -
[root@ip-172-31-6-169 ~]# ls -la
total 20
dr-xr-x---.  3 root root 103 Jun 28 01:05 .
dr-xr-xr-x. 18 root root 237 Jun 28 01:04 ..
-rw-r--r--.  1 root root  18 Feb  2  2023 .bash_logout
-rw-r--r--.  1 root root 141 Feb  2  2023 .bash_profile
-rw-r--r--.  1 root root 429 Feb  2  2023 .bashrc
-rw-r--r--.  1 root root 100 Feb  2  2023 .cshrc
drwx------.  2 root root  29 Jul 10 03:25 .ssh
-rw-r--r--.  1 root root 129 Feb  2  2023 .tcshrc
[root@ip-172-31-6-169 ~]# cat /home/ec2-user/.ssh/authorized_keys > /root/.ssh/authorized_keys
[root@ip-172-31-6-169 ~]# cat /root/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDzQREavuBnekkKnn03FifSmzCR0N8MhrJlDGbIv7xeDXS2YG16GlfqXilJ5YnnCxGh5MFECDus+5N1L22bSnye29RCsw+2hkcN87WUNE2v25mQHS7uA/XuUwLpAXDfWj/dlZ9oxIJfHQO8QvE1IREQ8ApQxB7/ZXi2JGT+xPeZejjzjBtYhut8ejitBytQ1vCJ2BHakk0mm+e2VTgYxXOU+SYZ5O08k7JxFOXhWUfZWDrH7Cg6W5Kd4Qe19KzWbZT/AprcmTjPyI4GsKhjWw2+enGGpS1UtFUOwSXAPTySFOTleipP5Na22I/8irnEY6sKAEdCbsvjr3IHp8tGPyvLk4Jgr9uw5h2orYjTZVFhAaJGKKgKMwcMxpCoHdvRbPaK4J2Hm/JRmNNy8lmPCvTJy61TVzDEa7gxSHP4hNU0PrBy1ss71rFPCavbIig4a1lTF9AXs2KSBadZhRSjZPeM1y+aAhh/kX0IQVF99ds5XXyM0xWO/lh5hHH5OX0UI9k= devops-key
[root@ip-172-31-6-169 ~]# cd .ssh
[root@ip-172-31-6-169 .ssh]# ls -la
total 4
drwx------. 2 root root 29 Jul 10 03:25 .
dr-xr-x---. 3 root root 103 Jun 28 01:05 ..
-rw-------. 1 root root 564 Jul 10 03:28 authorized_keys
[root@ip-172-31-6-169 .ssh]# cat /etc/ss
ssh/ ssl/ sssd/
[root@ip-172-31-6-169 .ssh]# cat /etc/ssh/sshd_config
#	$OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# To modify the system-wide sshd configuration, create a  *.conf  file under
# /etc/ssh/sshd_config.d/ which will be automatically included below
Include /etc/ssh/sshd_config.d/*.conf

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile	.ssh/authorized_keys

#AuthorizedPrincipalsFile none

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# Explicitly disable PasswordAuthentication. By presetting it, we
# avoid the cloud-init set_passwords module modifying sshd_config and
# restarting sshd in the default instance launch configuration.
PasswordAuthentication no
PermitEmptyPasswords no

# Change to no to disable s/key passwords
#KbdInteractiveAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
# problems.
#UsePAM no

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem	sftp	/usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server
AuthorizedKeysCommand /opt/aws/bin/eic_run_authorized_keys %u %f
AuthorizedKeysCommandUser ec2-instance-connect
[root@ip-172-31-6-169 .ssh]# vi /etc/ssh/sshd_config
[root@ip-172-31-6-169 .ssh]# cat /etc/ssh/sshd_config
#	$OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# To modify the system-wide sshd configuration, create a  *.conf  file under
# /etc/ssh/sshd_config.d/ which will be automatically included below
Include /etc/ssh/sshd_config.d/*.conf

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile	.ssh/authorized_keys

#AuthorizedPrincipalsFile none

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# Explicitly disable PasswordAuthentication. By presetting it, we
# avoid the cloud-init set_passwords module modifying sshd_config and
# restarting sshd in the default instance launch configuration.
PasswordAuthentication no
PermitEmptyPasswords no

# Change to no to disable s/key passwords
#KbdInteractiveAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
# problems.
#UsePAM no

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem	sftp	/usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server
AuthorizedKeysCommand /opt/aws/bin/eic_run_authorized_keys %u %f
AuthorizedKeysCommandUser ec2-instance-connect
[root@ip-172-31-6-169 .ssh]# exit
logout
[ec2-user@ip-172-31-6-169 ~]$ exit
logout
Connection to 3.83.179.143 closed.

~/.ssh on ☁️  (us-east-1) ➜  ssh -i devops-key root@3.83.179.143
   ,     #_
   ~\_  ####_        Amazon Linux 2023
  ~~  \_#####\
  ~~     \###|
  ~~       \#/ ___   https://aws.amazon.com/linux/amazon-linux-2023
   ~~       V~' '->
    ~~~         /
      ~~._.   _/
         _/ _/
       _/m/'
Last login: Wed Jul 10 03:28:11 2024
[root@ip-172-31-6-169 ~]#

It is pretty difficult to tell what is going on here, because you did not paste all that output in a code block.

From what I can see

  • You replaced, not added to root’s authorized keys. If there were any keys there already, you overwrote them. If not, then OK. Need to use >> to append to the file.
  • Doesn’t look like you enabled root login in sshd_config. Hard to tell from the mess above, but this line should be uncommented
    #PermitRootLogin prohibit-password
    
    Leaving prohibit-password should allow ssh key login. yes allows any sort of login
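As an added example (not code from any post in this thread), a POSIX shell script that does what the two points above describe and what the Amazon Linux 2023 root entry makes necessary: append with `>>` rather than overwrite, treat an entry that carries a forced command (the `command="echo 'Please login as the user ec2-user ...'"` line that sits in root's authorized_keys on a fresh instance) as not granting login, and read the active `PermitRootLogin` value. The key blob, file names and fixture contents are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from any post in this thread. Adds a public
# key to an authorized_keys file without overwriting what is there, and
# detects or removes the forced-command entry AL2023 keeps for root.

# Key type and base64 blob of a public key file; the comment is
# dropped so "root@aws-client" and "devops-key" match by content.
key_blob() { awk 'NR == 1 { print $1, $2 }' "$1"; }

# Number of entries in $1 that grant plain access for the key in $2.
# A plain entry starts with the key type; the AL2023 root entry starts
# with no-port-forwarding,...,command="echo 'Please login ...'" and so
# does not count, even though it contains the same key.
unrestricted_key_count() {
    awk -v want="$(key_blob "$2")" '
        ($1 " " $2) == want { n++ }
        END { print n + 0 }' "$1"
}

# Append the key in $2 to $1 with >> (never >, which would discard
# existing keys) unless a plain entry is already there.
# Returns 0 when added, 1 when it was already present.
add_authorized_key() {
    akf="$1"; pub="$2"
    ( umask 077; mkdir -p "$(dirname "$akf")"; touch "$akf" )
    if [ "$(unrestricted_key_count "$akf" "$pub")" -gt 0 ]; then
        return 1
    fi
    cat "$pub" >> "$akf"
    chmod 600 "$akf"
}

# Remove entries for the key in $2 that carry an options prefix, i.e.
# the restricted entry whose command prints the "Please login as the
# user ec2-user" message and exits 142. Plain entries are kept.
remove_restricted_entries() {
    akf="$1"; b=$(awk 'NR == 1 { print $2 }' "$2"); tmp="$akf.tmp.$$"
    awk -v b="$b" \
        'index($0, b) && $1 !~ /^(ssh-|ecdsa-|sk-)/ { next } { print }' \
        "$akf" > "$tmp"
    cat "$tmp" > "$akf" && rm -f "$tmp"
}

# First active PermitRootLogin value in one sshd_config file, or the
# OpenSSH default prohibit-password when none is set (that default
# already allows key login for root). sshd takes the first match and
# also reads Include files, so on the instance `sshd -T` is the
# authoritative check; this only reads the one file it is given.
permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" { print $2; found = 1; exit }
         END { if (!found) print "prohibit-password" }' "$1"
}

# Constructed fixtures modelled on the thread: the launch key as the
# client has it, root's authorized_keys with the AL2023 forced command,
# and a stock sshd_config where PermitRootLogin is still commented out.
make_fixtures() {
    d="$1"; mkdir -p "$d"
    echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC_CONSTRUCTED_BLOB root@aws-client' > "$d/devops-key.pub"
    cat > "$d/root_authorized_keys" <<'EOF'
no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user \"ec2-user\" rather than the user \"root\".';echo;sleep 10;exit 142" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC_CONSTRUCTED_BLOB devops-key
EOF
    printf '#PermitRootLogin prohibit-password\nPasswordAuthentication no\n' > "$d/sshd_config"
}
```

Run it against a scratch directory first (`make_fixtures /tmp/x; add_authorized_key /tmp/x/root_authorized_keys /tmp/x/devops-key.pub`); on the instance the real paths are `/root/.ssh/authorized_keys`, `/home/ec2-user/.ssh/authorized_keys` and `/etc/ssh/sshd_config`.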

I’m sorry for the inconvenience. Please find the steps below. I attempted it again and I am able to log in without a password as the root user. Please let me know why it’s failing…


~ on ☁️  (us-east-1) ➜  cd .ssh/

~/.ssh on ☁️  (us-east-1) ➜  ssh-keygen -t rsa -f devops-key 
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in devops-key
Your public key has been saved in devops-key.pub
The key fingerprint is:
SHA256:8cu6Wtj1uuaJ4D7Xbe5lu4isvpp9PrU5s3+ANMssiWY root@aws-client
The key's randomart image is:
+---[RSA 3072]----+
|                 |
|                 |
|        .        |
|         o  o    |
|        S.o= +   |
|       oEooo* .  |
|      ooo.o+.oo. |
|     ..=.+=+B+ ..|
|     .**OOO*==+o |
+----[SHA256]-----+

~/.ssh on ☁️  (us-east-1) ➜  ls
agent-environment  authorized_keys  devops-key  devops-key.pub

~/.ssh on ☁️  (us-east-1) ➜  cat devops-key.pub 
ssh-rsa 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 root@aws-client

~/.ssh on ☁️  (us-east-1) ➜  ssh -i devops-key ec2-user@54.157.10.170
The authenticity of host '54.157.10.170 (54.157.10.170)' can't be established.
ECDSA key fingerprint is SHA256:MSgGN62vtsLJylHQMTWViyL43rHN5BYtXf5lfL08ldE.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '54.157.10.170' (ECDSA) to the list of known hosts.
   ,     #_
   ~\_  ####_        Amazon Linux 2023
  ~~  \_#####\
  ~~     \###|
  ~~       \#/ ___   https://aws.amazon.com/linux/amazon-linux-2023
   ~~       V~' '->
    ~~~         /
      ~~._.   _/
         _/ _/
       _/m/'
[ec2-user@ip-172-31-24-196 ~]$ ls -la
total 12
drwx------. 3 ec2-user ec2-user  74 Jul 11 00:36 .
drwxr-xr-x. 3 root     root      22 Jul 11 00:36 ..
-rw-r--r--. 1 ec2-user ec2-user  18 Jan 28  2023 .bash_logout
-rw-r--r--. 1 ec2-user ec2-user 141 Jan 28  2023 .bash_profile
-rw-r--r--. 1 ec2-user ec2-user 492 Jan 28  2023 .bashrc
drwx------. 2 ec2-user ec2-user  29 Jul 11 00:36 .ssh
[ec2-user@ip-172-31-24-196 ~]$ cat .ssh/authorized_keys 
ssh-rsa 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 devops-key
[ec2-user@ip-172-31-24-196 ~]$ sudo su -
[root@ip-172-31-24-196 ~]# cp /home/ec2-user/.ssh/authorized_keys >> /root/.ssh/authorized_keys 
cp: missing destination file operand after '/home/ec2-user/.ssh/authorized_keys'
Try 'cp --help' for more information.
[root@ip-172-31-24-196 ~]# cat /home/ec2-user/.ssh/authorized_keys >> /root/.ssh/authorized_keys 
[root@ip-172-31-24-196 ~]# cat /root/.ssh/authorized_keys
no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user \"ec2-user\" rather than the user \"root\".';echo;sleep 10;exit 142" ssh-rsa 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 devops-key
ssh-rsa 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 devops-key
[root@ip-172-31-24-196 ~]# vi /root/.ssh/authorized_keys
[root@ip-172-31-24-196 ~]# cat /root/.ssh/authorized_keys
ssh-rsa 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 devops-key
[root@ip-172-31-24-196 ~]# ls -la 
total 24
dr-xr-x---.  3 root root  119 Jul 11 00:40 .
dr-xr-xr-x. 18 root root  237 Jul  5 19:25 ..
-rw-r--r--.  1 root root   18 Feb  2  2023 .bash_logout
-rw-r--r--.  1 root root  141 Feb  2  2023 .bash_profile
-rw-r--r--.  1 root root  429 Feb  2  2023 .bashrc
-rw-r--r--.  1 root root  100 Feb  2  2023 .cshrc
drwx------.  2 root root   29 Jul 11 00:40 .ssh
-rw-r--r--.  1 root root  129 Feb  2  2023 .tcshrc
-rw-------.  1 root root 2305 Jul 11 00:40 .viminfo
[root@ip-172-31-24-196 ~]# cd .ssh/
[root@ip-172-31-24-196 .ssh]# ls -la
total 4
drwx------. 2 root root  29 Jul 11 00:40 .
dr-xr-x---. 3 root root 119 Jul 11 00:40 ..
-rw-------. 1 root root 564 Jul 11 00:40 authorized_keys
[root@ip-172-31-24-196 .ssh]# vi /etc/ssh/sshd_config
[root@ip-172-31-24-196 .ssh]# cat /etc/ssh/sshd_config | grep -i "password-prohibit"
[root@ip-172-31-24-196 .ssh]# cat /etc/ssh/sshd_config | grep -i "password"
PermitRootLogin prohibit-password
# Explicitly disable PasswordAuthentication. By presetting it, we
# avoid the cloud-init set_passwords module modifying sshd_config and
PasswordAuthentication no
PermitEmptyPasswords no
# Change to no to disable s/key passwords
# PasswordAuthentication.  Depending on your PAM configuration,
# the setting of "PermitRootLogin without-password".
# PAM authentication, then enable this but set PasswordAuthentication
[root@ip-172-31-24-196 .ssh]# exit 
logout
[ec2-user@ip-172-31-24-196 ~]$ exit 
logout
Connection to 54.157.10.170 closed.

~/.ssh on ☁️  (us-east-1) ➜  cd ~

~ on ☁️  (us-east-1) ➜  ssh -i ~/.ssh/devops-key root@54.157.10.170
   ,     #_
   ~\_  ####_        Amazon Linux 2023
  ~~  \_#####\
  ~~     \###|
  ~~       \#/ ___   https://aws.amazon.com/linux/amazon-linux-2023
   ~~       V~' '->
    ~~~         /
      ~~._.   _/
         _/ _/
       _/m/'
Last login: Thu Jul 11 00:38:10 2024
[root@ip-172-31-24-196 ~]# 

So where exactly does it fail, and what does it say when it tells you it has failed? I just did that lab and it is able to pass without having to edit sshd_config.

As long as you have the following working before you end the lab (IP address of EC2 instance is different every time)

~ on ☁️  (us-east-1) ➜ ssh 52.91.52.216

and it logs directly in as root, then it should pass the question.

It passed after trying multiple times. Thank you.

~ on ☁️  (us-east-1) ➜  cd .ssh/

~/.ssh on ☁️  (us-east-1) ➜  ssh-keygen -t rsa -f dev-key
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in dev-key
Your public key has been saved in dev-key.pub
The key fingerprint is:
SHA256:9MYa92rto047j8IUu3hcez4/+avmZEQwagJw5/IUn8E root@aws-client
The key's randomart image is:
+---[RSA 3072]----+
|   ..o o.. o     |
|    . + oE+ o    |
|     . +.=   .   |
|      +.+o  .    |
|       .So=  .   |
|        o=...    |
|       =.o.o.o . |
|      . *.++B.o  |
|       . +*B**o+o|
+----[SHA256]-----+

~/.ssh on ☁️  (us-east-1) ➜  ls -la
total 32
drwx------ 1 root root 4096 Jul 11 23:37 .
drwx------ 1 root root 4096 Jul 11 23:36 ..
-rw------- 1 root root  134 Jul 11 23:36 agent-environment
-r-------- 1 root root 1138 Jul 11 23:36 authorized_keys
-rw------- 1 root root 2602 Jul 11 23:37 dev-key
-rw-r--r-- 1 root root  569 Jul 11 23:37 dev-key.pub

~/.ssh on ☁️  (us-east-1) ➜  ssh-add ~/.ssh/devops-key
/root/.ssh/devops-key: No such file or directory

~/.ssh on ☁️  (us-east-1) ✖ ssh-add ~/.ssh/dev-key
Identity added: /root/.ssh/dev-key (root@aws-client)
~/.ssh on ☁️  (us-east-1) ➜  cat dev-key.pub 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDFO1fn0PFEjqO9tmUjtdL9XmlHH3skXAGSmhhnkSIF4Le9zsYKmH+01I8yaV/Nk7Ur68H++JM+cgwtJ1UvXjJ07IWRZp2TJpfDIhhKkY6Mm3eZQEvkuEuyS/0VCUe0Ww0xd8okTZdL4ULKWowrjduzvmq+nSviQ/cbHgcoNdQGeYJZYCfHawwdFIYqKdNhdWWQC4iFhZ8ReDemkgRN+F/T8OhbjyG81hi8Pj8IAflMm6NSoA+w/Lk14spJLUk3BHOrd20Bgez47zQg974xajEgFDDGdYxxXHqwPAO+QEEsMTXjMvMJPb9r/AL9T1M9cGEOmN2Xz+TJYbdwfEPVOX5BUTfLWJQkXla0/5nqT9KwnoVZbGZhx8/O5uj6iuqwZ/C3ALmSsn0LseSne8fpW/0n0vqpHdpur5LyWiLzTkwa8MQORv0UY1kZSQpI4n8hYLSpw2fZSzJh7+tYlNmValxCOJxfa6BNT/zLeC8vVApuKB3e/q+KpVLqKPnb2wg0pnM= root@aws-client

~/.ssh on ☁️  (us-east-1) ➜  ssh ec2-user@35.153.183.7
The authenticity of host '35.153.183.7 (35.153.183.7)' can't be established.
ECDSA key fingerprint is SHA256:/I7U7rhjTbRN5kMplivr4ZHtGwy1XAC+99//0TajhrA.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '35.153.183.7' (ECDSA) to the list of known hosts.
   ,     #_
   ~\_  ####_        Amazon Linux 2023
  ~~  \_#####\
  ~~     \###|
  ~~       \#/ ___   https://aws.amazon.com/linux/amazon-linux-2023
   ~~       V~' '->
    ~~~         /
      ~~._.   _/
         _/ _/
       _/m/'
[ec2-user@ip-172-31-35-134 ~]$ sudo su -
[root@ip-172-31-35-134 ~]# vi ~/.ssh/authorized_keys 
[root@ip-172-31-35-134 ~]# cat ~/.ssh/authorized_keys 
ssh-rsa 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 dev-key
[root@ip-172-31-35-134 ~]# exit 
logout
[ec2-user@ip-172-31-35-134 ~]$ exit 
logout
Connection to 35.153.183.7 closed.

~/.ssh on ☁️  (us-east-1) ➜  ssh root@35.153.183.7
   ,     #_
   ~\_  ####_        Amazon Linux 2023
  ~~  \_#####\
  ~~     \###|
  ~~       \#/ ___   https://aws.amazon.com/linux/amazon-linux-2023
   ~~       V~' '->
    ~~~         /
      ~~._.   _/
         _/ _/
       _/m/'
Last login: Thu Jul 11 23:42:27 2024
[root@ip-172-31-35-134 ~]# 

Thanks for your help, for me this was the key:
~/.ssh on ☁️  (us-east-1) ✖ ssh-add ~/.ssh/dev-key
then I solved the problem.