If you’re the only one who needs to access your EC2 instances, then the single default account created at instance launch is good enough. But what do you do when you need to give access to more users? This AWS guide is a good place to start: it walks through adding a new user step by step. After trying it out, I felt that a few important steps were missing, such as generating the key on the instance and giving sudo privileges to the new user. So I will try to address those issues in this post.
Add a new user
The first step is, of course, to SSH into your EC2 instance. Once logged in, run the following command.
$ sudo adduser newuser
Note that the AWS guide says you should add the --disabled-password option so that no password is set on the account.
Now that the user has been created, switch to the new account.
$ sudo su - newuser
You should see a newuser prompt now. Check that you are in newuser's home directory.
$ pwd
/home/newuser
If not, run cd to change to newuser's home directory.
Creating SSH key
In order for newuser to access this instance, the account needs an SSH key. The account's public key is stored in the .ssh/authorized_keys file in its home directory. So, create the directory first.
$ mkdir .ssh
$ chmod 700 .ssh
This creates the directory and gives it the appropriate permissions (read, write and execute for the owner only).
Create an SSH key.
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/newuser/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/newuser/.ssh/id_rsa.
Your public key has been saved in /home/newuser/.ssh/id_rsa.pub.
You can accept default values and create the key without a passphrase.
Let’s rename the public key file.
$ mv .ssh/id_rsa.pub .ssh/authorized_keys
Give the appropriate permission to the key file.
$ chmod 600 .ssh/authorized_keys
Important: Save the .ssh/id_rsa file locally. It plays the same role as the key pair file you download when you create a key pair from the AWS management console.
$ cat .ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
(key material omitted)
-----END RSA PRIVATE KEY-----
$ rm .ssh/id_rsa
Copy everything from -----BEGIN RSA PRIVATE KEY----- to -----END RSA PRIVATE KEY-----, paste it into a text editor and save a local copy. I delete the key file after I save a local copy. This file is like the .pem key file you download when you create a key pair from the AWS management console, so you should always keep a secure copy of it.
Test that you can log in with the key file. If you use PuTTY on Windows, convert the key to a .ppk file with PuTTYgen.
The user should be able to log in now. If you wish to give sudo privileges to newuser, then you need to add newuser to the sudoers file. From the root account, do the following.
$ sudo visudo
root ALL=(ALL) ALL
Add two more lines, so it looks like this.
root ALL=(ALL) ALL
newuser ALL=(ALL) ALL
newuser ALL=NOPASSWD: ALL
The second line gives sudo privileges to newuser and the third line allows newuser to use sudo without a password (this is optional).
Log in as newuser again and test the sudo command.
If everything works, then you’re done! Repeat as necessary for additional users.
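The steps above as checked shell functions, added here as an example and not code from the original post; install_authorized_key, verify_ssh_layout, sudoers_entry and grant_sudo are hypothetical names. It assumes the public key file is supplied by the caller (generated on your workstation with ssh-keygen, so the private key never has to be copied off the instance) and that /etc/sudoers includes /etc/sudoers.d, as on stock Ubuntu and Amazon Linux images.

```shell
# Added example, not the post's own code. Assumes the caller supplies a
# public key generated on the workstation and that /etc/sudoers includes
# /etc/sudoers.d (as on stock Ubuntu and Amazon Linux images).
set -eu

mode_of()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }  # GNU, then BSD
owner_of() { stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"; }

# install_authorized_key USER HOME_DIR PUBKEY_FILE: append one public key with
# the modes the post sets (700 on .ssh, 600 on the file). Refuses input that is
# not a public key line, so id_rsa cannot be installed in place of id_rsa.pub.
install_authorized_key() {
  user=$1; home=$2; pub=$3
  grep -Eq '^(ssh-(rsa|ed25519)|ecdsa-sha2-[a-z0-9-]+) ' "$pub" \
    || { echo "$pub is not an OpenSSH public key" >&2; return 1; }
  mkdir -p "$home/.ssh"
  chmod 700 "$home/.ssh"
  cat "$pub" >> "$home/.ssh/authorized_keys"
  chmod 600 "$home/.ssh/authorized_keys"
  # Ownership only needs fixing when run as root (sudo) for another user;
  # sshd ignores an authorized_keys file owned by someone else.
  [ "$(id -u)" -eq 0 ] && chown -R "$user" "$home/.ssh"
  return 0
}

# verify_ssh_layout USER HOME_DIR: 0 when modes and ownership match the post
verify_ssh_layout() {
  d=$2/.ssh; f=$2/.ssh/authorized_keys
  [ "$(mode_of "$d")" = 700 ] && [ "$(mode_of "$f")" = 600 ] &&
    [ "$(owner_of "$d")" = "$1" ] && [ "$(owner_of "$f")" = "$1" ]
}

# sudoers_entry USER [nopasswd]: the single line needed. "NOPASSWD: ALL" on
# its own grants full sudo and skips the prompt, so the post's separate
# "newuser ALL=(ALL) ALL" line is redundant when it is used.
sudoers_entry() {
  if [ "${2:-}" = nopasswd ]; then printf '%s ALL=(ALL) NOPASSWD: ALL\n' "$1"
  else printf '%s ALL=(ALL) ALL\n' "$1"; fi
}

# grant_sudo USER [nopasswd]: drop-in file checked by visudo, so a typo is
# rolled back instead of breaking sudo for every account (root only).
grant_sudo() {
  f=/etc/sudoers.d/$1
  sudoers_entry "$1" "${2:-}" > "$f"
  chmod 440 "$f"
  visudo -cf "$f" >/dev/null || { rm -f "$f"; return 1; }
}
```

Run as root on the instance: install_authorized_key newuser /home/newuser /tmp/newuser.pub, then verify_ssh_layout newuser /home/newuser and grant_sudo newuser nopasswd.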
If you simply wish to change the key pair assigned to a user, repeat the steps from ssh-keygen onward and overwrite the .ssh/authorized_keys file. The same method can be used to replace the key pair you obtained at instance launch. When you’re changing keys for the default administrative account (ec2-user, root or ubuntu), make sure you are able to log in with the new key from a different workstation before exiting the terminal session, or you might lock yourself out of the instance!