User management on linux based EC2 in AWS


Multiple Users

If you’re the only one who needs to access EC2 instances, then having just one default account created at instance launch is good enough. However, what do you do when you need to give access to more users? This AWS guide is a good place to start. It details a step-by-step guide to adding a new user. After trying it out, I felt that a few important steps were missing, such as generating the key from the instance and giving sudo privilege to the new user. So I will try to address these issues in this post.

Add a new user

The first step is, of course, to SSH into your EC2 instance. Once logged in, issue the following command.

$ sudo adduser newuser

Note that the AWS guide says you should add the --disabled-password option to avoid setting a password on the account.

Now that the user has been created, switch to the new account.

$ sudo su - newuser

You should see a newuser prompt now. Check that you are in newuser's home directory.

$ pwd
/home/newuser

If not, issue cd to change to newuser's home directory.

Creating SSH key

In order for newuser to access this instance, the account needs an SSH key. The public key is stored in the .ssh/authorized_keys file. So, create the directory first.

$ mkdir .ssh
$ chmod 700 .ssh

This will create the directory and give it the appropriate permission (read, write and execute for the owner only).

Create an SSH key.

$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/newuser/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/newuser/.ssh/id_rsa.
Your public key has been saved in /home/newuser/.ssh/id_rsa.pub.

You can accept default values and create the key without a passphrase.

Let’s rename the public key file.

$ mv .ssh/id_rsa.pub .ssh/authorized_keys

Give the appropriate permission to the key file.

$ chmod 600 .ssh/authorized_keys

Important: Save the .ssh/id_rsa file locally. This is basically the same as the key pair file you download when you create a key pair from the AWS management console.

$ cat .ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
$ rm .ssh/id_rsa

Copy everything from -----BEGIN RSA PRIVATE KEY----- to -----END RSA PRIVATE KEY-----, paste it into a text editor and save a local copy. I delete the key file after I save a local copy. This file is like the .pem key file you download when you create a key pair from the AWS management console, so you should always keep a secure copy of it.

Test to see if you can log in with the key file. If you use PuTTY on Windows, convert the key to a .ppk file with PuTTYgen.

sudo privilege

The user should be able to log in now. If you wish to give sudo privilege to newuser, then you should add newuser to the sudoers file. From the root account, do the following.

$ sudo visudo

Under

root    ALL=(ALL)       ALL

add two more lines, so it looks like this.

root    ALL=(ALL)       ALL
newuser ALL=(ALL)       ALL
newuser ALL=NOPASSWD:  ALL

The second line gives sudo privilege to newuser and the third line allows newuser to use sudo without a password (this is optional). Since sudo applies the last matching entry, the NOPASSWD line must come after the other one to take effect.

Login with newuser again and test the sudo command.

If everything works, then you’re done! Repeat as necessary for additional users.
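The whole procedure above as one script, added here as an example that is not part of the original post. It assumes an Ubuntu-style adduser (with --disabled-password), a home directory under /home/<user>, an ed25519 key in place of the RSA key shown above, and it writes the sudo rule to a /etc/sudoers.d drop-in checked with visudo -cf instead of editing /etc/sudoers by hand.

```shell
#!/bin/sh
# Added example (not from the original post). Run as root on an Ubuntu-style
# instance: sudo sh provision.sh newuser   (assumes home in /home/<user>)
set -eu

# Put one public key line in $1/.ssh/authorized_keys with the permissions
# sshd insists on: 700 on .ssh, 600 on authorized_keys.
install_authorized_key() {
  home="$1"; pubkey="$2"
  mkdir -p "$home/.ssh"
  chmod 700 "$home/.ssh"
  printf '%s\n' "$pubkey" > "$home/.ssh/authorized_keys"
  chmod 600 "$home/.ssh/authorized_keys"
}

# Emit the sudoers rule for $1; "$2" = nopasswd adds the NOPASSWD tag.
# One line is enough: sudo applies the last matching entry anyway.
sudoers_rule() {
  if [ "${2:-password}" = nopasswd ]; then
    printf '%s ALL=(ALL) NOPASSWD: ALL\n' "$1"
  else
    printf '%s ALL=(ALL) ALL\n' "$1"
  fi
}

# Write the rule as a drop-in and check it with visudo -cf; a rule that
# fails the check is removed rather than left where sudo would read it.
install_sudoers_rule() {
  f="/etc/sudoers.d/$1"
  sudoers_rule "$1" "${2:-password}" > "$f"
  chmod 440 "$f"
  visudo -cf "$f" || { rm -f "$f"; return 1; }
}

# The whole procedure: create the account, generate a key on the instance as
# the post does (ed25519 here), install the public half, print the private
# half once for the operator to save locally, then delete it.
provision_user() {
  user="$1"; tmp="$(mktemp -d)"
  adduser --disabled-password --gecos "" "$user"
  ssh-keygen -q -t ed25519 -N "" -f "$tmp/key" -C "$user@ec2"
  install_authorized_key "/home/$user" "$(cat "$tmp/key.pub")"
  chown -R "$user:$user" "/home/$user/.ssh"
  install_sudoers_rule "$user" password
  echo "Save this private key locally now; it is deleted from the instance:"
  cat "$tmp/key"
  rm -rf "$tmp"
}
if [ $# -eq 1 ]; then provision_user "$1"; fi
```

Pass nopasswd instead of password to install_sudoers_rule if you want the optional passwordless variant from the section above.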

Changing keys

If you simply wish to change the key pair assigned to a user, then repeat the steps from ssh-keygen onward and overwrite the .ssh/authorized_keys file. This method can also be used to change the key pair you obtained at instance launch. When you’re changing keys for a root user account (ec2-user/root/ubuntu), make sure you are able to log in with the new key from a different workstation before exiting the terminal session, or you might lock yourself out of the instance!
