August 14, 2009

Password protecting AMI instance

Hello All,

I have a Fedora instance running at Amazon EC2.

I log into the instance using a keypair with the following command:

ssh -i key.pem root@instance.com

where key.pem is a keypair and instance.com is a running instance.


I am able to log into the system without any issues. But I want the system to prompt for a password too, along with the keypair.

How do I do it?


Hi Ralph,

Thanks for the answer :) It took ages to get this answer ;)



Hello Kunal,

please bear in mind that the whole purpose of an SSH-based login is to replace the password login with something more secure: the use of a secret key to provide a digital signature instead of a cleartext password (on the wire).

That's why it is a bad idea to return to password logins. Here is how you can proceed:

Usually the secret key resides only on your local machine, but with EC2 it is also stored here without protection. Another bad idea.
That, in essence, is the reason why you are not asked for a root password when you use your key.pem.

If you protect your secret key with a password and reliably remove the unprotected one, everyone who wants to log in as root on the instance will have to provide this password in order to get access to your instance.

Personally, I would not use the old one for this purpose, as someone might have copied this unprotected file already. So you need to create a new one, which also will be unprotected. But then you can simply set a password with the following command and remove the unprotected file from the system:

ssh-keygen -p -P "" -N "thisisthenewpassword" -f yourunprotected.pem

This command would overwrite the unprotected file with the new password protected rewritten secret key.

If you use it, you will be prompted for the password to unlock the (protected) secret key, and then it is used to create a digital signature which eventually lets you log into the instance.

Ralph

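Ralph's advice hinges on one step that is easy to get wrong: deleting the unprotected key before confirming that the rewritten one is really passphrase-protected. The following is an added example (mine, not from this thread or from Amazon) that inspects a private key file and reports whether it is encrypted. It understands the classic PEM container that `ssh-keygen` wrote in 2009 (OpenSSL marks encrypted keys with a `Proc-Type: 4,ENCRYPTED` header) and, going beyond the thread, the newer `OPENSSH PRIVATE KEY` container, whose first wire-format string is the cipher name (`none` means unprotected). The sample key texts at the bottom are constructed placeholders, not real keys.

```python
"""Report whether an SSH private key file is passphrase-protected.

Added example, not code from the thread. Run it against key.pem after
`ssh-keygen -p -N "<passphrase>" -f key.pem` and before removing any
unprotected copy.
"""
import base64
import struct
import sys
import textwrap

OPENSSH_MAGIC = b"openssh-key-v1\x00"   # leading bytes of the openssh-key-v1 blob


def _read_string(buf, offset):
    """Read one SSH wire-format string: uint32 big-endian length, then the bytes."""
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start = offset + 4
    return buf[start:start + length], start + length


def _pem_body(text):
    """Base64-decode the lines between the BEGIN and END armour lines."""
    lines = [l.strip() for l in text.strip().splitlines()]
    return base64.b64decode("".join(lines[1:-1]))


def _openssh_cipher(text):
    """Return the ciphername field of an OPENSSH PRIVATE KEY block."""
    blob = _pem_body(text)
    if not blob.startswith(OPENSSH_MAGIC):
        raise ValueError("not an openssh-key-v1 blob")
    cipher, _ = _read_string(blob, len(OPENSSH_MAGIC))
    return cipher.decode("ascii")


def key_is_protected(text):
    """True if the key needs a passphrase, False if it is stored in the clear."""
    if "-----BEGIN OPENSSH PRIVATE KEY-----" in text:
        return _openssh_cipher(text) != "none"
    if "PRIVATE KEY-----" in text:
        # Classic PEM (RSA/DSA/EC): OpenSSL adds this header only to encrypted keys.
        return "Proc-Type: 4,ENCRYPTED" in text
    raise ValueError("not a recognised private key file")


# --- constructed samples (placeholders, not real key material) -------------

SAMPLE_PLAIN_PEM = """-----BEGIN RSA PRIVATE KEY-----
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END RSA PRIVATE KEY-----
"""

SAMPLE_ENCRYPTED_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00000000000000000000000000000000

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END RSA PRIVATE KEY-----
"""


def make_openssh_key_text(cipher):
    """Build a minimal, constructed openssh-key-v1 container with the given cipher."""
    def s(b):                       # wire-format string
        return struct.pack(">I", len(b)) + b
    kdf = b"bcrypt" if cipher != "none" else b"none"
    blob = (OPENSSH_MAGIC + s(cipher.encode()) + s(kdf) + s(b"")
            + struct.pack(">I", 1) + s(b"\x00" * 16) + s(b"\x00" * 32))
    body = "\n".join(textwrap.wrap(base64.b64encode(blob).decode(), 70))
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + body
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


if __name__ == "__main__":
    # Usage: python check_key.py key.pem   (falls back to the samples if no path)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            print(sys.argv[1], "protected" if key_is_protected(fh.read()) else "UNPROTECTED")
    else:
        for name, txt in [("plain pem", SAMPLE_PLAIN_PEM),
                          ("encrypted pem", SAMPLE_ENCRYPTED_PEM),
                          ("openssh aes256-ctr", make_openssh_key_text("aes256-ctr")),
                          ("openssh none", make_openssh_key_text("none"))]:
            print(name, "->", "protected" if key_is_protected(txt) else "UNPROTECTED")
```

The header check is deliberately read-only: it never needs the passphrase, so it can run in a pre-deletion step or a periodic audit of `~/.ssh` without prompting. Note that it only tells you the file is encrypted, not how strong the passphrase is.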


Tried to figure out how it works. But I guess it doesn't work the way I wanted.
So we decided to go with password login.

I edited the sshd_config file and set the:
PasswordAuthentication Yes

And disabled root login.

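The last post enables `PasswordAuthentication` and disables root login by editing `sshd_config`. Two details of how sshd reads that file matter when you audit the result: keywords are case-insensitive, and for each keyword the first value encountered wins, while anything after a `Match` line applies only to matching sessions. The following is an added example (mine, not from the thread) that parses a config with those rules and flags the settings the thread touches; the sample config is constructed to mirror the change described above.

```python
"""Audit the global section of an sshd_config for the settings the thread changes.

Added example, not from the thread. Parsing rules reproduced here: '#'
starts a comment, keywords are case-insensitive, 'Key value' and 'Key=value'
are both accepted, the first value for a keyword wins, and lines after a
'Match' block are conditional and therefore not part of the global section.
"""
import re


def parse_sshd_config(text):
    """Return {keyword_lower: first_value} for the global (pre-Match) section."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break                       # conditional section: stop the global scan
        effective.setdefault(key, value)  # sshd keeps the first value it sees
    return effective


def audit_sshd_config(text):
    """Return (effective_settings, findings) where each finding is (keyword, note)."""
    eff = parse_sshd_config(text)
    findings = []
    # PasswordAuthentication defaults to yes when absent (sshd_config(5)).
    if eff.get("passwordauthentication", "yes").lower() == "yes":
        findings.append(("PasswordAuthentication",
                         "password logins accepted: the host is exposed to online "
                         "password guessing; set it to no once key login is confirmed "
                         "working, or at least rate-limit and log failed attempts"))
    if eff.get("permitrootlogin", "").lower() == "yes":
        findings.append(("PermitRootLogin",
                         "root may log in directly; prefer an unprivileged user with sudo"))
    if eff.get("pubkeyauthentication", "yes").lower() == "no":
        findings.append(("PubkeyAuthentication",
                         "key-based login disabled; only passwords remain"))
    return eff, findings


# Constructed sample: the change described in the post, plus a later duplicate
# and a Match block to show which lines sshd actually honours globally.
SAMPLE_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
PasswordAuthentication Yes
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no      # ignored: sshd keeps the first value
Match User deploy
    PasswordAuthentication no  # conditional, not global
"""


if __name__ == "__main__":
    settings, notes = audit_sshd_config(SAMPLE_CONFIG)
    for k in ("passwordauthentication", "permitrootlogin", "pubkeyauthentication"):
        print(f"{k:24s} = {settings.get(k, '<unset>')}")
    for keyword, note in notes:
        print(f"[finding] {keyword}: {note}")
```

One caveat worth knowing before copying the thread's change: `PermitRootLogin no` blocks root entirely, key-based logins included, so the instance needs a non-root account (with `sudo` if needed) before that line is applied, or the next reconnect fails.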