How do I add new user accounts with SSH access to my Amazon EC2 Linux instance?

7 minute read
2

I want to add new user accounts that can connect to my Amazon Elastic Compute Cloud (Amazon EC2) Linux instance using SSH.

Short description

Every Amazon EC2 Linux instance launches with a default system user account with administrative access to the instance. If multiple users require access to the instance, then it's a security best practice to use separate accounts for each user.

You can expedite these steps by using cloud-init and user data. For more information, see How do I add new user accounts with SSH access to my EC2 instance using cloud-init and user data?

Resolution

Create a key pair for the new user account

Create a key pair using the Amazon EC2 console

1.    Open the Amazon EC2 console.

2.    Select Network & Security, Key Pairs.

3.    Select Create key pair.

4.    For Name, enter a descriptive name for the key pair. Amazon EC2 associates the public key with the name that you specify as the key name. A key name can include up to 255 ASCII characters with no leading or trailing spaces.

5.    For Key pair type, choose RSA, ED25519.

6.    For Private key file format, choose the format to save the private key to. Choose pem to save the private key in a format that can be used with OpenSSH. Choose ppk to save the private key in a format that can be used with PuTTY.

7.    To add a tag to the public key, choose Add tag, and enter the key and value for the tag. Repeat for each tag.

8.    Choose Create key pair.

9.    The private key file automatically downloads. The base file name is the name that you specified as the name of your key pair. The file name extension is determined by the file format that you chose. Save the private key file in a safe place.

10.    If you're using an SSH client on a macOS or Linux computer to connect to your Linux instance, then run the following command:

chmod 400 key-pair-name.pem

The preceding command sets the permissions of your private key file so that only you can read it. If you don't set these permissions, then you can't connect to your instance using this key pair. For more information, see Error: Unprotected private key file.

Create a key pair using the AWS Command Line Interface (AWS CLI)

Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.

1.    Use the create-key-pair command to generate the key pair and save the private key to a .pem file.

For --key-name, specify a name for the public key. The name can be up to 255 ASCII characters.

For --key-type, specify rsa or ed25519. If you don't include the --key-type parameter, an rsa key created by default. Note that ED25519 keys aren't supported for Windows instances.

For --key-format, specify pem or ppk. If you don't include the --key-format parameter, a pem file is created by default.

--query "KeyMaterial" prints the private key material to the output.

--output text > my-key-pair.pem saves the private key material in a file with the specified extension. The extension can be .pem or .ppk. The private key can have a name that's different from the public key name, but for ease of use, use the same name.

aws ec2 create-key-pair \
    --key-name my-key-pair \
    --key-type rsa \
    --key-format pem \
    --query "KeyMaterial" \
    --output text > my-key-pair.pem>

2.    If you're using an SSH client on a macOS or Linux computer to connect to your Linux instance, then run the following command:

chmod 400 key-pair-name.pem

The preceding command sets the permissions of your private key file so that only you can read it. If you don't set these permissions, then you can't connect to your instance using this key pair. For more information, see Error: Unprotected private key file.

Add a new user to the EC2 Linux instance

1.    Connect to your Linux instance using SSH.

2.    Use the adduser command to add a new user account to an EC2 instance (replace new_user with the new account name). The following example creates an associated group, home directory, and an entry in the /etc/passwd file of the instance.

$ sudo adduser new_user

The home directory might not be created by default in some configurations. Verify that the home directory was created before continuing.

Note: If you add the new_user to an Ubuntu instance, then include the --disabled-password option to avoid adding a password to the new account:

$ sudo adduser new_user --disabled-password

3.    Change the security context to the new_user account so that folders and files you create have the correct permissions:

$ sudo su - new_user

Note: When you run the sudo su - new_user command, the name at the top of the command shell prompt changes to reflect the new user account context of your shell session.

4.    Create a .ssh directory in the new_user home directory:

$ mkdir .ssh

5.    Use the chmod command to change the .ssh directory's permissions to 700. Changing the permissions restricts access so that only the new_user can read, write, or open the .ssh directory.

$ chmod 700 .ssh

6.    Use the touch command to create the authorized_keys file in the .ssh directory:

$ touch .ssh/authorized_keys

7.    Use the chmod command to change the .ssh/authorized_keys file permissions to 600. Changing the file permissions restricts read or write access to the new_user.

$ chmod 600 .ssh/authorized_keys

Retrieve the public key for your key pair

Retrieve the public key for your key pair using the method that applies to your configuration:

Verify your key pair's fingerprint

After you import your own public key or retrieve the public key for your key pair, follow the steps at Verify your key pair's fingerprint.

Update and verify the new user account credentials

After you retrieve the public key, confirm that you have permission to add the public key to the .ssh/authorized_keys file for this account:

1.    Run the Linux cat command in append mode:

$ cat >> .ssh/authorized_keys

2.    Paste the public key into the .ssh/authorized_keys file and then press Enter.

Note: For most Linux command line interfaces, the Ctrl+Shift+V key combination pastes the contents of the clipboard into the command line window. For the PuTTY command line interface, right-click to paste the contents of the clipboard into the PuTTY command line window.

3.    Press and hold Ctrl+d to exit cat and return to the command line session prompt.

Verify that the new user can use SSH to connect to the EC2 instance

1.    Run the following command from a command line prompt on your local computer:

$ ssh -i /path/new_key_pair.pem new_user@public_dns_name_of_EC2_Linux_instance

To connect to your EC2 Linux instance using SSH from Windows, follow the steps at Connect to your Linux instance from Windows using PuTTY.

Note: If you receive errors when trying to connect, then see Troubleshoot connecting to your instance.

2.    Run the id command from the instance's command line to view the user and group information created for the new_user account:

$ id

The id command returns information similar to the following:

uid=1004(new_user) gid=1004(new_user) groups=1004(new_user)

3.    Distribute the private key file to your new user.

Related information

Manage users on your Linux instance

AWS OFFICIAL
AWS OFFICIALUpdated 2 years ago