Questions about SSH EC2 logon

0

I am just trying to clarify my understanding around remote access to EC2 Linux instances, I always use Ubuntu. Part of my confusion probably comes from 20 years as a Windows admin LOL!

  1. You can only access your instance via ssh with key pairs, not with a password, correct? And this is an AWS requirement, not a general Linux requirement, correct?
  2. If 1. is true, the only way to add other sysadmin users is to share the default Ubuntu user and private key, or adduser, create new keys and manually edit settings like the .ssh/authorized_keys file.
  3. There is no root login. So is my understanding correct? To confuse me further I read this in AWS documentation:

Note: By default, password authentication and root login are disabled, and sudo is enabled. To log in to your instance, you must use a key pair. For more information about logging in, see Connect to your Linux instance. You can allow password authentication and root login for your instance. For more information, see the documentation for your operating system.


So the second paragraph seems to indicate that you can configure ssh access without key pairs? Confusing, because everywhere else AWS tells you no. And I am not sure exactly what OS documentation this is referring to. Okay, of course I understand key pairs and the security advantage. But it can be problematic, or I do not know the workarounds. For example, I was following a tutorial on installing a web application on Ubuntu. The first step was to log in as root and create a user necessary for the application. Well, I couldn't log in as root, so I did sudo adduser and added the permissions necessary. But when I su -newuser, the user never worked correctly for the project. Just one example. Thank you!

Barry
asked 8 months ago, 518 views
2 Answers
0
Accepted Answer

The first step was to login with root, and create a user necessary for the application. Well, I couldn't login with root

Assuming you're logged in as ubuntu, try sudo su - to become root.

But when I su -newuser, the user never worked correctly for the project

As ubuntu (or root), try sudo su - newuser.

The question about why this is needed is really an SSH question rather than an AWS question.

You're correct that it's for security reasons that Linux EC2s created from Amazon AMIs are accessible only using an SSH key, with the private key known only to you. Passwords are not allowed, and direct login as root is not allowed.

Think for a minute what would happen if passwords were allowed out-of-the-box. You'd have a scenario where, as soon as an IP address came alive in the AWS address range, bots would start attacking it on port 22, trying to find a way in using simple dictionary words for the password to well-known accounts like ec2-user, ubuntu, centos as well as root. You can say that the user should protect themselves with strong passwords and limit the security group rules (and you'd be right) but there's still too much of an exposure there for AWS to offer this up as a service to their customers.

It is possible to enable passwords for SSH, and/or to enable direct login as root, and a quick Google search will tell you what these are (I don't think it's wise even for me to post links to these in this reply).

There's no restriction on trying these out yourself, I would just caution that if something goes wrong and the SSH config gets messed up enough then you can lose access to the whole EC2 instance. Have a play around on a throwaway EC2 instance, and if possible limit port 22 of the security group to just your IP address. Even better, access via a bastion host (that is exposed to the internet, accessible only by SSH keys) and place your password-enabled EC2 in a private subnet behind that.

It's hard to think of a use-case that would require password access to a Linux EC2 and that couldn't use keys, but you may have one. If you need to do it then be careful, and even then only on EC2s that are not exposed to the internet, such as those in a private subnet or accessible only over Direct Connect or VPN.

EXPERT
Steve_M
answered 8 months ago
reviewed 3 months ago
  • Steve, thank you for your detailed response. I am beginning to see that my questions arise from my experience in the private cloud and data center rather than public. I have 25 years as a sysadmin/engineer but all in the private data center, and I have not done much with Linux/Unix for the last 20 years except for accessing the shell for VMware or Linux based appliances. So here I am learning AWS and refreshing my Linux skills. So yes, anytime you want to access EC2 remotely it is exposing it to the world, so thanks for the reminder and I understand. And as much as I prefer remote terminal access via SSH, I do realize there is access via the management console, and yesterday I was accidentally forced to learn how to enable Session Manager. I do have a question though, if you don't mind. How are groups that need access managed? For example, my last job was with a huge healthcare organization, and I was on a team of 10 sysadmins and engineers. We were responsible for 800 servers, mostly Windows but with Linux based appliances and servers as well. We all had to have access to these for support and troubleshooting. Since the Linux servers were not in the Microsoft AD security context, they kept user names and passwords in password vaults. So in the case of a workload or project in AWS EC2 servers, how is team access managed? Are Linux users and certificates manually created for each? Or maybe only something like Session Manager and IAM? Again, thank you for engaging with me on this.

  • So in the case of a workload or project in AWS EC2 servers, how is team access managed?

    A project I'm working on just now has a bunch of EC2s that authenticate with the org's on-prem AD over a Direct Connect link (these EC2s are not exposed to the internet). The EC2s are not computer objects in AD in the same way as on-prem Windows computers are, but the Linux sssd service has been set up by-and-large to authenticate with AD in the same way as the on-prem Linux hosts.

    You mention you don't have that functionality (Linux authenticating with AD) so the model you would choose would depend on the site setup, the org's security requirements, the size of the cloud environment, and so on.

    If the hosts are not accessed over the internet, which would typically mean there's a Direct Connect or VPN, then this security posture might mean password access is back in play. If it's just one host which only a handful of users will ever log into, then it may be easiest just to set up local users, with password complexity and expiry rules set in Linux, in compliance with security policies (there's obviously nothing stopping each user setting up their own SSH key to work alongside this).

    As the number of users and/or the number of servers grew, this would become unwieldy and a better solution may start to present itself.

  • Steve, thank you for your extended comments, very helpful as I continue on my learning journey here.
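As an added example (not code from either poster), the key-management steps from question 2 and the note above about local users with their own SSH keys, written as POSIX shell functions: one installs an admin's public key into authorized_keys with the permissions sshd enforces, the other reads the effective PasswordAuthentication and PermitRootLogin values from an sshd_config, honouring sshd's first-match rule. Function names and paths are assumptions, the key and config values are constructed, and on a real instance you would run install_key as root against /home/<user> after adduser.

```shell
#!/bin/sh
# Added example, not from either poster: provision a second admin's key-based
# login and audit the two sshd settings the AWS note mentions. Every path is a
# parameter so it can be exercised in a scratch directory before being run as
# root on a real instance (home_dir=/home/<user>, config=/etc/ssh/sshd_config).

# True when the argument looks like an OpenSSH public key: key type, base64 blob,
# optional comment. Stops a private key or garbage landing in authorized_keys.
is_pubkey() {
    printf '%s\n' "$1" |
        grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
}

# Install PUBKEY into HOME_DIR/.ssh/authorized_keys with the permissions sshd
# requires (StrictModes rejects group- or world-writable files). Idempotent, so
# re-running for the same key does not duplicate it. Ownership is fixed only
# when running as root, which is what you would be on the instance itself.
install_key() {
    home_dir=$1; pubkey=$2; owner=$3
    is_pubkey "$pubkey" || return 1
    mkdir -p "$home_dir/.ssh" && chmod 700 "$home_dir/.ssh"
    keyfile="$home_dir/.ssh/authorized_keys"
    touch "$keyfile"
    grep -qxF "$pubkey" "$keyfile" || printf '%s\n' "$pubkey" >> "$keyfile"
    chmod 600 "$keyfile"
    [ "$(id -u)" -eq 0 ] && chown -R "$owner:$owner" "$home_dir/.ssh"
    return 0
}

# Effective value of KEYWORD in an sshd_config file. sshd keeps the FIRST
# uncommented occurrence, so appending "PasswordAuthentication yes" at the end
# of the file changes nothing if "no" already appears above it. Assumptions:
# whitespace-separated "Keyword value" syntax and no Include directives.
sshd_option() {
    config=$1; keyword=$2; default=$3
    value=$(grep -iE "^[[:space:]]*${keyword}[[:space:]]+" "$config" |
        head -n 1 | awk '{print tolower($2)}')
    printf '%s\n' "${value:-$default}"
}

# Succeeds only when passwords are off and root cannot log in with a password,
# i.e. the out-of-the-box posture the answer describes. The defaults passed in
# are OpenSSH's own (PasswordAuthentication yes, PermitRootLogin prohibit-password).
audit_sshd() {
    pw=$(sshd_option "$1" PasswordAuthentication yes)
    root=$(sshd_option "$1" PermitRootLogin prohibit-password)
    echo "PasswordAuthentication=$pw PermitRootLogin=$root"
    [ "$pw" = no ] && [ "$root" != yes ]
}
```

Run audit_sshd against the live config before and after any edit to sshd_config, and keep an existing session open while you do so; a config mistake that stops sshd starting is exactly how people lose access to an instance.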

0

I also have seen several installation guides where the instructions start like this: "Prerequisites: A server running Ubuntu 22.04. A valid domain name is pointed to your server IP. A root password is configured on the server."

So my question, not being a Linux expert, is: is that root password necessary? Why don't they suggest a regular user with sudo? This particular snippet comes from a guide to installing Fork, a simple CMS platform using MySQL and NGINX.

Barry
answered 7 months ago
  • Not having seen the Fork installation doc, I can't really answer that. It may be that the installation script has to be run directly as root rather than using sudo, it may be that whoever wrote the doc and/or the software is just used to doing it all as root, or it may just be more convenient to do it that way rather than prefix a whole list of commands with sudo ( sudo mkdir [such-and-such-folder] ; sudo unzip [package-name].zip ; sudo install.sh ; sudo [look-through-the-logs] ; sudo [enable and start the service] ; sudo [clean-up-after-yourself-when-youre-done] and so on )
