How can I restrict access to ec2-user, make it only accessible via su?


Hello, how would I restrict access to ec2-user via putty? So I have two accounts in my instance, user and ec2-user. I want to make it so that I ssh into user and su into ec2-user. So, I have 2 problems.

1.) I can still just ssh using .ppk into ec2-user. So I need some help in how to disable access via .ppk to ec2-user that way the only way to access it is using su - via individual accounts.

2.) I ssh into user but then it asks me for a password to authenticate and not a .ppk. I ideally would like to use putty and just connect directly using the .ppk as authentication rather than a password. That way I can su - into ec2-user.

1 Answer

Before doing anything, it's advisable to spin up a throwaway EC2 to practise this on first, as if anything goes wrong you could find yourself unable to login using any account. Once you're confident you know the process, apply the steps to the host you want to work on for real.

The easiest way to deny SSH access for ec2-user is to add an entry for DenyUsers ec2-user to /etc/ssh/sshd_config and then restart the SSH service sudo systemctl restart sshd


This keyword can be followed by a list of user name patterns, separated by spaces. Login is disallowed for user names that match one of the patterns.

Alternatively, you can remove the private key for ec2-user (on Amazon Linux, will be in /home/ec2-user/.ssh/authorized_keys ) and once there is no private key to match your public key, any attempted login with it will fail.

For part 2 you need to generate a new keypair in PuTTYgen (other tools are available, but you mention you're using PuTTY), then upload the private key to the Linux host. Convert it to OpenSSH format ssh-keygen -i -f puttygen_key > openssh_key and then append the contents of openssh_key to ~user/.ssh/authorized_keys and make sure the .ssh directory and the authorized_keys file are readable only by user.

If you get stuck, do a Google search for something like linux setup passwordless ssh and you will get pages and pages of helpful answers.

profile picture
answered 2 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions