Key Pair


Practicals Covered:

  1. Launch an Instance using existing Keys
  2. Verify Public and Private Keys via logs
  3. Using same key pair with another user
  4. Log in to the instance via normal user using his own key pair
  5. User 'kate' needs to login to Linux instance but her key pair must be generated by PuTTYgen in Windows

Take the example of purchasing a new antivirus. When we buy one, we get a license key inside the pack, which we have to provide at installation time. This license key is like a private key, because it is provided privately to us. Apart from this, the antivirus vendor's server has its own public key. Just as we have several keys for the locks at home, the server has a limited number of public keys and a large number of private keys, one of which we received in the box. When we enter our license key it takes some time to verify: during this time the antivirus connects to its server and tries to match our key against the public key. If the two keys match, we are authorized to use the licensed version of the product.




In the same manner, AWS uses an SSH key pair. An SSH key pair consists of two keys:
  1. Public Key and
  2. Private Key
1. PUBLIC KEY (always with AWS):
The public key is the one copied to the SSH server(s). Anyone with a copy of the public key can encrypt data that can then only be read by the person who holds the corresponding private key. Once an SSH server receives a public key from a user and considers the key trustworthy, the server marks the key as authorized in its authorized_keys file. Such keys are called authorized keys. A private key cannot be derived from a public key.

2. PRIVATE KEY (always with user):
The private key remains only with the user. Possession of this key is proof of the user's identity. Only a user in possession of the private key that corresponds to the public key at the server will be able to authenticate successfully. Private keys need to be stored and handled carefully, and no copies of the private key should be distributed. Private keys used for user authentication are called identity keys. The public key can be regenerated from the private key any number of times.


LINUX AMI vs. WINDOWS AMI

  1. Both are converted into an EC2 instance.
  2. Username
     Linux AMI:   ec2-user
     Windows AMI: Administrator
  3. Password
     Linux AMI:   a password is never provided
     Windows AMI: a password is always provided
  4. Use of the private key
     Linux AMI:   to access the instance we need the private key every time
     Windows AMI: the private key is used only once, to decrypt the Administrator password
  5. If the private key is lost
     Linux AMI:   we lose our access to the instance. There are two ways, UDS (User Data Script) or EBS (Elastic Block Store), by which we can recover the key.
     Windows AMI: after the password has been decrypted the key is no longer needed, so losing it does not matter
  6. Size of the private key: approx. 400 bytes
  7. Service that inserts the key at boot
     Linux AMI:   Cloud-init
     Windows AMI: EC2Config and EC2Launch. EC2Config was used in AMIs prior to 2016; EC2Launch has been used since 2016.
     In the industry this is known as a bootstrap script, meaning it does its work at system boot time.
  8. Where the key is stored
     Linux AMI:   Cloud-init stores the key at /home/ec2-user/.ssh/authorized_keys
                  - The directory must be '.ssh' with '700' permission, and its owner and group must be 'ec2-user'.
                  - The file 'authorized_keys' must have '400' or '600' permission, and its owner and group must be 'ec2-user'.
  9. Where the user entry goes
     Linux AMI:   /etc/passwd
     Windows AMI: SAM (Security Account Manager)
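As an added example (not part of the original post), here is a small shell function that audits one account against the permission and ownership rules just listed; the HOME_DIR and GROUP parameters and the helper names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post: audit one account against the
# rules above: '.ssh' must be mode 700, 'authorized_keys' must be mode 400 or
# 600, and both must be owned by the user and the user's group. Each violation
# is printed; the function returns 1 if any was found, 0 if the account is clean.
#
# usage: check_ssh_auth USER [HOME_DIR] [GROUP]
#        HOME_DIR defaults to /home/USER and GROUP to USER (assumptions made
#        for this example, matching the ec2-user layout described above).

# Mode and owner as 'ls -ld' prints them, e.g. "drwx------" and "ec2-user:ec2-user".
mode_of()  { ls -ld "$1" | cut -c1-10; }
owner_of() { ls -ld "$1" | awk '{ print $3 ":" $4 }'; }

check_ssh_auth() {
    user="$1"; home_dir="${2:-/home/$1}"; group="${3:-$1}"
    sshdir="$home_dir/.ssh"; authfile="$sshdir/authorized_keys"; bad=0

    [ -d "$sshdir" ] || { echo "$sshdir: missing"; return 1; }
    [ "$(mode_of "$sshdir")" = "drwx------" ] ||
        { echo "$sshdir: mode $(mode_of "$sshdir"), want drwx------ (700)"; bad=1; }
    [ "$(owner_of "$sshdir")" = "$user:$group" ] ||
        { echo "$sshdir: owner $(owner_of "$sshdir"), want $user:$group"; bad=1; }

    [ -f "$authfile" ] || { echo "$authfile: missing, user cannot log in"; return 1; }
    case "$(mode_of "$authfile")" in
        -rw-------|-r--------) ;;                     # 600 or 400: fine
        *) echo "$authfile: mode $(mode_of "$authfile"), want 600 or 400"; bad=1 ;;
    esac
    [ "$(owner_of "$authfile")" = "$user:$group" ] ||
        { echo "$authfile: owner $(owner_of "$authfile"), want $user:$group"; bad=1; }

    # Only public keys belong here (Practical-3 copies id_rsa.pub, never id_rsa).
    if grep -q 'PRIVATE KEY' "$authfile"; then
        echo "$authfile: contains a private key; remove it and replace the pair"; bad=1
    fi
    return "$bad"
}
```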



##############
## PRACTICAL ##
##############

PRACTICAL-1

LAUNCH A LINUX INSTANCE USING EXISTING KEYS
  1. Launch an instance
  2. Get access in PuTTy
  3. Verify public and private keys via logs
Step 1. LAUNCH AN INSTANCE

AWS > Services > EC2 > Launch Instance > [*] Free Tier Only > Select 'Amazon Linux 2 AMI (HVM), SSD Volume Type' > Next > Auto-assign Public IP: Enable > Next > Next > click to add a Name tag > Name: linux-srv1 > Next > (*) Select an existing security group > [*] Choose > Review and Launch > Launch > Choose an existing key pair: (choose from your existing one) > Launch Instance > View Instance > RUNNING STAGE

Copy Public IP from EC2 Dashboard (Make sure you selected only the instance which you want to access).

Step 2. GET ACCESS IN PUTTY

Run PuTTy > Paste Public IP > Expand SSH > Click on Auth > Browse > Select private key in '.ppk' file > Open > Login as: ec2-user > GET CONNECTION TO INSTANCE




Step 3. VERIFY PUBLIC AND PRIVATE KEYS VIA LOGS

Here, we need to use some basic Linux commands.

$ pwd                                                                //to know present working directory
/home/ec2-user

$ cd /var/log                                                     //cd to change directory

$ ls -l                                                               //for long listing, to list the file cloud-init.log
-rw-r--r--  1 root   root             92511 Apr 27 12:48       cloud-init.log

$ cat cloud-init.log | grep key                        //cat to view file and grep for filtering




Here, we can see that the keys are generated and saved.

$ cd                                                                   //to go to the home directory which is /home/ec2-user

$ ls -la

Here, we can see the '.ssh' directory with 700 permission, owned by user and group 'ec2-user'.
drwx------ 2 ec2-user ec2-user  29 Apr 27 12:48   .ssh


$ cd  /home/ec2-user/.ssh                          //to go inside .ssh directory

$ ls -la
-rw------- 1 ec2-user ec2-user 390 Apr 27 12:48 authorized_keys

$ cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCn7VR+XuLJPlPMA3EZE1yT4Cdfhl3LnYDe3CI80E7oDvYl1Q7Wp8Wt+5jQeLBQz9F+SJT9y/jPiMmCMTMxIrTB0k6uuIw/3mdAw2nMHPYBMigZrUb5GA2kdkcjLMKlrwGbqDs2ZpYXpDthDCsBonICDO1jzmJGXya2uHBZsUp1BV5liJSUMTp+uYicaGZqyKxOHncdNyvEzhrDW+kqAxg2ubfF2JDVIFtieS6GQwh7KtKscEzX6XZmN8JS84qETWlsODqDk9NTYxw1yyTM13VP2vrS5GguePaNfLbuqGKXeVjBkN3mKidBlgX/eVKK4YRlHUoAs1gfKLCCygWNwZgd linuxkey

We can see that the key we provided at launch is present here, with the same name ('linuxkey' at the end of the line).

Q. What is the location of Ec2ConfigService in Windows?
A. C drive > Windows > Amazon > Ec2ConfigService




PRACTICAL-2

USING SAME KEY PAIR WITH ANOTHER USER
  1. Create a new user (bob)
  2. Create .ssh directory inside the home directory of bob user '/home/bob/'
  3. Change Permission and Ownership
  4. Copy authorized_keys file from user 'ec2-user' to .ssh folder of bob user
  5. Change Permission and Ownership
  6. Launch the session by user bob
Step 1. CREATE A NEW USER NAMED 'BOB':

$ sudo useradd bob                           //to create a new user

$ cat  /etc/passwd                             //to verify the user named bob is created
ec2-user:x:1000:1000:EC2 Default User:/home/ec2-user:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash

But bob cannot log in yet, because bob does not have a public key placed in his .ssh folder as authorized_keys.

Log in as the root user, so that we can execute any command without permission issues:

$ sudo su -                                     //this command switches to the root user and the $ prompt changes to #

Now we are the root user, who has full privileges and can perform any task. Our task is to make a .ssh directory and copy the authorized_keys file into bob's home directory. In the case of 'ec2-user', AWS created the .ssh directory, but the user bob was created by us, so we need to provide everything for him.

Step 2. CREATE '.ssh' DIRECTORY INSIDE THE HOME DIRECTORY OF bob USER '/home/bob/'

# mkdir  /home/bob/.ssh
drwxr-xr-x 2 root root   6 Apr 27 13:37 .ssh

This command created the .ssh directory, but its permission (755) and ownership (root) are not what we need, so we have to update them accordingly.

Step 3. CHANGE PERMISSION AND OWNERSHIP

# chmod 700 /home/bob/.ssh                                   //to change the permission
drwx------ 2 root root   6 Apr 27 13:37 .ssh

# chown bob:bob /home/bob/.ssh                         //to change ownership and group
drwx------ 2 bob  bob    6 Apr 27 13:37 .ssh

Now our directory part is done: we have a .ssh directory with 700 permission, owned by user and group bob. It is time to copy the authorized_keys file.

First, go inside bob's .ssh directory, which is the destination of the copy:

# cd /home/bob/.ssh

Now copy the authorized_keys file to this location. To copy into the current directory, we only need a dot (.) as the destination.

Step 4. COPY 'authorized_keys' FILE FROM USER 'ec2-user' TO .ssh FOLDER OF bob USER

# cp /home/ec2-user/.ssh/authorized_keys .

For the file we need to do the same thing: give it permission 600 and the ownership of the bob user.

Step 5. CHANGE PERMISSION AND OWNERSHIP

# chmod 600 /home/bob/.ssh/authorized_keys
-rw------- 1 root root 390 Apr 27 13:50 authorized_keys

# chown bob:bob /home/bob/.ssh/authorized_keys
-rw------- 1 bob bob 390 Apr 27 13:50 authorized_keys

Now, we have provided authorized keys to bob. This is the time to launch the session once again with bob user.

Step 6. LAUNCH THE SESSION BY USER 'bob'

Run PuTTy > Paste Public IP from EC2 Dashboard > Expand SSH > Click on Auth > Browse > Select private key in '.ppk' file > Open > Login as: ec2-user > GET CONNECTION TO INSTANCE > Login as: bob


Q. How to provide sudo permissions to a normal user 'jack'?
A. The root user needs to update jack entry in '/etc/sudoers' file.

# vi /etc/sudoers                                             //go to line number 93 and type
jack     ALL=(ALL)       ALL
:wq                                                                        //for save and quit

(To copy a line in vi, press y twice (yy) and press p once to paste it on the next line.)




PRACTICAL-3

LOGIN TO INSTANCE VIA NORMAL USER USING HIS OWN KEY PAIR
  1. Create a new user (steve)
  2. Assign a password for user steve
  3. Switch to user steve
  4. Generate and verify public and private keys
  5. Copy private key to the laptop
  6. Copy public key to the instance home dir (.ssh/authorized_keys)
  7. Convert .pem in laptop to .ppk
  8. Launch the session by user steve

Step 1. CREATE A NEW USER (steve)

$ sudo su -                                                          //to become root user

# useradd steve              

Step 2. ASSIGN A PASSWORD FOR USER steve

# passwd steve
New Password: *****
Retype Password: *****

Step 3. SWITCH TO USER steve

# su - steve

Step 4. GENERATE AND VERIFY PUBLIC AND PRIVATE KEY

$ ssh-keygen -t rsa                                          //rsa is an algorithm

enter > enter > enter > Keys are generated



To Verify:

$ ls -la /home/steve/.ssh
-rw------- 1 steve steve 1679 Apr 27 15:20 id_rsa
-rw-r--r-- 1 steve steve  431 Apr 27 15:20 id_rsa.pub

Here, 'id_rsa' is a private key and 'id_rsa.pub' is a public key.

Step 5. COPY PRIVATE KEY TO LAPTOP

$ cd /home/steve/.ssh                                //ssh-keygen saved both keys here

$ cat id_rsa

Select all the contents; PuTTY copies the selection to the clipboard automatically.

Now open Notepad on the laptop, paste the contents, and Save As 'stevekey.pem'.

Step 6. COPY PUBLIC KEY TO THE INSTANCE

$ cp id_rsa.pub authorized_keys
-rw-r--r-- 1 steve steve  431 Apr 27 15:34 authorized_keys
-rw------- 1 steve steve 1679 Apr 27 15:20 id_rsa
-rw-r--r-- 1 steve steve  431 Apr 27 15:20 id_rsa.pub

Step 7. CONVERT .pem FILE IN .ppk FORMAT

Run PuTTYgen.exe > Load > Navigate to and select stevekey.pem > Save Private Key > Save that file as 'stevekey.ppk'.

Step 8. LAUNCH THE SESSION BY USER steve

Run PuTTy > Paste Public IP from EC2 Dashboard > Expand SSH > Click on Auth > Browse > Select steve's generated private key 'stevekey.ppk' > Open > Login as: steve > SUCCESSFUL





PRACTICAL-4

USER 'kate' NEEDS TO LOGIN TO LINUX INSTANCE BUT HER KEY PAIR MUST BE GENERATED BY PUTTYGEN IN WINDOWS

  1. Login by user 'ec2-user'
  2. Create a user named 'kate'
  3. Generate keys from PuTTYgen
  4. Copy that public key in kate's .ssh folder as 'authorized_keys' and provide proper permissions and ownership
  5. Run the instance by using kate user credentials 
Step 1. LOGIN BY USER 'ec2-user'

Run PuTTy > Paste Public IP from EC2 Dashboard > Expand SSH > Click on Auth > Browse > Select existing private key > Open > Login as: 'ec2-user' <hit enter>

Step 2. CREATE A USER NAMED 'kate'

$ sudo su -                                        //switch to root user

# useradd kate                                  //create user 'kate'

# passwd kate                                  //provide password to 'kate' user
New Password: *****
Retype Password: *****

Step 3. GENERATE KEYS FROM PuTTYgen

Run PuTTYgen > Generate > copy the Public Key under section 'Key' > Paste it in notepad




Now click on Save Private Key and save it as 'katekeys.ppk'.

Step 4. COPY THAT PUBLIC KEY IN kate's '.ssh' FOLDER AS 'authorized_keys' AND PROVIDE PROPER PERMISSIONS AND OWNERSHIP TO BOTH '.ssh' FOLDER and 'authorized_keys' FILE

# mkdir /home/kate/.ssh                                                       //create .ssh directory

# chmod 700 /home/kate/.ssh                                              //give 700 permission to .ssh directory

# chown kate:kate /home/kate/.ssh                                      //give 'kate' user ownership & group

# cd /home/kate/.ssh                                                            //change directory to .ssh

# vi authorized_keys                                                            //create a file named 'authorized_keys'
//here, paste key copied in notepad and save
:wq

# chmod 600 /home/kate/.ssh/authorized_keys                   //give 600 permission to the file

# chown kate:kate /home/kate/.ssh/authorized_keys           //give 'kate' user ownership & group

Step 5. RUN THE INSTANCE BY USING 'kate' USER CREDENTIALS

Run PuTTy > Paste Public IP from EC2 Dashboard > Expand SSH > Click on Auth > Browse > Select private key created for 'kate' user > Open > Login as: kate <hit enter>
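As an added example (not code from the original post), this shell function performs Steps 2 to 5 of Practical-2 and Step 4 of Practical-4 in one go, with the permissions and ownership the post requires. It assumes the user already exists (created with useradd as above) and that it runs as root; the HOME_DIR parameter, the use of the user's primary group, and the check for PuTTYgen's saved-public-key format are additions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): install a public key for a
# normal user the way Practical-2 and Practical-4 do by hand (.ssh 700,
# authorized_keys 600, both owned by the user). Assumes the user exists and
# that we run as root; HOME_DIR is a parameter only so the example can be
# tried on a scratch directory. The group is the user's primary group, which
# on the instance is the same-named group the post chowns to (bob:bob).
#
# usage: install_authorized_key USER PUBKEY_FILE [HOME_DIR]
install_authorized_key() {
    user="$1"; pubkey="$2"; home_dir="${3:-/home/$1}"
    group="$(id -gn "$user")" || return 1
    sshdir="$home_dir/.ssh"; authfile="$sshdir/authorized_keys"

    key="$(cat "$pubkey")" || return 1
    # authorized_keys takes one OpenSSH public-key line per entry. Refuse the
    # two files people paste by mistake: the private key (id_rsa / .pem), and
    # PuTTYgen's "Save public key" file, which is RFC 4716 format
    # ("---- BEGIN SSH2 PUBLIC KEY ----") and must be converted with
    # 'ssh-keygen -i -f FILE' first. In PuTTYgen, copy the 'Key' text box instead.
    case "$key" in
        *"PRIVATE KEY"*)     echo "$pubkey: this is a private key, not a public key" >&2; return 1 ;;
        *"SSH2 PUBLIC KEY"*) echo "$pubkey: RFC 4716 format, convert with ssh-keygen -i" >&2; return 1 ;;
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*) ;;
        *) echo "$pubkey: not an OpenSSH public key line" >&2; return 1 ;;
    esac
    [ "$(printf '%s\n' "$key" | wc -l | tr -d ' ')" -eq 1 ] ||
        { echo "$pubkey: expected exactly one key line" >&2; return 1; }

    # Practical-2 Steps 2-3: mkdir, chmod 700, chown user:group.
    mkdir -p "$sshdir" && chmod 700 "$sshdir" && chown "$user:$group" "$sshdir" || return 1

    # Steps 4-5: add the key (only once, so re-running is harmless), then fix
    # mode and owner, which cp or vi run as root would otherwise leave as root's.
    [ -f "$authfile" ] || : > "$authfile"
    grep -qxF -e "$key" "$authfile" || printf '%s\n' "$key" >> "$authfile"
    chmod 600 "$authfile" && chown "$user:$group" "$authfile"
}
```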

ENJOY………






