Practicals Covered:
- Launch an Instance using existing Keys
- Verify Public and Private Keys via logs
- Using same key pair with another user
- Log in to the instance via normal user using his own key pair
- User 'kate' needs to login to Linux instance but her key pair must be generated by PuTTYgen in Windows
Take the example of a padlock and its key. The public key is the padlock: you can hand out copies freely and fit one to every door (server) you want to be able to open. The private key is the only key that opens those padlocks, so it stays with you, and anyone who obtains a copy of it can open every door it fits. (A software licence key is a poor comparison: a licence key is a shared secret that the vendor also holds, whereas an SSH private key is known only to its owner and is never sent to the server; the server only checks a signature made with it.)
In the same manner, AWS uses an SSH key pair. An SSH key pair has two keys:
- Public Key
- Private Key
1. PUBLIC KEY (lives on the server; AWS copies it into the instance):
A public key is copied to the SSH server(s). Anyone with a copy of the public key can encrypt data that only the holder of the corresponding private key can read, and can verify signatures made with that private key; SSH login uses the second property. Once an SSH server receives a public key for a user and considers it trustworthy, it lists the key in that user's authorized_keys file. Such keys are called authorized keys. A private key cannot be derived from a public key.
2. PRIVATE KEY (stays with the user):
A private key remains (only) with the user. Possession of this key is proof of the user's identity: only a user holding the private key that corresponds to a public key on the server can authenticate successfully. Private keys must be stored and handled carefully, and no copies should be distributed. Private keys used for user authentication are called identity keys. The public key can be regenerated from the private key any number of times.
Linux AMI vs Windows AMI (the two columns of the comparison, side by side):

Topic                      | Linux AMI                                                  | Windows AMI
---------------------------|------------------------------------------------------------|------------------------------------------------------------
Launch                     | Converted into an EC2 instance                             | Converted into an EC2 instance
Default username           | ec2-user                                                   | Administrator
Password                   | Never provided; login is by key only                       | Always provided; a random Administrator password is generated at first boot
Private key is used        | Every time you SSH in                                      | Only once, to decrypt the Administrator password
If the private key is lost | Access is lost; it can be regained via UDS or EBS (note 1) | No longer needed once the password has been decrypted (and changed)
Size                       | Public key line about 400 bytes; private key about 1.7 KB (note 2) | Same key pair format; only the public half is used
Service that injects the key | cloud-init                                               | EC2Config (Windows Server 2012 R2 and older AMIs) or EC2Launch (Windows Server 2016 and newer)
Where the key ends up      | /home/ec2-user/.ssh/authorized_keys (note 3)               | Not stored as a key; the public key only encrypts the generated password, which is fetched with Get Windows Password and decrypted locally with the private key
User database              | /etc/passwd                                                | SAM (Security Account Manager)

Note 1: UDS (User Data Script) means stopping the instance and giving it a user data script that writes a new public key into authorized_keys at the next boot; cloud-init normally runs user data only on the first boot, so the script must be set to run on every boot. EBS (Elastic Block Store) means stopping the instance, attaching its root volume to a rescue instance, writing a new authorized_keys there, and attaching the volume back. Neither recovers the lost private key; both install a new public key.
Note 2: The original text puts the private key at about 400 bytes, but that is the size of the public key line (390 bytes in the authorized_keys listing below); the 2048-bit RSA private key (.pem) is about 1.7 KB (1679 bytes for id_rsa in Practical 3).
Note 3: The directory must be '.ssh' with '700' permission, and the file 'authorized_keys' must have '400' or '600' permission; owner and group of both must be 'ec2-user'. sshd ignores the file if these are looser.

cloud-init, EC2Config and EC2Launch all run at system boot, which is why this is known as a bootstrap script in the industry.
##############
## PRACTICAL ##
##############
PRACTICAL-1
LAUNCH A LINUX INSTANCE USING EXISTING KEYS
- Launch an instance
- Get access in PuTTY
- Verify public and private keys via logs
Step 1. LAUNCH AN INSTANCE
AWS > Services > EC2 > Launch Instance > [*] Free Tier Only > Select 'Amazon Linux 2 AMI (HVM), SSD Volume Type' > Next > Auto-assign Public IP: Enable > Next > Next > click to add a Name tag > Name: linux-srv1 > Next > (*) Select an existing security group > [*] Choose > Review and Launch > Launch > Choose an existing key pair: (choose from your existing one) > Launch Instance > View Instance > RUNNING STAGE
Copy Public IP from EC2 Dashboard (Make sure you selected only the instance which you want to access).
Step 2. GET ACCESS IN PUTTY
Run PuTTY > Paste Public IP > Expand SSH > Click on Auth > Browse > Select private key in '.ppk' file > Open > Login as: ec2-user > GET CONNECTION TO INSTANCE
Step 3. VERIFY PUBLIC AND PRIVATE KEYS VIA LOGS
Here, we need a few basic Linux commands.
$ pwd                              //print the present working directory
/home/ec2-user
$ cd /var/log                      //change directory
$ ls -l                            //long listing; look for cloud-init.log
-rw-r--r-- 1 root root 92511 Apr 27 12:48 cloud-init.log
$ grep -i key cloud-init.log       //filter the log for key-related lines
Here, we can see that cloud-init fetched the public key of the key pair chosen at launch from the instance metadata and saved it as authorized_keys (the instance's own SSH host keys, which cloud-init generates at first boot, also appear in this output).
$ cd                               //go to the home directory, /home/ec2-user
$ ls -la
Here, we can see the '.ssh' directory with 700 permission, owned by user and group 'ec2-user'.
drwx------ 2 ec2-user ec2-user 29 Apr 27 12:48 .ssh
$ cd /home/ec2-user/.ssh           //go inside the .ssh directory
$ ls -la
-rw------- 1 ec2-user ec2-user 390 Apr 27 12:48 authorized_keys
$ cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCn7VR+XuLJPlPMA3EZE1yT4Cdfhl3LnYDe3CI80E7oDvYl1Q7Wp8Wt+5jQeLBQz9F+SJT9y/jPiMmCMTMxIrTB0k6uuIw/3mdAw2nMHPYBMigZrUb5GA2kdkcjLMKlrwGbqDs2ZpYXpDthDCsBonICDO1jzmJGXya2uHBZsUp1BV5liJSUMTp+uYicaGZqyKxOHncdNyvEzhrDW+kqAxg2ubfF2JDVIFtieS6GQwh7KtKscEzX6XZmN8JS84qETWlsODqDk9NTYxw1yyTM13VP2vrS5GguePaNfLbuqGKXeVjBkN3mKidBlgX/eVKK4YRlHUoAs1gfKLCCygWNwZgd linuxkey
We can see that the public half of the key pair we chose at launch is present here, with the key pair's name ('linuxkey') as its comment.
Q. What is the location of Ec2ConfigService in Windows?
A. C:\Program Files\Amazon\Ec2ConfigService (its logs are in the Logs folder underneath it).
PRACTICAL-2
USING SAME KEY PAIR WITH ANOTHER USER
- Create a new user (bob)
- Create .ssh directory inside the home directory of bob user '/home/bob/'
- Change Permission and Ownership
- Copy authorized_keys file from user 'ec2-user' to .ssh folder of bob user
- Change Permission and Ownership
- Launch the session by user bob
$ sudo useradd bob                 //create a new user
$ cat /etc/passwd                  //verify that the user bob was created
ec2-user:x:1000:1000:EC2 Default User:/home/ec2-user:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
But bob cannot log in yet, because no public key has been placed in his .ssh folder as authorized_keys (sshd looks for /home/bob/.ssh/authorized_keys).
Login as root user. So that we could execute any command without
any permission issue:
$ sudo su - //this
command will switch to the root user and $ sign will change to #
Now, this is a root user who have full privileges and can
perform any task. Now our task is to make a .ssh directory and copy authorized_keys
file to Bob's home directory. In the case of 'ec2-user' AWS created the .ssh
directory but this user bob is created by us. So, we need to provide everything
to him.
Step 2. CREATE '.ssh' DIRECTORY INSIDE THE HOME DIRECTORY OF bob
USER '/home/bob/'
# mkdir /home/bob/.ssh
drwxr-xr-x 2 root root 6 Apr 27 13:37 .ssh
This command created .ssh directory but permission and
ownership are changed. So, we need to update them accordingly.
Step 3. CHANGE PERMISSION AND OWNERSHIP
# chmod 700 /home/bob/.ssh         //change the permission
drwx------ 2 root root 6 Apr 27 13:37 .ssh
# chown bob:bob /home/bob/.ssh     //change ownership and group
drwx------ 2 bob bob 6 Apr 27 13:37 .ssh
Now, our directory part is done. We have .ssh directory with
700 permission with bob user ownership and group. This is the time to copy
authorized_keys file.
First, go inside bob's .ssh directory:
# cd /home/bob/.ssh
Now, copy the authorized_keys file to this location. When copying into the current directory, the destination can be given as just a dot (.)
Step 4. COPY 'authorized_keys' FILE FROM USER 'ec2-user' TO .ssh
FOLDER OF bob USER
# cp /home/ec2-user/.ssh/authorized_keys .
Here, in the case of file, we need to perform the same thing,
we need to provide permission 600 and ownership of bob user.
Step 5. CHANGE PERMISSION AND OWNERSHIP
# chmod 600 /home/bob/.ssh/authorized_keys
-rw------- 1 root root 390 Apr 27 13:50 authorized_keys
# chown bob:bob /home/bob/.ssh/authorized_keys
-rw------- 1 bob bob 390 Apr 27 13:50 authorized_keys
Now, we have provided authorized keys to bob. This is the
time to launch the session once again with bob user.
Step 6. LAUNCH THE SESSION BY USER 'bob'
Run PuTTY > Paste Public IP from EC2 Dashboard > Expand SSH > Click on Auth > Browse > Select the same private key '.ppk' file used for ec2-user > Open > Login as: bob > GET CONNECTION TO INSTANCE
Q. How to provide sudo permissions to a normal user 'jack'?
A. The root user needs to add an entry for jack to the '/etc/sudoers' file. Edit it with visudo rather than plain vi: visudo locks the file and refuses to save a syntax error, and a broken sudoers locks everyone out of sudo.
# visudo                           //opens /etc/sudoers; go to the 'root ALL=(ALL) ALL' line (line 93 on this AMI) and add below it
jack ALL=(ALL) ALL
:wq                                //save and quit
(To copy a line in vi, press y twice and then p once to paste it on the next line.)
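A safer form of the sudo grant above, added here as an example rather than taken from the post: instead of editing /etc/sudoers at a line number, write a drop-in file under /etc/sudoers.d, give it the 0440 mode sudo requires, and validate it with visudo -c before it is moved into place. SUDOERS_D, grant_sudo and sudoers_line are names assumed for this example.

```bash
#!/bin/sh
# Added example (not from the original post): grant sudo via /etc/sudoers.d.
# SUDOERS_D can be overridden so the logic can be tried on a scratch directory.
set -u
: "${SUDOERS_D:=/etc/sudoers.d}"

# sudoers_line USER [NOPASSWD]: the rule the post types into /etc/sudoers,
# optionally passwordless (the post's form still asks for the user's password).
sudoers_line() {
    if [ "${2:-}" = NOPASSWD ]; then
        printf '%s ALL=(ALL) NOPASSWD: ALL\n' "$1"
    else
        printf '%s ALL=(ALL) ALL\n' "$1"
    fi
}

# grant_sudo USER [NOPASSWD]: write SUDOERS_D/USER atomically with mode 0440.
# sudo skips drop-in files whose names contain '.' or '~', so such user names
# are rejected instead of silently producing a rule that never applies.
# When running as root and visudo exists, the file is syntax-checked first.
grant_sudo() {
    local user="$1" target tmp
    case "$user" in ""|*.*|*~*) echo "bad user name: '$user'" >&2; return 1 ;; esac
    target="$SUDOERS_D/$user"
    tmp=$(mktemp "$SUDOERS_D/.$user.XXXXXX") || return 1
    sudoers_line "$user" "${2:-}" > "$tmp" && chmod 0440 "$tmp" || { rm -f "$tmp"; return 1; }
    if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
        if ! visudo -c -q -f "$tmp"; then
            echo "sudoers syntax error in $tmp, not installing" >&2
            rm -f "$tmp"
            return 1
        fi
    fi
    mv "$tmp" "$target"
}

# Usage on the instance (as root), the equivalent of the post's jack entry:
#   grant_sudo jack
```

The temporary file is written beside the target and renamed into place, so sudo never sees a half-written rule; the NOPASSWD variant is there because it is what most automation needs, but it is a larger grant than the post's entry.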
PRACTICAL-3
LOGIN TO INSTANCE VIA NORMAL USER USING HIS OWN KEY
PAIR
- Create a new user (steve)
- Assign a password for user steve
- Switch to user steve
- Generate and verify public and private keys
- Copy private key to the laptop
- Copy public key to the instance home dir .ssh/authorized_keys)
- Convert .pem in laptop to .ppk
- Launch the session by user steve
Step 1. CREATE A NEW USER (steve)
$ sudo su -                        //become the root user
# useradd steve
Step 2. ASSIGN A PASSWORD FOR USER steve
# passwd steve
New password: *****
Retype new password: *****
Step 3. SWITCH TO USER steve
# su - steve
Step 4. GENERATE AND VERIFY PUBLIC AND PRIVATE KEY
$ ssh-keygen -t rsa                //-t rsa selects the RSA algorithm
enter > enter > enter              //accept the default file name and leave the passphrase empty; the keys are generated
To verify:
$ ls -la /home/steve/.ssh
-rw------- 1 steve steve 1679 Apr 27 15:20 id_rsa
-rw-r--r-- 1 steve steve  431 Apr 27 15:20 id_rsa.pub
Here, 'id_rsa' is the private key (mode 600, readable only by steve) and 'id_rsa.pub' is the public key.
Step 5. COPY PRIVATE KEY TO LAPTOP
$ cat id_rsa
Select all of the output; in PuTTY, selecting text copies it automatically. Open Notepad on the laptop, paste the contents and Save As 'stevekey.pem'. Moving a private key through the clipboard like this is the weak point of this approach; Practical 4 shows the preferred direction, where the key pair is generated on the client machine and only the public key travels to the instance.
Step 6. COPY PUBLIC KEY TO THE INSTANCE
$ cp id_rsa.pub authorized_keys
-rw-r--r-- 1 steve steve  431 Apr 27 15:34 authorized_keys
-rw------- 1 steve steve 1679 Apr 27 15:20 id_rsa
-rw-r--r-- 1 steve steve  431 Apr 27 15:20 id_rsa.pub
The copy keeps id_rsa.pub's 644 mode. sshd accepts that, because it only refuses an authorized_keys file that is writable by group or others, but the 600 used elsewhere in this post is the tidier choice.
Step 7. CONVERT .pem FILE IN .ppk FORMAT
Run PuTTYgen.exe > Load > Navigate to and select stevekey.pem
> Save Private Key > Save that file as 'stevekey.ppk'.
Step 8. LAUNCH THE SESSION BY USER steve
Run PuTTY > Paste Public IP from EC2 Dashboard > Expand SSH > Click on Auth > Browse > Select the private key steve generated, 'stevekey.ppk' > Open > Login as: steve > SUCCESSFUL
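The key-pair handling of Practical 3 done non-interactively with ssh-keygen, added here as an example and not part of the original post. Beyond generating the pair, it uses the property stated earlier, that the public key can always be re-derived from the private key, to check whether a given .pub file (or a line you are about to put into authorized_keys) really belongs to a given private key. The file names such as stevekey and the function names are illustrative.

```bash
#!/bin/sh
# Added example (not from the original post): generate, derive and verify
# SSH key pairs with ssh-keygen only. Requires OpenSSH's ssh-keygen.
set -u

# gen_keypair DIR NAME [TYPE]: the scripted equivalent of 'ssh-keygen -t rsa'
# followed by Enter three times (default file name, empty passphrase).
# Produces DIR/NAME (private, ssh-keygen sets mode 600) and DIR/NAME.pub.
gen_keypair() {
    local dir="$1" name="$2" type="${3:-rsa}"
    if [ "$type" = rsa ]; then
        ssh-keygen -q -t rsa -b 2048 -N '' -C "$name" -f "$dir/$name"
    else
        ssh-keygen -q -t "$type" -N '' -C "$name" -f "$dir/$name"
    fi
}

# fingerprint PUBFILE: the SHA256 fingerprint of a public key file, i.e. the
# second field of 'ssh-keygen -lf' (bits and comment stripped). The comment
# does not affect the fingerprint, so a renamed copy still matches.
fingerprint() {
    ssh-keygen -lf "$1" | awk '{print $2}'
}

# keys_match PRIVFILE PUBFILE: 0 if PUBFILE belongs to PRIVFILE, 1 otherwise.
# Re-derives the public key from the private one (ssh-keygen -y) and compares
# fingerprints; this is the check to run before trusting a stray id_rsa.pub.
keys_match() {
    local priv="$1" pub="$2" derived rc
    derived=$(mktemp) || return 1
    if ! ssh-keygen -y -f "$priv" > "$derived"; then
        rm -f "$derived"
        return 1
    fi
    if [ "$(fingerprint "$derived")" = "$(fingerprint "$pub")" ]; then
        rc=0
    else
        rc=1
    fi
    rm -f "$derived"
    return $rc
}

# Usage on the instance as steve:
#   gen_keypair "$HOME/.ssh" id_rsa
#   keys_match "$HOME/.ssh/id_rsa" "$HOME/.ssh/id_rsa.pub" && echo "pair is consistent"
```

Because the public key is recomputed from the private key, losing id_rsa.pub is never a problem; losing id_rsa is, which is the asymmetry the table earlier on this page describes.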
PRACTICAL-4
USER 'kate' NEEDS TO LOGIN TO LINUX
INSTANCE BUT HER KEY PAIR MUST BE GENERATED BY PUTTYGEN IN WINDOWS
- Login by user 'ec2-user'
- Create a user named 'kate'
- Generate keys from PuTTYgen
- Copy that public key in kate's .ssh folder as 'authorized_keys' and provide proper permissions and ownership
- Run the instance by using kate user credentials
Step 1. LOGIN BY USER 'ec2-user'
Run PuTTY > Paste Public IP from EC2 Dashboard > Expand SSH > Click on Auth > Browse > Select existing private key > Open > Login as: 'ec2-user' <hit enter>
Step 2. CREATE A USER NAMED 'kate'
$ sudo su - //switch to root user
# useradd kate //create user 'kate'
# passwd kate //provide password to 'kate' user
New Password: *****
Retype Password: *****
Step 3. GENERATE KEYS FROM PuTTYgen
Run PuTTYgen > Generate > copy the Public Key under section 'Key' > Paste it in notepad
Now click on Save Private Key and save it as 'katekeys.ppk'.
Step 4. COPY THAT PUBLIC KEY IN kate's '.ssh' FOLDER AS 'authorized_keys'
AND PROVIDE PROPER PERMISSIONS AND OWNERSHIP TO BOTH '.ssh' FOLDER and 'authorized_keys'
FILE
# mkdir /home/kate/.ssh //create .ssh directory
# chmod 700 /home/kate/.ssh //give 700 permission to .ssh directory
# chown kate:kate /home/kate/.ssh //give 'kate' user ownership & group
# cd /home/kate/.ssh //change directory to .ssh
# vi authorized_keys               //create a file named 'authorized_keys'
//paste the key copied from PuTTYgen's 'Key' box as one single line (that box shows the OpenSSH format sshd expects; the multi-line 'BEGIN SSH2 PUBLIC KEY' file written by 'Save public key' is not accepted), then save
:wq
# chmod 600 /home/kate/.ssh/authorized_keys     //give 600 permission to the file
# chown kate:kate /home/kate/.ssh/authorized_keys //give 'kate' user ownership & group
Step 5. RUN THE INSTANCE BY USING 'kate' USER CREDENTIALS
Run PuTTY > Paste Public IP from EC2 Dashboard > Expand SSH > Click on Auth > Browse > Select the private key created for 'kate' ('katekeys.ppk') > Open > Login as: kate <hit enter>
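The manual steps of Practicals 2 and 4 (create the user, create .ssh with 700, write authorized_keys with 600, hand both to the user) as one script, added here as an example and not part of the original post. It also performs the check sshd applies before it honours the file, and rejects input that is not an OpenSSH public key line, such as the multi-line block PuTTYgen writes with 'Save public key'. The function names and the sample key used in the usage note are assumptions of this example.

```bash
#!/bin/sh
# Added example (not from the original post): provision key-based SSH login
# for a local user. Run as root on the instance for real users; the layout and
# permission logic also works for an ordinary user on a scratch home directory.
set -u

# install_authorized_key HOME OWNER PUBKEY_FILE
# Appends PUBKEY_FILE to HOME/.ssh/authorized_keys, creating .ssh (0700) and the
# file (0600) as needed, owned by OWNER. Appending keeps any key already there.
install_authorized_key() {
    local home="$1" owner="$2" pubkey="$3" sshdir authkeys
    sshdir="$home/.ssh"; authkeys="$sshdir/authorized_keys"
    [ -d "$home" ] || { echo "no home directory: $home" >&2; return 1; }
    # One OpenSSH-format line: key type, base64 blob, optional comment.
    grep -Eq '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( |$)' "$pubkey" \
        || { echo "not an OpenSSH public key line: $pubkey" >&2; return 1; }
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 1
    cat "$pubkey" >> "$authkeys" && chmod 600 "$authkeys" || return 1
    # chown needs root; when the owner runs this on its own home, nothing to do.
    if [ "$(id -u)" -eq 0 ]; then
        chown "$owner:$owner" "$sshdir" "$authkeys" || return 1
    fi
}

# check_ssh_layout HOME OWNER
# 0 when .ssh is 700, authorized_keys is 600 or 400, and both belong to OWNER;
# otherwise reports each problem and returns 1. This mirrors what sshd's
# StrictModes verifies before it will read the file.
check_ssh_layout() {
    local home="$1" owner="$2" rc=0 f mode own
    for f in "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$f" ] || { echo "missing: $f" >&2; return 1; }
        mode=$(stat -c '%a' "$f"); own=$(stat -c '%U' "$f")
        case "$f" in
            */authorized_keys)
                [ "$mode" = 600 ] || [ "$mode" = 400 ] || { echo "$f mode $mode, want 600 or 400" >&2; rc=1; } ;;
            *)
                [ "$mode" = 700 ] || { echo "$f mode $mode, want 700" >&2; rc=1; } ;;
        esac
        [ "$own" = "$owner" ] || { echo "$f owned by $own, want $owner" >&2; rc=1; }
    done
    return $rc
}

# create_key_user NAME PUBKEY_FILE (root only): useradd, install the key, verify.
create_key_user() {
    local name="$1" pubkey="$2"
    id "$name" >/dev/null 2>&1 || useradd -m "$name" || return 1
    install_authorized_key "/home/$name" "$name" "$pubkey" \
        && check_ssh_layout "/home/$name" "$name"
}

# Usage on the instance (as root):
#   create_key_user bob /home/ec2-user/.ssh/authorized_keys   # Practical 2
#   create_key_user kate /tmp/kate.pub                         # Practical 4, kate.pub holds PuTTYgen's 'Key' line
```

If the check fails after a manual edit, it is almost always ownership: a file created by root in another user's .ssh stays owned by root until it is chowned, exactly the situation the listings in Practical 2 show before the chown step.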
ENJOY………