In my last installment on Amazon Elastic Cloud Compute (EC2), I discussed how to use an SFTP program to transfer files between a local computer and an EC2 instance. This week, in my final installment in this series, I’ll examine how to create and manage new users and user permissions using the Amazon EC2 command line tools on your local instance.
As discussed previously, Amazon doesn’t use passwords for user management on EC2 instances, but opts instead for a public key cryptography. When you register a new EC2 instance, Amazon asks if you wish to create a new public/private key pair. You can either reuse an existing public/private key pair, or create a new pair. You can create a new key pair without creating a new AWS instance by clicking the Key Pairs screen in the EC2 Management Console.
You can also create new login key pairs on the Linux command line, using the command ssh-keygen. We’ll see how to use this method in a below.
Creating New Users Associated with a Key Pair
As most readers know, all information about users on Unix variants (including Linux) is stored in the file /etc/passwd. If we look at /etc/passwd for ec2-user, we see that the password field has been x’d out. Usually, this indicates that the password is encrypted in /etc/crypt.
ec2-user:x:222:500:EC2 Default User:/home/ec2-user:/bin/bash
But our EC2 instance isn’t secured by passwords, but by SSH and public key cryptography. If you run the command ls -la in the home directory of ec2-user, you’ll see a hidden folder named .ssh. This directory contains a file called authorized_users that contains the public key portion of the key pair associated with the account ec2-user. When you log in, the Linux server matches this public key against the private key you are using with PuTTY.
So to create a new user and log in with that user using PuTTY, follow these steps.
1. Create a new Linux user with the adduser command. The following command creates a new user and adds it to the ec2-user security group. (You need to run this command using sudo to obtain root permission.)
sudo useradd -g ec2-user testuser1
sudo su testuser2
cd /home/testuser4
4. Generate a new public/private key pair for this user using with the ssh-keygen command.
ssh-keygen -b 1024 -f testuser4 -t dsa
5. Create the .ssh/.authorized_keys file with the appropriate ownership and permissions.
[testuser1@ip-10-112-71-77 ~]$ mkdir .ssh
[testuser1@ip-10-112-71-77 ~]$ chmod 700 .ssh
[testuser1@ip-10-112-71-77 ~]$ cat testuser1.pub > .ssh/authorized_keys
[testuser1@ip-10-112-71-77 ~]$ chmod 600 .ssh/authorized_keys
[testuser1@ip-10-112-71-77 ~]$ chown testuser1:testuser1 .ssh
[testuser1@ip-10-112-71-77 ~]$ chown testuser1:testuser1 .ssh/authorized_keys
6. Download the private key file (named testuser1) using WinSCP (or a similar SFTP application), and convert the private key to a PuTTY .ppk file as previously discussed. You can now log in directly as the user testuser1 to your Amazon EC3 instance.
Once you know how to create users and log in as those users using SSH, you can create multiple user accounts and security groups (using the addgroup command), and control logins and permissions to your server. If you are giving access to vendors or others who need only limited permissions to your server, you should configure your groups such that only the privileged can use the sudo command to obtain root access. You can find more tips for securing your EC2 Linux server on the Amazon AWS Web site.
The post Creating New Linux Users and Login Keys on Amazon EC2 appeared first on CodingThis.