Friday, 3 February 2017

Multiuser key-based login to AWS EC2 instances

 


This is a step-by-step guide to creating multiple user accounts in Amazon EC2 Linux instances, using individual self-generated key pairs . This helps small organizations to allow multiple users to get access to such instances without having to share keys or accounts.

The public / private key pair is generated on your local machine and the private key is uploaded to S3. When launching the EC2 instance via the wizard, you can now choose to Proceed without a key pair.

For Linux / Mac users :
  1. To create Public and Private keys use the following command
$ ssh-keygen -t rsa -b 4096        (This creates a 4096 bit RSA key pair)
      2. Upload the public key to a folder in your S3 bucket. For example :
S3 > MyBucket > Keypair
      3. Save and secure your private key.


For Windows users :
  1. Use puttygen to generate the keys.
  2. Follow tutorials in DigitalOcean to create SSH keys.
  3. Upload the public key to S3 > MyBucket > Keypair
  4. Save and secure your private key.
The following steps are important during the launch of any Linux AMI.
  1. Ensure the IAM role has a role created with AmazonS3FullAccess policy. This allows the instance to assume a role to access the S3 buckets. This is needed to read the public keys from S3 and copy them to the user profile.

  2. IAM > Roles


    Launch Instance > Configure Instance Details 


  3. Add the following code under the user-data section in Configure Instance details > Advanced Details (as Text) :

######## AWS LINUX #########

#!/bin/bash
useradd user1
usermod -aG wheel user1
mkdir /home/user1/.ssh/
aws s3 cp s3://MyBucket /Keypair/user1-pub.pub     /home/user1/.ssh/authorized_keys

useradd user2
usermod -aG wheel user2
mkdir /home/user2/.ssh/
aws s3 cp s3://MyBucket /Keypair/user2-pub.pub     /home/user2/.ssh/authorized_keys

sudo -i
echo "user1 ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
echo "user2 ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers

yum update -y

######## UBUNTU #########

#!/bin/bash
apt-get install -y awscli
useradd user1
usermod -aG sudo user1
mkdir /home/user1/.ssh/
aws s3 cp s3://MyBucket /Keypair/user1-pub.pub     /home/user1/.ssh/authorized_keys

useradd user2
usermod -aG sudo user2
mkdir /home/user2/.ssh/
aws s3 cp s3://MyBucket /Keypair/user2-pub.pub     /home/user2/.ssh/authorized_keys

sudo -i
echo "user1 ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
echo "user2 ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
exit

apt-get update -y

This setup creates User1 and User2 and adds them to sudo users. The aws s3 cp command copies the users public keys from the S3 folder to their .ssh/authorized_keys path. The last section is to run commands as admin without needing passwords.

There are lots of security improvements that can be recommended here. While not explicitly used in this example, limiting S3 bucket access to a specific bucket and knowing the security implications of disabling password usage in sudo, are few things that can be highlighted. Use them wisely based on your particular needs.

No comments:

Post a Comment

author
Vijay Vikram Shreenivos