ssh aws key management

For ssh, what's a good strategy to keep logins organized? I'm doing:

ssh -i "suse.pem" ec2- ... at ec2 dot ..

and could add that to aliases. What might be some other approaches to
handling keys and logins? I'm not ssh'ing to dozens of instances -- less
than five.

Re: ssh aws key management

By Karl Auer at 11/12/2017 - 02:44

On Sun, 2017-11-12 at 04:25 +0000, thufir wrote:
Read "man ssh_config" and check out the CertificateFile and
IdentityFile directives. You can either just set up a big list of
identities and they will all be tried in turn, or you can use the Host
directive (I think, I have not tried this myself) to limit each
identity to a particular host.

I suggest you put these things into ~/.ssh/config rather than into the
global ssh configuration file /etc/ssh/ssh_config, though the
permissions on the certificate file should prevent misuse.

All this said, you do not require the AWS-supplied identity unless you
like using multiple identity files. Just add your own ssh public key to
~/.ssh/authorized_keys on the AWS system for the user you want to log
in as - ec2-user or whatever - or make a new user and use that one. If
you delete the AWS-supplied key out of the authorized_keys file, it
will no longer work for logins, which might be useful in some

BTW AWS gives the primary user (e.g. ubuntu@host) password-less sudo
access, which is IMHO dangerous (but let's please not have THAT
discussion again). Anyway, if you don't like it you can and IMHO should
fix /etc/sudoers to turn it off.

Also, for better ssh security you should at a minimum change the ssh
port and turn off password-only logins (i.e., require publickey

Regards, K.
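A client-side ~/.ssh/config along the lines Karl describes above, added here as an example that is not from the thread; the host names, user names and key file names are constructed placeholders, and the Host directive does limit each identity to one host as he suspected:

```sshconfig
# ~/.ssh/config  (chmod 0600; keys in the same directory should also be 0600)
# Added example, not from the thread. Host names, users and key
# file names below are constructed placeholders.

# One stanza per instance: "ssh web1" expands to the full login.
Host web1
    HostName ec2-203-0-113-10.compute-1.amazonaws.com
    User ubuntu
    IdentityFile ~/.ssh/aws-web1_ed25519
    # Offer only the key named above, not every key ssh knows about.
    # Without this, ssh tries each identity in turn, which tells the
    # server about all your public keys and can exhaust MaxAuthTries.
    IdentitiesOnly yes

Host db1
    HostName ec2-203-0-113-20.compute-1.amazonaws.com
    User ec2-user
    IdentityFile ~/.ssh/aws-db1_ed25519
    IdentitiesOnly yes

# Defaults for everything else. A matching Host block above wins
# because ssh uses the first value it finds for each option.
Host *
    # Unlock a passphrase-protected key once and cache it in ssh-agent,
    # so keys can carry a passphrase without constant prompting.
    AddKeysToAgent yes
    # Never fall back to a password prompt on the client side.
    PasswordAuthentication no
    PreferredAuthentications publickey
```

The server-side counterpart to the last two lines is `PasswordAuthentication no` in /etc/ssh/sshd_config on the instance, followed by a reload of sshd; test the key login from a second session before closing the one you changed it from.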

Re: ssh aws key management

By thufir at 11/12/2017 - 03:42

Ohhh, I see. You're suggesting, really, to just use a more regular type
of ssh usage. To my understanding, at least. Yes/no?

That is, I have one or some public keys.

When I want access to a remote system, add my public key to the remote
system. Presto, access? Yes, I want passwordless, key-only, login to
the default "ubuntu" user (because, as you pointed out, it has
passwordless sudo access).

I suppose that the AWS way of doing things is to make it easy for them,
with generating special keys, downloading keys, etc, etc. PITA for me.


Re: ssh aws key management

By Karl Auer at 11/12/2017 - 04:08

On Sun, 2017-11-12 at 07:42 +0000, thufir wrote:
Yes - or at least, the option is available to you. I'm not recommending
it, just telling you about it. There is nothing special about the AWS-
supplied key except (and this IS important) it does not have a
passphrase, and that IMHO means you should not use it and should make it
unusable. Or add a passphrase to it :-)

By "passwordless" I mean you should disable the ability to log into
your instance using a password; you should require a previously-
installed public key.

You should DEFINITELY not use keys without passphrases. If you do,
anyone who acquires your keys can log in anywhere you can log in. Two
minutes with your unattended laptop and they are gone. Unless you
encrypted your disks.

They offer you a working key. You do not have to use it.

Regards, K.