1
votes

Thank you for your time.

I have an EC2 instance, but for security reasons I need to change the pem files associated with .ssh/authorized_keys. I do understand that the public pem file goes into authorized_keys.

I do not want to mount the volume of the EC2 instance on a new one. I am considering that as a last option, since I do have access to the EC2 instance.

How can this be done?

I have tried the answer by Pat Mcb in this post, Change key pair for ec2 instance, but with no luck:

Run this command after you download your AWS pem.

ssh-keygen -f YOURKEY.pem -y

Then dump the output into authorized_keys.

Or copy the pem file to your AWS instance and execute the following commands:

chmod 600 YOURKEY.pem

and then

ssh-keygen -f YOURKEY.pem -y >> ~/.ssh/authorized_keys

But that didn't work for me. If I follow it exactly (download the AWS key pair key, and follow the instructions by copying the key when I ssh into the instance), then when I run ssh-keygen -f YOURKEY.pem -y >> ~/.ssh/authorized_keys it asks for a passphrase (I never had to input one).

What I am doing is the following. I create a new key with ssh-keygen newpem.pem

and the .pub file I copy into .ssh/authorized_keys.

Can someone explain what I am doing incorrectly? Note that the authorized_keys file has the correct permissions.

2
Rather than describe what you've done, show the exact steps by copying the text from your terminal (both client and server) into a code block in your question. You should also run ssh -v from the client to show exactly what's happening (you should, of course, redact any usernames or hostnames from this output). - kdgregory

Did you try the steps listed on docs.aws.amazon.com/AWSEC2/latest/UserGuide/… ? - ben5556

2 Answers

3
votes

You don't even need to do all of this; just mind a few things. With AWS EC2 you get a private key for the default users, like ec2-user / ubuntu etc.

You are doing the right step:

ssh-keygen -t rsa -C "[email protected]"

If it asks you to enter a passphrase, leave it blank.

Just press Enter to accept the default location and file name. If the .ssh directory doesn't exist, the system creates one for you.

Enter, and re-enter, the passphrase if prompted.

You have that key now.

Copy that key.

  • Log in to your EC2 server.

    sudo su

    vim ~/.ssh/authorized_keys

    paste the key.

    :wq!

You'll see a key there; copy it and save it as a backup somewhere.

Now paste your newly generated key into that file and save the file.

Now the final step to take care of is the permissions, so run the following command:

sudo chmod 700 .ssh && chmod 600 .ssh/authorized_keys

Now you're good to go.

3
votes

Seems like you want to deprecate the old key and use a new key instead. These steps may help you:

  1. Create a new key pair using the AWS console and download it onto your system.

  2. Retrieve the public key from the private key (.pem) file using the command "ssh-keygen -y".

  3. SSH into the instance using the old key.

  4. Once you have access to the instance, add the public key you got in step 2 to the "~/.ssh/authorized_keys" file and then save the file.

  5. Log out of the instance and then try accessing the instance with the new key.

Hope it helps. Thank You !
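As an added example (not from the question or either answer), here is a small POSIX shell helper that carries out the rotation steps described in both answers on the instance itself: it derives the public key from the new .pem with ssh-keygen -y, refuses anything that is not a well-formed OpenSSH public-key line, backs up authorized_keys, appends the key only once, and sets the permissions. The function names are my own choice; the .pem path is whatever you downloaded from the console.

```shell
#!/bin/sh
# Added example: rotate the key in ~/.ssh/authorized_keys on an instance you
# can still reach with the old key. Run on the instance after copying the
# new .pem there (chmod 600 first), then test the new key from a second
# terminal before removing the old line.
set -eu

# Print the public key line for a private key file. A passphrase prompt from
# ssh-keygen -y with a key that never had one usually means the file is not a
# readable private key (empty, truncated, pasted with stray characters), so
# the basic checks below run first.
pubkey_from_pem() {
  pem="$1"
  [ -s "$pem" ] || { echo "empty or missing key file: $pem" >&2; return 1; }
  grep -q 'PRIVATE KEY-----' "$pem" || { echo "not a private key file: $pem" >&2; return 1; }
  ssh-keygen -y -f "$pem"
}

# Accept only "<type> <base64 blob> [comment]" with a known OpenSSH key type.
is_pubkey_line() {
  printf '%s\n' "$1" |
    grep -Eq '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
}

# Append one key line to the given authorized_keys file, idempotently,
# after backing up the existing file and fixing directory/file permissions.
add_authorized_key() {
  keyline="$1"; akfile="$2"
  is_pubkey_line "$keyline" || { echo "refusing malformed key line" >&2; return 1; }
  if [ -f "$akfile" ]; then
    cp -p "$akfile" "$akfile.bak.$(date +%s)"
    # Compare only type + key material, so a different comment is not a "new" key.
    keymat=$(printf '%s' "$keyline" | awk '{print $1" "$2}')
    if awk '{print $1" "$2}' "$akfile" | grep -Fxq "$keymat"; then
      return 0
    fi
  fi
  mkdir -p "$(dirname "$akfile")"
  printf '%s\n' "$keyline" >> "$akfile"
  chmod 700 "$(dirname "$akfile")"
  chmod 600 "$akfile"
}

# Typical use on the instance (newkey.pem is the key pair downloaded from the console):
#   add_authorized_key "$(pubkey_from_pem newkey.pem)" "$HOME/.ssh/authorized_keys"
```

Keep the old line in authorized_keys until a login with the new key has succeeded in a separate session; the timestamped .bak copy lets you restore the file if the edit goes wrong.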