Reputation: 146
Thank you for your time.
I have an EC2 instance, but for security reasons I need to change the pem files associated with .ssh/authorized_keys. I do understand that the public pem file goes into authorized_keys.
I do not want to mount the volume of the EC2 instance on a new one. I am considering that only as a last option, since I do have access to the EC2 instance.
How can this be done?
I have tried the answer by Pat Mcb in this post, Change key pair for ec2 instance, but no luck:
Run this command after you download your AWS pem.
ssh-keygen -f YOURKEY.pem -y
Then dump the output into authorized_keys.
Or copy pem file to your AWS instance and execute following commands
chmod 600 YOURKEY.pem and then
ssh-keygen -f YOURKEY.pem -y >> ~/.ssh/authorized_keys
But that didn't work for me. If I follow it exactly (download the AWS key pair key, follow the instructions by copying the key after SSHing into the instance), then when I run ssh-keygen -f YOURKEY.pem -y >> ~/.ssh/authorized_keys it asks for a passphrase (I never had to input one).
What I am doing is the following. I create a new key with ssh-keygen newpem.pem
and I copy the .pub file into .ssh/authorized_keys.
Can someone explain what I am doing incorrectly? Note the authorized_keys file has the correct permissions.
Upvotes: 2
Views: 8648
Reputation: 75
Okay, I figured out my problem. First of all, I had been hacked by a hacker, apparently because I didn't know that permitpasswordlogin: yes DISABLES pubkey authentication.... I thought it was additional security. So I used a very loose password that could be easily guessed. Anyways, I believe this because I went to the root folder and found that there was actually a new key in the root named "el patrono 1337", which actually means "the master/boss" in Spanish... LOL. Anyways... So I changed that back to my secure key (made a new one actually) and then I went to log in as ec2-user and couldn't, but could as root. It was driving me crazy for 30 minutes or so until I realized I had accidentally changed the owner of my ec2-user folder to root, and therefore ssh was not searching the ec2-user .ssh/authorized_keys when I tried to log in. Wow, very glad that's over lol. And just FYI guys, I don't think the hacker installed anything malicious, but I did get tipped off that he tried to ssh into other people's servers (who claim they get attacked by ssh a lot, according to the AWS abuse report) from my machine. I'm running a very simple website with zero sensitive data etc. He didn't even lock me out of the machine by disabling password authentication (I guess he didn't want me to know?). I will build a new instance from scratch next time I want to add anything (will be pretty soon), just to be on the safe side.
Upvotes: 0
Reputation: 1895
Following are the steps to change your keypair on AWS EC2.
Login to AWS Console. Go to the Network and Security >> Keypair.
Give the name of your keypair (mykeypair), the key type (RSA) and the private key format (.pem), and click on Create key pair. It will ask you to download the .pem file to your local machine. Save it and remember the location.
Log in to your EC2 instance and go to the .ssh location. Create a new file called mykeypair.pem and paste in the content of the file we downloaded in step 2.
Run the command: sudo chmod 600 mykeypair.pem
Run the command: ssh-keygen -f mykeypair.pem -y
and it will generate some content. Copy that content. Open the file called authorized_keys and remove all the content from it.
Paste the content that we generated in the previous step. Also enter your file name (mykeypair) at the end, after a space.
Upvotes: 0
Reputation: 976
You don't even need to do all of this; just mind a few things. With AWS EC2 you get a private key for the default users, like ec2-user, ubuntu, etc.
You are doing the right step
ssh-keygen -t rsa -C "[email protected]"
If it asks you to enter a passphrase, leave it blank.
Just press Enter to accept the default location and file name. If the .ssh directory doesn't exist, the system creates one for you.
Enter, and re-enter, the passphrase if prompted.
You have that key now.
Copy that key
Log in to your EC2 server.
sudo su
vim ~/.ssh/authorized_keys
paste the key.
:wq!
You'll see a key there copy it and save it as a backup somewhere.
Now paste your newly generated key in that file
and save the file.
Now the final step to take care of is the permissions, so run the following command.
sudo chmod 700 .ssh && chmod 600 .ssh/authorized_keys
Now you're good to go.
Upvotes: 4
Reputation: 362
Seems like you want to deprecate the old key and use a new key instead. These steps may help you -
Create a new key pair using the aws console and download it onto your system.
Retrieve the public key from the private key (.pem) file using the command "ssh-keygen -y".
SSH into the instance using the old key.
Once you have access to the instance, add the public key you got in step 2 to the "~/.ssh/authorized_keys" file and then save the file.
Log out of the instance and then try accessing the instance with the new key.
Hope it helps. Thank you!
Upvotes: 8
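The answers above all follow the same procedure (derive the public key from the .pem with ssh-keygen -y, put it in ~/.ssh/authorized_keys, fix permissions), and the question's passphrase prompt is the symptom ssh-keygen -y gives when the file it is handed does not parse as an unencrypted private key. The script below is an added example, not code from the question or any of the answers: it checks the .pem header before calling ssh-keygen, installs the new public key without deleting the old one, backs up authorized_keys, enforces the 700/600 modes sshd requires, and only removes the old key as a separate step once the new login has been verified. The .ssh path argument and the key lines in the usage comments are constructed placeholders; pem_is_private_key, install_authorized_key and the other function names are this example's own.

```shell
#!/bin/sh
# Added example for rotating an EC2 login key in ~/.ssh/authorized_keys.
# Not from the original question or answers; function names and sample values are
# this example's own assumptions. Run on the instance as the user being rotated.
set -eu

# ssh-keygen -y prompts for a passphrase whenever the file is not a parseable
# unencrypted private key (for example a public key or a mangled paste), so
# check the PEM header first to get a clear error instead of a prompt.
pem_is_private_key() {
    head -n 1 "$1" | grep -q -- '-----BEGIN .*PRIVATE KEY-----'
}

# Derive the authorized_keys line from the private key (wrapper around ssh-keygen -y).
pubkey_from_pem() {
    pem_is_private_key "$1" || { echo "not a private key file: $1" >&2; return 1; }
    ssh-keygen -y -f "$1"
}

# Minimal shape check on an authorized_keys entry: key type, base64 blob, optional comment.
pubkey_line_ok() {
    printf '%s\n' "$1" |
        grep -Eq '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
}

# Add a public key line to $1/authorized_keys (idempotent), keeping a timestamped
# backup and the 700/600 modes sshd insists on. Existing keys are left in place so
# the old login keeps working until the new one is confirmed.
install_authorized_key() {
    sshdir=$1; line=$2
    pubkey_line_ok "$line" || { echo "malformed key line" >&2; return 1; }
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    ak="$sshdir/authorized_keys"
    [ -f "$ak" ] && cp -p "$ak" "$ak.bak.$(date +%Y%m%d%H%M%S)"
    # Match on the key blob (field 2) so a changed comment does not create a duplicate.
    blob=$(printf '%s\n' "$line" | awk '{print $2}')
    if [ -f "$ak" ] && awk -v b="$blob" '$2==b{found=1} END{exit !found}' "$ak"; then
        echo "key already present"
    else
        printf '%s\n' "$line" >> "$ak"
    fi
    chmod 600 "$ak"
}

# Remove one key (matched by blob) from $1/authorized_keys. Run this only after a
# second session has logged in successfully with the new key.
remove_authorized_key() {
    ak="$1/authorized_keys"
    blob=$(printf '%s\n' "$2" | awk '{print $2}')
    awk -v b="$blob" '$2!=b' "$ak" > "$ak.tmp" && mv "$ak.tmp" "$ak"
    chmod 600 "$ak"
}

# Number of active (non-comment) entries, useful for a before/after check.
count_authorized_keys() {
    grep -c '^[^#]' "$1/authorized_keys"
}

# Typical rotation (placeholder paths, not run here):
#   NEW=$(pubkey_from_pem /path/to/new-key.pem)     # fails loudly on a bad file
#   install_authorized_key "$HOME/.ssh" "$NEW"      # old key still works
#   ... log in from another terminal with new-key.pem, then:
#   remove_authorized_key "$HOME/.ssh" "$OLD_LINE"
```

Keeping the old entry until a fresh login with the new key succeeds is the point of splitting install and remove: wiping authorized_keys first and pasting the new key, as one answer describes, leaves no way back in if the paste is wrong, the ownership of the home directory is off, or the modes are not 700/600.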