Reputation: 33
Situation: So basically I have an EC2 instance, and to log in to the EC2 instance I first log in to a jump server and then log in to my instance with its private IP. All my .pem files are stored inside the jump server and in the private instance (EC2 instance).
What I have done: I have edited the sshd_config file, changing "PasswordAuthentication no" to "PasswordAuthentication yes", and created a password like "xyz123". Now I am able to log in to my machine with
ssh ubuntu@ipaddress and password: xyz123
but this does not resolve my open item.
What I am looking for: actually I used to share my .pem file with my team members to access the instance. If I enable password authentication with the IP, they can still log in with username and password, and if they leave my org while they still have my .pem file handy, they can still access my instance with the .pem file or the password.
What is the best way to avoid this problem?
Will Active Directory help here, or will LDAP help here? If so, how?
Please help me with my queries.
Upvotes: 1
Views: 364
Reputation: 2184
The best solution now is to use AWS Systems Manager Session Manager. This requires no .pem sharing: SSH access directly from the browser. I am using this and I have not found any issues. Also, entire sessions can be audited.
Otherwise, rotate your key pairs, but I am not sure if there is an AWS way to do it. Also, follow best practices by configuring security groups to open only to known IPs instead of the whole world.
Upvotes: 1
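As an added example, not part of the answer above or of the question: the manual alternative to Session Manager that the answer's "rotate your key pairs" hints at. Each person gets their own key pair and sends only the public half, the instance's authorized_keys holds one line per person, and offboarding becomes deleting that one line instead of rotating a shared .pem for everyone. A fourth function checks the sshd_config setting the question changed. The POSIX shell functions, file paths and the key strings in the demo are assumptions and constructed placeholders (not real keys):

```sh
#!/bin/sh
# Added example (not code from the thread): per-person SSH keys on an EC2 host.
# Each team member generates their own key pair; the instance's authorized_keys
# holds one line per person, and offboarding is "delete that person's line",
# not "rotate the shared .pem for everyone". Paths and key strings are
# assumptions/constructed placeholders.
set -u

# Append one public-key line, prefixed with options that deny port, agent and
# X11 forwarding so the key is only good for a shell on this host.
add_user_key() {   # add_user_key <authorized_keys> "<type> <base64> <comment>"
    ( umask 077
      printf 'no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' "$2" >> "$1" )
}

# Number of lines whose trailing comment (last field) is exactly <comment>.
key_lines_for() {  # key_lines_for <authorized_keys> <comment>
    [ -f "$1" ] || { echo 0; return; }
    awk -v c="$2" '$NF == c { n++ } END { print n + 0 }' "$1"
}

# Remove every line for <comment>; rewrites the file in place (same inode, so
# ownership and mode are kept, which sshd's StrictModes cares about).
revoke_user_key() { # revoke_user_key <authorized_keys> <comment>
    tmp=$(mktemp) || return 1
    awk -v c="$2" '$NF != c' "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Effective PasswordAuthentication for the global section of sshd_config:
# sshd honours the first occurrence, and OpenSSH's default is "yes", so a
# commented-out line still means passwords are accepted. Parsing stops at the
# first Match block; `sshd -T` is the authoritative, Match-aware check.
password_auth_setting() { # password_auth_setting <sshd_config>
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "passwordauthentication" { print tolower($2); found = 1; exit }
         END { if (!found) print "yes" }' "$1"
}

# Walkthrough on constructed files (the key bodies are not real keys).
demo() {
    d=$(mktemp -d)
    : > "$d/authorized_keys"
    add_user_key "$d/authorized_keys" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedAlice alice@example.org"
    add_user_key "$d/authorized_keys" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedBob bob@example.org"
    echo "bob before offboarding: $(key_lines_for "$d/authorized_keys" bob@example.org) key(s)"
    revoke_user_key "$d/authorized_keys" bob@example.org
    echo "bob after offboarding:  $(key_lines_for "$d/authorized_keys" bob@example.org) key(s)"
    echo "alice still present:    $(key_lines_for "$d/authorized_keys" alice@example.org) key(s)"
    printf '#PasswordAuthentication no\nPasswordAuthentication yes\n' > "$d/sshd_config"
    echo "effective PasswordAuthentication: $(password_auth_setting "$d/sshd_config")"
    rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh keys.sh demo` to see the constructed walkthrough. On a real host point the functions at ~ubuntu/.ssh/authorized_keys and /etc/ssh/sshd_config, set PasswordAuthentication back to no, and confirm with `sudo sshd -T | grep -i passwordauthentication`, which also accounts for Match blocks. Each person runs ssh-keygen on their own machine; the private key never has to exist on the jump server, so leaving the org removes access as soon as their line is gone.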
Reputation: 354
Here you can convert your jump server into an SSH bastion server. This can be done by setting up iptables rules on this server. Below is an example of a rule which you can set up:
iptables -t nat -A PREROUTING -d xx.xx.xx.xx -p tcp --dport yyyy -j DNAT --to zz.zz.zz.zz:22
Here xx.xx.xx.xx is the private IP of the SSH bastion server, yyyy is the port which will be used for inbound access, and zz.zz.zz.zz is the private IP of the destination server. This rule simply means that when you SSH into the bastion on port yyyy, the traffic is port-forwarded to port 22 on the zz.zz.zz.zz machine.
In this case you will only have to configure the SSH public key on the destination machine (zz.zz.zz.zz), and the client machine will have the private key. The command to connect from the client machine will be ssh -i <path-to-private-key> username@BastionPublicIP -p yyyy
Below are the ports to be opened in the security groups:
I suggest you use an Amazon Linux AMI for the SSH bastion server.
Upvotes: 0
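As an added example that is not part of the answer above: the single DNAT rule together with the pieces it needs around it on the bastion, written as a dry-run generator that root on the bastion can pipe to sh. DNAT by itself is not enough: the kernel must be allowed to forward, the FORWARD chain must accept the flow, and the forwarded packets have to be SNATed to the bastion's own address, otherwise the destination replies straight to the client's public IP (through a NAT gateway, or not at all) and the TCP handshake never completes. The helper functions and the addresses and port in the test are assumptions matching the answer's placeholders:

```sh
#!/bin/sh
# Added example (not code from the answer): everything the DNAT one-liner needs
# around it on the bastion, as a dry-run generator. Placeholders follow the
# answer: bastion private IP, inbound port, destination private IP.
# Why more than one rule: the bastion must be allowed to forward at all
# (ip_forward), its FORWARD chain must accept the flow, and the forwarded
# packets must be SNATed to the bastion's address so the destination's replies
# come back through the bastion instead of going to the client's public IP.
set -u

valid_ipv4() {   # dotted quad, each octet 0-255
    printf '%s\n' "$1" | awk -F. 'NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 } { exit 1 }'
}

valid_port() {   # 1-65535
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the commands for one client-port -> destination:22 forward. Nothing is
# executed here; pipe the output to sh on the bastion (as root) to apply it.
bastion_forward_rules() {  # bastion_forward_rules <bastion_private_ip> <inbound_port> <dest_private_ip>
    b=$1; p=$2; d=$3
    valid_ipv4 "$b" && valid_port "$p" && valid_ipv4 "$d" || {
        echo "usage: bastion_forward_rules <bastion_private_ip> <port 1-65535> <dest_private_ip>" >&2
        return 1
    }
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -d $b -p tcp --dport $p -j DNAT --to-destination $d:22
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp -d $d --dport 22 -m conntrack --ctstate NEW -j ACCEPT
iptables -t nat -A POSTROUTING -p tcp -d $d --dport 22 -j SNAT --to-source $b
EOF
}

case "${1:-}" in
    --print) shift; bastion_forward_rules "$@" ;;   # show the rules only
    --apply) shift; bastion_forward_rules "$@" | sh -e ;;  # run them (root)
esac
```

`sh bastion.sh --print 10.0.0.10 2222 10.0.1.20` shows the rules; `--apply` runs them. Two things the rule set does not do for you: the security groups still need the bastion to accept port yyyy only from known client IPs, and the destination to accept port 22 from the bastion (after SNAT the source seen by the destination is the bastion's private IP); and iptables rules are not persistent across reboots, so save them with iptables-save to wherever your AMI restores from. Note that with this design sshd on the bastion never has to accept the team's keys at all, so no private key needs to be stored on the jump server.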