I'm going to keep this quick. A friend of mine's dev locked him out of his EC2. Now I'm not familiar with Amazon EC2, but I've set up my fair share of keypairs.

Note: I will get the PEM/PPK (private key) from the dev, but I'm going to need to lock him out.

The question I'm posing is the proper process of creating a new pair. I noticed in the control panel you can generate a new private key. So..

1.) Where is the public key? I need to add it to .ssh/authorized_keys, but where is it?

2.) What account does the public key go to when generated from the panel?

3.) Can I disable keypairs for the moment to get proper access to make sure the key isn't refused with EC2?

I might have left something out here, an EC2 "gotcha". Any insight on this matter would be greatly appreciated.

Cheers.

wesside

2 Answers

You can't add new key pairs to existing instances like that.

If you're well and truly locked out of an instance, your best option is shutting it down (not terminating!), unattaching its EBS root volume, attaching that root volume to another instance, and adding your public key in the right spot on that new instance. Reattach to the original instance and start it back up and you've got access.

ceejayoz
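
The last step of the recovery described above (putting your public key "in the right spot" on the mounted root volume), as an added example that is not part of the original answer. It assumes the detached volume is mounted on the rescue instance at a path such as `/mnt/rescue` and that the login account's home is `home/ubuntu`; those paths and the function names are assumptions.

```shell
#!/bin/sh
# Run on the rescue instance once the detached root volume is mounted.
# Mount point and home path are assumptions. To get the public half of a
# private key you hold:  ssh-keygen -y -f key.pem > new.pub

# List every authorized_keys file on the mounted volume, so that no other
# account keeps a key you did not put there.
list_authorized_keys() {
    find "$1" -type f -path '*/.ssh/authorized_keys*' 2>/dev/null | sort
}

# Replace HOME_REL/.ssh/authorized_keys on the mounted volume with one key.
# usage: install_key MOUNT_POINT HOME_REL PUBKEY_FILE
install_key() {
    home=$1/$2
    pub=$3
    ak=$home/.ssh/authorized_keys
    [ -d "$home" ] || { echo "no home directory at $home" >&2; return 1; }
    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }
    # Accept exactly one line that looks like an OpenSSH public key.
    [ "$(wc -l < "$pub")" -le 1 ] || { echo "expected one key" >&2; return 1; }
    case "$(cat "$pub")" in
        ssh-rsa\ AAAA*|ssh-ed25519\ AAAA*|ecdsa-sha2-*\ AAAA*) ;;
        *) echo "not an OpenSSH public key: $pub" >&2; return 1 ;;
    esac
    # Numeric ids (GNU stat): the rescue host's /etc/passwd is a different one.
    owner=$(stat -c '%u:%g' "$home") || return 1
    mkdir -p "$home/.ssh" || return 1
    # Keep the old file for the record under a name that sshd's default
    # configuration does not read.
    if [ -f "$ak" ]; then
        mv "$ak" "$ak.replaced" && chmod 600 "$ak.replaced" || return 1
    fi
    # Overwrite rather than append: appending would leave the old key valid.
    cat "$pub" > "$ak" || return 1
    # sshd's StrictModes refuses keys in group- or world-writable locations.
    chmod 700 "$home/.ssh" && chmod 600 "$ak" || return 1
    chown "$owner" "$home/.ssh" "$ak" || return 1
}

# Example (constructed paths):
#   install_key /mnt/rescue home/ubuntu ./new.pub
#   list_authorized_keys /mnt/rescue
```

Run `list_authorized_keys` before unmounting and repeat `install_key` for any other account whose key file it reports.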

I'll answer your specific questions below, but the Amazon getting started guide might be a handy general resource for you or your friend. (Unlike most of the online documentation I'm used to, it's actually pretty good.)

1.) Where is the public key? I need to add it to .ssh/authorized_keys, but where is it?

On the instance itself.

Alternate answer with slightly more of a walkthrough.

2.) What account does the public key go to when generated from the panel?

EC2 key pairs are instance-specific, so it doesn't go to an Amazon account, it goes to an EC2 instance. If you mean which machine account, root.

3.) Can I disable keypairs for the moment to get proper access to make sure the key isn't refused with EC2?

Nope. EC2 uses certificate-based authentication only.

From Amazon's EC2 "getting started" guide:

Under Choose a Key Pair, you can choose from any existing key pairs you already created, or you can create a new one. For this example, we’ll create a key pair:

Important

Do not select the None option. If you launch an instance without a key pair, you can't connect to your instance.

HopelessN00b
  • Alright so, I had created a secondary private key in the control panel, tried to connect with it and it refused it every time. – wesside Aug 31 '12 at 04:15
  • Isn't always root that gets the keypair. On Ubuntu instances it's the ubuntu user. – ceejayoz Aug 31 '12 at 04:15
  • @wes Doesn't work that way. Keypairs are attached to an instance on creation. You can't add one after the fact. – ceejayoz Aug 31 '12 at 04:18
  • So does it automatically add it to the authorized_keys? – wesside Aug 31 '12 at 04:18
  • Ah I see, so when I do make an additional in the panel, HopelessN00b said it goes to the instance, but where on the instance? – wesside Aug 31 '12 at 04:19
  • Adding a keypair in the EC2 console doesn't do anything to existing instances. It only makes it available if you want to launch a new instance. When you create an instance, you select a keypair. There's no way to have EC2 edit `authorized_keys` on your behalf post-creation. – ceejayoz Aug 31 '12 at 04:20
  • Alright, so I need to change it. I'll generate the public key from the private key when I get on the server. From this article, I hear you can generate a new key/pair instance on restart, is this as easy as it sounds? – wesside Aug 31 '12 at 04:23
  • Oh no, don't get me wrong. I plan on editing it myself. – wesside Aug 31 '12 at 04:24