Ubuntu 16.04 allows ssh login with AWS users, but only when using private key.
mclounie opened this issue · 9 comments
Operating System: (Ubuntu 16.04)
AWS CLI Version: (aws-cli/1.11.13 Python/3.5.2 Linux/4.4.0-1020-aws botocore/1.4.70)
I cannot seem to get your program to work. Here are the steps i followed:
- Fresh Ubuntu instance using AWS AMI, apt-get update, apt-get upgrade, installed awscli.
- Attached your pre-made IAM role to it along with another role allowing 22 among other ports.
- Retrieved public key from instance via ~/.ssh/authorized_keys and uploaded successfully to IAM user.
- As root, ran install.sh with no flags which returned
Cloning into 'aws-ec2-ssh'... remote: Counting objects: 394, done. remote: Compressing objects: 100% (21/21), done. remote: Total 394 (delta 17), reused 38 (delta 13), pack-reused 350 Receiving objects: 100% (394/394), 177.13 KiB | 0 bytes/s, done. Resolving deltas: 100% (199/199), done. Checking connectivity... done. Can not import IAM user **REMOVED** User name is longer than 32 characters. Can not import IAM user **REMOVED** User name is longer than 32 characters.
- All users on AWS account were created successfully in /home/*
- I can ssh into the instance with each user but only if I use "-i" with the private key.
I have tried different ssh flags to ignore the lack of key to no avail.
As a side note, your blog has great stuff! Has helped me many a time.
Hi @mclounie What is the IAM user name you use?
michael.clounie
ok. that's fine.
can you show me the ssh command you are using? why do you think that it is an issue if you have ot provide the private key with the ssh -i option? What behaviour are you expecting?
ssh -i ~/.ssh/key.pem michael.clounie@ec2-xx-x-x-xxx.us-xxxx-1.compute.amazonaws.com
I think that answers my question though. I saw step five under install via install.sh script which made me think that you could login without the ssh key simply by pulling it for each user from IAM when needed.
Install via install.sh script
- Connect to the EC2 instance via ssh $Username@$PublicName with $Username being your IAM user, and $PublicName with the stack's output
You would need to load the public key into your IAM user using the IAM console or aws iam upload-ssh-public-key. This is the same requirement as using ssh with AWS CodeCommit.
Once you have the public key for your corresponding private key loaded, can you let the group know if things are working as expected?
@mclounie any news in this issue?
I meant to imply resolution in that last comment apologies.
As i understand it, with this program the user still needs to ssh with the ' -i ' flag followed by the key-pair that was uploaded to IAM, and added as a trusted public key (via your program) to the server itself.
At first glance I thought that your program could allow a user to ssh into an instance without a keypair. For instance, ssh checks the user's aws cli config locally, verifies that he has a trusted key on the server, and finally allows him to ssh simply with 'michael.clounie@ec2-us-west-xxxxxxx' rather than with a keypair.
If this is the case please let me know I'd love to have that.
In any case the program has proven most useful regardless of this feature. Thanks!
you can configure the default location of your key. in this case, you don't have to specify the -i flag. But you always need a key to login with this solution.
Ok I thought so thanks.