
Creating New Linux Users and Login Keys on Amazon EC2

In my last installment on Amazon Elastic Compute Cloud (EC2), I discussed how to use an SFTP program to transfer files between a local computer and an EC2 instance. This week, in my final installment in this series, I’ll examine how to create new users, and manage their login keys and permissions, from the Linux command line on your EC2 instance.

As discussed previously, Amazon doesn’t use passwords for user management on EC2 instances, but opts instead for public key cryptography. When you launch a new EC2 instance, Amazon asks whether you want to reuse an existing public/private key pair or create a new one. You can also create a new key pair without launching a new instance from the Key Pairs screen of the EC2 Management Console.

You can also create new login key pairs on the Linux command line with the ssh-keygen command. We’ll see how to use this method below.

Creating New Users Associated with a Key Pair

As most readers know, account information for users on Unix variants (including Linux) is stored in the file /etc/passwd. If we look at the /etc/passwd entry for ec2-user, we see that the password field has been x’d out. Usually, this indicates that the password is encrypted in /etc/crypt.

ec2-user:x:222:500:EC2 Default User:/home/ec2-user:/bin/bash

But our EC2 instance isn’t secured by passwords; it is secured by SSH and public key cryptography. If you run the command ls -la in the home directory of ec2-user, you’ll see a hidden directory named .ssh. This directory contains a file called authorized_keys that holds the public half of the key pair associated with the ec2-user account. When you log in, the SSH server checks that the private key you are using with PuTTY corresponds to one of the public keys listed in that file.

So to create a new user and log in as that user with PuTTY, follow these steps.

1. Create a new Linux user with the useradd command. The following command creates a new user and adds it to the ec2-user Linux group (a local group on the instance, not an EC2 security group). You need to run this command with sudo to obtain root permission.

sudo useradd -g ec2-user testuser1

2. Switch to testuser1 using the sudo and su commands.

sudo su testuser1

3. Go to testuser1’s home directory.

cd /home/testuser1

4. Generate a new public/private key pair for this user with the ssh-keygen command. This writes the private key to a file named testuser1 and the matching public key to testuser1.pub in the current directory.

ssh-keygen -b 1024 -f testuser1 -t dsa

5. Create the .ssh/authorized_keys file, copy the public key into it, and give both the directory and the file the appropriate ownership and permissions.

[testuser1@ip-10-112-71-77 ~]$ mkdir .ssh
[testuser1@ip-10-112-71-77 ~]$ chmod 700 .ssh
[testuser1@ip-10-112-71-77 ~]$ cat testuser1.pub > .ssh/authorized_keys
[testuser1@ip-10-112-71-77 ~]$ chmod 600 .ssh/authorized_keys
[testuser1@ip-10-112-71-77 ~]$ chown testuser1:testuser1 .ssh
[testuser1@ip-10-112-71-77 ~]$ chown testuser1:testuser1 .ssh/authorized_keys

6. Download the private key file (named testuser1) using WinSCP (or a similar SFTP application), and convert the private key to a PuTTY .ppk file as previously discussed. You can now log in directly as the user testuser1 to your Amazon EC2 instance.

Once you know how to create users and log in as those users over SSH, you can create multiple user accounts and groups (using the addgroup command), and control logins and permissions on your server. If you are giving access to vendors or others who need only limited permissions on your server, you should configure your groups so that only privileged users can run sudo to obtain root access. You can find more tips for securing your EC2 Linux server on the Amazon AWS Web site.
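The following script is an added example, not code from the original article. It puts the /etc/passwd and authorized_keys explanation above and steps 1 through 6 into reusable shell functions, adds the check an administrator runs when a newly created user "cannot log in" (sshd's StrictModes silently ignores keys whose directory or file permissions are too open), and shows the closing tip about granting sudo to a group rather than to individuals. Assumptions: Linux with GNU coreutils (stat -c), OpenSSH's ssh-keygen and getent, and the user and group names passed in by the caller; create_key_login needs root. The key pair is generated as ed25519 rather than the article's 1024-bit DSA, because OpenSSH 7.0 and later refuse ssh-dss user keys by default.

```shell
#!/bin/sh
# Added example (not from the original article): provision a key-only Linux
# login, verify it the way sshd's StrictModes will, and restrict sudo to a
# group. Assumes GNU stat, OpenSSH ssh-keygen, getent; names come from caller.

# /etc/passwd has 7 colon-separated fields; field 6 is the home directory.
# The ec2-user line quoted in the article is a valid input.
home_from_passwd_line() {
    printf '%s\n' "$1" | cut -d: -f6
}

# Field 2 equal to "x" means no password hash is stored in /etc/passwd itself.
passwd_field_is_shadowed() {
    [ "$(printf '%s\n' "$1" | cut -d: -f2)" = "x" ]
}

# Step 5: install one public key with the ownership and mode sshd expects.
# Only lines starting with an OpenSSH key type are accepted, so a private key
# passed by mistake is rejected instead of being copied into the server.
# owner is optional; pass the new user when running under sudo so the files
# are not left owned by root.
install_authorized_key() {
    home=$1; pubkey_file=$2; owner=$3
    case "$(head -n 1 "$pubkey_file" | cut -d' ' -f1)" in
        ssh-ed25519|ssh-rsa|ssh-dss|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "not an OpenSSH public key: $pubkey_file" >&2; return 1 ;;
    esac
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    cat "$pubkey_file" >> "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    if [ -n "$owner" ]; then
        chown "$owner:$(id -gn "$owner")" "$home/.ssh" "$home/.ssh/authorized_keys"
    fi
}

# With StrictModes (sshd's default) a key is ignored when the home directory
# is group- or world-writable, or ~/.ssh and authorized_keys are too open.
# Returns 0 when all three look right.
check_ssh_perms() {
    home=$1
    home_mode=$(stat -c '%a' "$home")
    [ $(( 0$home_mode & 022 )) -eq 0 ] || return 1
    [ "$(stat -c '%a' "$home/.ssh")" = "700" ] || return 1
    [ "$(stat -c '%a' "$home/.ssh/authorized_keys")" = "600" ] || return 1
}

# Grant sudo to a whole group through a drop-in file instead of handing out
# the instance's original key. sudo requires drop-ins to be mode 0440 and
# skips file names containing a dot. visudo's ownership check needs root.
restrict_sudo_to_group() {
    group=$1; dropin=$2
    printf '%%%s ALL=(ALL) ALL\n' "$group" > "$dropin"
    chmod 440 "$dropin"
    if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
        visudo -cf "$dropin" >/dev/null
    fi
}

# Steps 1-5 end to end; needs root. The private key is written to
# $home/$user and the public key to $home/$user.pub, as with the article's
# ssh-keygen -f usage. -N '' means no passphrase (constructed choice).
create_key_login() {
    user=$1; group=$2
    useradd -m -g "$group" "$user"
    home=$(home_from_passwd_line "$(getent passwd "$user")")
    ssh-keygen -t ed25519 -N '' -C "$user" -f "$home/$user"
    install_authorized_key "$home" "$home/$user.pub" "$user"
    chown "$user" "$home/$user" "$home/$user.pub"
    check_ssh_perms "$home"
    echo "private key to hand to the user: $home/$user"
}

# Usage (as root): sh provision.sh testuser1 ec2-user
if [ "$#" -eq 2 ]; then
    create_key_login "$1" "$2"
fi
```

When a user reports that key login fails, run check_ssh_perms on their home directory before anything else; a home directory made group-writable "for convenience" is the usual cause, and sshd logs only a terse "Authentication refused: bad ownership or modes" in /var/log/secure.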


    2 Comments

    1. Great article! Saved me a bit of time allocating server access for outside consultants, rather than using the original private key (which is root!).

      Minor typos in your use of testuser1 (2, 3, 4). I assumed you meant only one testuser == testuser1.

      Also I think the chown (last 2 steps) was not needed, since you’re already doing a sudo.


    2. Jay,

      Excellent and helpful set of articles.

      The one answer I didn’t see is how to ensure that the EC2 instance survives shutdown/reboot. AFAIK, when an Instance stops, the default ‘local’ disk is destroyed. If that’s true, then we’ll have to go through the entire process again when we start up a new instance.

      Could you comment on this, and perhaps provide some guidance?
