NAMEWITHELD12
asked on
How can I create an instance in AWS that I can log in to with a key OR a username?
How can I have an instance of CentOS in AWS and be able to log in with one user that has a key and another user that will only be able to log in with a username and password?
is this possible?
thanks
This step-through of creating an instance will help; it is not CentOS specific, but it has a good general overview: https://aws.amazon.com/premiumsupport/knowledge-center/create-linux-instance/
Otherwise, this one is CentOS specific; follow the link in the table to directly configure and launch an instance. There is another on CentOS on AWS using Ansible.
https://wiki.centos.org/Cloud/AWS
https://wiki.centos.org/Cloud/Manage/Ansible
In those setups, when a new EC2 instance is created you assign a key pair to be able to log in initially.
https://blog.tinned-software.net/ssh-passwordless-login-with-ssh-key/
For the other user using a password, you will be enabling PasswordAuthentication for the new user to connect remotely.
https://coderwall.com/p/j5nk9w/access-ec2-linux-box-over-ssh-without-pem-file
Just a note: passwords are less secure than certificates and deteriorate the security of your instance. Also, for CentOS 7.x, you can set the root password for EC2 after the first login with your .pem file. After login, just type sudo passwd and it will ask for a new password for the root user.
https://aws.amazon.com/premiumsupport/knowledge-center/set-change-root-linux/
Trying to do what you're attempting can become a nightmare to maintain, if you have many users.
The easy way to do this is just to clone the private keyfile for multiple users, as I'm guessing you're trying to provide a mechanism where multiple users can log in + end up with the same system view or into the same home directory.
Agreed, that guidance is for a single user, for the sake of better understanding what goes on behind the scenes. In fact, you can install only one Amazon EC2 key pair on an instance. So if you want to allow multiple users to log in, they must all have a copy of the private key, which is not a recommended security practice. This is also advised by AWS.
Refer - AWS managing user @ http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/managing-users.html
Consider a personal key set, which is preferred; AWS OpsWorks can advocate this.
For Linux stacks, AWS OpsWorks Stacks provides a simpler and more flexible way to manage SSH key pairs. Refer - AWS managing SSH @ http://docs.aws.amazon.com/opsworks/latest/userguide/security-ssh-access.html
- Each user registers a personal key pair. They store the private key locally and register the public key with AWS OpsWorks Stacks, as described in Registering an IAM User's Public SSH Key.
- When you set user permissions for a stack, you specify which users should have SSH access to the stack's instances. AWS OpsWorks Stacks automatically creates a system user on the stack's instances for each authorized user and installs their public key. The user can then use the corresponding private key to log in, as described in Logging In with SSH.
Using personal SSH keys has the following advantages.
- There's no need to manually configure keys on the instances; AWS OpsWorks Stacks automatically installs the appropriate public keys on every instance.
- AWS OpsWorks Stacks installs only authorized users' personal public keys. Unauthorized users cannot use their personal private key to gain access to instances. With Amazon EC2 key pairs, any user with the corresponding private key can log in, with or without authorized SSH access.
ASKER
OK, I have created a user and modified the sshd_config file, and I am getting this error when attempting to restart the service:
Jun 26 15:25:53 ip-172-31-9-111 systemd[1]: Starting OpenSSH server daemon...
Jun 26 15:25:53 ip-172-31-9-111 sshd[9316]: /etc/ssh/sshd_config line 85: Directive 'ChallengeResponseAuthentication' is not allowed within a Match block
Jun 26 15:25:53 ip-172-31-9-111 systemd[1]: sshd.service: main process exited, code=exited, status=255/n/a
Jun 26 15:25:53 ip-172-31-9-111 systemd[1]: Failed to start OpenSSH server daemon.
Jun 26 15:25:53 ip-172-31-9-111 systemd[1]: Unit sshd.service entered failed state.
Jun 26 15:25:53 ip-172-31-9-111 systemd[1]: sshd.service failed.
ASKER
OK, if I rem out the offending line, I get this:
Jun 26 15:31:43 ip-172-31-9-111 systemd[1]: Starting OpenSSH server daemon...
Jun 26 15:31:43 ip-172-31-9-111 sshd[9340]: /etc/ssh/sshd_config line 96: Directive 'GSSAPICleanupCredentials' is not allowed within a Match block
Jun 26 15:31:43 ip-172-31-9-111 systemd[1]: sshd.service: main process exited, code=exited, status=255/n/a
Jun 26 15:31:43 ip-172-31-9-111 systemd[1]: Failed to start OpenSSH server daemon.
Jun 26 15:31:43 ip-172-31-9-111 systemd[1]: Unit sshd.service entered failed state.
Jun 26 15:31:43 ip-172-31-9-111 systemd[1]: sshd.service failed.
I am so lost, what is going on here?
To end a Match block with OpenSSH 6.5p1 or above, use the line: Match all
ASKER
OK, I give up. I changed the authentication so that all the users need a password to get in.
I think it is not possible to have just some users with passwords and some with a key
ASKER
btan, I don't know what you mean.
I am new to Centos
thanks !!!
Likely best to start with the latest version of your code.
After years of wrestling with RedHat/Fedora/Centos, I switched to Ubuntu + things like major OS updates + even software package updates just work far better... Software upgrades tend to work. Machines tend to survive major OS upgrades + remain bootable.
Independent of what OS distro you choose, pick the latest stable version. This way you can also easily post questions to each software package's discussion forums.
Refer to my previous posting for the easy way to do this.
The most secure way is once you have your instance running, ssh into your instance + create a separate user account for each user + provide them with their own ssh key file.
Then add them to the sudo group, if they require taking admin level actions.
ASKER
thanks
You will need to configure it something like:
PasswordAuthentication no
Match User bob
PasswordAuthentication yes
This means that all users can't log in with a password except the user with the username "bob".