the lost logbook

Utkarsh's mind.random() on Programming, India and Startups

Manage multiple Linux Users on 1 Amazon EC2 Instance


In an organization of, say, 5 people, you sometimes need to give several of them access to the same EC2 instance. Sharing one private key and one password between 5 users is definitely not a good idea!

So how do you fix this? You create multiple accounts on the Linux EC2 instance and generate a key pair for each individual account. Here is how you do it:

Step 0. Log in as the default user, “ec2-user”:

static-9:ec2_thelostlogbook utkarsh$ ssh -i my_key.pem ec2-user@111.111.11.111

Step 1. Create a new user; we will call our new user “john”:

[ec2-user@ip-11-111-111-111 ~]$ sudo adduser john

Set a password for “john”:

[ec2-user@ip-11-111-111-111 ~]$ sudo su
[root@ip-11-111-111-111 ec2-user]$ passwd john

Add “john” to the sudoers list:

[root@ip-11-111-111-111 ec2-user]$ visudo

and add this as the last line:

john   ALL = (ALL)    ALL

Alright! We have our new user created; now you need to generate the key file that will be needed to log in, like my_key.pem in Step 0.

Now exit the root shell and go back to ec2-user.

Step 2. Creating the public and private keys:

[ec2-user@ip-11-111-111-111 ~]$ su john

Enter the password you created for “john” in Step 1.

[john@ip-11-111-111-111 ec2-user]$ cd /home/john/
[john@ip-11-111-111-111 ~]$ ssh-keygen -b 1024 -f john -t dsa
[john@ip-11-111-111-111 ~]$ mkdir .ssh
[john@ip-11-111-111-111 ~]$ chmod 700 .ssh
[john@ip-11-111-111-111 ~]$ cat john.pub > .ssh/authorized_keys
[john@ip-11-111-111-111 ~]$ chmod 600 .ssh/authorized_keys
[john@ip-11-111-111-111 ~]$ sudo chown john:ec2-user .ssh

In the above step, john is the user we created and ec2-user is the default user's group.

[john@ip-11-111-111-111 ~]$ sudo chown john:ec2-user .ssh/authorized_keys

Step 3. Now you just need to download the key called “john”.

I use scp to download/upload files from EC2; here is how you can do it:

You will still need to copy the file as ec2-user, since that is the only user you have a key for on your local machine. So you need to move the key into ec2-user's home folder and chmod it to 777.

[john@ip-11-111-111-111 ~]$ sudo cp john /home/ec2-user/
[john@ip-11-111-111-111 ~]$ sudo chmod 777 /home/ec2-user/john

Now go to your local machine's terminal, where you have the my_key.pem file, and run this:

static-9:ec2_thelostlogbook utkarsh$ scp -i my_key.pem ec2-user@111.111.11.111:/home/ec2-user/john john

The above command copies the key “john” into the current working directory on your local machine. Once you have copied the key to your local machine, delete “/home/ec2-user/john” on the instance, since it is a private key.

Now, on your local machine, chmod john to 600.

static-9:ec2_thelostlogbook utkarsh$ chmod 600 john

Step 4. Time to test your key:

static-9:ec2_thelostlogbook utkarsh$ ssh -i john john@111.111.11.111

So, in this manner, you can set up multiple users on one EC2 instance!
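As an added example (not the post's own commands), here is a small POSIX sh script that does the authorized_keys part of Step 2 with the checks a practitioner would want: it refuses to install a private key by mistake, appends rather than overwrites, keeps the 700/600 modes that sshd's StrictModes requires, and gives the directory to the user's own group rather than ec2-user. The function names, the throwaway home directory and the key blob are constructed for this example; it assumes only sh, grep, ls, cut and mktemp.

```shell
#!/bin/sh
# Added example, not from the original post: install a user's public key as Step 2 does,
# with the checks a reviewer would want. Assumes POSIX sh plus grep, ls, cut and mktemp.
set -eu

# Succeeds if $1 is one OpenSSH public-key line: key type, base64 blob, optional comment.
is_pubkey_line() {
    printf '%s\n' "$1" |
      grep -Eq '^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( [^ ]+)?$'
}

# Succeeds if file $1 holds a private key (the post copies one around; never install that).
is_private_key_file() {
    grep -q 'PRIVATE KEY' "$1"
}

# install_authorized_key HOME_DIR USER PUBKEY_FILE: .ssh is 0700, authorized_keys 0600.
install_authorized_key() {
    home="$1"; user="$2"; pub="$3"
    if is_private_key_file "$pub"; then
        echo "refusing: $pub is a private key, not a public key" >&2; return 1
    fi
    key="$(head -n 1 "$pub")"
    if ! is_pubkey_line "$key"; then
        echo "refusing: $pub is not an OpenSSH public-key line" >&2; return 1
    fi
    umask 077                      # new files start owner-only (persists in this shell)
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys" && chmod 600 "$home/.ssh/authorized_keys"
    # Append (>>) rather than overwrite (>), and skip a key that is already present.
    grep -qxF "$key" "$home/.ssh/authorized_keys" || printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
    # The post chowns to john:ec2-user; the user's own group is the safer default. Only
    # chown when running as root and the account exists, so the demo also runs unprivileged.
    if [ "$(id -u)" -eq 0 ] && id "$user" >/dev/null 2>&1; then
        chown -R "$user:$user" "$home/.ssh"
    fi
}

# Succeeds if the modes are exactly 0700 / 0600; sshd's StrictModes rejects looser ones.
ssh_perms_ok() {
    [ "$(ls -ld "$1/.ssh" | cut -c1-10)" = "drwx------" ] &&
    [ "$(ls -l "$1/.ssh/authorized_keys" | cut -c1-10)" = "-rw-------" ]
}

# Constructed demo in a throwaway home directory; the key blob below is fake, not a real key.
DEMO_HOME="$(mktemp -d)"
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5ConstructedFakeBlobForDemo0123456789 john@example\n' > "$DEMO_HOME/john.pub"
install_authorized_key "$DEMO_HOME" john "$DEMO_HOME/john.pub"
install_authorized_key "$DEMO_HOME" john "$DEMO_HOME/john.pub"   # second run must not add a duplicate
```

Run as root on the instance with /home/john as HOME_DIR to also set ownership. If the key pair is generated on your local machine and only the .pub uploaded, the private key never has to sit world-readable in /home/ec2-user as in Step 3.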

PS: Please post your comments if you find any error.

Written by Utkarsh

January 6th, 2011 at 7:11 pm

22 Responses to 'Manage multiple Linux Users on 1 Amazon EC2 Instance'


  1. Hi Utkarsh,

    I’m curious – what’s the takeup of AWS and Cloud Computing in India? We just launched a Cloud Management Platform – digitalmines.com – and I’m interested in exploring opportunities …

    -Ed

    Ed Byrne

    9 Jan 11 at 2:03 pm

  2. Well, I feel AWS is still a little expensive from Indian perspective. But it is definitely the future of hosting. This Quora thread may help: http://b.qr.ae/fzUZTY

    Utkarsh

    15 Jan 11 at 11:41 am

  3. Awesome post- very helpful. Thanks again for posting. It’s flawless!

    Anna

    25 May 11 at 12:57 pm

  4. Hi. For the last command in step 2. I am prompted for a password. I entered the one I set for the user and I get this error:

    “ is not in the sudoers file. This incident will be reported.”

    I did not set a password on my account, so I try entering nothing, but it asks me to try again.

    How am I supposed to know what password to use to execute that sudo command?

    Thanks

    Pan

    9 Jul 11 at 4:21 pm

  5. You need to add the user to the sudoer’s file, which can be done like this: visudo and then add “john ALL = (ALL) ALL” at the end.

    Be very careful while editing this file.

    Utkarsh

    13 Jul 11 at 3:53 pm

  6. I have followed the steps above and when I do the final login via ssh I get the following:

    OpenSSH_5.2p1, OpenSSL 0.9.8r 8 Feb 2011
    debug1: Reading configuration data /etc/ssh_config
    debug1: Connecting to —-removed——– port 22.
    debug1: Connection established.
    debug1: identity file —removed—l type -1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
    debug1: match: OpenSSH_5.3 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_5.2
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-ctr hmac-md5 none
    debug1: kex: client->server aes128-ctr hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Host '—removed—' is known and matches the RSA host key.
    debug1: Found key in /Users/–removed–/.ssh/known_hosts:5
    debug1: ssh_rsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey
    debug1: Next authentication method: publickey
    debug1: Trying private key: –removed–
    debug1: read PEM private key done: type DSA
    debug1: Authentications that can continue: publickey
    debug1: No more authentication methods to try.
    Permission denied (publickey).

    All the –removed– entries are actual values. Removed to protect the system and myself.

    What is going wrong and stopping me from connecting?

    Thank you in advance

    Al Methot

    30 Sep 11 at 11:39 pm

  7. This can be caused due to any one of these:

    When you do: ssh -i john john@111.111.11.111
    1. Make sure there is a file named john, i.e. the above command will read:

    ssh -i /path/to/private/key your_id@your-server-ip

    Or

    2. Make sure you are using the correct private key.

    Utkarsh

    1 Oct 11 at 12:36 am

    The issue was that the file name for the private key had a dash. Thanks for narrowing the issue down to the key file.

    Al Methot

    2 Oct 11 at 4:26 pm

  9. This is just what I needed. Thanks!

    akhatib

    6 Nov 11 at 11:47 am

  10. Thought I’d share the official article regarding this: http://aws.amazon.com/articles/1233

    Zane Matthew

    19 Dec 11 at 3:07 pm

    How would I create just a user and limit his permissions to one directory and nothing else? He just needs to upload/modify site files.

    thanks

    Luke

    14 May 12 at 2:08 pm

  12. Thanks! That’s very helpful!
    I return here each time to be sure I do every step right.

    mdob

    14 Jun 12 at 7:29 am

  13. Thank you so much. Finally instructions that work, all the best to you.

  14. Thanks for the tutorial. Very helpful. I now get permission denied when I try to scp to /var/www/html. I tried adding the new user to a group but it won’t let me. I can add ec2-user to a group and root to a group, but the new user won’t update. Any suggestions?

    Spencer

    31 Jul 12 at 4:31 pm

  15. Fantastic tutorial!
    Thank you, made my day!

    Mike

    1 Oct 12 at 11:04 am

  16. How do I get SFTP without a key file???
    I need to connect Dreamweaver…

    dave

    20 Feb 13 at 6:53 am

  17. Thanks Utkarsh, works like a champ!

    hamid

    27 Feb 13 at 5:13 pm

  18. Great tutorial. Here are some notes for Windows Putty users:

    1. Copy “john” key file to local pc from /home/ec2-user/ from Step 3 above. I used WinSCP.
    2. Rename the file to john.pem on your local machine
    3. Use PuttyGen to convert the pem file to ppk format.
    4. Using Putty, set Connection/SSH/Auth to point to john.ppk, point to your server IP, Open
    5. User is: john

    Voilà!

    erok210

    26 May 13 at 4:18 am

  19. Nice! Very useful. Saved me a bunch of time creating users on my micro instance. I was getting confused with IAM.

    Boni

    4 Jul 13 at 6:05 pm

  20. Hello! Thanks for the tips. Just a quick comment: When you’re copying the john.pub file to the authorized_keys file, don’t you want to do an append (two greater than symbols)?

    Instead of: cat john.pub > .ssh/authorized_keys
    Use this? cat john.pub >> .ssh/authorized_keys

    As it stands right now, I think it’s overwriting the existing authorized_keys file. Is that correct? Or am I missing something? Thanks!

    Jeff

    2 Oct 13 at 9:40 am

  21. Thanks, great article, worked first time. Now I need to script this for the rest of my team. AS THE AUTHOR SAYS, PLEASE HAVE A SECOND TERMINAL OPEN TO YOUR AWS INSTANCE!!!

    Simon stevens

    31 Oct 13 at 4:43 pm

  22. Hi, please update on when you copy john.pub to authorized_keys, and from where?

    Nijisha

    3 Feb 15 at 8:24 pm
