AWS Amazon EC2 - password-less SSH login for non-root users using PEM keypairs

Posted by Mark White on Stack Overflow See other posts from Stack Overflow or by Mark White
Published on 2010-06-16T03:48:13Z Indexed on 2010/06/16 3:52 UTC
Read the original article Hit count: 1048

Filed under:
|

We've got a couple of clusters running on AWS (HAProxy/Solr, PGPool/PostgreSQL) and we've setup scripts to allow new slave instances to be auto-included into the clusters by updating their IPs to config files held on S3, then SSHing to the master instance to kick them to download the revised config and restart the service. It's all working nicely, but in testing we're using our master pem for SSH which means it needs to be stored on an instance. Not good.

I want a non-root user that can use an AWS keypair who will have sudo access to run the download-config-and-restart scripts, but nothing else. rbash seems to be the way to go, but I understand this can be insecure unless setup correctly.

So what security holes are there in this approach:

  • New AWS keypair created for user.pem (not really called 'user')
  • New user on instances: user
  • Public key for user is in ~user/.ssh/authorized_keys (taken by creating new instance with user.pem, and copying it from /root/.ssh/authorized_keys)
  • Private key for user is in ~user/.ssh/user.pem
  • 'user' has login shell of /home/user/bin/rbash
  • ~user/bin/ contains symbolic links to /bin/rbash and /usr/bin/sudo
  • /etc/sudoers has entry "user ALL=(root) NOPASSWD:
  • ~user/.bashrc sets PATH to /home/user/bin/ only
  • ~user/.inputrc has 'set disable-completion on' to prevent double tabbing from 'sudo /' to find paths.
  • ~user/ -R is owned by root with read-only access to user, except for ~user/.ssh which has write access for user (for writing known_hosts), and ~user/bin/* which are +x
  • Inter-instance communication uses 'ssh -o StrictHostKeyChecking=no -i ~user/.ssh/user.pem user@ sudo '

Any thoughts would be welcome.

Mark...

© Stack Overflow or respective owner

Related posts about ssh

Related posts about aws