How do I add new user AWS accounts with SSH access to my Amazon EC2 Linux instance?
I want to add new user accounts that can connect to my Amazon Elastic Compute Cloud (Amazon EC2) Linux instance using SSH.
Short description
Every Amazon EC2 Linux instance launches with a default system user account that has administrative access to the instance. If multiple users require access to the instance, then it's a security best practice to use separate accounts for each user.
Use cloud-init and user data to expedite the resolution steps. For more information, see How do I use cloud-init and user data to add new user AWS accounts with SSH access to my EC2 Linux instance?
Resolution
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.
Create a key pair for the new user account
Choose one of the following methods to create a key pair for a new user account:
- Create a key pair, or use an existing one, for the new user.
- If you use the command line to create your own key pair, then see create-key-pair and New-EC2KeyPair Cmdlet for key type and bit length.
- If you use a third-party tool to create your own key pair, then be sure that your key matches the guidelines. For more information, see Create a key pair using a third-party tool and import the public key to Amazon EC2.
Create a key pair in the Amazon EC2 console
Complete the following steps:
- Open the Amazon EC2 console.
- Select Network & Security, Key Pairs.
- Select Create key pair.
- For Name, enter a descriptive name for the key pair. Amazon EC2 associates the public key with the name that you specify as the key name. A key name can include up to 255 ASCII characters with no leading or trailing spaces.
- For Key pair type, choose RSA or ED25519.
- For Private key file format, choose the format to save the private key to. Choose pem to save the private key in a format that OpenSSH can use. Choose ppk to save the private key in a format that PuTTY can use.
- To add a tag to the public key, choose Add tag, and enter the key and value for the tag. Repeat for each tag.
- Choose Create key pair.
- The private key file automatically downloads. The base file name is the name that you specified as the name of your key pair. The file name extension is determined by the file format that you chose. Save the private key file in a safe place.
- If you're using an SSH client on a macOS or Linux computer to connect to your Linux instance, then run the following command:
chmod 400 key-pair-name.pem
The preceding command sets the permissions of your private key file so that only you can read it. If you don't set these permissions, then you can't use this key pair to connect to your instance. For more information, see Error: Unprotected private key file.
Create a key pair in the AWS CLI
Complete the following steps:
- Use the create-key-pair command to generate the key pair and save the private key to a .pem file:
aws ec2 create-key-pair \
  --key-name my-key-pair \
  --key-type rsa \
  --key-format pem \
  --query "KeyMaterial" \
  --output text > my-key-pair.pem
For --key-name, specify a name for the public key. The name can be up to 255 ASCII characters.
For --key-type, specify rsa or ed25519. If you don't include the --key-type parameter, then an rsa key is created by default. Note that ED25519 keys aren't supported for Windows instances.
For --key-format, specify pem or ppk. If you don't include the --key-format parameter, then a pem file is created by default.
--query "KeyMaterial" prints the private key material to the output.
--output text > my-key-pair.pem saves the private key material in a file with the specified extension. The extension can be .pem or .ppk. The private key can have a name that's different from the public key name. It's a best practice to use the same name.
- If you're using an SSH client on a macOS or Linux computer to connect to your Linux instance, then run the following command:
chmod 400 key-pair-name.pem
The preceding command sets the permissions of your private key file so that only you can read it. If you don't set these permissions, then you can't connect to your instance using this key pair. For more information, see Error: Unprotected private key file.
Add a new user to the EC2 Linux instance
Complete the following steps:
- Use the adduser command to add a new user account to an EC2 instance (replace new_user with the new account name). The following example creates an associated group, home directory, and an entry in the /etc/passwd file of the instance.
$ sudo adduser new_user
The home directory might not be created by default in some configurations. Verify that the home directory was created before you complete step 3.
Note: If you add the new_user to an Ubuntu instance, then include the --disabled-password option to avoid adding a password to the new account:
$ sudo adduser new_user --disabled-password
- Use the su command to switch the user to the new_user account, so that the folders and files that you create have the correct permissions:
$ sudo su - new_user
Note: When you run the preceding command, the name of the command shell prompt changes to reflect the new user account of your shell session.
- To create a .ssh directory in the new_user home directory, run the following command:
$ mkdir .ssh
- To use the chmod command to change the .ssh directory's permissions to 700, run the following command. Changing the permissions restricts access so that only new_user can read, write, or open the .ssh directory.
$ chmod 700 .ssh
- To use the touch command to create the authorized_keys file in the .ssh directory, run the following command:
$ touch .ssh/authorized_keys
- To use the chmod command to change the .ssh/authorized_keys file permissions to 600, run the following command. Changing the file permissions restricts read and write access to new_user.
$ chmod 600 .ssh/authorized_keys
Retrieve the public key for your key pair
To retrieve the public key for your key pair, use one of the following methods:
- Create a key pair using a third-party tool and import the public key to Amazon EC2.
- Retrieve the public key from the private key material.
- Retrieve the public key for your key pair through instance metadata.
Verify your key-pair fingerprint
After you import or retrieve the public key for your key pair, follow the steps in Verify the fingerprint of your key pair.
Update and verify the new user account credentials
After you retrieve the public key, check that you have permission to add the public key to the .ssh/authorized_keys file for this account:
- From the new_user account you switched to in the preceding steps, run the Linux cat command in append mode:
$ cat >> .ssh/authorized_keys
- Paste the public key into the .ssh/authorized_keys file, and then press Enter.
Note: For most Linux command line interfaces, the Ctrl+Shift+V key combination pastes the contents of the clipboard into the command line window. For the PuTTY command line interface, right-click to paste the contents of the clipboard into the PuTTY command line window.
- Press Ctrl+D to exit cat and return to the command line session prompt.
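The "Add a new user" and "Update and verify the new user account credentials" steps above, combined into one script as an added example (not AWS's own tooling). It assumes it runs as root on the instance, that the new user's public key is the first line of a file, and that Debian/Ubuntu is detected through /etc/debian_version so that adduser gets --disabled-password (and --gecos "" to skip its prompts); it also rejects anything that is not an ssh-rsa or ssh-ed25519 line and skips keys already present, so it is safe to re-run.

```shell
#!/bin/sh
# Added example: automates the add-user and authorized_keys steps above.
# Assumptions: run as root; PUBKEY_FILE holds one OpenSSH public-key line;
# /etc/debian_version marks an Ubuntu/Debian host (adduser needs
# --disabled-password there, as the article notes).
set -eu

# Accept only OpenSSH public-key lines of the two types EC2 key pairs use.
is_valid_pubkey() {
    case "$1" in
        "ssh-rsa "*|"ssh-ed25519 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# install_authorized_key HOME_DIR PUBKEY_LINE [OWNER]
# Creates HOME_DIR/.ssh (0700) and authorized_keys (0600), appends the key
# once (safe to re-run), and chowns both to OWNER when given. OWNER is
# omitted when exercising the function in a scratch directory as non-root.
install_authorized_key() {
    home="$1"; key="$2"; owner="${3:-}"
    is_valid_pubkey "$key" || { echo "rejected: not an ssh-rsa/ssh-ed25519 key" >&2; return 1; }
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    if ! grep -qxF -- "$key" "$home/.ssh/authorized_keys"; then
        printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
    fi
    if [ -n "$owner" ]; then chown -R "$owner:$owner" "$home/.ssh"; fi
}

# add_ssh_user USERNAME PUBKEY_FILE: the full procedure from the article.
add_ssh_user() {
    user="$1"; key="$(head -n 1 "$2")"
    if id "$user" >/dev/null 2>&1; then
        echo "user $user already exists, only updating authorized_keys" >&2
    elif [ -f /etc/debian_version ]; then
        adduser --disabled-password --gecos "" "$user"
    else
        adduser "$user"
    fi
    home="$(getent passwd "$user" | cut -d: -f6)"
    install_authorized_key "$home" "$key" "$user"
    id "$user"   # e.g. uid=1004(new_user) gid=1004(new_user) groups=1004(new_user)
}

if [ "$#" -eq 2 ]; then add_ssh_user "$1" "$2"; fi
```

Run as `sudo sh add_ssh_user.sh new_user new_user.pub`, then test the login with the ssh command in the next section.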
Verify that the new user can use SSH to connect to the EC2 instance
Complete the following steps:
- Run the following command:
$ ssh -i /path/new_key_pair.pem new_user@public_dns_name_of_EC2_Linux_instance
To use SSH to connect to your EC2 Linux instance from Windows, see Connect to your Linux instance using PuTTY. For more information, see Troubleshoot issues connecting to your Amazon EC2 Linux instance.
- To view the user and group information created for the new_user account, run the following id command:
$ id
The following is an example of the output:
uid=1004(new_user) gid=1004(new_user) groups=1004(new_user)
- Distribute the private key file to your new user.