Replace root keypair for ec2 instance

0

Hello There,

my question is:

How do I replace the root (default) keypair for my ec2 instance, in my ec2 dashboard?

I know how to add (delete) public SSH keys in the .ssh/authorized_keys file on the machine (Linux), but I want to completely replace my root keypair, ALSO in my EC2 dashboard.

The goal is to make it impossible to log in to the machine with the old root keypair (neither from an SSH client nor from EC2 Instance Connect), and only possible with the new one.

I found it impossible to replace my EC2 root keypair in my EC2 dashboard; and even if I delete its public SSH key in the authorized_keys file, I am still able to connect ...

If not with an SSH client, then at least with EC2 Instance Connect, which clearly uses the old root keypair.

It seems to me as if the default keypair is bound to the EC2 instance.

So there must be a solution to this. Otherwise it means that you cannot replace the default root keypair for your EC2 instance.

Thanks for an answer. Andy

3 Answers
1
Accepted Answer

Hi,

It is unclear to me what you mean by "root keypair", but perhaps you'll find the information you need in the following documentation:

I hope this helps!

Kind regards, Marilyn AWS

AWS
answered 2 years ago
Reviewed 2 years ago by kentrad (AWS EXPERT)
  • Thanks. I mean the default keypair, which you give your instance when you start it for the first time. You can see the keypair name in the EC2 instance settings.

    You can use it to SSH into your machine with username root or ec2-user.

    I don't know how to replace this one keypair.

    Although I deleted the public keys for both the root user and ec2-user, I can still log in to my machine from my EC2 dashboard (EC2 Instance Connect), with both root and ec2-user. How is this actually possible? It shouldn't be, right?

    I would like to be able to replace that keypair, which is bound to my EC2 instance, and delete it.

    There seems to be no solution for this.

    You guys from AWS need to think about how users may replace that default (beginner) keypair with another one.

  • Hi Andy,

    The public key is stored in two different places:

    • In Amazon EC2
    • On the instance

    If you want to get rid of the key pair on your instance, you must delete it from the instance. The documentation at this link https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/replacing-key-pair.html explains how to do it.

    On the page linked above, we say this:

    When you launch an instance, you are prompted for a key pair. If you specify a key pair at launch, when your instance boots for the first time, the public key material is placed on your Linux instance in an entry within ~/.ssh/authorized_keys.

    To delete the public key from the instance, you need to edit ~/.ssh/authorized_keys and delete the public key in that file. The steps for how to do this are in the page linked above.

    Kind regards, Marilyn
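
The procedure Marilyn's comment describes (remove the launch key's public half from ~/.ssh/authorized_keys for each user and put the new one in its place), written out as a POSIX shell example. This is an added illustration, not code from the thread or from AWS. The on-instance part is the authorized_keys edit; the wrapper also registers the new public key with EC2 so it is listed under Key Pairs. Paths, key names, the ec2-user login, the use of `aws ec2 import-key-pair`, and running the file as a script (so that `$0` is its own path) are assumptions.

```shell
#!/bin/sh
# Added example, not code from the re:Post thread or from AWS: rotate the key
# pair that was specified at launch. The on-instance part edits
# ~/.ssh/authorized_keys for root and ec2-user, exactly the step the answer
# describes; the wrapper also registers the new public key with EC2 so it is
# listed under Key Pairs. Paths, key names and the ec2-user login are assumptions.

# count_keys FILE: number of lines that are neither blank nor comments
# (handy for a sanity check before and after a rotation).
count_keys() {
  awk '/^[[:space:]]*#/ { next } /[^[:space:]]/ { c++ } END { print c + 0 }' "$1"
}

# replace_authorized_key FILE OLD_PUBKEY NEW_PUBKEY
# Drops every line carrying OLD_PUBKEY's key material (type + base64 blob, so
# a differing comment or an options prefix such as command="..." still matches),
# ensures NEW_PUBKEY is present exactly once, and swaps the file in atomically
# with mode 0600 so sshd never reads a half-written file. Idempotent.
replace_authorized_key() {
  file=$1 old=$2 new=$3
  # Refuse a malformed replacement key up front: this is the lockout guard.
  [ "$(printf '%s\n' "$new" | awk '{ print NF }')" -ge 2 ] || return 1
  old_blob=$(printf '%s\n' "$old" | awk '{ print $1 " " $2 }')
  new_blob=$(printf '%s\n' "$new" | awk '{ print $1 " " $2 }')
  tmp="$file.rotate.$$"
  [ -f "$file" ] || : > "$file"
  cp -p "$file" "$tmp" || return 1          # keeps owner/mode when run as root
  awk -v old="$old_blob" 'index($0, old) == 0' "$file" > "$tmp" || return 1
  if ! grep -qF -- "$new_blob" "$tmp"; then
    printf '%s\n' "$new" >> "$tmp"
  fi
  chmod 600 "$tmp" && mv "$tmp" "$file"
}

# rotate_launch_key HOST OLD_PRIVATE_KEY NEW_KEY_NAME
# Operational wrapper (needs ssh, ssh-keygen and the AWS CLI; not run offline).
rotate_launch_key() {
  host=$1 oldkey=$2 name=$3
  ssh-keygen -t ed25519 -N '' -f "$HOME/.ssh/$name" || return 1
  # Register the public half so the console lists it. The instance page will
  # still name the key pair given at launch; that field is only a record.
  aws ec2 import-key-pair --key-name "$name" \
    --public-key-material "fileb://$HOME/.ssh/$name.pub" || return 1
  old_pub=$(ssh-keygen -y -f "$oldkey") || return 1
  new_pub=$(cat "$HOME/.ssh/$name.pub")
  # Send this script over stdin and run its "apply" mode as root, authenticating
  # with the OLD key one last time.
  ssh -i "$oldkey" "ec2-user@$host" \
    "sudo sh -s apply '$old_pub' '$new_pub'" < "$0" || return 1
  # Prove the new key works and the old one no longer does before moving on.
  ssh -o BatchMode=yes -i "$HOME/.ssh/$name" "ec2-user@$host" true || return 1
  ! ssh -o BatchMode=yes -i "$oldkey" "ec2-user@$host" true
}

# "apply" mode, executed on the instance by rotate_launch_key.
if [ "${1:-}" = apply ]; then
  for f in /root/.ssh/authorized_keys /home/ec2-user/.ssh/authorized_keys; do
    replace_authorized_key "$f" "$2" "$3" || exit 1
  done
fi
```

Keep the session you used for the rotation open until the final two checks pass; the old private key should be deleted locally only after the new one has been proven to work. As the later comments in this thread explain, none of this affects EC2 Instance Connect, which does not read the launch key pair.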

0

Thanks Marilyn.

As for my purpose, I found the solution. I replace the public keys for root and for ec2-user on my instance; afterwards no one can log in to my server using the old private key.

  1. However, although I deleted these public keys, I am still able to log in to my instance via EC2 Instance Connect.
     How is this possible?! (I thought EC2 uses the private key for this; as it seems, it may use a different approach and I can log in to my machine without using any keypairs from the EC2 dashboard?)
  2. The 'old' (default/beginner) keypair is still being shown as the default keypair in my EC2 instance dashboard. I don't know how to replace it there.

My wish would be that there is a way to delete this old key and replace it, also in the EC2 dashboard.

[And that even via EC2 Instance Connect, I won't be able to log in to my machine anymore, once I have deleted the old public key / replaced the keypair.]

It is a strange feeling that I am still able to connect to my instance via EC2 Instance Connect, although I have deleted the public key (for my beginner/default instance keypair) on the machine.

Thank you, God bless, Andy

andy
answered 2 years ago
  • Hi Andy,

    I'm sorry this is so confusing! Hopefully the information below will clear things up. I'll have to post multiple comments due to the restriction of number of characters allowed in a comment.

    1. However, although I deleted these public keys, I am still able to log in to my instance via EC2 Instance Connect. How is this possible?! (I thought EC2 uses the private key for this; as it seems, it may use a different approach and I can log in to my machine without using any keypairs from the EC2 dashboard?)

    Answer: This is how EC2 Instance Connect works: When you connect to an instance using EC2 Instance Connect, the EC2 Instance Connect API pushes a one-time-use SSH public key to the instance metadata where it remains for 60 seconds. An IAM policy attached to your IAM user authorizes your IAM user to push the public key to the instance metadata. The SSH daemon uses AuthorizedKeysCommand and AuthorizedKeysCommandUser, which are configured when EC2 Instance Connect is installed, to look up the public key from the instance metadata for authentication, and connects you to the instance.

    You can find more information about EC2 Instance Connect at this link: https://docs.aws.amazon.com/en_us/AWSEC2/latest/UserGuide/Connect-using-EC2-Instance-Connect.html

    EC2 Instance Connect is not using your key pairs that you created and uploaded to Amazon EC2 or which you created by using Amazon EC2. EC2 Instance Connect creates its own one-time use keys. The IAM policy will restrict who can connect to the instance with EC2 Instance Connect.

    2. The 'old' (default/beginner) keypair is still being shown as the default keypair in my EC2 instance dashboard. I don't know how to replace it there.

    Answer: The EC2 instance dashboard continues to display which key pair was specified at launch, even if you delete that key pair. We mention that here in the doc: https://docs.aws.amazon.com/en_us/AWSEC2/latest/UserGuide/describe-keys.html#identify-key-pair-specified-at-launch. Please see the note in the blue box that calls this out.

  • My wish would be, that there is a way to delete this old key, and replace it. Also in the ec2 dashboard.

    Answer: The EC2 dashboard just shows what key was specified at launch. If you've subsequently deleted the key from the instance, you won't be able to connect to the instance using that key. I'm sorry that this is confusing.

  • It is a strange feeling, that I am still able to connect to my instance via ec2 instance connect, although I have deleted the public key (for my beginner/default instance keypair) on the machine.

    Please read the documentation about EC2 Instance Connect at this link: https://docs.aws.amazon.com/en_us/AWSEC2/latest/UserGuide/Connect-using-EC2-Instance-Connect.html

    You can control who can access an instance by creating an IAM policy and attaching that IAM policy to any user who should connect to your instance.

    I hope this helps! It's a lot of info to take in, but hopefully by reading the documentation carefully, you'll get the information you need.
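
The two controls the comments above point to (the IAM policy that authorizes pushing a one-time key, and the AuthorizedKeysCommand / AuthorizedKeysCommandUser directives that EC2 Instance Connect installs in sshd), as an added shell example that is not code from the thread or from AWS. The account id, region, instance id, OS user, the helper path /opt/aws/bin/eic_run_authorized_keys and the location of the sshd configuration file are assumptions; check them against the linked documentation and your own instance.

```shell
#!/bin/sh
# Added example, not code from the thread or from AWS: the two places that
# decide whether EC2 Instance Connect can still log in after the launch key
# was removed from authorized_keys. Account, region, instance id, OS user and
# the helper path /opt/aws/bin/eic_run_authorized_keys are assumptions.

# eic_policy ACCOUNT REGION INSTANCE_ID OSUSER
# IAM policy allowing SendSSHPublicKey only for one instance and one OS user;
# the ec2:osuser condition is what stops a user who may connect as ec2-user
# from pushing a key for root.
eic_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "ec2-instance-connect:SendSSHPublicKey",
    "Resource": "arn:aws:ec2:$2:$1:instance/$3",
    "Condition": { "StringEquals": { "ec2:osuser": "$4" } }
  }]
}
EOF
}

# eic_enabled SSHD_CONFIG
# Exit 0 when the first AuthorizedKeysCommand outside any Match block points at
# the Instance Connect helper. sshd honours the first value of a directive, so
# a later line cannot override an earlier "AuthorizedKeysCommand none".
eic_enabled() {
  awk '
    /^[[:space:]]*#/ { next }
    tolower($1) == "match" { inmatch = 1 }
    !inmatch && tolower($1) == "authorizedkeyscommand" && !seen {
      seen = 1; found = ($2 ~ /eic_run_authorized_keys/)
    }
    END { exit(found ? 0 : 1) }
  ' "$1"
}

# eic_disable SSHD_CONFIG
# Comments out AuthorizedKeysCommand and AuthorizedKeysCommandUser so that only
# authorized_keys is consulted. Reload sshd afterwards from a session that was
# opened with a key you have verified, and keep an IAM Deny as a second control.
eic_disable() {
  tmp="$1.tmp.$$"
  awk '
    tolower($1) == "authorizedkeyscommand" || tolower($1) == "authorizedkeyscommanduser" {
      print "#" $0; next
    }
    { print }
  ' "$1" > "$tmp" && mv "$tmp" "$1"
}
```

`eic_policy 123456789012 eu-central-1 i-0abc1234 ec2-user > policy.json` followed by `aws iam put-user-policy --user-name <user> --policy-name eic-one-instance --policy-document file://policy.json` scopes console logins to one instance and one OS user; the full policy AWS documents for the console flow is on the EC2 Instance Connect page linked above. `eic_enabled /etc/ssh/sshd_config` tells you whether the instance will accept pushed keys at all, which is the answer to why deleting the launch key from authorized_keys did not stop Instance Connect.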

0

Thank you very much Marilyn. That was a Very good answer to my question!

andy
answered 2 years ago
  • You're welcome! Glad I could help.
