How can I edit or add an SSH keypair for use with EC2 Instance Connect?

0

After messing up sshd_config on my old RHEL 7.3 Linux instance, I have recovered the ability to login from the internet. I am still using the original keypair, with ~ec2-user/.ssh/authorized_keys . That appears to still be "assigned at launch" in my instance.

However, I cannot login with either EC2 Instance Connect or EC2 Instance Connect Endpoint. The key used, per /var/log/secure, has a different type (ED25519 vs RSA) and fingerprint than the public key in authorized_keys. On the portal web page, I get an error "Error establishing SSH connection to your instance. Try again later."

How can I reset the private key used by EC2 Connect?

I tried creating another pair under Network & Security/Key Pairs, and importing a "keypair" - which seems to just import the public key, not the private key. I now have 3 RSA keys, but the key that EC2 Connect is using is an ED25519.

(the fingerprint algorithm used in EC2 appears different from the one used in "ssh-keygen -l")

adaviel
asked 13 days ago · 115 views
3 Answers
1
Accepted Answer

Hello.

I think the steps in this document will be helpful.
Also, I believe RSA keys are supported, as mentioned in the documentation below.
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-connect-methods.html#ec2-instance-connect-connecting-aws-cli

Requirements for key pairs

  • Supported types: RSA (OpenSSH and SSH2) and ED25519
  • Supported lengths: 2048 and 4096
  • For more information, see Create a key pair using a third-party tool and import the public key to Amazon EC2.

EC2 Instance Connect itself does not need to manage SSH keys; a temporary key for SSH connection is generated and used to connect to the EC2 instance.
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/connect-linux-inst-eic.html

When you connect to an instance using EC2 Instance Connect, the Instance Connect API pushes an SSH public key to the instance metadata where it remains for 60 seconds. An IAM policy attached to your user authorizes your user to push the public key to the instance metadata. The SSH daemon uses AuthorizedKeysCommand and AuthorizedKeysCommandUser, which are configured when Instance Connect is installed, to look up the public key from the instance metadata for authentication, and connects you to the instance.

EXPERT
answered 13 days ago
EXPERT
reviewed 13 days ago
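The answer above explains why the key seen in /var/log/secure is not the one in authorized_keys: EIC logins authenticate against a short-lived key fetched through AuthorizedKeysCommand. As an added example (not from the answer or from AWS), the following correlates sshd "Accepted publickey" log lines with the SHA256 fingerprints of static authorized_keys entries, so a defender can tell static-key logins from EIC-style ones. The authorized_keys blob and log lines are constructed samples.

```python
import base64
import hashlib
import re

# Constructed sample authorized_keys; the base64 blob is made up, only its
# SHA256 fingerprint matters here, not whether it is real key material.
AUTHORIZED_KEYS = """\
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0nstructedSampleKeyMaterial0000000000 ec2-user@launch
"""

# Shape of sshd "Accepted publickey" lines in /var/log/secure (OpenSSH 6.8+).
LOGIN_RE = re.compile(
    r"sshd\[\d+\]: Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) "
    r"port \d+ ssh2: (?P<ktype>\S+) (?P<fp>SHA256:\S+)"
)

def openssh_fingerprint(pubkey_line):
    """Return the 'SHA256:...' fingerprint that `ssh-keygen -lf` prints."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def known_fingerprints(authorized_keys_text):
    """Fingerprints of every non-empty authorized_keys entry."""
    return {openssh_fingerprint(l) for l in authorized_keys_text.splitlines() if l.strip()}

def classify_logins(log_lines, authorized_keys_text):
    """For each accepted public-key login return (user, key type, fingerprint,
    static) where static is True when the key is an authorized_keys entry and
    False when it came from elsewhere, e.g. the EIC AuthorizedKeysCommand path."""
    known = known_fingerprints(authorized_keys_text)
    result = []
    for line in log_lines:
        m = LOGIN_RE.search(line)
        if m:
            result.append((m["user"], m["ktype"], m["fp"], m["fp"] in known))
    return result

# Constructed log lines: one login with the static RSA key, one ED25519 login
# from an address inside an EIC source prefix with a made-up fingerprint.
STATIC_FP = openssh_fingerprint(AUTHORIZED_KEYS.splitlines()[0])
SAMPLE_LOG = [
    f"Jun  1 10:00:01 ip-10-0-0-5 sshd[2101]: Accepted publickey for ec2-user "
    f"from 203.0.113.7 port 50122 ssh2: RSA {STATIC_FP}",
    "Jun  1 10:05:44 ip-10-0-0-5 sshd[2188]: Accepted publickey for ec2-user "
    "from 18.206.107.25 port 41890 ssh2: ED25519 SHA256:ConstructedEphemeralKeyFp00000000000000000",
]

if __name__ == "__main__":
    for user, ktype, fp, static in classify_logins(SAMPLE_LOG, AUTHORIZED_KEYS):
        print(user, ktype, fp, "static-key" if static else "not-in-authorized_keys")
```

Running it over a real /var/log/secure and the real authorized_keys shows which logins did not use the launch key pair.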
1

I cannot login with either EC2 Instance Connect or EC2 Instance Connect Endpoint.

There are some Prerequisites for using EIC from your AWS console. They include supported OS, EIC installed in your OS and SG allowing EIC source IPs. (It is possible to install EIC on RHEL/CentOS 7 with SELINUX. Some manual steps are involved, though I suggest a newer OS)

On the portal web page, I get an error "Error establishing SSH connection to your instance. Try again later."

I assume your EC2 is in a public subnet since you are logging in from internet. Can you verify that your EC2 security group allows incoming EC2_INSTANCE_CONNECT IP prefixes for your AWS Region?

See the IP prefixes below for the different Regions. Add them as a source for inbound SSH (TCP 22) to your SG as needed.

PS C:\> Get-AWSPublicIpAddressRange -ServiceKey EC2_INSTANCE_CONNECT | Select Region, IpPrefix

Region         IpPrefix
------         --------
cn-north-1     43.196.20.40/29
cn-northwest-1 43.192.155.8/29
us-gov-east-1  18.252.4.0/30
us-gov-west-1  15.200.28.80/30
af-south-1     13.244.121.196/30
ap-east-1      43.198.192.104/29
ap-northeast-1 3.112.23.0/29
ap-northeast-2 13.209.1.56/29
ap-northeast-3 15.168.105.160/29
ap-south-1     13.233.177.0/29
ap-south-2     18.60.252.248/29
ap-southeast-1 3.0.5.32/29
ap-southeast-2 13.239.158.0/29
ap-southeast-3 43.218.193.64/29
ap-southeast-4 16.50.248.80/29
ca-central-1   35.183.92.176/29
eu-central-1   3.120.181.40/29
eu-central-2   16.63.77.8/29
eu-north-1     13.48.4.200/30
eu-south-1     15.161.135.164/30
eu-south-2     18.101.90.48/29
eu-west-1      18.202.216.48/29
eu-west-2      3.8.37.24/29
eu-west-3      35.180.112.80/29
il-central-1   51.16.183.224/29
me-central-1   3.29.147.40/29
me-south-1     16.24.46.56/29
sa-east-1      18.228.70.32/29
us-east-1      18.206.107.24/29
us-east-2      3.16.146.0/29
us-west-1      13.52.6.112/29
us-west-2      18.237.140.160/29

Once verified, try to connect with EIC from AWS EC2 console.

EIC from console does not use your SSH key pair. If you want to use SSH with EIC from your desktop, refer to Connect using your own key and SSH client

AWS
EXPERT
Mike_L
answered 13 days ago
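The Get-AWSPublicIpAddressRange cmdlet above reads the published ip-ranges.json feed. As an added example that is not part of the answer, here is the same lookup in Python over a constructed excerpt of that feed (prefix values taken from the table above), plus a check of whether a security group's inbound rules, in the IpPermissions shape returned by describe-security-groups, already let those EIC prefixes reach TCP 22. The security group rules are constructed.

```python
import ipaddress
import json

# Constructed excerpt in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json
# (the real file lists many more services and prefixes).
IP_RANGES_JSON = json.dumps({
    "syncToken": "0",
    "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "18.206.107.24/29", "region": "us-east-1",
         "service": "EC2_INSTANCE_CONNECT", "network_border_group": "us-east-1"},
        {"ip_prefix": "3.16.146.0/29", "region": "us-east-2",
         "service": "EC2_INSTANCE_CONNECT", "network_border_group": "us-east-2"},
        {"ip_prefix": "18.206.0.0/16", "region": "us-east-1",
         "service": "EC2", "network_border_group": "us-east-1"},
    ],
})

def eic_prefixes(ip_ranges_json, region):
    """CIDRs the EC2 Instance Connect service connects from in one Region."""
    data = json.loads(ip_ranges_json)
    return sorted(p["ip_prefix"] for p in data["prefixes"]
                  if p["service"] == "EC2_INSTANCE_CONNECT" and p["region"] == region)

def ssh_sources(ip_permissions):
    """IPv4 source networks that an SG's inbound rules open for TCP port 22."""
    nets = []
    for perm in ip_permissions:
        proto = perm.get("IpProtocol")
        if proto not in ("tcp", "-1"):          # "-1" means all traffic
            continue
        if proto == "tcp" and not (perm["FromPort"] <= 22 <= perm["ToPort"]):
            continue
        nets += [ipaddress.ip_network(r["CidrIp"]) for r in perm.get("IpRanges", [])]
    return nets

def missing_eic_rules(ip_permissions, ip_ranges_json, region):
    """EIC prefixes for `region` that no existing TCP/22 rule covers yet;
    an empty list means the console EIC client can reach the instance."""
    allowed = ssh_sources(ip_permissions)
    return [cidr for cidr in eic_prefixes(ip_ranges_json, region)
            if not any(ipaddress.ip_network(cidr).subnet_of(n) for n in allowed)]

# Constructed SG: SSH is open only from an office range, so EIC is blocked.
SAMPLE_SG_RULES = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
]

if __name__ == "__main__":
    print("EIC prefixes still blocked:", missing_eic_rules(SAMPLE_SG_RULES, IP_RANGES_JSON, "us-east-1"))
```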
0

Short answer to my problem: RHEL 7 is too old and never supported EC2 Connect in the first place.

Short answer to the question as asked: "How can I edit or add an SSH keypair for use with EC2 Instance Connect?":

You need to install the ec2-instance-connect package on the instance OS, which retrieves a public key on the fly.

More detail

I created this instance in 2016, running RHEL 7.3. There's a good chance that EC2 Instance Connect didn't exist back then, or that I never used it, and forgot. (2019, per comment below)

So, here's what I found out:

EC2 Instance Connect does not use $HOME/.ssh/authorized_keys with a static public key, as is set up for regular SSH access when you create the instance. It uses AuthorizedKeysCommand in sshd_config, via an Amazon RPM package ec2-instance-connect which modifies sshd_config when installed. Per ec2-instance-connect-prerequisites, ec2-instance-connect is not supported in RHEL 7, only 8 and 9.

I imported ec2-instance-connect-1.1-19.amzn2.noarch.rpm and installed it manually, ignoring the dependency on a later openssh. It failed with an error in /var/log/secure

sshd[21836]: error: Could not stat AuthorizedKeysCommand "/opt/aws/bin/eic_run_authorized_keys %u %f": No such file or directory

Removing the "%u %f" in sshd_config fixed that.

Currently, it runs and connects properly when sshd is started by hand as /usr/sbin/sshd, but not when sshd is started via "systemctl start sshd.service". In that case it errors with "error: AuthorizedKeysCommand /opt/aws/bin/eic_run_authorized_keys returned status 7", apparently failing to retrieve IMDS_TOKEN in eic_curl_authorized_keys.

I will probably abandon this instance altogether and switch to a new Lightsail one, where IPv6 works out of the box (as does web Connect), so I won't pursue this any further.

(I ran sshd on an alternate port to retain access, with an added security rule, while I took sshd on port 22 up and down with systemctl)

adaviel
answered 11 days ago
  • EIC was introduced in 2019 (https://aws.amazon.com/blogs/compute/new-using-amazon-ec2-instance-connect-for-ssh-access-to-your-ec2-instances/). I have installed and configured EIC on RHEL 7 before. Does your RHEL have SELINUX enabled? Create a new question if interested, and I can provide the required steps. Though I would suggest you go for a newer OS, as RHEL 7 reaches EOL this year.

  • Mike_L: I've terminated the RHEL7 and switched to a Lightsail instance. I only had a DNS server running so I had no investment, just some curiosity about what was going on. SELINUX was available in RHEL6 but seemed more trouble than it was worth, breaking old code and procedures. I forget the default setting in 7. Probably on, and I don't recall turning it off, but the point is moot.

  • Agree, best to migrate away from RHEL 7. SELinux is on by default, which blocks EIC from working properly. You need to compile policy module package for EIC to work.
