Configure the EC2 firewall
First we need to open a port in the EC2 firewall (the instance's security group) for SSH, and limit access to the public IP address of our client computer.
To find the client's public IP address enter
curl jsonip.com
Note that jsonip.com returns a small JSON document, not a bare address; the value of its "ip" field is the address to use. Using a security group named trader, the default SSH port of 22, and a client IP address of 111.40.27.251, we'll open the port using the EC2 command line tool. The source is given as a CIDR block, so a single host is written with a /32 suffix:
ec2-authorize trader -P tcp -p 22 -s 111.40.27.251/32
Generate the Key Pair
You can create your own key pair and upload the public key to Amazon using ec2-import-keypair, or Amazon can generate the key pair for you using ec2-create-keypair.
A benefit of using your own key is that you can import the same public key into every region; an Amazon-generated key pair only exists in the region where it was generated.
When you launch a new EC2 instance Amazon appends the public key to /home/<user>/.ssh/authorized_keys for the AMI's default user (ubuntu on the Ubuntu AMIs used below).
We'll generate the keys using both methods.
First create a directory where we will store the private key
mkdir ~/.ec2
Amazon Key Pair generation
The following ec2-create-keypair command will create a new RSA key pair with the name ec2-keypair. Amazon keeps the public key; the private key is printed to the console once and is not retrievable afterwards, so save it straight away.
ec2-create-keypair ec2-keypair
Outputs to your console the key pair name, its fingerprint and the private key
KEYPAIR ec2-keypair 1f:51:ae:28:bf:89:e9:d8:1f:25:5d:37:2d:7d:b8:ca:9f:f5:f1:6f -----BEGIN RSA PRIVATE KEY----- MIIEoQIBAAKCAQBuLFg5ujHrtm1jnutSuoO8Xe56LlT+HM8v/xkaa39EstM3/aFxTHgElQiJLChp HungXQ29VTc8rc1bW0lkdi23OH5eqkMHGhvEwqa0HWASUMll4o3o/IX+0f2UcPoKCOVUR+jx71Sg 5AU52EQfanIn3ZQ8lFW7Edp5a3q4DhjGlUKToHVbicL5E+g45zfB95wIyywWZfeW/UUF3LpGZyq/ ebIUlq1qTbHkLbCC2r7RTn8vpQWp47BGVYGtGSBMpTRP5hnbzzuqj3itkiLHjU39S2sJCJ0TrJx5dummy -----END RSA PRIVATE KEY-----
Now we will copy the private key to ~/.ec2/ec2-keypair.pem
echo "-----BEGIN RSA PRIVATE KEY-----
MIIEoQIBAAKCAQBuLFg5ujHrtm1jnutSuoO8Xe56LlT+HM8v/xkaa39EstM3/aFxTHgElQiJLChp
HungXQ29VTc8rc1bW0lkdi23OH5eqkMHGhvEwqa0HWASUMll4o3o/IX+0f2UcPoKCOVUR+jx71Sg
5AU52EQfanIn3ZQ8lFW7Edp5a3q4DhjGlUKToHVbicL5E+g45zfB95wIyywWZfeW/UUF3LpGZyq/
ebIUlq1qTbHkLbCC2r7RTn8vpQWp47BGVYGtGSBMpTRP5hnbzzuqj3itkiLHjU39S2sJCJ0TrJx5dummy
-----END RSA PRIVATE KEY-----" > ~/.ec2/ec2-keypair.pem
Your own Key Pair generation
ssh-keygen -t rsa
Enter file in which to save the key (/home/<user>/.ssh/id_rsa): /home/<user>/.ec2/ec2-keypair.pem
Skip the passphrase so the key can be used non-interactively. If you do set one, ssh-agent will cache it so you only type it once per session.
ssh-keygen writes the private key to the file you named and the public key next to it with a .pub suffix, here /home/<user>/.ec2/ec2-keypair.pem.pub.
Now copy the public key to Amazon
ec2-import-keypair ec2-keypair --public-key-file ~/.ec2/ec2-keypair.pem.pub
Key pair names must be unique within a region, so if you already created an Amazon-generated pair called ec2-keypair above, remove it first with ec2-delete-keypair ec2-keypair or import under a different name.
Set private key permissions
Set the permissions so that only you have read, write and execute permission on the directory where the private key is kept.
chmod 700 ~/.ec2
Set the permissions so that only you have read and write permission on the private key. ssh refuses to use a private key that is readable by other users, so this step is required, not just good practice.
chmod 600 ~/.ec2/ec2-keypair.pem
Set environment variables
Export the name of the key pair as registered with Amazon, not the filename or path. So ec2-keypair, not ~/.ec2/ec2-keypair.pem
export EC2_KEYPAIR_NAME=ec2-keypair
Create the EC2 instance
ec2-run-instances ami-xxxxx -g trader -k $EC2_KEYPAIR_NAME -t m1.small
The -g argument must name the security group we opened port 22 in above (trader); launching in a different group, such as default, leaves SSH blocked.
SSH to the instance
We can now SSH to the instance by providing our private key (identity file)
ssh -i ~/.ec2/ec2-keypair.pem ubuntu@ec2-xxx-xx-xx-xx.compute-1.amazonaws.com
An alternative to providing the identity file each time is to add the identity file in your ~/.ssh/config file
Host ec2-*.amazonaws.com
    IdentityFile ~/.ec2/ec2-keypair.pem
So now when you SSH to any Amazon EC2 server simply enter the following and the identity file is automatically provided.
ssh ubuntu@ec2-xxx-xx-xx-xx.compute-1.amazonaws.com
Prevent SSH timeouts
To stop the SSH connection from timing out see this previous post
Terminate the instance
You are billed while the instance is running so don't forget to terminate it
ec2-terminate-instances <instance_id>
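As an added example (not the page's own code), the following POSIX shell script wraps the checks a practitioner wants around the steps above: it extracts the address from the JSON that jsonip.com actually returns, validates it and forms the /32 CIDR for ec2-authorize, derives the key pair name from the .pem path for the -k argument, and verifies the 700/600 permissions that ssh insists on, before printing the two ec2 commands. The script name, the EC2_PREP_RUN variable and the sample jsonip.com response are assumptions; the AMI id is left as the page's placeholder.

```shell
#!/bin/sh
# ec2-ssh-prep.sh: input checks for the EC2 SSH setup procedure.
# Added example, not the page's own code. The ec2-* commands are printed,
# not executed, so the script runs offline and without AWS credentials.

# Constructed sample of what `curl -s jsonip.com` returns: a JSON object,
# not a bare address, so the IP has to be extracted before it is used.
SAMPLE_JSONIP='{"ip":"111.40.27.251","about":"/about","Pro!":"http://getjsonip.com"}'

# Extract the value of the "ip" key from a jsonip.com style response.
extract_ip() {
    printf '%s' "$1" | sed -n 's/.*"ip":"\([^"]*\)".*/\1/p'
}

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
# Runs in a subshell so the IFS change does not leak to the caller.
is_ipv4() (
    IFS=.
    set -- $1                      # split on dots; word splitting is intended
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*) return 1 ;;   # empty or non-numeric octet
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
)

# Turn a validated address into the single-host CIDR that ec2-authorize -s expects.
ip_to_cidr() {
    is_ipv4 "$1" || return 1
    printf '%s/32\n' "$1"
}

# The -k argument to ec2-run-instances is the key pair NAME registered with
# Amazon, not the local file: ~/.ec2/ec2-keypair.pem -> ec2-keypair
keypair_name() {
    name=$(basename "$1")
    printf '%s\n' "${name%.pem}"
}

# ssh refuses a private key readable by others ("UNPROTECTED PRIVATE KEY FILE!").
# Return 0 only if the key is mode 600 and its directory is mode 700.
check_key_perms() {
    key=$1
    dir=$(dirname "$1")
    [ -n "$(find "$key" -maxdepth 0 -type f -perm 600 2>/dev/null)" ] || return 1
    [ -n "$(find "$dir" -maxdepth 0 -type d -perm 700 2>/dev/null)" ] || return 1
    return 0
}

# Usage: EC2_PREP_RUN=1 sh ec2-ssh-prep.sh [security-group] [key.pem] [ami-id]
main() {
    group=${1:-trader}
    key=${2:-$HOME/.ec2/ec2-keypair.pem}
    ami=${3:-ami-xxxxx}

    # Use the live lookup when online; fall back to the constructed sample otherwise.
    response=$(curl -s jsonip.com 2>/dev/null) || response=$SAMPLE_JSONIP
    ip=$(extract_ip "$response")
    cidr=$(ip_to_cidr "$ip") || {
        echo "could not determine a valid client IP from: $response" >&2
        exit 1
    }
    check_key_perms "$key" || {
        echo "fix permissions first: chmod 700 $(dirname "$key"); chmod 600 $key" >&2
        exit 1
    }
    name=$(keypair_name "$key")

    # Printed rather than executed; drop the leading echo to run the EC2 tools for real.
    echo ec2-authorize "$group" -P tcp -p 22 -s "$cidr"
    echo ec2-run-instances "$ami" -g "$group" -k "$name" -t m1.small
}

# Only run the procedure when explicitly asked, so the functions can be sourced.
if [ "${EC2_PREP_RUN:-0}" = 1 ]; then
    main "$@"
fi
```

Running it with EC2_PREP_RUN=1 prints the ec2-authorize and ec2-run-instances lines with the validated /32 and the key pair name filled in; a bad address (an HTML error page instead of JSON, an octet above 255) or a world-readable key stops the script before anything is opened to the world.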
The above was tested using:
Server
- Ubuntu 10.04 Lucid Lynx
Client
- Ubuntu 11.04 Natty Narwhal