5

I have an EC2 Ubuntu instance, and now I forgot the password for the user. Unfortunately I've also lost the .pem file and .ppk file I used to use with PuTTY, and I'm finding it difficult to get in. I want to upgrade some code of mine in that.

I've gone through the following links giving suggestions as to what can be done.

  1. aws-gaining-ssh-access-to-an-ec2-instance-you-lost-access-to

  2. add-keypair-to-existing-ec2-instance

  3. locked-myself-out-root-account-ec2-ubuntu-instance

  4. ec2-fix-ebs-root

I have an additional constraint: the private IP address of the system should not change. One of the pieces of software I'm using uses the system's private IP address for its license. And currently my instance has only one volume, which is the root volume.

Based on the links mentioned above, I need to detach my volume and attach it to another instance, make the required changes for access, and then reattach it to the original instance. However, since the volume in my case is the root volume, I need to stop the instance and then detach it. If my understanding is correct, this can cause a change in the private IP address of the instance.

I would like to know if there is something that can be done? Or is following the steps mentioned in the links the only way, and then updating the s/w license on instance restart?

Thanks

user1050134
  • Are you using a static IP? – Undo Jun 08 '13 at 14:29
  • While I'm using an elastic IP, I've not done anything w.r.t. a static IP for the instance in question. I've not explored the possibility of that as I feel that is possible only within a VPC set-up. – user1050134 Jun 08 '13 at 14:54
  • VPC sounds like a good idea for the next time you get a license as you can keep the same private IP address. – Eric Hammond Jun 08 '13 at 18:46
  • I'm facing a problem here. I launched a new instance with a new key pair. In the new instance I mounted the volume of the original instance to the dir /vol-old. I renamed the authorized_keys file to /vol-old/home/ubuntu/.ssh/authorized_keys_bkup. Then I copied the authorized_keys file from /home/ubuntu/.ssh/authorized_keys to /vol-old/home/ubuntu/.ssh/authorized_keys. Then I detached the volume and re-attached it to the original instance. However, when I try to access the original instance with the new key details, I get "Network error: connection refused". Any suggestions or hints to check further? – user1050134 Jun 09 '13 at 12:59
  • Thanks to all for the suggestions. Finally, what we did to solve it was: as our major problem was with the license by IP, we requested a patch for our scenario (as we could not relaunch the same instance in a VPC), and then created a VPC and launched new instances in the VPC. The old problematic instance with the patch is still running outside the VPC. – user1050134 Aug 27 '13 at 05:54

4 Answers

7

Note: Stop/Start of EC2 instance will change the IP address (just read that the OP needed the IP to remain unchanged).

This works for me for AWS EC2 Ubuntu 18.04.

  • generate a new keypair (use PuTTY Key Generator or, if in a hurry, an online generator)
  • insert the generated ssh-rsa ... public key into the script below
  • stop the instance
  • set the instance user data to this cloud-init script:
#cloud-config
bootcmd:
 - echo 'ssh-rsa AAAAB3Nz...' > /root/.ssh/authorized_keys
  • start the instance
  • test the connection
  • stop the instance again and delete the user data (you will probably forget to do this)

Notes and warnings

  • AWS cloud init docs
  • cloud init docs & examples
  • Spaces seem to be important in cloud-init scripts; resist the urge to format, for example by inserting a space after the hash in #cloud-config
  • I fiddled with cloud-init-per once, but never got it working; I just wasted a lot of time
  • You could use >> instead of > to append the key instead of overwriting the authorized_keys file. But if you botched the contents during previous attempts, you will never know why it doesn't work.
  • You can change the script to push the key of any user, e.g. for the default EC2 ubuntu user: echo 'ssh-rsa ...' > /home/ubuntu/.ssh/authorized_keys
  • Beware of installed key rotation agents such as JumpCloud, which will potentially overwrite the authorized_keys file. For JumpCloud, you could change the script to write the key to the file it merges in: echo 'ssh-rsa ...' > /home/ubuntu/.ssh/authorized_keys.jcorig (JumpCloud includes the contents of that file)
  • Ubuntu has to be configured to allow SSH connections (should be the default)
  • The SSH port needs to be open (Ubuntu firewall)
  • The security group (AWS firewall) of the instance needs to allow the SSH port and your IP
  • The whole process can be automated (stop, set user data, start, connect and fix, stop, clear userdata, start). The interesting AWS command is (Java client):
m_ec2.modifyInstanceAttribute(new ModifyInstanceAttributeRequest().withInstanceId("<instance-id>").withUserData(userdataBase64));

[Screenshot: EC2 user data]

Reto Höhener
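The stop / set user data / start / clear cycle from this answer, automated with the AWS CLI. This is an added example and not the answerer's code; it assumes a configured aws CLI that may modify the instance, and the instance id, user name and key line are constructed placeholders. The key line is checked before it is spliced into the bootcmd, because anything in it is run by root on every boot.

```shell
#!/bin/sh
# Added example (not code from the answer above): the stop / set user data /
# start / clear cycle with the AWS CLI. Assumes a configured aws CLI allowed to
# modify the instance; instance id, user and key are constructed placeholders.
set -e

# Emit the cloud-config. bootcmd runs on every boot as root, so the grep guard
# stops the key being appended twice, and other keys in the file are kept.
build_userdata() {
  local pubkey="$1" user="${2:-ubuntu}" home keyfile
  if [ "$user" = root ]; then home=/root; else home="/home/$user"; fi
  keyfile="$home/.ssh/authorized_keys"
  # Only a well-formed OpenSSH key line: a quote or extra token would escape
  # the echo below and be run as root at boot.
  if ! printf '%s' "$pubkey" | grep -Eq "^(ssh-rsa|ssh-ed25519) [A-Za-z0-9+/]+=*( [^'[:space:]]+)?$"; then
    echo "refusing malformed public key" >&2; return 1
  fi
  printf '%s\n' '#cloud-config' 'bootcmd:' \
    " - mkdir -p $home/.ssh" \
    " - grep -qxF '$pubkey' $keyfile 2>/dev/null || echo '$pubkey' >> $keyfile" \
    " - chown -R $user:$user $home/.ssh" \
    " - chmod 700 $home/.ssh" " - chmod 600 $keyfile"
}

# Stop, set the attribute (base64, like userdataBase64 in the Java client), start.
# On the OP's non-VPC instance this stop/start changes the private IP.
set_userdata_and_restart() {
  local instance_id="$1" userdata="$2" tmp
  [ -n "$userdata" ] || return 1            # never push empty data by accident
  tmp=$(mktemp)
  printf '%s\n' "$userdata" | base64 | tr -d '\n' > "$tmp"
  aws ec2 stop-instances --instance-ids "$instance_id" > /dev/null
  aws ec2 wait instance-stopped --instance-ids "$instance_id"
  aws ec2 modify-instance-attribute --instance-id "$instance_id" \
    --attribute userData --value "file://$tmp"
  rm -f "$tmp"
  aws ec2 start-instances --instance-ids "$instance_id" > /dev/null
  aws ec2 wait instance-running --instance-ids "$instance_id"
}

# Step 1: inject the key, e.g. recover_access i-0123456789abcdef0 "$KEY" ubuntu
recover_access() {
  set_userdata_and_restart "$1" "$(build_userdata "$2" "${3:-ubuntu}")"
}
# Step 2, once the new key works: user data stays readable by every process on
# the instance via the metadata service and re-runs each boot, so replace it
# with an empty cloud-config (the "delete the user data" step of the answer).
clear_userdata() {
  set_userdata_and_restart "$1" '#cloud-config'
}
```

Because the key line is appended rather than written with `>`, a botched earlier attempt stays visible in authorized_keys for inspection instead of being silently overwritten.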
6

My suggestion is:

  1. Take a snapshot of the instance (create an AMI).
  2. Launch a new instance with that AMI and use a new key pair.
  3. Use an Elastic IP address; that way it won't change next time. Or use a VPC, as user1050134 suggested.
PachinSV
2

I think you have two options:

  1. Create an AMI of the instance, launch it with a new key pair and attach an Elastic IP (recommended).
  2. Or, detach the root volume, attach and mount it to another instance, then create an SSH key pair and copy the contents of the public key to the /home/ubuntu/.ssh/authorized_keys file. Finally, try to log in with the newly generated private key and the ubuntu user.
Pablo SL
0

Ref: Resetting passwords on managed nodes

In case you have an instance with a preinstalled SSM agent (SSM Agent preinstalled AMI), you can follow the steps below.

Prerequisites

  1. SSM Agent version 2.3.668.0 or later must be installed on the managed node.
  2. Session Manager configuration: https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-getting-started.html (complete this setup first).
  3. Encryption: turn on AWS Key Management Service (AWS KMS) encryption for Session Manager data to use the password reset option for managed nodes.

To change the password on a managed node (console)

  1. Open the AWS Systems Manager console at https://console.aws.amazon.com/systems-manager/. In the navigation pane, choose Fleet Manager.

     -or-

  2. If the AWS Systems Manager home page opens first, choose the menu icon to open the navigation pane, and then choose Fleet Manager in the navigation pane.
  3. Choose the button next to the node that needs a new password.
  4. In the Instance actions menu, choose Reset password.
  5. For User name, enter the name of the user for which you're changing the password. This can be any user name that has an account on the node.
  6. Choose Submit.

Follow the prompts in the Enter new password command window to specify the new password.

mahendra rathod