AWS EC2

Add a new ssh login user to ec2 instance

Short description

Every Amazon EC2 Linux instance launches with a default system user account with administrative access to the instance. If multiple users require access to the instance, it's a security best practice to use separate accounts for each user.

You can expedite these steps by using cloud-init and user data. For more information, see How do I add new user accounts with SSH access to my EC2 instance using cloud-init and user data?

手順

1. Create a key pair for the new user account

Add a new user to the EC2 Linux instance

  1. Connect to your Linux instance using SSH.

  2. Use the adduser command to add a new user account to an EC2 instance (replace new_user with the new account name). The following example creates an associated group, home directory, and an entry in the /etc/passwd file of the instance:

    $ sudo adduser new_user
    

Note: If you add the new_user to an Ubuntu instance, include the –disabled-password option to avoid adding a password to the new account:

$ sudo adduser new_user --disabled-password
  1. Change the security context to the new_user account so that folders and files you create have the correct permissions:
$ sudo su - new_user

Note: When you run the sudo su - new_user command, the name at the top of the command shell prompt changes to reflect the new user account context of your shell session.

  1. Create a .ssh directory in the new_user home directory:
    $ mkdir .ssh
    
  2. Use the chmod command to change the .ssh directory's permissions to 700. Changing the permissions restricts access so that only the new_user can read, write, or open the .ssh directory.
    $ chmod 700 .ssh
    
  3. Use the touch command to create the authorized_keys file in the .ssh directory:
    $ touch .ssh/authorized_keys
    
  4. Use the chmod command to change the .ssh/authorized_keys file permissions to 600. Changing the file permissions restricts read or write access to the new_user.
    $ chmod 600 .ssh/authorized_keys
    

2. Retrieve the public key for your key pair

Retrieve the public key for your key pair using the method that applies to your configuration:

  • Importing your own public key to Amazon EC2
    aws ec2 create-key-pair --key-name jdai_dev003  --query "KeyMaterial" --output text > jdai_dev003.pem
    
  • Retrieving the public key for your key pair on Linux
    ssh-keygen -y -f jdai_dev003.pem 
    
  • Retrieving the public key for your key pair through instance metadata

3. Verify your key pair's fingerprint

After you import your own public key or retrieve the public key for your key pair, follow the steps at Verifying your key pair's fingerprint.

Update and verify the new user account credentials After you retrieve the public key, confirm that you have permission to add the public key to the .ssh/authorized_keys file for this account:

  1. Run the Linux cat command in append mode:
    $ cat >> .ssh/authorized_keys
    
  2. Paste the public key into the .ssh/authorized_keys file and then press Enter.

(Optional) Allow the new user to use sudo Note: If you don't want to allow the new user to use sudo, proceed to Verify that the new user can use SSH to connect to the EC2 instance.

  1. Use the passwd command to create a password for the new user:

$ sudo passwd new_user Note: You're prompted to reenter the password. Enter the password a second time to confirm it.

  1. Add the new user to the correct group.

For Amazon Linux, Amazon Linux 2, RHEL, and CentOS:

Use the usermod command to add the user to the wheel group.

$ sudo usermod -aG wheel new_user For Ubuntu:

Use the usermod command to add the user to the sudo group.

$ sudo usermod -aG sudo new_user Verify that the new user can use SSH to connect to the EC2 instance

  1. Run the following command from a command line prompt on your local computer:

$ ssh -i /path/new_key_pair.pem new_user@public_dns_name_of_EC2_Linux_instance To connect to your EC2 Linux instance using SSH from Windows, follow the steps at Connecting to your Linux instance from Windows using PuTTY.

Note: If you receive errors when trying to connect, refer to Troubleshooting connecting to your instance.

  1. Run the id command from the instance's command line to view the user and group information created for the new_user account:

$ id The id command returns information similar to the following:

uid=1004(new_user) gid=1004(new_user) groups=1004(new_user)

  1. Distribute the private key file to your new user.