Amazon Elastic Compute Cloud Developer Guide (API Version 2007-03-01)

    #PermitRootLogin yes

to

    PermitRootLogin without-password

The location of this configuration file may differ for your distribution, or if you're not running OpenSSH. Consult the relevant documentation if this is the case.

Randomizing the root password is also pretty simple. Add the following to your boot process.

    if [ -f "/root/firstrun" ] ; then
        dd if=/dev/urandom count=50|md5sum|passwd --stdin root
        rm -f /root/firstrun
    else
        echo "* Firstrun *" && touch /root/firstrun
    fi

Once again, you may need to consult the relevant documentation if you're using a distro other than Fedora.

Install Public Key Credentials.

Now that we've done a pretty thorough job of ensuring that no one can log into instances of our AMI using a password, we need to make sure they can log in using some other mechanism.

EC2 allows users to specify a public-private keypair name when launching an instance. When a valid keypair name is provided to the RunInstances API call (or through the command line API tools) the following happens behind the scenes:

The public key (the only portion of the keypair EC2 retains on the server after a call to CreateKeyPair) is made available to the instance through two methods:

1. an HTTP query
2. a file on the instance's ephemeral store (/dev/sda2). This file is named openssh_id.pub and its format is compatible with the OpenSSH authorized_keys file.

Note: The HTTP request is the preferred method of retrieving the public key. The second method is deprecated and will be phased out in future versions of the service.

This means at boot, all your AMI need do is retrieve the key value and append it to /root/.ssh/authorized_keys (or the equivalent for any other user account on the AMI) and users will be able to launch instances of your AMI with a keypair and log in without requiring a root password.

    if [ ! -d /root/.ssh ] ; then
        mkdir -p /root/.ssh
        chmod 700 /root/.ssh
    fi
    # Fetch public key using HTTP.
    # -f makes curl exit non-zero on an HTTP error, so the $? check below
    # does not append an error page to authorized_keys.
    curl -f http://169.254.169.254/2007-03-01//meta-data/public-keys/0/openssh-key > /tmp/my-key
    if [ $? -eq 0 ] ; then
        cat /tmp/my-key >> /root/.ssh/authorized_keys
    fi
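A hardened variant of the boot-time key install described above, added here as an example and not taken from the guide: it checks that the fetched value is a single well-formed OpenSSH public key line with no leading options, skips the temporary file in /tmp, and does not append the same key again on later boots. The function names are hypothetical, the check is syntactic only, and the key types other than ssh-rsa are a generalization beyond what the guide mentions.

```shell
#!/bin/sh
# Added example, not from the guide. Function names are hypothetical.
# KEY_URL is the metadata URL used on this page.
KEY_URL="http://169.254.169.254/2007-03-01//meta-data/public-keys/0/openssh-key"

# Return 0 only if $1 is exactly one line of the form
# "<key-type> <base64> [comment]". Leading authorized_keys options
# (command=..., from=...) and HTML error bodies are rejected.
valid_pubkey() {
    [ "$(printf '%s\n' "$1" | grep -c '^')" -eq 1 ] || return 1
    printf '%s\n' "$1" | grep -Eq \
      '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+={0,2}( [^[:cntrl:]]*)?$'
}

# Append key $1 to authorized_keys file $2 unless that exact line is
# already present, and enforce the directory and file modes sshd expects.
install_pubkey() {
    key=$1 auth=$2
    valid_pubkey "$key" || { echo "rejected: not an OpenSSH public key" >&2; return 1; }
    dir=$(dirname "$auth")
    [ -d "$dir" ] || mkdir -p "$dir"
    chmod 700 "$dir"
    touch "$auth" && chmod 600 "$auth"
    grep -qxF -- "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
}

# Fetch the launch key over HTTP. --fail turns an HTTP error into a
# non-zero exit instead of an error page on stdout; the key is returned
# on stdout, so no predictable file under /tmp is needed.
fetch_key() {
    curl --silent --fail --max-time 10 "$KEY_URL"
}

# At boot, as root:
#   key=$(fetch_key) && install_pubkey "$key" /root/.ssh/authorized_keys
```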