ssh aws key management
Karl Auer
kauer at biplane.com.au
Sun Nov 12 06:44:19 UTC 2017
On Sun, 2017-11-12 at 04:25 +0000, thufir wrote:
> For ssh, what's a good strategy to keep logins organized? I'm doing:
>
> ssh -i "suse.pem" ec2-user at ec2...
>
> and could add that to aliases. What might be some other approaches
> to handling keys and logins? I'm not ssh'ing to dozens of instances
> -- less than five.
Read "man ssh_config" and check out the CertificateFile and
IdentityFile directives. You can either just set up a big list of
identities and they will all be tried in turn, or you can use the Host
directive (I think, I have not tried this myself) to limit each
identity to a particular host.
I suggest you put these things into ~/.ssh/config rather than into the
global ssh configuration file /etc/ssh/ssh_config, though the
permissions on the certificate file should prevent misuse.
All this said, you do not require the AWS-supplied identity unless you
like using multiple identity files. Just add your own ssh public key to
~/.ssh/authorized_keys on the AWS system for the user you want to log
in as - ec2-user or whatever - or make a new user and use that one. If
you delete the AWS-supplied key out of the authorized_keys file, it
will no longer work for logins, which might be useful in some
scenarios.
BTW AWS gives the primary user (e.g. ubuntu at host) password-less sudo
access, which is IMHO dangerous (but let's please not have THAT
discussion again). Anyway, if you don't like it you can and IMHO should
fix /etc/sudoers to turn it off.
Also, for better ssh security you should at a minimum change the ssh
port and turn off password-only logins (i.e., require publickey
access).
Regards, K.
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer at biplane.com.au)
http://www.biplane.com.au/kauer
http://twitter.com/kauer389
GPG fingerprint: A52E F6B9 708B 51C4 85E6 1634 0571 ADF9 3C1C 6A3A
Old fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B
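To see how the Host/IdentityFile approach mentioned above actually resolves, here is an added example that is not part of the thread: a small Python model of ssh_config's matching rules run over a constructed ~/.ssh/config. It goes slightly beyond the reply by applying ssh's "first obtained value wins, but IdentityFile accumulates" rule; hostnames and key paths are placeholders, and only Host blocks, plain keywords and IdentityFile are handled (no Match, negated patterns or Include).

```python
import fnmatch

# Constructed sample ~/.ssh/config (not from the thread): one Host block per
# instance so each AWS key is only offered to its own host; "Host *" comes last.
SAMPLE_CONFIG = """\
Host suse-box
    HostName ec2-198-51-100-10.compute-1.amazonaws.com
    User ec2-user
    IdentityFile ~/.ssh/suse.pem
    IdentitiesOnly yes

Host ubuntu-*
    User ubuntu
    IdentityFile ~/.ssh/ubuntu-aws.pem
    IdentitiesOnly yes

Host *
    Port 2222
    IdentityFile ~/.ssh/id_ed25519
"""

def parse_config(text):
    """Split an ssh_config into (host patterns, {keyword: [values]}) blocks."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "host":
            current = (value.split(), {})
            blocks.append(current)
        elif current is not None:
            current[1].setdefault(key, []).append(value)
    return blocks

def resolve(text, host):
    """Mimic ssh(1): walk matching blocks in file order; the first value
    obtained for a keyword wins, except IdentityFile, which accumulates."""
    resolved = {}
    for patterns, opts in parse_config(text):
        if not any(fnmatch.fnmatchcase(host, p) for p in patterns):
            continue
        for key, values in opts.items():
            if key == "identityfile":
                resolved.setdefault(key, []).extend(values)
            else:
                resolved.setdefault(key, values[0])
    return resolved
```

Running `resolve(SAMPLE_CONFIG, "suse-box")` shows that suse.pem is offered only to that host, while the catch-all key and port apply everywhere; `ssh -G suse-box` on a real system prints the same effective values.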