sftpgateway-public / Locked out of EC2 instance

How to log into EC2 if ec2-user is no longer working

There are a couple of ways you can lock yourself out of your EC2 instance.

  • You lose your SSH private key
  • The ec2-user gets corrupted somehow

Fortunately, there are ways to get back into your EC2 instance. The least invasive approach is to modify the instance's User Data, which cloud-init runs at boot. There's a really good AWS article that describes how to do this. Below, I'll go over the steps.

Create a back-door user via User Data

First, you need to stop your EC2 instance. Go to EC2 > Actions > Instance State > Stop

[Screenshot: stopping the instance from the Actions menu]

Second, edit the UserData. Go to EC2 > Actions > Instance Settings > View/Change User Data.

[Screenshot: the View/Change User Data dialog]

Third, paste in the following code snippet (replacing everything that's already there):

Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0

--//
Content-Type: text/cloud-config; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="cloud-config.txt"

#cloud-config
cloud_final_modules:
- [scripts-user, always]

--//
Content-Type: text/x-shellscript; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="userdata.txt"

#!/bin/bash
USER=robtest #1
adduser $USER #2
echo "$USER ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers.d/cloud-init #3
mkdir /home/$USER/.ssh #4
echo "ssh-rsa AAAAB3NzaC1yc2EAAA....A38MHe0KAzY9Ob private.key" >> /home/$USER/.ssh/authorized_keys #5
chown -R $USER:$USER /home/$USER/.ssh  # give the new user ownership of .ssh and authorized_keys
chmod 700 /home/$USER/.ssh && chmod 600 /home/$USER/.ssh/authorized_keys  # the permissions sshd expects
--//--

By default, User Data runs only once, on first launch. The cloud-config section at the top (the first 20 lines) sets cloud_final_modules to [scripts-user, always], which makes cloud-init run the bash script at the bottom on every boot instead.

This is what the bash script is doing, line by line:

  1. Sets the username to robtest. Be sure to replace this with a username of your choice.
  2. Creates a regular Linux user (this is not an SFTP user).
  3. Grants this user sudo access, just like ec2-user has.
  4. Creates the .ssh directory. This needs to exist before you can create the authorized_keys file.
  5. Appends a public key to /home/robtest/.ssh/authorized_keys. Make sure you replace the key shown with the contents of your own public key (private.key.pub, generated below), not the private key.

To generate a public key, run the following command on your local Mac:

ssh-keygen -t rsa -C private.key -f private.key -q -N ""

This generates two files:

  • private.key: the private key. You'll use this to ssh -i into the instance momentarily. (Be sure to chmod 600 it.)
  • private.key.pub: the public key, whose single-line contents you paste into the bash script above.

Finally, hit Save.

Start your EC2 instance again: Go to EC2 > Actions > Instance State > Start

[Screenshot: starting the instance from the Actions menu]

If all goes well, you should be able to SSH using your new username.

Cleanup

If everything is working, make sure you delete your UserData so that it doesn't keep running on subsequent launches. Like before, you'll have to stop your instance in order to make the change.
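The following is an added example, not code from this wiki or from SFTP Gateway. It covers two of the steps above: it builds the same multipart User Data document with Python's email module (refusing to embed anything that is not an OpenSSH public key, since pasting private.key instead of private.key.pub is the easiest mistake to make here), and it audits a User Data text for the [scripts-user, always] trigger and account changes so you can confirm the cleanup actually happened. The username, the sample key, useradd -m in place of adduser, and the /etc/sudoers.d/90-recovery-user file name are assumptions for the example; the shell part is also written to be safe to re-run at every boot, which the wiki's script is not.

```python
"""Added example (not from the sftpgateway-public wiki or SFTP Gateway itself):
builds the recovery User Data document with the email module, validates the
public key before embedding it, and audits User Data text for the every-boot
trigger the Cleanup section warns about. Username, sample key and the sudoers
file name are assumptions chosen for this example."""
import base64
import re
import struct
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

# Same cloud-config part as the wiki: run the shell part on every boot.
CLOUD_CONFIG = "#cloud-config\ncloud_final_modules:\n- [scripts-user, always]\n"

# Shell part. Idempotent (it re-runs at every boot), and it sets the ownership and
# permissions sshd's StrictModes expects. /etc/sudoers.d/90-recovery-user is an
# assumed file name for this example, not the file cloud-init writes for ec2-user.
SCRIPT_TEMPLATE = """#!/bin/bash
set -eu
RECOVERY_USER={user}
KEYS=/home/$RECOVERY_USER/.ssh/authorized_keys
id "$RECOVERY_USER" >/dev/null 2>&1 || useradd -m "$RECOVERY_USER"
echo "$RECOVERY_USER ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/90-recovery-user
chmod 440 /etc/sudoers.d/90-recovery-user
install -d -m 700 -o "$RECOVERY_USER" -g "$RECOVERY_USER" /home/$RECOVERY_USER/.ssh
grep -qxF "{pubkey}" "$KEYS" 2>/dev/null || echo "{pubkey}" >> "$KEYS"
chown "$RECOVERY_USER:$RECOVERY_USER" "$KEYS"
chmod 600 "$KEYS"
"""


def validate_public_key(line):
    """Return (key_type, comment) for a one-line OpenSSH public key, else raise ValueError.
    Rejects PEM/private-key material and blobs whose embedded type does not match."""
    line = line.strip()
    if line.startswith("-----BEGIN"):
        raise ValueError("this is a private key or PEM block; paste the .pub file instead")
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    key_type, blob_b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    if key_type not in KEY_TYPES:
        raise ValueError(f"unsupported key type {key_type!r}")
    try:
        blob = base64.b64decode(blob_b64, validate=True)
    except ValueError:
        raise ValueError("key blob is not valid base64 (truncated, or '...' left in?)")
    if len(blob) < 4:
        raise ValueError("key blob is truncated")
    n = struct.unpack(">I", blob[:4])[0]  # first field is the length-prefixed type string
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("blob does not encode the declared key type")
    return key_type, comment


def looks_like_public_key(line):
    """Boolean wrapper around validate_public_key for quick checks."""
    try:
        validate_public_key(line)
        return True
    except ValueError:
        return False


def build_userdata(username, pubkey_line):
    """Render the multipart User Data (cloud-config part + shell part) as text."""
    if not re.fullmatch(r"[a-z_][a-z0-9_-]{0,31}", username):
        raise ValueError("username must be a plain lowercase POSIX name")
    validate_public_key(pubkey_line)
    pubkey = pubkey_line.strip()
    if re.search(r'["$`\\]', pubkey):  # the key line is interpolated into a shell script
        raise ValueError("key line contains shell metacharacters")
    msg = MIMEMultipart("mixed", boundary="//")
    cfg = MIMEText(CLOUD_CONFIG, "cloud-config")
    cfg.add_header("Content-Disposition", "attachment", filename="cloud-config.txt")
    sh = MIMEText(SCRIPT_TEMPLATE.format(user=username, pubkey=pubkey), "x-shellscript")
    sh.add_header("Content-Disposition", "attachment", filename="userdata.txt")
    msg.attach(cfg)
    msg.attach(sh)
    return msg.as_string()


ALWAYS_RE = re.compile(r"\[\s*scripts-user\s*,\s*always\s*\]")
ACCOUNT_RE = re.compile(r"\b(adduser|useradd)\b|authorized_keys|/etc/sudoers")


def audit_userdata(text):
    """Findings to clear before the recovery is considered finished: the every-boot
    trigger, and any line that touches accounts, sudo or SSH keys."""
    findings = []
    if ALWAYS_RE.search(text):
        findings.append("scripts-user is 'always': the shell part re-runs on every boot")
    for lineno, line in enumerate(text.splitlines(), 1):
        if ACCOUNT_RE.search(line):
            findings.append(f"line {lineno}: touches accounts/sudo/keys: {line.strip()}")
    return findings


# Constructed sample: a syntactically valid ssh-ed25519 line with an all-zero
# 32-byte "key" so the example runs offline. It is NOT a real key.
_blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)
SAMPLE_PUBKEY = "ssh-ed25519 " + base64.b64encode(_blob).decode() + " recovery@example"

if __name__ == "__main__":
    ud = build_userdata("robtest", SAMPLE_PUBKEY)
    print(ud)
    for finding in audit_userdata(ud):
        print("AUDIT:", finding)
```

Run audit_userdata on whatever is left in View/Change User Data after cleanup: an empty list is what you want. Once ec2-user works again, removing the User Data is not the whole job; the recovery user, its sudoers entry and its authorized_keys line stay on the instance until you delete them too.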
