无法在同一子网中SSH EC2实例 [英] Unable to ssh EC2 instances in same subnet

问题描述

我在同一子网中有两个EC2实例，但是当我尝试从一个实例切换到另一个实例时，却收到了公开密钥被拒绝的消息，它不提示输入密码

I have two EC2 instances in same subnet but I when I am trying to ssh from one instance to another I am getting publickey denied message, it does not prompt password

[root @ ip-10-0-21-156〜]#ssh testuser@10.0.21.170 权限被拒绝(公钥).

[root@ip-10-0-21-156 ~]# ssh testuser@10.0.21.170 Permission denied (publickey).

推荐答案

默认情况下，EC2实例配置为通过公钥/私钥提供SSH身份验证.因此，就像您需要在本地计算机上安装一个私钥(创建IAM密钥对时可能下载了.pem文件)以便通过SSH进入实例一样，您也需要在实例上安装一个私钥以从该实例到另一个实例的SSH.

By default, EC2 instances are configured to provide SSH authentication via public/private keys. So, just like you needed a private key (you likely downloaded the .pem file when you created the IAM keypair) installed on your local computer in order to SSH into the instance, you also need a private key installed on the instance in order to SSH from that instance into another instance.

您没有在幕后看到的是，当启动实例并指定密钥对名称时，EC2允许您下载私钥(.pem文件)，并自动在实例上创建用户(例如，在(Ubuntu AMI)，用户名是"ubuntu"，在Amazon Linux AMI上，用户名是"ec2-user")，并将与私钥匹配的公钥放入〜/.ssh/authorized_keys文件中.所有这些需要先发生，然后才能通过SSH进入实例.

What you didn't see behind the scenes was that when you launched the instance and specified the key-pair name, EC2 let you download the private key (.pem file), automatically created the user on the instance (e.g. on the Ubuntu AMI, the username is 'ubuntu' and on the Amazon Linux AMI, the username is 'ec2-user') AND it put the public key that matches the private key into the ~/.ssh/authorized_keys file. All of that needs to happen before you can SSH into an instance.

因此，假设您使用相同的密钥对启动了两个实例，为了从实例A到实例B进行SSH，除了将私钥(.pem文件)放入〜/之外，已经为您完成了所有工作. ssh目录. AWS认为在实例上保留私钥会带来安全风险，因此不会自动这样做.因此，只需将私钥放在实例A的.ssh目录中，然后将其添加到您的密钥环中，或者您可以像下面这样在ssh命令中指定密钥:

So, assuming you launched the two instances with the same keypair, in order to SSH from instance A to instance B, everything has been done for you EXCEPT for putting the private key (the .pem file) into the ~/.ssh directory. AWS considers keeping the private key on the instance a security risk and therefore does not do it automatically. So, simply put the private key into the .ssh directory on instance A and then add it to your keyring or you can specify the key in the ssh command like so:

ssh -i ~/.ssh/PRIVATE_KEY.pem USERNAME@INSTANCE_B_LOCAL_IP

总而言之，在EC2实例上为其他实例保留私钥通常不是一个好主意，如果您发现自己需要这样做，则可能应该重新考虑自己的体系结构(即可能正在做的事情)更好的方法).

All that said, it's generally a bad idea to keep private keys for other instances on an EC2 instance and if you find yourself needing to do that, you should likely rethink your architecture for whatever it is your doing (i.e. there are probably better ways of doing it).

此外，您真的不应该将EC2创建的用户帐户(即ubuntu @或ec2-user @)用于日常日常工作，甚至不执行维护或其他系统管理员工作.您实际上应该创建自己的帐户，因为EC2创建的帐户本质上是一个根帐户.

Additionally, you really shouldn't be using the EC2 created user account (i.e. ubuntu@ or ec2-user@) for normal day to day stuff or even to perform maintenance or other sysadmin work. You should really create your own account, because the EC2 created account is essentially a root account.

AWS建议继续对所有帐户使用公用/专用密钥身份验证，但是您可以切换为使用基于密码的身份验证，然后不必担心密钥.与使用基于密钥的身份验证相比，此方法本质上不安全，但是，鉴于严格的密码要求，您可以提高安全性.

AWS recommends continuing to use public/private key authentication for all accounts, however you could switch to use password-based authentication and then not need to worry about the keys. This is inherently less secure than using key-based authentication, however given strict password requirements, you could increase security.

创建其他帐户(基于密码或基于密钥)时，您唯一需要做的就是确保您的个性化帐户具有sudo访问权限，以便您可以sudo进行需要root访问权限的操作.在Ubuntu中，您可以通过在/etc/sudoers.d/90-cloud-init-users文件中添加以下行来完成此操作:

The only thing you will need to do when creating additional accounts (either password-based or key-based), is to make sure your personalized account has sudo access so you can sudo to do things that require root access. In Ubuntu, you can do this by adding the following line to the /etc/sudoers.d/90-cloud-init-users file:

USERNAME ALL=(ALL) NOPASSWD:ALL

在这里时，请考虑对EC2创建的用户名禁用sudo访问.即使没有其他人拥有该密钥，每个人都会知道有一个具有sudo访问权限的ubuntu帐户.就像使用密码一样，知道用户名是黑客工作的重要组成部分.

While you're there, consider disabling the sudo access for the EC2 created username. Even though no one else will have the key, everyone will know that there is an ubuntu account that has sudo access. Just like with passwords, knowing the username is a substantial part of a hackers job.

希望这会有所帮助.

这篇关于无法在同一子网中SSH EC2实例的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！