in Amazon EC2, Cloud Computing

idiot’s guide to linux on amazon ec2 – part 1

Recently I’ve had the opportunity of setting up a Linux instance on Amazon EC2 for use with Ruby on Rails, MySQL, Nginx and Rabbit MQ. I suspect much of what I will document is obvious to many but hopefully some of you may find it useful, especially, if like me, you are totally inexperienced with setting up a Linux server.

As it turns out I’ll probably document this over a couple of posts as it took up a bit more time and space than I first anticipated. In this first part I will cover, logging in as the root user, adding a new user, generating their ssh key, adding the user to the list of sudoers, and finally disabling root login via ssh. I’ll update this article with links to the other parts as I create them (Part 2).

Right, first things first, some background info. Rightly or wrongly we required the server to do more than one thing, hence the list of items to install. So to reduce this number I picked an image with RabbitMQ pre-installed – as setup of this was uncharted territory for me. A consequence of this choice was that it pushed us down the path of Ubuntu and the latest version which is currently 9.10. So let’s get to it.

The goal here is to disable remote root login, and in doing so we need to create a new user, and give him the ability to sudo commands. To do that we first need to login to our new EC2 image – which took me a little time to figure out! This can be done from Windows using putty. However, we must first use puttygen to generate a putty ssh auth key (putty doesn’t understand the key generated by Amazon) from your Amazon keypair which can be found in the AWS Management Console under Key Pairs. Check out this link for further information.

Now on to the real work.

Adding a user and generating their ssh key
Follow the process below to add a new user and generate an ssh key for this user.

  1. Login as root using method described above
  2. Run adduser webuser – where webuser is the name of the user we are adding. Fill in the details including the password of this user.
  3. Type su webuser – to run a shell as this user without logging out
  4. Execute ssh-keygen -t dsa from this users home directory
  5. Rename the file ~/.ssh/id_dsa.pub to ~/.ssh/authorized_keys
  6. Take a copy of the generated private key (should be in ~/.ssh/id_dsa) and copy it to your local machine
  7. Now use puttygen to generate the ssh key from id_dsa
  8. Finally login using putty and the new key – you should only have to specify your username when logging in.

Adding your new user to the list of sudoers
This is a very basic sudoers setup as we are only adding a single sudo user to the /etc/sudoers file. I know you can do way more complicated things with this but what is documented here was sufficient for our needs. So let’s get on with it.

  1. Login as root
  2. Run visudo – this is an editor for the sudoers file to stop multiple people editing the file at the same time
  3. Locate the lines below in the editor

    # User privilege specification
    root ALL=(ALL) ALL

    and change this to

    # User privilege specification
    root ALL=(ALL) ALL
    webuser ALL=(ALL) ALL

  4. If you would like to allow the user to sudo without having to supply a password then you need to add the following line as well:

    webuser ALL=NOPASSWD: ALL

  5. Now save the file and exit – ensure that the changes are saved to /etc/sudoers

Disabling root login

  1. Login as webuser
  2. Run sudo vi /etc/ssh/sshd_config – you can replace vi with another editor if you please, I’ve heard nano might be a little more friendly to windows users!
  3. Find the line PermitRootLogin and change it to:

    PermitRootLogin no

    If I remember correctly in the instance I was using there was more than one line with PermitRootLogin so it may be worth check for this yourself.

  4. As a side note, should you wish to allow login using passwords rather than using a ssh key (this maybe what users familiar with shared hosting are used to) you can enable this by changing the relevant line in sshd_config to:

    PasswordAuthentication yes

  5. Finally, restart sshd by running sudo /etc/init.d/ssh restart

You should now be able to login in using webuser, and sudo commands as webuser that require to be run as root. Additionally, root login from a remote server has also been disabled.

There may be better ways to do the above, but what I’ve documented works. I may also be missing stuff, if so, let me know and I will update this. Well, that’s it for now. Check back soon for Part 2 which will be on it’s way shortly.

Update: idiot’s guide to linux on amazon ec2 – part 2

Write a Comment

Comment

 

  1. Thanks for this post. I’m trying to make the most of it, but I don’t think it’s “dummy” enough. I could not follow steps E and F for adding a new user. I’m not sure what you mean by “Rename the file ~/.ssh/id_dsa.pub to ~/.ssh/authorized_keys”; also, I can’t figure out how to download the generated key file to my machine. I tried several commands, but nothing worked.

  2. A much more unix proper way to handle adding sudoers is to run visudoers and uncomment the line which grants access to users in the wheel group. Then edit /etc/group and add the users who need sudo access to wheel.

Webmentions

  • idiot’s guide to linux on amazon ec2 – part 2 | Equivalence December 7, 2016

    […] Part 1 I covered how to remove the root login, create a new user, and add this user to the list of sudoers […]

  • idiot’s guide to linux on amazon ec2 › ec2base December 7, 2016

    […] http://www.equivalence.co.uk/archives/1521 […]