Technology How To

Managing Users on Amazon EC2

Tuesday, September 28, 2010 4:01 pm

This tutorial explains how to create user accounts, how to create public and private keys, and why you should use a password and where a password can be optional (as long as you are relying on PKI authentication).
Note: the ubuntu user is the default user in EC2 images, and it does not need a password to gain root access.

Sudoers

  • Sudo is an abbreviation of "substitute user do", which allows users in a sudoer group to run commands as root. Instead of relying on the admin sudoer group that comes with Ubuntu, we decided to create a new group called sysadmin, of which all our system administrators are members. We did this to keep things simple and to modify this group when needed.
  • Sudoers file: In Ubuntu, the file /etc/sudoers is where user specifications are defined. A look at this file gives information on who can run what, as which user, and from which host.
  • Edit sudoers file: This file must be edited as root with the command sudo visudo, which checks the syntax before saving (a syntax error in /etc/sudoers locks everyone out of sudo). The line that assigns root privileges to the sysadmin group is: %sysadmin ALL=(ALL) ALL (the ALL keyword is case-sensitive and must be uppercase). As written, sysadmin group members will be prompted for their own password to gain root access. More information on the sudoers file can be found in the sudoers(5) man page.

Public and private keys

  • SSH: We rely on Secure Shell (SSH) keys for user authentication. To be able to generate SSH keys, the OpenSSH server must be installed on your server and the OpenSSH client on the machines connecting to the server on EC2.
  • SSH install: at least the following commands must be run:
    • To install the OpenSSH server on the server run: sudo apt-get install openssh-server
    • To install the OpenSSH client on the machines connecting to the server run: sudo apt-get install openssh-client
  • Generate your SSH keys:
    • Log on to your server using the ubuntu user account
    • Create your user account by running: sudo adduser bessouke, then add it to the group by running: sudo adduser bessouke sysadmin (bessouke is your username and sysadmin is your group; adduser with two arguments only adds an existing user to a group, so the account must be created first). Run the following commands to create your keys:
    • su bessouke
    • cd /home/bessouke
    • ssh-keygen -t rsa
    • accept the default location for the key file, /home/bessouke/.ssh/id_rsa
    • chmod 700 .ssh
    • cd .ssh
    • mv id_rsa id_bessouke_rsa
    • mv id_rsa.pub id_bessouke_rsa.pub
    • cat id*.pub > authorized_keys
    • chmod 600 * (the private key and authorized_keys must not be readable by other users, otherwise sshd refuses key authentication)
    • cp id* /tmp (every user on the server can read /tmp, so delete this copy of the private key as soon as it has been downloaded)
    • exit EC2 to go back to your computer
    • scp -i zsrlibrary.pem bessouke@cloud.lib.wfu.edu:/tmp/id_bessouke_rsa /path/to/folder/on/your/computer/ (zsrlibrary.pem is the Amazon key file for your instance; this command needs to be run from the folder containing this file)
    • chmod 600 id_bessouke_rsa
    • chmod 700 id_bessouke_rsa.pub
    • ssh -i id_bessouke_rsa bessouke@cloud.lib.wfu.edu
    • You should now be logged on to EC2 with your bessouke account without having to use your password
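The permission steps above are the ones that most often go wrong, and sshd (with its default StrictModes) silently refuses key logins when the .ssh directory or the key files are too open. The script below is an added example, not part of the original post: it audits a .ssh directory for the modes this tutorial sets (700 on the directory, 600 on private keys and authorized_keys, public keys exempt) and exercises the check on a constructed directory. It assumes GNU coreutils (stat -c), as on the Ubuntu images discussed.

```shell
#!/bin/sh
# Added example: audit a ~/.ssh directory for the permissions the tutorial sets.
# Assumes GNU coreutils (stat -c '%a'), as on Ubuntu.

# Print the octal mode of a path, e.g. 700.
mode_of() { stat -c '%a' "$1"; }

# check_ssh_dir DIR: returns 0 if DIR and its key files are locked down,
# 1 otherwise, printing one line per problem found.
check_ssh_dir() {
    dir="$1"; rc=0
    if [ ! -d "$dir" ]; then echo "missing: $dir"; return 1; fi
    m=$(mode_of "$dir")
    if [ "$m" != "700" ]; then echo "$dir is mode $m, expected 700"; rc=1; fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        m=$(mode_of "$f")
        case "$(basename "$f")" in
            *.pub) ;;   # public keys may be readable by others
            *) if [ "$m" != "600" ] && [ "$m" != "400" ]; then
                   echo "$f is mode $m, expected 600"; rc=1
               fi ;;
        esac
    done
    return $rc
}

# Demo on a constructed directory (not a real account's home).
demo=$(mktemp -d)
mkdir -m 700 "$demo/.ssh"
touch "$demo/.ssh/id_bessouke_rsa" "$demo/.ssh/id_bessouke_rsa.pub" "$demo/.ssh/authorized_keys"
chmod 600 "$demo/.ssh"/*
check_ssh_dir "$demo/.ssh" && echo "ok: $demo/.ssh"
chmod 644 "$demo/.ssh/id_bessouke_rsa"   # the mistake the check catches
check_ssh_dir "$demo/.ssh" || echo "fix needed before key logins will work"
rm -rf "$demo"
```

Run it as check_ssh_dir /home/bessouke/.ssh on the server after the chmod steps; a non-zero exit explains why a key login is being refused.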

Password authentication

  • As system administrators we make a lot of SSH connections during the course of a day, and having the option of relying on public and private keys for authentication without using a password is convenient. This could be considered less secure, as the additional level of security that a password provides is no longer required. To add a little bit more security to our PKI authentication, we configured our firewalls to require communication from within our campus network. This means that to access our resources on Amazon EC2 from outside our campus, the VPN must be used.
  • PKI authentication is also convenient when relying on a user account to move data from other servers (like our Voyager server, which is outsourced to ExLibris) to our Amazon cloud servers and vice versa.
  • Although it is convenient not to use a password to gain access to our cloud servers, we decided not to disable password authentication, as we love our ability to log on to our cloud servers using our mobile devices.

Setting password expiration date

  • The following commands show how to manage passwords using the Linux command chage, which stands for "change age".
  • It is sometimes convenient to set our passwords to never expire, even though, as system administrators, it is good practice to keep changing passwords at a regular interval.
  • Log on to your server using your username (here, bessouke). Changing another account's ageing information requires root, so run the commands below through sudo.
  • To set the password to expire in 90 days, run: chage -M 90 bessouke
  • To set the account expiration date to 2011-01-02, run: chage -E "2011-01-02" bessouke
  • To set the password to never expire, run: chage -m 0 -M 99999 -I -1 -E -1 bessouke
    • -m 0 sets the minimum number of days between password changes to 0
    • -M 99999 sets the maximum number of days between password changes to 99999
    • -I -1 (minus one) sets "Password inactive" to never
    • -E -1 (minus one) sets "Account expires" to never
