How do I change the SSH Key on a running EC2 instance?


Background Information

Is it possible to change the SSH Key on a running EC2 instance? If so, how?

 


Answer

If you need to switch to a new SSH Key, RightScale recommends that you terminate the instance, change the associated SSH Key and launch the instance again.  Before terminating the instance or taking any corrective action, make sure you’ve saved any critical data that needs to be preserved.  So, if the instance has any attached EBS volumes, be sure to take snapshots of the volumes so that you can use them to restore your volume data on future instances.  However, any data saved on the instance’s local ephemeral drive will be lost once the instance is terminated.

If terminating and relaunching the instance is not feasible then the following instructions will allow you to change the authorized keys on the instance and update the Dashboard with the new key information.

  1. Generate a new Key Pair. When you do this, copy the SSH key information to your text editor; you will need this to update the old key in the Dashboard and the Authorized Keys file on the instance(s).
  2. Use the command-line to generate your public key.
  3. Create a new Credential named, “your key name here” Public Key. For the value, use ONLY the key information (not the begin/end rsa tags)
  4. Create a script that alters the Authorized Keys file to only allow the new SSH Key Pair. In the following example, the value of $PUBLIC_SSH_KEY is set to the Credential just created, and the value of $KEY_NAME is the name of the newly created key pair:
    • #!/bin/bash -e 
      echo "ssh-rsa $PUBLIC_SSH_KEY $KEY_NAME" > ~root/.ssh/authorized_keys
      exit 0 # Leave with a smile...
  5. Now that the Public Key has been replaced, the Private Key information for the old SSH Key Pair associated with the old instances must be updated so that you can still SSH into the machines. Find the old key under Clouds > AWS (US/EU) > SSH Keys, open it and click Edit. Overwrite the old private key information by copying and pasting the newly created key’s private key information, and click Save.
  6. If any of your instances use the “MISC ssh priv key install” script, you will need to rerun this script with the new key.
  7. This will work indefinitely, but we recommend that you relaunch with the new SSH Key as soon as it’s possible. This will prevent confusion and allow you to fully deprecate the old SSH key name from active instances.

Copy from http://support.rightscale.com/06-FAQs/FAQ_0111_-_How_do_I_change_the_SSH_Key_on_a_running_EC2_instance%3F

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s