Open chrislgarry opened 6 years ago
@qimingfang is already on this.
I'm starting with accounts for Singapore only, then replicating that in Seoul once it works for everyone.
I verified that the secret key I'm using produces the public key that's in the authorized_keys
file for garry, but ssh authentication is failing:
Chriss-MacBook-Pro-2:Downloads cgarry$ ssh -i sin-bastion-garry.pem garry@13.250.30.83
Received disconnect from 13.250.30.83 port 22:2: Too many authentication failures
Authentication failed.
The only other thing I can think of is that garry doesn't have the proper permissions for the .ssh folder. After creating the user, you should:
sudo su - newuser
mkdir .ssh
chmod 700 .ssh
touch .ssh/authorized_keys
chmod 600 .ssh/authorized_keys
I figured out that you missed step three by checking the permissions:
[ec2-user@ip-10-0-1-229 ~]$ sudo su - garry
Last login: Thu Apr 26 05:44:11 UTC 2018 on pts/0
[garry@ip-10-0-1-229 ~]$ pwd
/home/garry
[garry@ip-10-0-1-229 ~]$ ls -lah
total 24K
drwx------ 3 garry garry 140 Apr 25 13:57 .
drwxr-xr-x 6 root root 63 Apr 24 18:49 ..
-rw------- 1 garry garry 491 Apr 26 05:44 .bash_history
-rw-r--r-- 1 garry garry 18 Oct 24 2017 .bash_logout
-rw-r--r-- 1 garry garry 193 Oct 24 2017 .bash_profile
-rw-r--r-- 1 garry garry 231 Oct 24 2017 .bashrc
-r-------- 1 root root 165 Apr 25 13:57 .google_authenticator
drwxrwxr-x 2 garry garry 43 Apr 25 12:52 .ssh
-rw------- 1 garry garry 1.2K Apr 25 12:41 .viminfo
[garry@ip-10-0-1-229 ~]$ chmod 700 .ssh/
[garry@ip-10-0-1-229 ~]$ ls -lah
total 24K
drwx------ 3 garry garry 140 Apr 25 13:57 .
drwxr-xr-x 6 root root 63 Apr 24 18:49 ..
-rw------- 1 garry garry 491 Apr 26 05:44 .bash_history
-rw-r--r-- 1 garry garry 18 Oct 24 2017 .bash_logout
-rw-r--r-- 1 garry garry 193 Oct 24 2017 .bash_profile
-rw-r--r-- 1 garry garry 231 Oct 24 2017 .bashrc
-r-------- 1 root root 165 Apr 25 13:57 .google_authenticator
drwx------ 2 garry garry 43 Apr 25 12:52 .ssh
-rw------- 1 garry garry 1.2K Apr 25 12:41 .viminfo
Also need to fix owner permissions on .ssh/config:
[garry@ip-10-0-1-229 ~]$ ssh fed1
Bad owner or permissions on /home/garry/.ssh/config
[garry@ip-10-0-1-229 ~]$ cd .ssh/
[garry@ip-10-0-1-229 .ssh]$ ls -lah
total 8.0K
drwx------ 2 garry garry 43 Apr 25 12:52 .
drwx------ 3 garry garry 140 Apr 26 06:06 ..
-rw------- 1 garry garry 381 Apr 24 18:41 authorized_keys
-rw-rw-r-- 1 garry garry 117 Apr 25 12:52 config
[garry@ip-10-0-1-229 .ssh]$ chmod 600 config
And don't forget to add key forwarding for the bastion to .ssh/config on your laptop:
Host sin-bastion
Hostname ec2-13-250-30-83.ap-southeast-1.compute.amazonaws.com
User garry
ForwardAgent yes
so that the SSH private key is forwarded to the bastion, which is required to access fed1. The alternative is to store the SSH key on the server, but that is bad practice. Forwarding is better. I just want to explain this thoroughly here for anyone reading, and for potential newcomers.
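As an added example (not code from this thread or the project): a small POSIX shell script that audits a user's home and .ssh tree the way sshd's StrictModes check does, ownership included, and applies the chmod fixes above. It assumes Linux for the `getent` home-directory lookup and reads modes via `ls -ld` rather than `stat`, whose flags differ between GNU and BSD.

```shell
#!/bin/sh
# Added example for this thread (not from the original repo): audit a user's home
# and .ssh the way sshd's StrictModes check does, then apply the chmod fixes from
# the comment above. Linux is assumed for the getent home-directory lookup.

# ssh_perm_check USER HOME -> prints one line per problem; 0 when clean, 1 otherwise.
ssh_perm_check() {
    user=$1; home=$2; bad=0
    for f in "$home" "$home/.ssh" "$home/.ssh/authorized_keys" "$home/.ssh/config"; do
        [ -e "$f" ] || continue
        # ls -ld rather than stat (flags differ between GNU and BSD); cut -c1-10
        # also drops a trailing ACL '+' or SELinux '.' marker from the mode string
        mode=$(ls -ld "$f" | cut -c1-10)
        owner=$(ls -ld "$f" | awk '{print $3}')
        # sshd accepts the user or root as owner of each path component
        if [ "$owner" != "$user" ] && [ "$owner" != root ]; then
            echo "bad owner: $f is owned by $owner, expected $user"
            bad=1
        fi
        # character 6 is the group write bit, character 9 the world write bit
        if [ "$(printf '%s' "$mode" | cut -c6)" = w ] ||
           [ "$(printf '%s' "$mode" | cut -c9)" = w ]; then
            echo "group/world writable: $f ($mode)"
            bad=1
        fi
    done
    return $bad
}

# ssh_perm_fix HOME -> the permissions from the thread: 700 on .ssh, 600 on its files.
ssh_perm_fix() {
    home=$1
    if [ -d "$home/.ssh" ]; then chmod 700 "$home/.ssh"; fi
    for f in authorized_keys config; do
        if [ -f "$home/.ssh/$f" ]; then chmod 600 "$home/.ssh/$f"; fi
    done
    return 0
}

# Usage: sh ssh_perm.sh USER [--fix]; with no arguments only the functions are defined.
if [ $# -ge 1 ]; then
    h=$(getent passwd "$1" | cut -d: -f6)
    [ -n "$h" ] || { echo "no such user: $1" >&2; exit 2; }
    if ! ssh_perm_check "$1" "$h"; then
        [ "${2:-}" = --fix ] || exit 1
        ssh_perm_fix "$h" && ssh_perm_check "$1" "$h"
    fi
fi
```

Run it as root with `--fix` after creating each account; without `--fix` it only reports, which makes it usable as a periodic audit on the bastion.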
Ah yes, you're right. We need the .ssh folder and the authorized_keys to have more permissions. Good catch.
Set up user accounts on each instance for each of us, rather than just "fed-admin" like we have.
In the future, this can be done using software like Kerberos.