Using sudo, ssh, rsync on the Official Ubuntu Images for EC2


The official Ubuntu images for EC2 do not allow ssh directly to the root account, but instead provide access through a normal “ubuntu” user account. This practice fits the standard Ubuntu security model available in other environments and, admittedly, can take a bit of getting used to if you are not familiar with it.

This document describes how to work inside this environment using the “ubuntu” user and the sudo utility to execute commands as the root user when necessary.

SSH

First, to connect to an instance of an official Ubuntu image for EC2, you need to ssh to it as “ubuntu” instead of as “root”. For example:

ssh -i KEYPAIR.pem ubuntu@HOSTNAME

Note that existing EC2 documentation and tools like the EC2 Console and Elasticfox assume that all EC2 instances accept connections to root, so you’ll have to remember this change.

If you accidentally ssh to root on one of the official Ubuntu images, a short message will be output reminding you to use “ubuntu” instead.

SUDO

When logged in under the “ubuntu” user, you can run commands as root using the sudo command. For example:

sudo apt-get update && sudo apt-get upgrade -y

Note that sudo resets the environment before running the command, so most of your shell's environment variables are not passed through. If you need them preserved, use the sudo -E option.

SUDO PASSWORD

The official Ubuntu images for EC2 are configured so that no password is required for sudo from the “ubuntu” user. Yes, this sacrifices a bit of security from standard Ubuntu operation, but any published hardcoded password would be more insecure, and randomly assigned passwords quickly become unmanageable when running many instances, in addition to preventing some types of remote automation described below.

Note that this policy does not allow logging in to the “ubuntu” user without a password. The password is disabled for login and not required for sudo. Login is done through the usual EC2 ssh keypair management as described above.

If you wish to increase security in this area, set the ubuntu user password and adjust the /etc/sudoers file.

sudo passwd ubuntu
sudo perl -pi -e 's/^(ubuntu.*)NOPASSWD:(.*)/$1$2/' /etc/sudoers

Make sure you set the password successfully first and remember it. If you change the sudoers file first, you will be stuck with no root access on that instance.
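As an added example (not code from the original post), here is the same two-step change written so that it cannot lock you out: it first checks that "ubuntu" already has a usable password, edits a copy of /etc/sudoers instead of the live file, confirms the copy still contains exactly one "ubuntu" rule, validates it with visudo -c, and only then installs it. It assumes the stock layout of the official images (a single rule line beginning with "ubuntu" that carries the NOPASSWD: tag) and that passwordless sudo still works while the script runs; the function names are mine.

```sh
#!/bin/sh
# Added example, not from the original post: a lockout-proof version of
# "sudo passwd ubuntu" followed by removing NOPASSWD from /etc/sudoers.
# Assumes the stock image layout: one rule line starting with "ubuntu"
# that carries the NOPASSWD: tag, and passwordless sudo still available.

# strip_nopasswd: read sudoers text on stdin and remove the NOPASSWD: tag from
# rules whose user field is exactly "ubuntu"; every other line is untouched.
strip_nopasswd() {
    sed -E '/^ubuntu[[:space:]]/ s/NOPASSWD:[[:space:]]*//'
}

# count_ubuntu_rules: number of rule lines for "ubuntu" on stdin. Anything
# other than 1 means the edit would not leave a single, predictable rule
# (a second rule without NOPASSWD overrides an earlier one that has it).
count_ubuntu_rules() {
    grep -c '^ubuntu[[:space:]]'
}

# password_usable LINE: LINE is one line of "passwd -S" output; the second
# field is P (usable password), L (locked) or NP (no password). Only P is
# acceptable before NOPASSWD is removed, otherwise sudo can never succeed.
password_usable() {
    [ "$(printf '%s\n' "$1" | awk '{print $2}')" = "P" ]
}

# harden_ubuntu_sudo: perform the change; refuses to touch /etc/sudoers on
# any failed check so the instance cannot end up without root access.
harden_ubuntu_sudo() {
    status=$(sudo passwd -S ubuntu) || return 1
    if ! password_usable "$status"; then
        echo "ubuntu has no usable password; run 'sudo passwd ubuntu' first" >&2
        return 1
    fi
    tmp=$(mktemp) || return 1
    sudo cat /etc/sudoers | strip_nopasswd > "$tmp" || { rm -f "$tmp"; return 1; }
    rules=$(count_ubuntu_rules < "$tmp")
    if [ "$rules" -ne 1 ]; then
        echo "expected one ubuntu rule after editing, found $rules; aborting" >&2
        rm -f "$tmp"
        return 1
    fi
    # visudo -c also inspects owner and mode, so give the copy the final ones
    sudo chown root:root "$tmp" && sudo chmod 0440 "$tmp" || { sudo rm -f "$tmp"; return 1; }
    if sudo visudo -c -f "$tmp"; then
        sudo install -o root -g root -m 0440 "$tmp" /etc/sudoers
        rc=$?
    else
        echo "visudo rejected the edited file; /etc/sudoers left untouched" >&2
        rc=1
    fi
    sudo rm -f "$tmp"
    return $rc
}

# Only act when explicitly asked, so sourcing the file for its functions is harmless.
if [ "${1:-}" = "--apply" ]; then
    harden_ubuntu_sudo
fi
```

Run it as `sh harden-sudo.sh --apply` from the "ubuntu" account after setting the password. The order of the checks is the point: the password test comes before any edit, and the visudo syntax check comes before the install, so the only way /etc/sudoers changes is if every step has already succeeded.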

ROOT SHELL

If you want to switch to a root shell once you are logged in to the “ubuntu” user, simply use the command:

sudo -i

This is generally not recommended as it loses the enhanced logging of commands used as root and you risk accidentally entering commands when you did not intend to use root.

SSH SUDO

To automate a remote command as root from an external system, connect to “ubuntu” and use sudo:

ssh -i KEYPAIR.pem ubuntu@HOSTNAME 'sudo apt-get install -y apache2'

RSYNC

Now for the trickiest one. Sometimes you want to rsync files from an external system to the EC2 instance and you want the receiving end to be run as root so that it can set file ownerships and permissions correctly.

sudo rsync -PazSHAX --rsh "ssh -i KEYPAIR.pem" --rsync-path "sudo rsync" LOCALFILES ubuntu@HOSTNAME:REMOTEDIR/

The --rsh option specifies how to connect to the EC2 instance using the correct keypair. The command in the --rsync-path option makes sure rsync is running as root on the receiving end.

The -PazSHAX options are just some of my favorites. They aren’t a key part of this rsync approach.

In order for this method to work, the “ubuntu” user must be able to sudo without a password (which is the default on the official Ubuntu images as described above).
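As an added example (not code from the original post), the rsync push above wrapped in a small script with the check a practitioner wants first. Because "sudo rsync" on the receiving side only works when "ubuntu" can sudo without a password, the script first runs `sudo -n true` over ssh (the same ssh-then-sudo pattern as the SSH SUDO section, which this example also covers) and fails with a clear message rather than leaving rsync hung on a password prompt; `-o BatchMode=yes` makes ssh itself fail instead of prompting. KEYPAIR, HOST, LOCALFILES and REMOTEDIR are placeholders taken from the command line, and the function names are mine.

```sh
#!/bin/sh
# Added example, not from the original post: rsync to an EC2 instance with
# the receiving end running as root, preceded by a non-interactive sudo
# check so a missing NOPASSWD rule fails fast instead of hanging.
# Usage: sh push-as-root.sh KEYPAIR.pem HOSTNAME LOCALFILES REMOTEDIR/

# remote_sudo_ok KEYPAIR HOST: true only if ubuntu@HOST can sudo without a
# password. "sudo -n" never prompts; it exits non-zero if one would be needed.
remote_sudo_ok() {
    ssh -i "$1" -o BatchMode=yes "ubuntu@$2" 'sudo -n true' 2>/dev/null
}

# push_as_root KEYPAIR HOST LOCALFILES REMOTEDIR
push_as_root() {
    keypair=$1; host=$2; src=$3; dst=$4
    if ! remote_sudo_ok "$keypair" "$host"; then
        echo "ubuntu@$host cannot sudo without a password; 'sudo rsync' on the remote end would hang" >&2
        return 1
    fi
    # Local sudo lets the sending side read files regardless of ownership;
    # --rsync-path makes the receiving side run as root so the ownership,
    # ACLs and xattrs carried by -a/-A/-X can actually be applied.
    # -PazSHAX is the flag set from the post.
    sudo rsync -PazSHAX \
        --rsh="ssh -i $keypair -o BatchMode=yes" \
        --rsync-path="sudo rsync" \
        "$src" "ubuntu@$host:$dst"
}

if [ $# -eq 4 ]; then
    push_as_root "$@"
fi
```

The preflight doubles as a diagnostic: if it fails on a stock image, something has already changed the sudoers policy on that instance, which is worth knowing before any files are copied.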

ROOT SSH

Finally, if you wish to circumvent the Ubuntu security standard and revert to the old practice of allowing ssh and rsync as root, this command will open it up for a new instance of the official Ubuntu images:

ssh -i KEYPAIR.pem ubuntu@HOSTNAME 'sudo cp /home/ubuntu/.ssh/authorized_keys /root/.ssh/'

This is not recommended, but it may be a way to get existing EC2 automation code to continue working until you can upgrade to the sudo practices described above.

SEE ALSO

For more information on recommended sudo practices in Ubuntu, please refer to:

https://help.ubuntu.com/community/RootSudo

Comments? Questions?

[Updated 2009-04-30: Simplified rsync instructions.]

16 Comments

I think this is worth mentioning: If specifying the identity file and username on the command line gets boring, create a ~/.ssh/config with

Host HOSTNAME
User ubuntu
IdentityFile /path/to/KEYPAIR.pem

and then you'll be able to use 'ssh HOSTNAME'.

Nice tip! You can also use wildcards in the config file to match all standard EC2 external hostnames as in:

Host *.amazonaws.com

If you run an ssh-agent, you can also add your EC2 keypair key using something like:

ssh-add /path/to/KEYPAIR.pem

Then it doesn't matter what hostnames you use.

Just FYI, for anyone who thinks this increases security, you're still using a shared account with full privileges. This is no different than using a shared root account.

But it does make it easier to start using named accounts because you can simply remove the ubuntu user and not worry about any other configuration (such as changing PermitRootLogin in ssh_config).

Paul: I assume by "this" you mean the way that the official Ubuntu images are configured with an ubuntu user who can sudo without a password.

The only change that you need to apply to get to the full default Ubuntu security mode is to set a password for the "ubuntu" user as described in the "SUDO PASSWORD" section above.

Even if you don't require a password to sudo, using a normal user prevents some accidental disasters that can happen if you sit with a root shell in front of you.

The ubuntu user is there to give you secure access to the EC2 instance after initially running it. It is completely up to the owner how to configure the system from that point.

If you plan to have multiple human users, I agree that it's a good idea to create multiple user accounts.

As a side note, the official Ubuntu images currently have "PermitRootLogin yes" in sshd_config. This allows them to give a message to the user who tries to connect as root, redirecting them to "ubuntu@" (something I think is going to be fairly common with new users of these AMIs).

Thank you for the great tips!

Any idea how to get ssh with passwords enabled? (no identity-file)

i.e.: ssh ubuntu@host

Hi Eric

The perl to rewrite /etc/sudoers flies in the face of visudo.

I don't mind, but others might :-)

Terry

I'm getting
ssh_exchange_identification: Connection closed by remote host

when trying to connect to a Canonical AMI through an ssh tunnel (I'm on a Mac behind a firewall). Everything works fine without the tunnel. I guess I have to make some changes to the ssh config. But which?

Thanks in advance

Gerd

Björn: Yes, it is possible to enable ssh with passwords through appropriate sshd configuration changes, though it does reduce security a bit depending on the passwords chosen. In cases where this is required, I recommend "sudo apt-get install denyhosts" to improve protection against dictionary attacks.

Terry: Yeah, I guess the Perl command does make some assumptions about the state of the /etc/sudoers file and if those assumptions are not accurate, you could be prevented from doing a sudo to fix it.

It might be more appropriate to send the output to a temporary file and run a check before moving it back into place, say:
visudo -c -f /tmp/sudoers && mv /tmp/sudoers /etc/sudoers

Gerd: It's difficult to debug somebody else's ssh problems as there are so many potential factors involved. You might try listing all of the information you think might be relevant in as much detail as possible on the EC2 Ubuntu support group and see if anybody has the time to help debug it: http://ec2ubuntu-group.notlong.com

Hi Eric

If disabling root and using ubuntu is a recommended sudo practice, is there a reason the alestic images are root-enabled?

I'm sure there is a discussion on this somewhere with all the pros, cons and flames. But I'd like to hear your rationale and can't seem to find it anywhere.

Thanks,
Anoop

Anoop: When I first started building public images for Ubuntu on EC2 back in 2007 I had wanted to follow the Ubuntu standard of using a normal user with sudo to root. However, my primary audience at the time was EC2 users and not Ubuntu users. I figured the images would get faster adoption if they followed the EC2 standard of ssh to root with keypairs, especially since many of the users would never read any documentation and would simply think that the image was broken if it didn't allow ssh as root.

When Canonical started work on building images, I pushed for the Ubuntu standard of non-root login, thinking that their audience would contain more existing Ubuntu users and the rest of the population would be swayed to accept the change by the official nature of the Canonical name.

If I continue publishing images into the distant future, I may switch to the Ubuntu standard, but it would only be for new AMIs (obviously) and there would be advance notice and opportunity for discussion on the ec2ubuntu group.

On my long running personal and company EC2 instances, I always add normal user(s) and use them for further access.

A quick note on Elasticfox:

On recent versions (I'm using 1.7.000112), it's easy to change the user that's used for SSH connections. Click the "Tools" button in the upper right corner of the window, and set "SSH User" to "ubuntu" (or whatever).

You can set it back to "root" to connect to other instances as needed (although it's a pain if you have to do that a lot).

Thank you Eric. I am a beginner and the information on your website has helped me tremendously in learning and understanding a lot of important concepts around EC2 and Ubuntu.

Thanks again

Ramesh

Wow. So in trying to add a new user to the sudoers file I inadvertently created another entry for the 'ubuntu' user without the NOPASSWD directive. This means I have lost access to root privileges on this instance.

Can anyone think of a way for me to get back root access? I would love not to have lost hours of work because of a typo.

brandon:

Sure. "stop" the original EBS boot instance, detach the root EBS volume from the original instance, attach it to a different instance, edit the sudoers file, move the volume back, and restart the instance.

If you're running instance-store instead of EBS boot, then you might be out of luck. Yet another reason to run EBS boot instances.
