Amazon recently launched the ability to upload your own ssh public key to EC2 so that it can be passed to new instances when they are launched. Prior to this you always had to use an ssh keypair that was generated by Amazon.
The benefits of using your own ssh key include:
Amazon never sees the private part of the ssh key (though they promise they do not save a copy after you downloaded it and we all trust them with this)
The private part of the ssh key is never transmitted over the network (though it always goes over an encrypted connection and we mostly trust this)
You can now upload the same public ssh key to all EC2 regions, so you no longer have to keep track of a separate ssh key for each region.
You can use your default personal ssh key with brand new EC2 instances, so you no longer have to remember to specify options like
-i EC2KEYPAIRin everyssh,scp,rsynccommand.
If you haven’t yet created an ssh key for your local system, it can be done with the command:
ssh-keygen
You can accept the default file locations, and I recommend using a secure passphrase to keep the key safe.
Here are some sample commands that will upload to all existing regions your personal ssh public key from the default file location on Ubuntu, giving it an EC2 keypair name of your current username. Adjust to suit your preferences:
keypair=$USER # or some name that is meaningful to you
publickeyfile=$HOME/.ssh/id_rsa.pub
regions=$(ec2-describe-regions | cut -f2)
for region in $regions; do
echo $region
ec2-import-keypair --region $region --public-key-file $publickeyfile $keypair
done
When you start new instances, you can now specify this new keypair name and EC2 will provide the previously uploaded public ssh key to the instance, allowing you to ssh in. For example:
ec2-run-instances --key $USER ami-508c7839
[...]
ec2-describe-instances i-88eb15e5
[...]
ssh ubuntu@ec2-184-73-107-172.compute-1.amazonaws.com
Don’t forget to terminate the instance if you started one to test this.
[Update]
Based on a Twitter question, I tested uploading a DSA public ssh key (instead of RSA) and got this error from Amazon:
Client.InvalidKeyPair.Format: Invalid DER encoded key material
I don’t see why DSA would not work since it’s just a blurb of text being stored by EC2 and passed to the instance to add to $HOME/.ssh/authorized_keys but there you have it.
Would be great if the key could just be an authorized_keys file, with multiple keys, and possibly restrictions on some of them. I haven't tried it yet, but sounds like Amazon checks the format to match a single rya key only.
mfairchi: Yep, it might have been nice if Amazon let us pass in an arbitrary number of labeled data blobs to new instances. Having different blobs would let AMIs combine features from multiple systems where each system looked for its data in a uniquely named blob. Right now, it's just the strictly formatted public key and the single user-data blob and everybody has to share the single user-data with no enforceable global standard.
This is very interesting in terms of the security benefits.
As far as the fourth benefit is concerned, one can add IdentityFile to the appropriate host section of the ~/.ssh/config file and wouldn't have to specify the keypair on the command line.
Regarding keys for different regions, the ssh_config man page states "It is possible to have multiple identity files specified in configuration files; all the identities will be tried in sequence." If I understand that correctly, one could just create a host=* section and put the keypairs for all regions there. I haven't tried this myself yet.
altaurog:
Yep, it looks like there are some tricks you can use if you really need to keep using ssh keys generated by Amazon, but I think it's still simpler to upload your own key in most cases.
If Amazon had provided the ability to upload our own ssh keys from the beginning with EC2, I doubt anybody would have converted to using ones generated by Amazon unless they really didn't know how to use tools like ssh-keygen.