×
Community Blog Alibaba Cloud DevOps Cookbook Part 2 – SSH and ECS Key Pairs

Alibaba Cloud DevOps Cookbook Part 2 – SSH and ECS Key Pairs

In this article, we will be building simple DevOps tools to explore and understand the DevOps features on Alibaba Cloud.

By John Hanley, Alibaba Cloud Tech Share Author. Tech Share is Alibaba Cloud’s incentive program to encourage the sharing of technical knowledge and best practices within the cloud community.

At least in the Linux world, SSH is the primary security mechanism for authentication. SSH enables system administration and file transfers securely over insecure networks. Two methods of authentication are typically used: username and password, and SSH keys. In the cloud world we call SSH keys Key Pairs.

In this section, I want to look at how Alibaba Cloud implements SSH and Key Pairs for managing and controlling access to Linux ECS instances. When you create a new ECS instance, in this example Ubuntu 16.04, you have the option to assign a Key Pair to the instance before creation. You then download the private part of the Key Pair to your local system for use in connecting to the ECS instance. By default, only one user is created. That is the user root.

I often see companies then making the mistake of only using root for each member of the DevOps team to access the ECS instance. This is a bad idea. In this article we will investigate creating additional users, creating a unique Key Pair for each user, and in general providing for auditable security.

While reviewing the ECS documentation, I noticed an interesting API - AttachKeyPair. This API is documented to have the following features:

  1. Attaches an SSH key pair to your Linux instance.
  2. Once the SSH key pair is used, the authentication method by using the user name and password is disabled.
  3. If the instance is in the stopped state, the SSH key pair takes effect immediately once the instance starts.
  4. If the instance is in the running state, restart the instance to make the operation take effect.
  5. If the instance already has an attached SSH key pair, the new SSH key pair replaces the former.

I cannot begin to mention how many customers have lost their SSH key pair for an instance and wanted to know how to recover. Maybe this ECS feature will solve this problem for Alibaba Cloud customers.

Part 1. Replacing an ECS Instance Key Pair

I cannot find documentation for the CLI that documents each command for Alibaba Cloud. So, I go through this process to learn how to use a CLI feature:

Run this command:

aliyuncli ecs

This displays a list of support commands for ECS. Look for a command that looks like the API that I want to use. In this case AttachKeyPair.

Next, run this command:

aliyuncli ecs AttachKeyPair help

This displays a list of command line options for AttachKeyPair:

[ecs.AttachKeyPair]: current operation can uses parameters as follow :

--AccessKeyId                                   | --AccessKeySecret
--InstanceIds                                   | --KeyPairName
--OwnerId                                       | --RegionId
--ResourceOwnerAccount                          | --ResourceOwnerId
--output                                        | --profile
--version

Next, review the API documentation for AttachKeyPair. The documentation indicates that RegionId, KeyPairName and InstanceIds are required. This corresponds to the AttachKeyPair parameters:

  1. --RegionId
  2. --KeyPairName
  3. --InstanceIds

Steps to prepare for development and testing

  1. Login to the Alibaba Cloud ECS Console
  2. Create two Key Pairs: Test1 and Test2 (or your preferred names)
  3. Download both Key Pairs to your local system
  4. Create a new ECS instance: OS Ubuntu 16.04 64-bit, Key Pair: Test1
  5. Note the Public IP address and ECS Instance ID
  6. Verify the Key Pair name in the console. We will see if this changes later
  7. Import both Key Pairs into Bitvise (or your preferred SSH client)
  8. Using SSH login to the ECS instance using Key Pair Test1 and user name root

I had to figure this out the hard way, but you need to escape the ECS Instance IDs values. Here is how to do it for Windows and Linux:

Windows:

aliyuncli ecs AttachKeyPair --InstanceIds "[\"i-abcdeftvgllm854abcde\"]" --KeyPairName Test2

Linux:

aliyuncli ecs AttachKeyPair --InstanceIds '[\"i-abcdeftvgllm854abcde\"]' --KeyPairName Test2

This command reported success.

{
    "FailCount": 0,
    "TotalCount": 1,
    "RequestId": "11CC0000-D577-4462-B410-ABCDEFCF2129",
    "Results": {
        "Result": [
            {
                "InstanceId": "i-abcdeftvgllm854abcde",
                "Message": "successful",
                "Code": "200",
                "Success": true
            }
        ]
    }
}

Let's go back into the console and verify that the console shows the changed Key Pair.

1

Reboot the ECS instance and verify that we can login with the Test2 Key Pair, but not the Test1 Key Pair:

aliyuncli ecs RebootInstance --InstanceId i-abcdeftvgllm854abcde

Part 1 is now completed. In the next part we will learn how to create a Key Pair from our local system, import this Key Pair to the Alibaba Console and then assign this Key Pair to our test instance.

Part 2. Creating an ECS Instance Key Pair

The API to use is CreateKeyPair. Let's look at this API. This API is documented to have the following features:

  1. Creates a 2048-bit RSA key pair
  2. Alibaba keeps the public key
  3. Alibaba returns the unencrypted PEM encoded PKCS#8 private key
  4. You can create up to 500 key pairs per region

Next, run this command:

aliyuncli ecs CreateKeyPair help

This displays a list of command line options for CreateKeyPair:

[ecs.CreateKeyPair]: current operation can uses parameters as follow :

--AccessKeyId                                   | --AccessKeySecret
--KeyPairName                                   | --OwnerId
--RegionId                                      | --ResourceOwnerAccount
--ResourceOwnerId                               | --output
--profile                                       | --version

Execute this command to create a new Key Pair:

aliyuncli ecs CreateKeyPair --RegionId us-west-1 --KeyPairName Test3

This command reported success.

{
    "KeyPairFingerPrint": "7d6849d03953aa5584240de7c9d4b8c8",
    "PrivateKeyBody": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEAh1y3ot74ipDU+mHUZEBWDDT22VTkP0NVG4mOL1NQQYhGhccT\nKLqBKtiVeWG1PeHhHFJqrRYVW5qwgC4P/dYA+B+ztdHD1HYdRGwMSW0JxNL/rEy4\n4W9IxKh6jt9/XLUSIacNjtcHocPLF0Nw8/zsfcuSsvBB9EKhyep+c8qTKozWHb7O\nsbFlYXcKLo8rOpHTJIYOyR0Jrd2sR1zP8laB71+mvYtpuf90Rc23IxABn+Z+hefb\n7zSO/sQ2ve5aOaYMlWez8RoAPme2cGBszWFUvyT6GXWMGIucPuUOl9ATRN4DWmqw\n8LltgtLUDQk0Ji3svAYbC4+0dkhkrcfp4VzVlwIDAQABAoIBADSQK3sijG76aMnF\nvX0kgoWA965TScLLObxUwRLdjle0PHZsZKM3MTtbGUgmSgP6t7iQxH3sCmUk/472\n1BzkwkGXxeg/yYSyTREpx+enYNi+eqwEqvJXjXFYXycl4MY2RhEtVpV2KK+HYVDq\nTm1gdNEwgQndRC8+xKas2WfLbTRjJFapqW2zv3p1V83gVassrTLCCYSbV36jJO1z\nNpaU3feQPQL86+5ToNSoNepqYGInY6EYlKhkZHgVGRHsrqgPoyHGjBsyP4I3F1fO\njKcwPuGAerTn6MHtpW6m2kKnjz8qjClAPHY61ZmN9HIZHPTu1S7y9rHId5vy706X\nzwpQwpkCgYEA1H6/l6u2y1Rn2OSteIqTsxhZcJ3ICG8tSQp77fcFSi+LUDPAeBB9\nhvhiYpkzqj0sI5GIlXG+Wg7R8DwUxw6T+vQtFnFMdzqImqsU8+Qva/BqfRkFHsKO\n+FXGwLoWPVYJV25GD2gcDZpJ5KfNGv/hqrh0TEMtikVMKq30UaW58PMCgYEAoxNK\n+x3JnvzyMup/ZIgIlUjj2xy/V1AQq3+Ck3sQ9AaLZFuFPmHW1hKSXV/XBaDL3FfJ\nVVkWMRwmxgd4dMqosgWQYd69Qx5C3H0KKZh//9NpmV17WEiIknHSZbYxzeX14lsD\nWPiSeNdtrzTQRY0Q79JB2YTDUvABrRfJZe9eUc0CgYEAvg0q4MVktRCl3LgSaqhO\nl7TkcbO8r8Z300b8NoZjhclmKXJP51KgYrIOlK7/JXiW3K0SYs8bd8Kfg+TIlIx2\nT9JJ7TOiN1TzzpnLIKNqwniBVaemC6/pXTSikccdkvg7XKY1JRxxUr0277og2NAZ\nDq7w3TCML4nxKI7y4H+AAX8CgYA/T+o4fGQe2c2efvRer4HFk7sDArI2z9ro+mRT\npd/7Hd9YYz/j7FBgZG122xK8GKWNMnf0LtYy0t8q2xOlJFlCZG6d0MBiIomK2PDt\nHUv0orvI00ZkDCUZ1h79ZjMH4VQJQZSXIkqbp+fpsfN6TT5aHaN7M9QxiwTbkvSa\nIsjXsQKBgQCgMvR+jKE9OsCtM70eRBy0LDVEOjky7rce29I+cg3OZkAmKQ8qiE/S\no86+gQeQCMm9y9KiPHLVg9XIuZwkh+eVI4drRrEyM3InrHYLRtBuDfztCH9di+Ru\nF2w6y8t4/Kc5mSg0GBK725uTzfNdkyZE1TZAH6gx1KeSfMGGLP0mqw==\n-----END RSA PRIVATE KEY-----\n",
    "RequestId": "01234562-5F4C-4DD9-BC42-ABCDEF26FF96",
    "KeyPairName": "Test3"
}

Now, what do we do with the output? I tried just copying the screen output to a file and then importing into my key manager, but it rejected the input. Then I realized that the output is JSON data. So, I wrote a quick little program to take the output from the CLI and write the PrivateKeyBody from the JSON as a PEM file.

write_pem.py

############################################################
# Version 1.00
# Date Created: 2018-05-17
# Last Update:  2018-05-17
# https://www.neoprime.io
# Copyright (c) 2018, NeoPrime, LLC
############################################################

"""
This program reads standard input and writes to standard output
The input is expected to be the output from the Alibaba Cloud CLI command:
aliyuncli ecs CreateKeyPair --RegionId us-west-1 --KeyPairName Test3
"""

import sys
import json

data = json.loads(sys.stdin.read())

print(data['PrivateKeyBody'])

Go back to the Alibaba Console and delete the Test3 Key Pair. Now let's try again but this time sending the output to write_pem.py.

aliyuncli ecs CreateKeyPair --RegionId us-west-1 --KeyPairName Test3 | python write_pem.py > Test3.pem

Now let's look at the contents of Test3.pem.

type Test3.pem

Excellent, this looks like a normal PEM file.

-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAmPJORshGZmC+vV58zMAGRBKJs0Bs/bSHvwQtu+ICSNDyUj9+
3l0yCXm3rbYHV0OT4sqMAhZf7dowryRpQRwU2f1YS6Jga/PnuOQ8rhHTgO8jImdj
OWKB02G6SCIB5M/ddrHiEeih/5dIPA4ztZjm3A2ps22KSDFOg0TOybK0HbnWbFKh
FIiS2QqoF4p0+Pe14jKkHEvFDKSIBs7WIAYIjCloQ7DfIy4StjPxUYD9xBbvN4vj
o47yMi9qyoXqyzrTZ1rcqiWeQuv8343sHJ6Rj+yO+yT+dZWCZiY7zMU5pKa3sDds
LD3XwqZYJ1X+ddMpmxngU5zBIi/uPzx7PFf05wIDAQABAoIBABPthktsrteKBXAx
DnuzDV3zOGPVoh3QVtuJlNflE70fFGOpCEO6ytk3Nbp5fC1fjbZAA8wF1EvuYOeB
DAHCwejBPK7mIkAOkIOjoVBg3Djxb5d89w20CwxasGXToIGKn+VmOflxYSInOO8y
PoSLvpCvawwI2rqbSgqKfZMEKLmyl9zQ6gAa4lLC3AMAxv9mFgfnTZtzXwNWmFXW
74MX5LGG8IEK4I18UBaKmYzBZOQ+gNVtKPnhYGe0MC51r6NvBVbA1FHnXSqiHZXq
Ra7g543BFmDa96cIT/hfRhOfY0RxvwE+/84e8/TQ6UqQt3ZPb7eaddIO15YluObC
7vOkDAkCgYEA5bww+BUdIEmZ2EwAScX7lHq1d/tMSGsosEp55IDyMDOAvdexVBVZ
xwVf8RRhWv7d2Y2PMqGQSp2I/4CTpdvfnA/E0usGtKfcgeRZBuSTmfiriUO3+8zm
G2J2Eg0mUqR2QoXlOzHJ62j70jP8JxC/yAyu5+qa6TiInfJftrwh9wMCgYEAqm6x
D3gX0fe0uTG3278jqU3n6ooy44f7gfrFsDvkJzYaUb3FwPKFfaRV9j6nfHd5B6Ks
EBp6WAqDle5cdLCO6J8GCp+9tweFHZ9SaGhDYHECmYzQUbdoDLlM2wYetfVWCgvz
e5CwuHYuX1oXrKwhrkYwxCtZJ/W57gp9zJuz400CgYEAi6uSigEsKAkXQ21Rb4iy
n17LHRrnEdA0eJmO6eGLXMqzJrgP03L3lgwqfENLvSrebfmmab3YH8UPGWduXJQE
qrjbjO/er86uPTo69fnZ0u5gO5+0J54298cwyWC9P9lFHMSSzR5ECJ9XGkEIuCdy
sYkkfVMgw1HfnUdR8aMHc0kCgYASLt0VGWrxK8xMNdG30Byt43Hqw/PJ8qgSpf6R
XtJonI0SS3zdqQI09WN2chjMXrK67dANp8WFvxlq1ZNnn66fgtfSKljDPjolfun7
2aPWljgAydUv4rFnKh3ZAD4mi5YyXDQN6tHv3Cv2YFZGRdcSEMsDItzQNpcvnk7t
lW8LwQKBgEP1uYJMV4HU3MJLqsyPZDTkkCA/a6g3Lkd7+XUlDfxMmm2Q7rjUI6su
l7yIU/T+zRW7+naytm7tPDiL3NoAFQG9bEJo+9nnobM6fsyVyX/jcVFQ+AnjTgE+
6h+ANs/jyLDnxUecSx2ITYA57lsapv+OatcPFnjUvi/+9Ut/vooI
-----END RSA PRIVATE KEY-----

Let's verify that this works by assigning this key pair to our ECS instance, rebooting and verifying that we can now connect via SSH using key pair Test3.pem.

aliyuncli ecs AttachKeyPair --InstanceIds "[\"i-abcdeftvgllm854abcde\"]" --KeyPairName Test3 `
aliyuncli ecs RebootInstance --InstanceId i-abcdeftvgllm854abcde

Part 3. Importing an ECS Instance Key Pair

The previous part created a key pair using Alibaba Cloud. This means that at some point Alibaba Cloud has our private key. Let's now investigate creating our own key pair locally using OpenSSL and then importing just the public key to Alibaba Cloud.

Generate a key pair using OpenSSL.

openssl genrsa -out Test4.pem 2048

Save the public key to a local file

#openssl rsa -in Test4.pem -pubout -out Test4.pub 
ssh-keygen -y -f test5.pem > Test4.pub

Now that we have a new key pair (Test4.pem) and the public key (Test4.pub), let's import this into the cloud and verify that we can use this key pair with our test instance.

The API to use is ImportKeyPair. Let's look at this API. This API is documented to have the following features:

  1. Imports the public key of an SSH key pair that you create with other key pair generates.
  2. You can create up to 500 key pairs per region
  3. Supported encryption methods:
    1. rsa
    2. dsa
    3. ssh-rsa
    4. ssh-dss
    5. ecdsa
    6. ssh-rsa-cert-v00@openssh.com
    7. ssh-dss-cert-v00@openssh.com
    8. ssh-rsa-cert-v00@openssh.com
    9. ssh-rsa-cert-v01@openssh.com
    10. ssh-dss-cert-v01@openssh.com
    11. ecdsa-sha2-nistp256-cert-v01@openssh.com
    12. ecdsa-sha2-nistp384-cert-v01@openssh.com
    13. ecdsa-sha2-nistp521-cert-v01@openssh.com

Next, review the API documentation for ImportKeyPair. The documentation indicates that RegionId, KeyPairName, and PublicKeyBody are required. This corresponds to the ImportKeyPair parameters:

  1. --RegionId
  2. --KeyPairName
  3. --PublicKeyBody

Note: I could not find anywhere what the format of PublicKeyBody is.

Contents of Test4.pub

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCrk3VshObZ8zz6DLQb6yUhC8+gOrm/tu8psXASVPh4FqTkfiMu/DuTNfUV+j3KYTBnHdfEZoydtNNt1JrXi3rngvZsfgBzGw8Yqoyu+CdsR3wrI2LCqgpAOa06MS6iydu+xRo8c/JTZHpscE/igxqF4bNIYHVCHoBV6wKSo4VQSN0m8UB3Je1u9ga0V4jXpPPJZnBa3n9aafNzikTFeycBwbauJjsrY2IpL3xybkwPE14hdkbUxMEFu9cO+FNSTPFGq5UxXsS1vQkPySm5WHgF/N4zC/HMfiNjwwiwKxW+GZnOsCKSbqBBFwRJj+7N3OlIZ2sgEBSQGHYAWAEHU7Od

The final command looks like this:

aliyuncli ecs ImportKeyPair --RegionId us-west-1 --KeyPairName Test4 --PublicKeyBody "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCrk3VshObZ8zz6DLQb6yUhC8+gOrm/tu8psXASVPh4FqTkfiMu/DuTNfUV+j3KYTBnHdfEZoydtNNt1JrXi3rngvZsfgBzGw8Yqoyu+CdsR3wrI2LCqgpAOa06MS6iydu+xRo8c/JTZHpscE/igxqF4bNIYHVCHoBV6wKSo4VQSN0m8UB3Je1u9ga0V4jXpPPJZnBa3n9aafNzikTFeycBwbauJjsrY2IpL3xybkwPE14hdkbUxMEFu9cO+FNSTPFGq5UxXsS1vQkPySm5WHgF/N4zC/HMfiNjwwiwKxW+GZnOsCKSbqBBFwRJj+7N3OlIZ2sgEBSQGHYAWAEHU7Od"

This is complicated enough that a Python program is a better choice.

Let's verify that this works by assigning this key pair to our ECS instance, rebooting and verifying that we can now connect via SSH using key pair Test4.pem.

aliyuncli ecs AttachKeyPair --InstanceIds "[\"i-abcdeftvgllm854abcde\"]" --KeyPairName Test4

The command returns the following:

{
    "KeyPairFingerPrint": "883aff9af03f3ee5dd0e186099a2e173",
    "RequestId": "11CC0000-4675-4F9A-887F-ABCDEFEF7D5B",
    "KeyPairName": "Test4"
}

The ECS instance must be rebooted for the new key pair to take effect.

aliyuncli ecs RebootInstance --InstanceId i-abcdeftvgllm854abcde

Part 4. Create user and assign SSH Public Key

Note: This section covers Ubuntu 16.04. Most Linux versions have similar procedures.

In this section we will create a new group "developers", a new user "john" as part of the developer group, assign sudo privileges and finally assign an SSH key to login with.

Steps 1 to 4 are performed on the ECS instance.

Step 1. Create a new group named developers. The groupadd command requires a unique number for the Group ID. Display the contents of the file /etc/group. Find the highest number. In my system it is 118. For the new Group ID, I will use 1000.

# cat /etc/group

Execute the following commmand to create a group with the Group ID 1000 named developers:

# groupadd -g 1000 developers

Step 2. Create a new user named john. This command will prompt you for a password for the user, user information, etc.

# adduser john

Review the command output. One of the items will be the home directory for the new user. We will need this path later. In my case the home directory is /home/john.

Add user john to the group developers.

# adduser john developers

Step 3. Add the user to the "sudo" group so that the user has root privileges when required to administer the system. Once this user is logged in, all that is required is using the sudo command in front of each command to obtain administrator privileges.

# usermod -aG sudo john

Step 4. Create a directory for the SSH keys. When a user logs in remotely using SSH, the SSH server will look in the file /home/username/.ssh/authorized_keys for a matching public key. If a match is found the user is granted access. This file can contain more than one public key stored one after another, one per line.

# cd /home/john 
# mkdir .ssh

Create an empty authorized_keys file.

# touch /home/john/.ssh/authorized_keys

SSH enforces file and directory permissions to prevent SSH key leakage. It is important that you do not skip these steps.

# chmod 700 /home/john/.ssh 
# chown john /home/john/.ssh 
# chmod 600 /home/john/.ssh/authorized_keys 
# chown john /home/john/.ssh/authorized_keys

Step 5. Create a new key pair. We will use the same steps as above. Once the public key is created, we will add the contents of the public key to the file authorized_keys.

The following commands are performed on your Windows system.

Generate a key pair using OpenSSL.

openssl genrsa -out john.pem 2048

Save the public key to a local file

ssh-keygen -y -f john.pem > john.pub

Add the contents of john.pub to /home/john/.ssh/authorized_keys on the Linux system.

Import the private key john.pem into Bitvise (or your favorite SSH key manager).

Developer Documents

Command Line Interface (CLI):

  1. Alibaba Cloud CLI

Server Load Balancer (SLB):

  1. Server Load Balancer Document Page
  2. Server Load Balancer Developer Guide

Elastic Compute Service (ECS):

  1. Elastic Compute Service Document Page
  2. Elastic Compute Service Developer Guide
0 1 0
Share on

Alibaba Clouder

2,599 posts | 763 followers

You may also like

Comments