
How to Fix an Ubuntu EC2 with Lost Password


When you create an Amazon EC2 instance, you’re given a .PEM private key allowing for passwordless entry to your server. Losing this key can be pretty costly but below I’ll show how to get you back in again.

The Problem

We’ve lost our PEM key or the one we have isn’t working:

$  ssh -vvv -i /path/to/my.pem ubuntu@host.com
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
...
debug2: key: /path/to/my.pem (0x0), explicit
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/me/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey
debug1: Trying private key: /path/to/my.pem
debug1: read PEM private key done: type RSA
debug3: sign_and_send_pubkey: RSA 99:99:aa:9a:aa:99:99:a9:aa:99:99:99:99:9a:99:aa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).

 

The Plan

We need to set a new authorized_key on our server. To do this we’ll:

  • Create a temporary new EC2 instance (E2) with a new keypair
  • Mount our server’s EBS volume to E2
  • Set the authorized_key in our EBS volume to use our new key
  • Reattach the EBS to our original EC2 and log in.

 

The Implementation

I don’t like big wordy tutorials so here’s a tl;dr of all steps involved:

  • Create a snapshot of your EC2’s (E) EBS volume (V)
  • Create a new volume (V2) from the snapshot
  • Start new t2.micro EC2 Ubuntu instance (E2), using a new key pair
  • Attach V2 to E2, as /dev/xvdf (or /dev/sdf)
  • SSH in to E2
  • On E2, run:

    sudo mkdir -p /mnt/tmp
    sudo mount /dev/xvdf1 /mnt/tmp -t ext4
    cp ~/.ssh/authorized_keys /mnt/tmp/home/ubuntu/.ssh/authorized_keys
    sudo umount /mnt/tmp
  • Detach V2 from E2
  • Stop E
  • Detach V from E
  • Attach V2 to E as /dev/sda1
  • Start E
  • Login as before, using your new .pem file
  • If all is well and you’re in, delete E2 and V

In my personal case, the above didn’t help and I was still getting the error Permission denied (publickey). I had to also copy E2’s sshd_config because I’d borked E’s and it was the actual reason I couldn’t SSH in.

So before the umount line above, also do:

sudo cp /etc/ssh/sshd_config /mnt/tmp/etc/ssh/sshd_config
mkdir /mnt/tmp/home/ubuntu/.ssh/bak
mv /mnt/tmp/home/ubuntu/.ssh/id_rsa /mnt/tmp/home/ubuntu/.ssh/id_rsa.pub /mnt/tmp/home/ubuntu/.ssh/known_hosts /mnt/tmp/home/ubuntu/.ssh/bak
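
Before the umount step, it is worth confirming that ownership and modes under /mnt/tmp/home/ubuntu will pass sshd's StrictModes check, since a group- or world-writable home directory, .ssh directory or authorized_keys file also ends in Permission denied (publickey). The script below is an added example, not part of the original post; the function names, the script name and uid 1000 for the ubuntu user are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): inspect the mounted volume for
# the file conditions that make sshd's StrictModes ignore authorized_keys.

# check_path PATH UID: print a finding and return 1 if PATH is missing, is not
# owned by UID or root, or is group- or world-writable.
check_path() {
  local path uid mode_owner mode owner
  path=$1; uid=$2
  if [ ! -e "$path" ]; then echo "MISSING  $path"; return 1; fi
  # ls -ldn prints the mode string (field 1) and the numeric owner (field 3)
  mode_owner=$(ls -ldn "$path" | awk '{print $1 " " $3}')
  mode=${mode_owner% *}; owner=${mode_owner#* }
  if [ "$owner" != "$uid" ] && [ "$owner" != 0 ]; then
    echo "OWNER    $path owned by uid $owner, expected $uid or 0"; return 1
  fi
  # character 6 of the mode string is the group write bit, character 9 the
  # other write bit
  case $mode in
    ?????w*|????????w*) echo "WRITABLE $path ($mode)"; return 1 ;;
  esac
  return 0
}

# check_ssh_tree ROOT USER UID: return the number of findings (0 means clean).
check_ssh_tree() {
  local root user uid home findings p
  root=$1; user=$2; uid=$3; home=$root/home/$user; findings=0
  for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
    check_path "$p" "$uid" || findings=$((findings + 1))
  done
  # a file with no non-comment line authorises no key at all
  if ! grep -Eqs '^[^#[:space:]]' "$home/.ssh/authorized_keys"; then
    echo "EMPTY    $home/.ssh/authorized_keys has no key lines"
    findings=$((findings + 1))
  fi
  return "$findings"
}

# Run as: bash check_volume.sh /mnt/tmp ubuntu 1000
# (script name and uid 1000 are assumptions; confirm with `id -u ubuntu` on E2)
if [ "$#" -eq 3 ]; then
  check_ssh_tree "$1" "$2" "$3" && echo "OK: no StrictModes findings"
fi
```

Fix any WRITABLE or OWNER finding with chmod or chown on the mounted path before detaching V2.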

Hope this helps.

Thanks to yegor256 for his helpful post on Stack Overflow.