
How do I add new user accounts with SSH access to my Amazon EC2 Linux instance?

Every Amazon EC2 Linux instance is launched with a default system user account. If multiple users require access to the instance, you can create a separate account for each user rather than have each user connect to the instance with default system account credentials. Each new user account is provisioned with a separate workspace and folders to save files and store configuration information specific to their account.

These steps describe how to add a new user account with remote access rights to an EC2 Linux instance. The new user will be able to use SSH to connect to the instance from another computer or EC2 instance.

Prerequisites

Before you add new user accounts with remote access rights to an EC2 Linux instance, complete the steps to launch and connect to your EC2 Linux instance described at Getting Started with Amazon EC2 Linux Instances.

Add a new user from the EC2 Linux instance command shell

1.    Connect to the EC2 Linux instance that you plan to add user accounts to. For information about connecting to the instance, see Connect to Your Linux Instance.

2.    Run the following command from the instance command line to add a new user to the instance, where <new_user> is a placeholder for the new account name:

Note: If you are adding a new user to an Ubuntu instance, specify the --disabled-password option.

sudo adduser <new_user>

When you run the command to add a new user account to your Linux instance, the following are created:

  • A new group with the same name as the user
  • A home directory for the new user in /home/<new_user>
  • An entry for the account in the /etc/passwd file

Create a key pair for each new user account that you add to your instance

Use the Amazon EC2 console to create a key pair, as described at Creating Your Key Pair Using Amazon EC2. When you create a key pair, the public key is imported to Amazon EC2, and the private key must be downloaded and accessible on the remote client to enable a user account to log in to an Amazon EC2 Linux instance using SSH from the remote client.

Configure a new user account on the EC2 Linux instance to use the public key from the key pair

To enable remote access for a new user, you must create a .ssh directory in the new user's home directory and store the public key from the key pair in the file .ssh/authorized_keys.

1.    Run the following command from your EC2 Linux instance command line to switch context to the new user account:

sudo su - <new_user>

The name in the command line prompt should change to reflect the new user context of the shell session.

2.    Run the following commands from your EC2 Linux instance command line session:

Create a .ssh directory in the new user's home directory:

mkdir .ssh

Limit access to the .ssh directory so that only the new user can read, write, or open the directory.

Note: These permissions must be set before a user account can log in using SSH:

chmod 700 .ssh

Create the file "authorized_keys" in the .ssh directory:

touch .ssh/authorized_keys

Limit access to the authorized_keys file so that only the new user can read from or write to the file.

Note: These permissions must be set before a user account can log in using SSH:

chmod 600 .ssh/authorized_keys

Leave open the command line window with the active ssh connection to your EC2 Linux instance. Because you ran the sudo su - <new_user> command, you are currently connected to the EC2 Linux instance under the context of the new user account.

Update the authorized_keys file with the public key

To update the authorized_keys file, you must set appropriate permissions for the .PEM key-pair file that you created, retrieve the public key from the .PEM file, and then paste the public key into the authorized_keys file.

1.    From the command line of your local (client) Linux computer, run the following command to set the permission of the .PEM key-pair file that you have downloaded locally. This restricts read access specifically to the user account context of the command line session from which the command is run. In this example, <new_keypair> is a placeholder for the name of the keypair file that you have created:

chmod 400 <new_keypair>.pem

2.    Run the following command, which will prompt you for the location of the .PEM key-pair file that you created for the new user:

ssh-keygen -y

The ssh-keygen -y command reads the .pem file containing the public/private key pair and returns the public key. Copy the contents of the public key to the clipboard.

Note: For most Linux command line interfaces, the [Ctrl] + [Shift] + C key combination will copy the text selected in the terminal to the clipboard.

Note: On MacOS, run ssh-keygen -y -p with the .PEM key-pair file that you created for the new user.

3.    After you copy the public key to the clipboard, switch back to the command line window that has the active SSH connection to your EC2 Linux instance under the context of the new user account. Now you can run the cat command to update the authorized_keys file for the account. When you issue the cat command followed by two 'greater than' symbols (>>), you open the file in append mode, so the public key is added to the end of the file without overwriting any existing information. If the authorized_keys file is empty, the public key is appended to an empty file, which is the equivalent of running cat > .ssh/authorized_keys. By using append mode to open the file, you avoid inadvertently overwriting any existing keys:

cat >> .ssh/authorized_keys

Paste the public key from the clipboard to the command window and press the [Enter] key, then press and hold the [Ctrl] and D keys simultaneously to exit cat and return to the normal command prompt.

Note: For most Linux command-line interfaces, the [Ctrl] + [Shift] + V key combination pastes the contents of the clipboard into the command line window.
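The steps above (create the user, create .ssh with mode 700 and authorized_keys with mode 600, append the public key) can be scripted so that they are applied consistently and can be re-run without duplicating keys. The following is an added example written for this article, not a script from AWS. It assumes a Linux host with GNU coreutils (stat -c) and, for the provision_user function only, root privileges and either Debian/Ubuntu adduser or the Amazon Linux adduser/useradd form; the demo at the bottom runs against a temporary directory with a constructed public key, so it needs no root.

```shell
#!/bin/sh
# Added example (not from the AWS page): set up ~/.ssh/authorized_keys with
# the permissions sshd's StrictModes requires, idempotently.
# Assumes GNU coreutils (stat -c) on Linux.

# install_authorized_key HOME_DIR PUBLIC_KEY_LINE
# Creates HOME_DIR/.ssh (0700) and authorized_keys (0600) and appends the
# key only if that exact line is not already present, so running it twice
# does not leave a duplicate entry (plain "cat >>" would).
install_authorized_key() {
    home_dir="$1"
    pubkey="$2"
    mkdir -p "$home_dir/.ssh"
    chmod 700 "$home_dir/.ssh"
    touch "$home_dir/.ssh/authorized_keys"
    chmod 600 "$home_dir/.ssh/authorized_keys"
    if ! grep -qxF "$pubkey" "$home_dir/.ssh/authorized_keys"; then
        printf '%s\n' "$pubkey" >> "$home_dir/.ssh/authorized_keys"
    fi
}

# check_ssh_perms HOME_DIR
# Returns 0 when the modes match what the article requires (700 / 600);
# otherwise reports which one is wrong and returns 1. Wrong modes here are
# the usual reason a freshly added user is refused by sshd.
check_ssh_perms() {
    home_dir="$1"
    dir_mode=$(stat -c '%a' "$home_dir/.ssh")
    file_mode=$(stat -c '%a' "$home_dir/.ssh/authorized_keys")
    rc=0
    [ "$dir_mode" = "700" ] || { echo ".ssh mode is $dir_mode, expected 700"; rc=1; }
    [ "$file_mode" = "600" ] || { echo "authorized_keys mode is $file_mode, expected 600"; rc=1; }
    return $rc
}

# key_count HOME_DIR : number of non-empty lines (keys) in authorized_keys
key_count() {
    grep -c . "$1/.ssh/authorized_keys"
}

# derive_pubkey PEM_FILE : same as the article's "ssh-keygen -y", with the
# file given via -f instead of the interactive prompt (run on the client).
derive_pubkey() {
    ssh-keygen -y -f "$1"
}

# provision_user NAME PUBLIC_KEY_LINE : must run as root; not exercised below.
# Because root creates the files, ownership is handed to the user afterwards
# (the article avoids this by running the steps under "sudo su - <new_user>").
provision_user() {
    name="$1"; pubkey="$2"
    # Debian/Ubuntu form; on Amazon Linux use: adduser "$name"
    adduser --disabled-password --gecos "" "$name"
    install_authorized_key "/home/$name" "$pubkey"
    chown -R "$name:$name" "/home/$name/.ssh"
}

# Stand-alone demo on a temporary directory (no root needed).
# The key below is a constructed placeholder, not a real public key.
DEMO_HOME=$(mktemp -d)
DEMO_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedPlaceholderKeyxxxxxxxxxxx demo@constructed'
install_authorized_key "$DEMO_HOME" "$DEMO_KEY"
install_authorized_key "$DEMO_HOME" "$DEMO_KEY"   # second run must not add a duplicate
check_ssh_perms "$DEMO_HOME" && echo "permissions OK, $(key_count "$DEMO_HOME") key(s) installed"
```

On a real instance you would call provision_user as root with the public key line produced by derive_pubkey on the client; check_ssh_perms is worth running whenever a new user reports "Permission denied (publickey)", since sshd silently ignores an authorized_keys file whose directory or file is group- or world-writable.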

Verify that you can use SSH to connect to your instance

You should now be able to connect to your EC2 Linux instance as <new_user> via SSH from your local Linux or Mac computer. To verify that you can connect to your EC2 instance via SSH as <new_user>, run the following command from the command line on your local computer:

ssh -i /path/<new_keypair>.pem <new_user>@public_dns_name_of_EC2_Linux_instance

To connect to your EC2 Linux instance using SSH from Windows, follow the steps at Connecting to Your Linux Instance from Windows Using PuTTY.

After you have connected to your instance as <new_user> via SSH, you can run the following command from the EC2 instance command line to view the user and group information created for the account:

id

This command should return information similar to the following:

uid=501(<new_user>) gid=501(<new_user>) groups=501(<new_user>)




Published: 2017-02-21