<div dir="ltr">Can we assume the default security group used will have a rule to allow ssh from any host? <div>By default, the 'default' aws security groups do not have this rule, preventing the instance from being ssh'ed into, so it would be up to the user to have changed the default security group to allow this... </div><div>Or should our program create a new security group with that rule set (or modify the default security group to set the rule)?<div><br></div><div>-Justin</div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Feb 12, 2019 at 9:53 AM Jan Schaumann <<a href="mailto:jschauma@stevens.edu">jschauma@stevens.edu</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Thomas L Pyle <<a href="mailto:tpyle@stevens.edu" target="_blank">tpyle@stevens.edu</a>> wrote:<br>
<br>
> For homework 2, when we create the instance, how do we know what<br>
> keypair to use? Should we generate a new one?<br>
<br>
We don't want to generate a new keypair per the earlier promise that our<br>
tool will not make any changes to the user's setup or environment (a<br>
generally useful consideration, based on the Principle Of Least<br>
Astonishment).<br>
<br>
That would mean we'd have to assume that a default key has been<br>
configured correctly, but AWS configurations may differ in the use, and<br>
the user may in fact already have a default key that they may not wish<br>
to use for this purpose (separation of privileges is a Good Thing(tm)).<br>
<br>
So let's stipulate that our tool requires the presence of a dedicated<br>
SSH keypair. That is, the user running the tool must have set up a<br>
keypair called 'ec2-backup' in AWS and must have set up their<br>
~/.ssh/config to use that key. That would look like this:<br>
<br>
$ ssh-keygen -t rsa -C "ec2-backup only" -f ~/.ssh/ec2-backup -b 4096<br>
[...]<br>
$ aws ec2 import-key-pair --key-name ec2-backup \<br>
--public-key-material file://~/.ssh/ec2-backup.pub<br>
[...]<br>
$ aws ec2 describe-key-pairs --key-name ec2-backup<br>
KEYPAIRS b6:6f:b5:90:0f:14:85:a6:82:d0:61:b8:78:3c:c8:b1 ec2-backup<br>
$ grep -A6 amazonaws ~/.ssh/config<br>
Host *<a href="http://amazonaws.com" rel="noreferrer" target="_blank">amazonaws.com</a><br>
User root<br>
IdentityFile ~/.ssh/ec2<br>
IdentityFile ~/.ssh/ec2-backup<br>
IdentitiesOnly yes<br>
UserKnownHostsFile /dev/null<br>
StrictHostKeyChecking no<br>
<br>
<br>
At this point, everything is set up and your tool can use the<br>
'ec2-backup' key name to create and access instances:<br>
<br>
$ aws ec2 run-instances --key-name ec2-backup --image-id ami-569ed93c \<br>
--instance-type t1.micro<br>
[...]<br>
$ ssh <a href="http://ec2-3-84-173-113.compute-1.amazonaws.com" rel="noreferrer" target="_blank">ec2-3-84-173-113.compute-1.amazonaws.com</a> hostname<br>
ip-10-159-231-196.ec2.internal<br>
$ <br>
<br>
I have updated the manual page of the tool in the homework assignment to<br>
reflect the above assumptions you can safely make. At a future<br>
iteration of the tool, we may add a way for the user to specify<br>
alternative keys or other options, but for this assignment, let's keep<br>
it simple by relying on the 'ec2-backup' key.<br>
<br>
-Jan<br>
_______________________________________________<br>
cs615asa mailing list<br>
<a href="mailto:cs615asa@lists.stevens.edu" target="_blank">cs615asa@lists.stevens.edu</a><br>
<a href="https://lists.stevens.edu/mailman/listinfo/cs615asa" rel="noreferrer" target="_blank">https://lists.stevens.edu/mailman/listinfo/cs615asa</a><br>
</blockquote></div>