For our production systems we are running Amazon EC2 Instances.
The colleague responsible (say call him Joe) for that has left the company.
Now we want to have ssh access to our instance.
He left us both his private and his public key file.
id_dsa
id_dsa.pub
In the backend we can see that the key "joe" is assigned to the running instance and that ssh access is done by the following command:
ssh -i "joe.pem" ec2-user@11.22.11.123
How can we generate a .pem file? Or more generally speaking, what needs to be done in order to get ssh access?
Do we need Certificates from Amazon? If so, how?
For creating a new pem key:
Go to EC2 Dashboard > Key Pair > Create Key Pair
This will download a pem key file for you.
For SSH access:
- You can add your id_rsa.pub to the instance's ~/.ssh/auth* file. After that, you can ssh to it by using ssh ubuntu@ip
- You can use the pem key which is associated with that instance by using
ssh -i "file.pem" ubuntu@ip
Accessing new instances
Key Pairs are used to grant access to a newly-launched Amazon EC2 instance when using a standard Amazon Machine Image (AMI) supplied by Amazon. (AMIs from other locations may have their own method of logging-in.)
When the instance is launched, a key pair is specified. The EC2 service will then copy the public half of the key pair to /home/ec2-user/.ssh/authorized_keys (path may vary depending upon AMI chosen).
Then, to connect to the instance, use the private half of the key pair, exactly like you showed:
ssh -i joe.pem ec2-user@11.22.11.123
(The ec2-user login is used for Amazon Linux instances. Ubuntu uses ubuntu as the username.)
The name of the key pair to use is shown in the information section of the EC2 instance in the management console:
Once an instance has been accessed, it is recommended to change the key pair in use, create new users and generally take ownership of the security of the instance. Follow the standard security practices of your organization rather than relying on the key pair used when the instance was launched.
Accessing existing instances
For your particular situation, the instances have already been launched and the ssh key pair that grants access might (or might not!) be the one used when the instance was first launched.
You also mentioned that you can see that the key joe is associated with the instance. In that case, you should try to find joe.pem and login to the instance. If you can't find that file, try using the id_dsa file instead.
If none of this works, then the problem is one of two things:
- You don't have the key pair that was used when the instance was launched, or
- The key pair on the instance itself has been changed (as per security recommendations)
The bottom line is that, without the key pair, you cannot ssh into the instance.
Recovering access
Worst case, if you can't ssh to the instance, you can still fix things. The general steps are:
- Stop the instance (let's call it Instance A)
- Detach the boot volume (let's call it Volume A)
- Start a new instance, or select an existing instance (let's call it Instance B)
- Attach Volume A to Instance B
- Login to Instance B and copy a new public key pair to the .ssh/authorized_keys file on Volume A
- Unmount and detach Volume A from Instance B
- Attach Volume A to Instance A
- Start Instance A
You should now be able to ssh into the Instance.
Some references:
- Connecting to Your Linux Instance Using SSH
- How to Recover an Unreachable Linux Instance
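The step in both answers that actually grants access is putting a public key into the right authorized_keys file with the right permissions; the .pem extension on the private key is only a naming convention, and ssh -i accepts any private key file whose public half appears in that file. Below is an added example (not from either answer, not an AWS tool) of that step as a POSIX shell function, written for the recovery case where Volume A is mounted on Instance B at an assumed mount point such as /mnt/recover. It refuses input that is not a single OpenSSH public-key line, creates .ssh with mode 700 and authorized_keys with mode 600 (sshd ignores the file under StrictModes if these are looser), appends the key only once, and, when run as root on a volume that carries its own /etc/passwd, fixes ownership to the uid and gid that account has on that volume rather than on the rescue instance. The same function covers the first answer's "add your id_rsa.pub" step by passing / as the mount point on a running instance.

```shell
#!/bin/sh
# Added example: install one public key into <mount>/home/<user>/.ssh/authorized_keys.
# Assumptions (not from the original answers): the target volume is already
# attached and mounted at <mount> (e.g. /mnt/recover), and the account's home
# directory is <mount>/home/<user>, as for ec2-user (Amazon Linux) or ubuntu.
#
# install_authorized_key MOUNT USER PUBKEY_LINE
#   prints the path of the authorized_keys file on success, returns 1 on refusal.
install_authorized_key() {
    mount="$1"; user="$2"; pubkey="$3"
    home="$mount/home/$user"
    sshdir="$home/.ssh"
    authfile="$sshdir/authorized_keys"

    # Accept only a single line that starts with a known OpenSSH key type.
    case "$pubkey" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-nistp256\ *|ecdsa-sha2-nistp384\ *|ssh-dss\ *) ;;
        *) echo "refusing: not an OpenSSH public key line" >&2; return 1 ;;
    esac
    if [ "$(printf '%s' "$pubkey" | wc -l | tr -d ' ')" != "0" ]; then
        echo "refusing: key must be a single line" >&2; return 1
    fi

    [ -d "$home" ] || { echo "no home directory for $user under $mount" >&2; return 1; }

    # Permissions sshd expects under StrictModes: 700 on .ssh, 600 on authorized_keys.
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$authfile"
    chmod 600 "$authfile"

    # Idempotent append: compare type and key material (first two fields), ignoring the comment.
    keymat=$(printf '%s\n' "$pubkey" | awk '{print $1" "$2}')
    if ! awk -v k="$keymat" '($1" "$2)==k {found=1} END {exit !found}' "$authfile"; then
        printf '%s\n' "$pubkey" >> "$authfile"
    fi

    # Ownership must match the account as it exists ON THE VOLUME, whose uid may
    # differ from the same username on the rescue instance; read its /etc/passwd.
    if [ "$(id -u)" -eq 0 ] && [ -r "$mount/etc/passwd" ]; then
        ids=$(awk -F: -v u="$user" '$1==u {print $3":"$4; exit}' "$mount/etc/passwd")
        if [ -n "$ids" ]; then
            chown -R "$ids" "$sshdir"
        fi
    fi

    printf '%s\n' "$authfile"
}

# Usage on the rescue instance (Instance B), with Volume A mounted at /mnt/recover:
#   install_authorized_key /mnt/recover ec2-user "$(cat ~/.ssh/id_ed25519.pub)"
# Afterwards unmount, detach, reattach to Instance A and start it, as the answer describes.
```

After Instance A is back up, log in with the matching private key (ssh -i /path/to/key ec2-user@...), then rotate: remove the departed colleague's key line from authorized_keys, since the recovery only adds a key and does not revoke the old one.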
You can also use a dedicated tool like Userify or SSH UKM to keep keys updated -- just paste your new public key after generating it, using Putty on Windows or tools that are already built into Linux or OSX. (Disclaimer: I work for Userify).