Ideally, a good information security scheme has a series of factors that make it difficult for an unauthorized person to gain access to protected information or secrets. Unfortunately, if you use the default PEM file you downloaded from AWS when creating your EC2 key pair, you are authenticating with only one factor: something you have. Anyone who gets hold of that PEM file can use it to access your EC2 instance, provided they know its username and IP address (or hostname).
Now, as for prohibiting unauthorized access to a server, there are a few ways to take full advantage of a PEM key from a defensive standpoint. In this somewhat brief article, I'm going to show you a very straightforward approach that doesn't require much effort, yet puts a real wall in front of any intruder clever or skilled enough to procure one of your AWS EC2 PEM files.
For those of you who frequently review information about FIDO/U2F authentication tools and standards, you're probably familiar with the name Yubico, an organization that produces information security products and tools that comply with those standards. A Yubico YubiKey with One Time Passcode (OTP) capability is one of the key ingredients to enhancing the way you use your PEM key. First, however, we'll have a brief look at the nature of the PEM file and the way many of us have become used to using it.
I’ve tried it before and perhaps many of you have done the same out of habit. I’ve used a PEM file for accessing several of my EC2 servers from my workstation, and then conveniently used other PEM files from my laptop.
One day I realized that just because I have the PEM file(s) to authenticate with when logging into those servers doesn't mean that my servers are fully secured. At best there is a degree of separation between open (unauthorized) access and controlled (authorized) access. As I've alluded to before, there are ways to get hold of files that sit on a person's computer. Viruses are one example, and targeted hacking is another.
"A PEM file is a Base64-encoded certificate file used to authenticate a secure website. It may contain a private key, certificate authority (CA) server certificate, or other various certificates that make up the trust chain."
(Sharpened Productions, 2024).
Usually, conversations about PEM (*.pem) files involve the term key pair.
AWS defines a key pair as follows:
“A key pair, consisting of a public key and a private key, is a set of security credentials that you use to prove your identity when connecting to an Amazon EC2 instance. Amazon EC2 stores the public key on your instance, and you store the private key. For Linux instances, the private key allows you to securely SSH into your instance.”
(Amazon Web Services, 2024).
Since a PEM file usually contains a private key, the public key can be derived from it. More importantly, we can also add a passphrase to the PEM file. Doing so gives you two security factors for authenticating with the file:
1. Something you have => PEM file
2. Something you know => PEM file password
The second factor makes a world of difference: gaining unauthorized access to your AWS EC2 instance now requires both the file and the passphrase. Just make sure you use a strong password, to get the full benefit of this factor, and then guard that password effectively.
We can add a password to a PEM file using ssh-keygen or PuTTY (PuTTYgen). Since I'm a Linux user I can run ssh-keygen in a common Linux terminal. I recommend trying the following steps on a fresh new EC2 instance first, just to make sure. Don't try this process on any of your mission-critical EC2s until you're certain of the outcome.
The ssh-keygen command to add a password to a PEM file has the following structure:
ssh-keygen -p -f [pem file name]
The -p flag requests a change of the private key's passphrase without regenerating the key, so when we execute the command a prompt appears asking for the new passphrase. The -f flag specifies the name of the file that will be updated.
user ~ % ssh-keygen -p -f mainserver.pem
If that command was executed successfully, you’ll receive the following prompt.
Enter new passphrase (empty for no passphrase):
Then you’ll be asked to confirm your password entry.
Enter the same passphrase again:
If the process was successful, you’ll receive this confirmation.
Your identification has been saved with the new passphrase.
Now, if you try to SSH into your EC2 you should be prompted for the passphrase, and once you enter it the authentication process should log you into the server. When I tried this several times I didn't have to re-export the public key from the PEM file and add it to the EC2's authorized_keys file again. If you encounter issues when authenticating with the server, you might want to try that, just in case.
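The following shell script is an added example, not code from the article: it runs the same ssh-keygen -p step non-interactively on a copy of the key and then verifies the point made above, that the public key (and therefore the authorized_keys entry on the instance) is unchanged, and that the copy really does refuse to load without the passphrase. It assumes OpenSSH's ssh-keygen is installed; the file names and the passphrase are placeholders.

```shell
#!/bin/sh
# Added example, not from the article. Puts a passphrase on a COPY of an
# existing EC2 private key non-interactively and proves the public half is
# unchanged, so the instance's authorized_keys does not need updating.
# Assumes OpenSSH's ssh-keygen is installed; file names and the passphrase
# below are placeholders.
set -eu

# protect_key <original.pem> <protected.pem> <passphrase>
# Copies the key, sets the passphrase with `ssh-keygen -p` (no new key is
# generated) and compares the derived public key before and after.
protect_key() {
    orig=$1; out=$2; pass=$3
    cp "$orig" "$out" || return 1
    chmod 600 "$out"
    # -P '' : current passphrase (AWS-issued keys are unencrypted)
    # -N    : new passphrase; -a 32: bcrypt KDF rounds (default is 16)
    # Note: modern ssh-keygen rewrites the file in OpenSSH's native key
    # format, which is what provides the bcrypt-based passphrase protection.
    ssh-keygen -q -p -P '' -N "$pass" -a 32 -f "$out" || return 1
    before=$(ssh-keygen -y -f "$orig")
    after=$(ssh-keygen -y -P "$pass" -f "$out")
    [ -n "$before" ] && [ "$before" = "$after" ]
}

# is_protected <key>: succeeds only if the key cannot be loaded with an
# empty passphrase, i.e. the "something you know" factor is really in place.
is_protected() {
    ! ssh-keygen -y -P '' -f "$1" >/dev/null 2>&1
}

# demo: a throwaway RSA key in PEM format stands in for a downloaded
# mainserver.pem; returns 0 only when every check passes.
demo() {
    tmp=$(mktemp -d)
    ssh-keygen -q -t rsa -b 2048 -m PEM -N '' -f "$tmp/mainserver.pem" || return 1
    protect_key "$tmp/mainserver.pem" "$tmp/mainserver-locked.pem" 'constructed demo passphrase' || return 1
    is_protected "$tmp/mainserver-locked.pem" || return 1
    is_protected "$tmp/mainserver.pem" && return 1
    rm -rf "$tmp"
}

demo && echo "public key unchanged; protected copy requires the passphrase"
```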
Ensuring a Strong Secret Password by Using a Yubikey
Remembering a strong password requires substantial time and effort – especially the retention part. Cellphone password vaults have become convenient for this purpose. However, since keyloggers can capture anything you type, it's important to have an alternative when thinking about high-stakes server security. So how does one best manage such a password? Let's just say that it pays NOT to know the password at all, and it especially pays not to have to type it on a keyboard. Above all else, the password must remain masked at all times, so that no sleight of hand with an OS clipboard or the like can expose it.
Fortunately, there is a solution for all these requirements, and a Yubico Yubikey is integral to it. Yubikeys can be used for multi-factor authentication. Among their list of amazing features, one that provides a great advantage is the use of an auto-generated static password.
For this example we'll use the YubiKey 5 NFC (among other models), which has the OTP (One-Time Passcode) feature:
This model has two slots that we can assign passwords to. When we press the YubiKey button (the gold disc with the Y on it in the picture above) while the YubiKey is plugged into a USB port, it types out a password. Slot 1 is triggered by a quick press (less than a second). Slot 2 is triggered by a longer press of about 2 seconds or more. Slot 1 is populated as a factory setting, and if you tap the YubiKey button while your cursor is in a text field or text pad, you'll see a string of letters appear. Repeated taps show that the value is made up of random characters (38 characters in length) and changes each time. However, we can assign a static value to either slot 1 or slot 2.
Open up the Yubikey Manager and select OTP:
I have both slots 1 and 2 configured. You can delete the configuration on either slot if needed. If you press the configure button on a slot, you'll arrive at this screen:
Select the Static Password option, which will take you to this screen:
After generating the password:
If you press the generate button in the UI, you'll see a value appear in the text field. You can use the Allow any character option, but it might violate some password rules, so choose based on your password strength requirements. When you hit Finish the static password is saved. Then, when you press the YubiKey for the length of time that corresponds to the slot you saved the static password on, you'll see that value typed into an unmasked text field.
There is also a command line tool (ykman) that can generate the static password so that its value is never shown to you, which might be more in line with your security preferences. The great thing is that now, when the terminal prompts you for the PEM file's passphrase, you can use your YubiKey to emit the value without it ever being revealed.
For future logins you can repeat the same process on any of your workstations with a USB port, without having to remember the password.
References:
Amazon Web Services. (2024). Amazon EC2 key pairs and Linux instances. AWS. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html
Sharpened Productions. (2024). PEM File Extension. FileInfo.com. https://fileinfo.com/extension/pem
Top comments (2)
Great stuff. I was wondering what to do with my old key, now I know :)
If all goes well with adding the password to your .pem, then you can keep using it as before, but with an added password prompt. The process I described simply updates your existing .pem file. But try it out on a copy of your original .pem file, just in case. And don't forget to follow the steps I outlined on an expendable EC2 before trying it out on production.