DEV Community: Praveen Kumar K

Enable Password-Based SSH Authentication for Root User on EC2 Instances Using Userdata Script

Praveen Kumar K — Mon, 26 Jan 2026 06:24:13 +0000

📌 Userdata Script: Enable Password-Based SSH Authentication for Root User

🔐 Default Credentials:

Username: root
Password: password123

⚠️ Change PASSWORD="password123" in the script to set your own password.

🔄 This script runs on every instance start/stop, not just initial launch.

🆘 Recovery Method (Lost Access to EC2 Instance):

🛑 Stop your EC2 instance
⚙️ Actions → Instance Settings → Edit User Data
📋 Paste the script
▶️ Start your instance
🖥️ Actions → Monitor and troubleshoot → EC2 Serial Console
🔑 Login with root / password123

✅ Supported OS:

Linux

⚠️ Security Warning: This script executes every time your instance starts/stops. After troubleshooting, make sure to remove this userdata and revert the changes.

Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0

--//
Content-Type: text/cloud-config; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="cloud-config.txt"

#cloud-config
cloud_final_modules:
- [scripts-user, always]
--//
Content-Type: text/x-shellscript; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="userdata.txt"

#!/bin/bash

#==============================================================================
# Script: Enable Password Authentication and Root Login for SSH
# Description: This script enables password-based authentication and root login
#              for SSH by modifying sshd_config and files in sshd_config.d folder
#              - Main file: Updates or adds keywords if not exist
#              - .d folder files: Only comments out if keyword exists with "no"
#              - Creates user and adds sudoers entry
#==============================================================================

# Define the main sshd_config file and the .d directory
SSHD_CONFIG="/etc/ssh/sshd_config"
SSHD_CONFIG_DIR="/etc/ssh/sshd_config.d"

#==============================================================================
# Function to update or add SSH configuration parameters (for main file only)
#==============================================================================
update_ssh_config() {
    local file="$1"
    local keyword="$2"
    local value="$3"

    if grep -qE "^#*${keyword}" "$file"; then
        # Keyword exists (commented or uncommented), so replace it
        echo "Updating existing ${keyword} in ${file}..."
        sed -i "s/^#*${keyword}.*/${keyword} ${value}/" "$file"
    else
        # Keyword does not exist, so add it to the file
        echo "Adding ${keyword} to ${file}..."
        echo "${keyword} ${value}" >> "$file"
    fi
}

#==============================================================================
# Function to comment out keyword if it exists with "no" (for .d folder files)
#==============================================================================
comment_if_no() {
    local file="$1"
    local keyword="$2"

    if grep -qE "^${keyword} no" "$file"; then
        # Keyword exists with "no" value, so comment it out
        echo "Commenting out ${keyword} no in ${file}..."
        sed -i "s/^${keyword} no/#${keyword} no/" "$file"
    elif grep -qE "^${keyword}" "$file"; then
        # Keyword exists with other value, leave it as is
        echo "${keyword} already exists with correct value in ${file}. Skipping..."
    else
        # Keyword does not exist, no action needed
        echo "${keyword} not found in ${file}. No action needed."
    fi
}

#==============================================================================
# Function to verify and add keyword if not verified (for main file only)
#==============================================================================
verify_and_fix() {
    local file="$1"
    local keyword="$2"
    local value="$3"

    if grep -qE "^${keyword} ${value}$" "$file"; then
        echo "✓ VERIFIED: ${keyword} ${value} is correctly set in ${file}"
        return 0
    else
        echo "✗ NOT VERIFIED: ${keyword} ${value} not found in ${file}"
        echo "  Attempting to fix by adding ${keyword} ${value} to ${file}..."

        # Remove any existing entries (commented or uncommented) to avoid duplicates
        sed -i "/^#*${keyword}/d" "$file"

        # Add the keyword with correct value
        echo "${keyword} ${value}" >> "$file"

        # Verify again after fix
        if grep -qE "^${keyword} ${value}$" "$file"; then
            echo "  ✓ FIXED: ${keyword} ${value} successfully added to ${file}"
            return 0
        else
            echo "  ✗ FAILED: Unable to add ${keyword} ${value} to ${file}"
            return 1
        fi
    fi
}

#==============================================================================
# Function to add sudoers entry for user
#==============================================================================
add_sudoers_entry() {
    local username="$1"
    local sudoers_file="/etc/sudoers"
    local sudoers_entry="${username}    ALL=(ALL)       ALL"

    # Check if entry already exists in sudoers file
    if grep -qE "^${username}\s+ALL=\(ALL\)\s+ALL" "$sudoers_file"; then
        echo "✓ Sudoers entry for ${username} already exists. Skipping..."
    else
        echo "Adding sudoers entry for ${username}..."
        echo "$sudoers_entry" >> "$sudoers_file"

        # Verify entry was added
        if grep -qE "^${username}\s+ALL=\(ALL\)\s+ALL" "$sudoers_file"; then
            echo "✓ Sudoers entry for ${username} added successfully."
        else
            echo "✗ Failed to add sudoers entry for ${username}."
        fi
    fi
}

#==============================================================================
# Update main sshd_config file
#==============================================================================
echo "=========================================="
echo "Updating main sshd_config file..."
echo "=========================================="

# Check and update PasswordAuthentication
update_ssh_config "$SSHD_CONFIG" "PasswordAuthentication" "yes"

# Check and update PermitRootLogin
update_ssh_config "$SSHD_CONFIG" "PermitRootLogin" "yes"

#==============================================================================
# Loop through all files in sshd_config.d directory
# Only comment out if keyword exists with "no" value
# Do not add new keywords to these files
#==============================================================================
echo ""
echo "=========================================="
echo "Processing files in sshd_config.d directory..."
echo "(Only commenting out if keyword exists with 'no' value)"
echo "=========================================="

if [ -d "$SSHD_CONFIG_DIR" ]; then
    for file in "$SSHD_CONFIG_DIR"/*.conf; do
        if [ -f "$file" ]; then
            echo ""
            echo "Processing file: $file"
            echo "------------------------------------------"

            # Comment out PasswordAuthentication if it exists with "no"
            comment_if_no "$file" "PasswordAuthentication"

            # Comment out PermitRootLogin if it exists with "no"
            comment_if_no "$file" "PermitRootLogin"
        fi
    done
else
    echo "Directory $SSHD_CONFIG_DIR does not exist. Skipping..."
fi

#==============================================================================
# Verify Configuration Changes and Fix if Not Verified (Main file only)
#==============================================================================
echo ""
echo "=========================================="
echo "Verifying configuration changes (Main file only)..."
echo "=========================================="

echo ""
echo "Verifying main sshd_config file:"
echo "------------------------------------------"
verify_and_fix "$SSHD_CONFIG" "PasswordAuthentication" "yes"
verify_and_fix "$SSHD_CONFIG" "PermitRootLogin" "yes"

#==============================================================================
# Final Verification - Display Current Configuration
#==============================================================================
echo ""
echo "=========================================="
echo "Final Configuration Status:"
echo "=========================================="

echo ""
echo "Main sshd_config file ($SSHD_CONFIG):"
echo "------------------------------------------"
grep -E "^PasswordAuthentication|^PermitRootLogin" "$SSHD_CONFIG" || echo "No matching keywords found"

if [ -d "$SSHD_CONFIG_DIR" ]; then
    echo ""
    echo "Files in sshd_config.d directory:"
    echo "------------------------------------------"
    for file in "$SSHD_CONFIG_DIR"/*.conf; do
        if [ -f "$file" ]; then
            echo ""
            echo "File: $file"
            grep -E "PasswordAuthentication|PermitRootLogin" "$file" || echo "No matching keywords found"
        fi
    done
fi

#==============================================================================
# Restart SSH service
#==============================================================================
echo ""
echo "=========================================="
echo "Restarting SSH service..."
echo "=========================================="

systemctl restart sshd || service sshd restart

# Verify SSH service status
echo ""
echo "Verifying SSH service status..."
systemctl status sshd --no-pager

#==============================================================================
# User Creation Section
# TODO: Replace 'root' with your desired username
# TODO: Replace 'password123' with your desired password
#==============================================================================
echo ""
echo "=========================================="
echo "User Creation Section"
echo "=========================================="

# Define username and password (modify as needed)
USERNAME="root"
PASSWORD="password123"

# Create user
echo "Creating user: $USERNAME"
useradd "$USERNAME" 2>/dev/null || echo "User $USERNAME may already exist"

# Set password for the user
echo "$PASSWORD" | passwd --stdin "$USERNAME"

# Verify user creation
echo ""
echo "Verifying user creation..."
id "$USERNAME"

#==============================================================================
# Add Sudoers Entry for User (Not using wheel group)
#==============================================================================
echo ""
echo "=========================================="
echo "Adding Sudoers Entry for User"
echo "=========================================="

# Add sudoers entry for the user
add_sudoers_entry "$USERNAME"

# Verify sudoers entry
echo ""
echo "Verifying sudoers entry:"
echo "------------------------------------------"
grep -E "^${USERNAME}" /etc/sudoers && echo "✓ Sudoers entry verified successfully." || echo "✗ Sudoers entry not found."

echo ""
echo "=========================================="
echo "Script execution completed successfully!"
echo "=========================================="
--//--

After launch a new SUSE Linux Enterprise Server 15 SP6 in AWS EC2 software channels not working.

Praveen Kumar K — Wed, 24 Jul 2024 20:50:03 +0000

i. Confirm your operating system (OS) is registered. If not, please try registering using the following commands:

Checking Registration Status:

    $ sudo SUSEConnect -s

Registering the Instance:

    $ sudo registercloudguest --clean
    $ sudo registercloudguest --force-new

ii. After registration, please run the following commands to add the "sle-module-public-cloud" repositories and check the status:

    $ sudo SUSEConnect -p sle-module-public-cloud/15.6/x86_64
    $ sudo SUSEConnect --status-text

iii. After registering the operating system on instance, Execute the following commands to check the installed and available modules and repositories:

    $ sudo SUSEConnect --list-extensions

    $ sudo zypper repos

---[ end Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(0,0) ]---

Praveen Kumar K — Wed, 24 Jul 2024 20:15:41 +0000

`/initramfs-4.18.a-bbb.c.d.el8_10.x86_64.img' not found.
No filesystem could mount root, tried: 
Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(0,0)
CPU: 5 PID: 1 Comm: swapper/0 Not tainted 4.18.a-bbb.c.d.el8_10.x86_64 #1
---[ end Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(0,0) ]---

To recover the affected instance, you can follow the below methods which are suitable for you:

=========

Method 1:

i. You can try restoring the instance from a recent working backup snapshot or AMI prior to the patch update.

=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-=-==-=-=-=-=-=-

=========

Method 2:

You can follow the steps below and rebuild the kernel image using a rescue instance.

i. Take a backup of your instance [i-affectedInstanceID] by creating an EBS snapshot of the volume(s) attached to the instance.

ebs-creating-snapshot

Once you have ensured that you have a backup in place, kindly continue the remaining steps.

ii. Stop the current instance 'i-affectedInstanceID'.
Once you have ensured that you have a backup in place, kindly try the remaining steps.

iii. Launch a temporary recovery instance in the same availability zone as the instance 'i-affectedInstanceID' and using the same AMI [ami-affectedInstanceAMIID] or any other AMI with a similar operating system.

iv. Detach the root volume 'vol-affectedInstanceRootVolumeID' and attach it to the temporary recovery instance launched recently as a secondary EBS volume.

v. Connect to the recovery instance with your SSH key pair.

vi. Run the following command to see the name of the secondary volume, e.g., /dev/xvdf1, /dev/nvme0n1p1.

$ lsblk

vii. Switch to root and mount the volume.

$ sudo su

# mount /dev/nvme0n1p1 /mnt

NOTE:Replace nvme0n1p1 with the correct volume name.

viii. Mount the necessary filesystems from the secondary volume to the /mnt directory.

# for i in proc sys dev run; do mount --bind /$i /mnt/$i ; done

ix. Change root to the mounted volume.

# chroot /mnt

x. To create a backup of the initramfs in the / directory, run the following command:

# for file in /boot/initramfs-*.img; do cp "${file}" "/$(basename "$file")_$(date +%Y%m%d)"; done

xi. To list the default kernel, run the following command:

# grubby --default-kernel

xii. List the kernels and initramfs in the boot directory as shown in the following command:

# ls -lh /boot/vmlinuz* && ls -lh /boot/initr*

xiii. To rebuild the initramfs, run the following command. Update the kernel version field with the latest kernel version or the kernel version you want that you found in 'step xi':

# cd /boot

# dracut --force --verbose initramfs-<kernelVersion>.img <kernelVersion>

eg.,

# dracut --force initramfs-4.18.a-bbb.c.d.el8_10.x86_64.img 4.18.a-bbb.c.d.el8_10.x86_64

xiv. To determine if the instance is booting on UEFI or BIOS, run the following command:

# boot_mode=$(ls /sys/firmware/efi/efivars >/dev/null 2>&1 && echo "EFI" || echo "BIOS"); echo "Boot mode detected: $boot_mode"

xv. To update the grub configuration, choose one of the following commands based on the previous step output.

For BIOS, run the following command:

# grub2-mkconfig -o /boot/grub2/grub.cfg

For UEFI, run one of the following commands.

# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg

xvi. To exit and detach the volume, run the following command:

# exit;

# umount /mnt/{proc,sys,dev,run,}

# umount -fl /mnt

xvii. Detach the secondary volume from the recovery instance. Attach it to the original instance as the root device with the same device name from 'step v'. When the volume is attached, boot the instance.

xviii. Start the EC2 instance and then verify that the instance is responsive.

=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-=-=

=========

Method 3: Revert back to previous any one of kernel.

You can follow the same steps outlined in Method 2, from 'step i' to 'step x', to launch a recovery instance and attach the primary volume of the affected instance as a secondary volume to the recovery instance.

xi. Execute the following command to see all available kernels:

# grubby --info=ALL

xii. Execute the following command to change the default kernel of the instance:

# grubby --set-default=/boot/vmlinuz-<kernelVersion>

xiii. Execute the following command to verify that the previous command successfully updated the default kernel or not:

# grubby --default-kernel

xiv. 15. To exit and detach the volume, run the following command:

# exit;

# umount /mnt/{proc,sys,dev,run,}

# umount -fl /mnt

xv. Detach the secondary volume from the recovery instance. Attach it to the original instance as the root device with the same device name from 'step v'. When the volume is attached, boot the instance.

xvi. Start the EC2 instance and then verify that the instance is responsive.

Fixing Yum Update Errors on New CentOS Instances on AWS EC2

Praveen Kumar K — Wed, 24 Jul 2024 19:56:09 +0000

After you have launched a minimalist CentOS 8 or CentOS 7 Amazon Machine Image (AMI) on an Amazon Elastic Compute Cloud (EC2) instance, the entire process of launching the instance goes smoothly and is successful.

But, while updating the system, using the yum update, you’re likely to get the error message:

Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Could not retrieve mirrorlist http://mirrorlist.centos.org/?release=7&arch=x86_64&repo=os&infra=genclo error was
14: curl#6 - "Could not resolve host: mirrorlist.centos.org; Unknown error"
Could not retrieve mirrorlist http://mirrorlist.centos.org/?release=7&arch=x86_64&repo=extras&infra=genclo error was
14: curl#6 - "Could not resolve host: mirrorlist.centos.org; Unknown error"


 One of the configured repositories failed (Unknown),
 and yum doesn't have enough cached data to continue. At this point the only
 safe thing yum can do is fail. There are a few ways to work "fix" this:

     1. Contact the upstream for the repository and get them to fix the problem.

     2. Reconfigure the baseurl/etc. for the repository, to point to a working
        upstream. This is most often useful if you are using a newer
        distribution release than is supported by the repository (and the
        packages for the previous distribution release still work).

     3. Run the command with the repository temporarily disabled
            yum --disablerepo=<repoid> ...

     4. Disable the repository permanently, so yum won't use it by default. Yum
        will then just ignore the repository until you permanently enable it
        again or use --enablerepo for temporary usage:

            yum-config-manager --disable <repoid>
        or
            subscription-manager repos --disable=<repoid>

     5. Configure the failing repository to be skipped, if it is unavailable.
        Note that yum will try to contact the repo. when it runs most commands,
        so will have to try and fail each time (and thus. yum will be be much
        slower). If it is a very temporary problem though, this is often a nice
        compromise:

            yum-config-manager --save --setopt=<repoid>.skip_if_unavailable=true

To fix this issue, Please try the following steps:

Step 1: First, go to the directory:

sudo cd /etc/yum.repos.d/

Step 2: Now, run the commands given below:

sudo sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-*

sudo sed -i 's|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g' /etc/yum.repos.d/CentOS-*

Step 3: After this, run the yum update:

sudo yum update -y

Step 4: Install any other packages that are available from the CentOS repo.

sudo yum install java -y

How to setup IPv6 Only EC2 Instance in AWS

Praveen Kumar K — Wed, 24 Jul 2024 19:35:29 +0000

i. Create a VPC with an IPv4 CIDR block and an Amazon-provided IPv6 CIDR block:

VPC_ID=$(aws ec2 create-vpc \
    --cidr-block 10.0.0.0/24 \
    --amazon-provided-ipv6-cidr-block \
    --query 'Vpc.VpcId' \
    --output text)

ii. Retrieve the IPv6 CIDR block and IPv4 CIDR block for the VPC:

Ipv6CidrBlock=$(aws ec2 describe-vpcs --vpc-ids $VPC_ID --query 'Vpcs[*].Ipv6CidrBlockAssociationSet[*].Ipv6CidrBlock' --output text)

Ipv6CidrBlockforDualStackSubnet="${Ipv6CidrBlock%/*}/64"

Ipv4CidrBlock=$(aws ec2 describe-vpcs --vpc-ids $VPC_ID --query 'Vpcs[*].CidrBlockAssociationSet[*].CidrBlock' --output text)

iii. Create a dual-stack subnet:

dualStackSubnetID=$(aws ec2 create-subnet \
    --vpc-id $VPC_ID \
    --cidr-block $Ipv4CidrBlock \
    --ipv6-cidr-block $Ipv6CidrBlockforDualStackSubnet)
dualStackSubnetID=$(echo $dualStackSubnetID | jq -r '.Subnet.SubnetId')

vi. Create an internet gateway and attach it to the VPC:

internet_gateway_id=$(aws ec2 create-internet-gateway --query 'InternetGateway.InternetGatewayId' --output text)

aws ec2 attach-internet-gateway \
    --internet-gateway-id $internet_gateway_id \
    --vpc-id $VPC_ID

v. Retrieve the default route table of the newly created VPC and add routes for IPv4 and IPv6 traffic:

route_table_id=$(aws ec2 describe-route-tables --filters "Name=vpc-id,Values=$VPC_ID" "Name=association.main,Values=true" --query "RouteTables[*].RouteTableId" --output text)

aws ec2 create-route --route-table-id $route_table_id --destination-cidr-block 0.0.0.0/0 --gateway-id $internet_gateway_id

aws ec2 create-route --route-table-id $route_table_id --destination-ipv6-cidr-block ::/0 --gateway-id $internet_gateway_id

vi. Launch an EC2 instance in the dual-stack subnet with both IPv4 and IPv6 addresses:
NOTE: Change the image ID ami-xxxxxx, replace <your_Key> with your desired key pair name, and replace <IPv6-only-subnet-id> with the subnet ID of the IPv6-only subnet you created in the last step.

aws ec2 run-instances --image-id ami-xxxxxx --count 1 --instance-type t3.micro --key-name <your_Key> --subnet-id $dualStackSubnetID --associate-public-ip-address --ipv6-address-count 1 --private-dns-name-options HostnameType=ip-name,EnableResourceNameDnsARecord=true,EnableResourceNameDnsAAAARecord=true

vii. Create an IPv6-only subnet in the same VPC using the AWS Management Console or AWS CLI.

viii. Once the IPv6-only subnet is created, use the subnet ID of the newly created IPv6-only subnet in the following command to launch an EC2 instance with only an IPv6 address:
NOTE: Change the image ID ami-xxxxxx , and replace <IPv6-only-subnet-id> with the subnet ID of the IPv6-only subnet you created in last setp.

aws ec2 run-instances --image-id ami-xxxxxx --count 1 --instance-type t3.micro --key-name <your_Key> --subnet-id <IPv6onlySubentIdHere> --ipv6-address-count 1 --private-dns-name-options HostnameType=resource-name,EnableResourceNameDnsARecord=false,EnableResourceNameDnsAAAARecord=true

After this entire process, allow the security group SSH from the dual-stack instance to the IPv6-only instance. Then, connect from your local instance to the dual-stack instance using IPv4, and from the dual-stack instance, connect to the IPv6-only instance using its IPv6 address. I assume you have uploaded the required key into the dual-stack instance to connect to the IPv6 instance.

NOTE: Here, we are using the dual-stack instance as a bastion host if your local network does not have proper IPv6 routing. If you have proper IPv6 routing, the dual-stack instance and subnet are not required; you can directly connect to the IPv6-only instance.