Hritik Raj

πŸ” AWS 122: Passwordless SSH Automation with EC2 User Data

AWS

🔑 The Landing Host Pattern: Secure Passwordless SSH Access

Hey Cloud Builders 👋

Welcome to Day 22 of the #100DaysOfCloud Challenge!
Today we’re solving a real-world DevOps security problem for the Nautilus team: enabling secure, passwordless SSH access from a landing host (aws-client) to a newly launched EC2 instance (devops-ec2).

Architecture

By combining SSH key-based authentication with EC2 User Data, we can fully automate access from the very first boot 🚀


🎯 Objective

  • Launch a t2.micro EC2 instance
  • Generate an RSA key pair on the landing host
  • Automatically configure root SSH access using User Data
  • Enable passwordless authentication

💡 Why SSH Keys & User Data Matter

Password-based SSH is exposed to brute-force and credential-reuse attacks and is outdated. Key-based authentication removes that attack surface and is what automation needs.

🔹 Key Concepts

  • Landing (Bastion) Host

    Acts as a controlled entry point to your infrastructure for better auditing and security.

  • EC2 User Data

    A script that runs once at first boot, perfect for:

    • Installing packages
    • Creating users
    • Configuring SSH keys
  • Automation Benefit

    No manual key copying. No human error. Scales effortlessly.


πŸ› οΈ Step-by-Step: Secure SSH Setup

We’ll move logically from the client → AWS → EC2.


🔹 Phase A: Generate SSH Key Pair (Landing Host)

On the aws-client, navigate to the SSH directory:

cd /root/.ssh
ssh-keygen -t rsa

Key Generation

Display and copy the public key:

cat /root/.ssh/id_rsa.pub

Public Key


🔹 Phase B: Import Key Pair into AWS

Log in to the AWS Console and do the following:

  • Open the AWS Management Console
  • Navigate to EC2 → Network & Security → Key Pairs
  • Click Import key pair

Key Pair

  • Paste the public key generated on the landing host
  • Click Import

Import Key


🔹 Phase C: Launch EC2 with User Data Automation

EC2 Configuration

  • Name: devops-ec2
  • Instance Type: t2.micro
  • AMI: Ubuntu or Amazon Linux

Launch EC2

User Data Script

Paste this under Advanced Details → User Data:

#!/bin/bash
# Runs once at first boot, as root. Replace the placeholder with the full line
# from /root/.ssh/id_rsa.pub on aws-client.
mkdir -p /root/.ssh
chmod 700 /root/.ssh
echo "ssh-rsa YOUR_PUBLIC_KEY_HERE" >> /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys
# Rewrite the directive whether it is commented out or not; add it if absent.
sed -i -E 's/^#?PermitRootLogin.*/PermitRootLogin yes/' /etc/ssh/sshd_config
grep -q '^PermitRootLogin yes' /etc/ssh/sshd_config || echo 'PermitRootLogin yes' >> /etc/ssh/sshd_config
# Validate the config before restarting so a typo cannot lock you out of SSH.
# The unit is named "sshd" on Amazon Linux and "ssh" on Ubuntu.
/usr/sbin/sshd -t && (systemctl restart sshd 2>/dev/null || systemctl restart ssh)

User Data


🔹 Phase D: Final SSH Hardening (Optional)

Some AMIs restrict root login by default. If the User Data script did not take effect:

  • Log in as ubuntu or ec2-user
  • Switch to root:

sudo su -

  • Ensure /etc/ssh/sshd_config contains:

PermitRootLogin yes

  • Restart SSH:

systemctl restart sshd

✅ Verify Passwordless Access

From the aws-client:

ssh root@<EC2_PUBLIC_IP>

🎉 If you land directly in the root shell, mission accomplished!

SSH Success


πŸ“ Key Takeaways

  • 🚀 User Data = Automation Superpower
  • 🔐 SSH permissions must be exact (700 for ~/.ssh, 600 for authorized_keys)
  • ⚠️ Root login is okay for labs; avoid it in production

🚫 Common Mistakes

  • Adding keys to the wrong user directory
  • Breaking SSH with bad sed syntax
  • Uploading private keys instead of public ones
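The following pre-flight check is an added example and not part of the original post: it verifies the 700/600 modes and the key-file contents that the user-data script relies on, rejecting pasted private keys or truncated lines, and it previews what the post's sed does to a config. It also shows the caveat behind Phase D: sshd honours the first uncommented PermitRootLogin it reads, so a sed that only edits commented lines has no effect on a host that already ships an uncommented directive. It assumes GNU stat and a POSIX shell; all inputs are constructed samples.

```shell
#!/bin/sh
# Added pre-flight checks for the landing-host -> EC2 key setup (not the post's
# own code). All inputs are constructed samples; stat -c is GNU coreutils.

# A valid authorized_keys entry: key type, base64 blob, optional comment.
# Rejects pasted private keys and truncated blobs (the "wrong file" mistake).
is_public_key_line() {
  printf '%s\n' "$1" |
    grep -Eq '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( |$)'
}
# sshd uses the FIRST uncommented PermitRootLogin it reads; default prohibit-password.
# Reads config text on stdin and prints the effective value.
effective_permit_root_login() {
  v=$(awk 'tolower($1) == "permitrootlogin" { print $2; exit }')
  printf '%s\n' "${v:-prohibit-password}"
}
# The post's sed, applied to config text on stdin, so its effect can be previewed.
apply_post_sed() {
  sed 's/^#PermitRootLogin.*/PermitRootLogin yes/'
}
# Exact-mode check: $1 = path, $2 = octal mode such as 700 or 600.
has_mode() {
  [ "$(stat -c %a "$1")" = "$2" ]
}
# Directory-level check: the post's 700/600 rule plus key-format sanity.
check_key_dir() {
  dir=$1
  has_mode "$dir" 700 || { echo "FAIL: $dir is not mode 700" >&2; return 1; }
  has_mode "$dir/authorized_keys" 600 || { echo "FAIL: authorized_keys is not mode 600" >&2; return 1; }
  while IFS= read -r line; do
    case $line in ''|'#'*) continue ;; esac
    is_public_key_line "$line" || { echo "FAIL: non-public-key line in authorized_keys" >&2; return 1; }
  done < "$dir/authorized_keys"
}
# Constructed sshd_config fragments: an Ubuntu-style default, and a host that was
# already hardened with an uncommented directive before the user data ran.
UBUNTU_DEFAULT='#PermitRootLogin prohibit-password
PasswordAuthentication no'
ALREADY_HARDENED='PermitRootLogin no
#PermitRootLogin prohibit-password'
demo() {
  t=$(mktemp -d) && mkdir -m 700 "$t/.ssh"
  printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7 root@aws-client\n' > "$t/.ssh/authorized_keys"
  chmod 600 "$t/.ssh/authorized_keys"
  check_key_dir "$t/.ssh" && echo "key dir OK"
  printf '%s\n' "$UBUNTU_DEFAULT" | apply_post_sed | effective_permit_root_login    # yes
  printf '%s\n' "$ALREADY_HARDENED" | apply_post_sed | effective_permit_root_login  # no
  rm -rf "$t"
}
demo
```

Run check_key_dir against /root/.ssh on the landing host before importing the key, and pipe the instance's /etc/ssh/sshd_config through apply_post_sed and effective_permit_root_login to see whether Phase D will be needed.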

🌟 Final Thoughts

You didn’t just launch an EC2;
you automated secure access like a real Cloud Engineer 💪

This pattern is foundational for:

  • CI/CD pipelines
  • Auto Scaling
  • Zero-touch infrastructure
