Replacing SSH keys on running instances

As part of your regular security practices, or in the event an employee leaves your company, you should rotate the SSH keys on your servers.

This is an easy process, but if not done correctly you can unintentionally lock yourself out of your servers.

You should start by generating a new SSH key pair, which on Ubuntu is as simple as running the ssh-keygen tool and following the prompts.

Once you have your newly created private and public keys, SSH to the server you wish to change using your old key.

Copy the contents of the new public key you created with ssh-keygen (it will be the .pub file) and put them on a new line in the ~/.ssh/authorized_keys file.

You should now have at least two entries in this file: one will be the public key for your old SSH key and one will be for your new SSH key. Save this file and disconnect from the server.

Now it's time to test your new SSH key. Connect to the server with your new key like so:

If you have added the public key correctly you should be able to log on to the server. You can now edit the authorized_keys file once more and remove the entry for the old public key you are discarding. Save the file once more, then disconnect and reconnect to ensure things are working as expected.

As a final step, try connecting to the server with your old SSH key. This should no longer work, resulting in the following message:
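The rotation procedure above, written as an added example (not code from the original post): the old key is removed from authorized_keys only after a check with the new key succeeds, so a mistake cannot lock you out. The file path and the two key lines are constructed samples, and the check command is passed in as a parameter (on a real server it would be an ssh login using the new private key).

```shell
#!/bin/sh
# Added example: rotate a public key in an authorized_keys file safely.
# Keys and paths used by callers are constructed samples, not real keys.

# Append a public key line to FILE unless it is already present, then
# make sure the file has the 0600 permissions sshd expects.
add_pubkey() {  # usage: add_pubkey FILE "ssh-ed25519 AAAA... comment"
    file=$1; key=$2
    if ! grep -qxF -- "$key" "$file" 2>/dev/null; then
        printf '%s\n' "$key" >> "$file"
    fi
    chmod 600 "$file"
}

# Remove a public key line from FILE (exact, whole-line match only).
remove_pubkey() {  # usage: remove_pubkey FILE "ssh-ed25519 AAAA... comment"
    file=$1; key=$2
    tmp=$(mktemp)
    grep -vxF -- "$key" "$file" > "$tmp" || true
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Number of key lines currently in FILE.
count_keys() { grep -c '^ssh-' "$1"; }

# Rotate OLD to NEW: add NEW, run CHECK_CMD (e.g.
#   ssh -i ~/.ssh/newkey -o BatchMode=yes user@host true
# from your workstation), and only if that succeeds remove OLD.
# On a failed check the old key is kept and the function returns 1.
rotate_key() {  # usage: rotate_key FILE OLD_KEY NEW_KEY CHECK_CMD
    file=$1; old=$2; new=$3; check=$4
    add_pubkey "$file" "$new"
    if ! sh -c "$check"; then
        echo "new key did not authenticate; keeping old key in $file" >&2
        return 1
    fi
    remove_pubkey "$file" "$old"
}
```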

Creating your own SSH key pair for use with AWS

Creating key pairs in AWS is rather easy, but for convenience and security reasons generating your own SSH keys and importing them into AWS can be a good option.

From a security standpoint, generating your own key pair means you can know 100% that the private key has never seen the light of day… or any computer other than the one you generated it on.

If you are using multiple regions in AWS, then generating your own key pair and importing it gives you another benefit: you can use the same key globally rather than having to create one per region.

On Ubuntu the process of generating a key pair is as simple as running the following command.

This will prompt you to enter a name for the key and then a passphrase, which can be left blank if you wish… I usually leave this blank because I don’t want to enter a password every time I use the key.

Once you have entered the required details you will have two files generated for you: <keyname> and <keyname>.pub, where <keyname> is the name you chose.

You can now import the .pub file into the Key Pairs section of the EC2 console, usually located here.

You can import this same public key into as many different regions as you wish, which enables you to connect to all of your servers with the same private key: much simpler than keeping track of a key for each region.

Now you are good to go: you will be able to launch new instances with your created key pair, safe in the knowledge that your private key is as secure as can possibly be.

If you want to use this newly created key on your existing instances, then check out my post on replacing SSH keys on running instances.