We currently have several Amazon EC2 instances running and we were using the same Keypair to ssh into these instances. I checked the doc and it says there's no way to replace a keypair on a running instance and AWS uses the private key as the only way to authenticate our access to the instance.
我们目前有几个Amazon EC2实例在运行,我们使用相同的Keypair来ssh到这些实例中。我检查了文档,它说没有办法替换正在运行的实例上的密钥对,AWS使用私钥作为验证我们对实例的访问权限的唯一方法。
The problem is that one of our team members (previously responsible for maintenance of these AWS instances) is leaving the company, but he has a copy of the private key on his personal computer!
问题是我们的一个团队成员(之前负责维护这些AWS实例)正在离开公司,但他的个人计算机上有一个私钥副本!
Though he may delete the private key file on his own or is not going to take advantage of it, as a serious security concern, is there any way to replace that keypair file without stopping our instances? Or is there somewhere a password or certificate that we can change to prevent ssh?
虽然他可能会自己删除私钥文件或者不会利用它,但作为一个严重的安全问题,有没有办法在不停止我们的实例的情况下替换该密钥对文件?或者是否存在我们可以更改以防止ssh的密码或证书?
Thanks!!!
1 个解决方案
#1
0
If you have a redundancy in your instances, you could just restart them one by one with a new key. But if it is not an option, I'd manually create new ssh key and install it on those instances. Then you should be able to manually disable old key and use this setup until restart.
如果您的实例中有冗余,则可以使用新密钥逐个重新启动它们。但如果它不是一个选项,我会手动创建新的ssh密钥并将其安装在这些实例上。然后您应该能够手动禁用旧密钥并使用此设置直到重新启动。
Long term you could just use hand created ssh keys for employees and have tighter control over master key.
从长远来看,您可以为员工使用手工创建的ssh密钥,并对主密钥进行更严格的控制。
#1
0
If you have a redundancy in your instances, you could just restart them one by one with a new key. But if it is not an option, I'd manually create new ssh key and install it on those instances. Then you should be able to manually disable old key and use this setup until restart.
如果您的实例中有冗余,则可以使用新密钥逐个重新启动它们。但如果它不是一个选项,我会手动创建新的ssh密钥并将其安装在这些实例上。然后您应该能够手动禁用旧密钥并使用此设置直到重新启动。
Long term you could just use hand created ssh keys for employees and have tighter control over master key.
从长远来看,您可以为员工使用手工创建的ssh密钥,并对主密钥进行更严格的控制。