Saturday, May 5, 2012

AWS (EC2) SSH public key setup

To tighten security in AWS, one common arrangement is to put up a bastion (gateway) server and allow SSH into the internal servers only by way of that bastion. (The restriction itself is actually done with Security Groups.) This post collects the settings needed for SSH between the local subnets in that arrangement. Yes, nothing new here: generate a private/public key pair on the bastion server, drop the public key onto the internal server, and you are done.

■Overview of the setup

Gateway server IP: 10.0.8.250
Web01 server IP: 10.0.8.10


■Generate the private key (id_rsa) and public key (id_rsa.pub) on the Gateway server
[ec2-user@ip-10-0-8-250 ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/ec2-user/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/ec2-user/.ssh/id_rsa.
Your public key has been saved in /home/ec2-user/.ssh/id_rsa.pub.
The key fingerprint is:
b8:2f:b5:4b:6d:5f:e4:bd:9a:f4:e2:f2:85:17:76:d1 ec2-user@ip-10-0-8-250
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|                 |
|                 |
|         .   .   |
|      . o S  o E |
|       .  +  +   |
|    .   . O O .  |
|       . *.@ =   |
|        ..+=*    |
+-----------------+
[ec2-user@ip-10-0-8-250 ~]$ ll .ssh/
total 12
-rw------- 1 ec2-user ec2-user  400 May  2 03:18 authorized_keys
-rw------- 1 ec2-user ec2-user 1743 May  2 07:28 id_rsa
-rw-r--r-- 1 ec2-user ec2-user  406 May  2 07:28 id_rsa.pub
[ec2-user@ip-10-0-8-250 ~]$ cat .ssh/id_rsa.pub
ssh-rsa AAAAAAB3NzaC1yc2EAAA(omitted)j3Nhm5RH9doQTZ/8Q== ec2-user@ip-10-0-8-250
[ec2-user@ip-10-0-8-250 ~]$
※Don't forget the key passphrase.


■Add the public key to .ssh/authorized_keys on the Web01 server
※Allow SSH in the Security Group for the initial setup only
※Sending the id_rsa.pub created on the Gateway server by FTP or the like is a hassle, so I created it via the clipboard. Hence vi.
[ec2-user@ip-10-0-8-10 ~]$ vi id_rsa.pub
[ec2-user@ip-10-0-8-10 ~]$ cat id_rsa.pub >> .ssh/authorized_keys


■Connect from the Gateway server to the Web01 server
[ec2-user@ip-10-0-8-250 ~]$ ssh 10.0.8.10
The authenticity of host '10.0.8.10 (10.0.8.10)' can't be established.
RSA key fingerprint is 25:23:55:1b:e7:34:8c:d8:c8:43:ef:31:0e:84:c8:6a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.8.10' (RSA) to the list of known hosts.
Enter passphrase for key '/home/ec2-user/.ssh/id_rsa': ← the key passphrase
Last login: Sat May  2 07:26:04 2012 from pc1.slb-unet.ocn.ne.jp

       __|  __|_  )
       _|  (     /   Amazon Linux AMI
      ___|\___|___|

See /usr/share/doc/system-release/ for latest release notes.
There are 11 security update(s) out of 22 total update(s) available
Run "sudo yum update" to apply all updates.
[ec2-user@ip-10-0-8-10 ~]$

Connection successful! -- That's all. --
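The post installs the key with a bare `cat id_rsa.pub >> .ssh/authorized_keys`. The script below is an added example, not code from the original post: it does the same step, but refuses anything that is not an OpenSSH public key line, creates `.ssh` as 0700 and `authorized_keys` as 0600 (sshd ignores keys in files that are group- or world-writable), and appends only if the key is not already present, so re-running it for the same key never leaves duplicates. The key in the demo is a constructed placeholder, and the `web01` home directory is a temporary path rather than a real server.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent installation of a
# public key into a user's authorized_keys with the permissions sshd expects.
# Assumes a POSIX sh and coreutils only; ssh itself is not needed to run it.

# install_pubkey PUBKEY_FILE HOME_DIR
#   Appends the single-line key in PUBKEY_FILE to HOME_DIR/.ssh/authorized_keys
#   unless that exact key (type + base64 blob) is already there.
#   Returns 0 on success (including "already present"), 1 on a bad key file.
install_pubkey() {
    pubkey_file=$1
    home_dir=$2
    ssh_dir="$home_dir/.ssh"
    auth_keys="$ssh_dir/authorized_keys"

    # An OpenSSH public key line starts with its key type.
    key_line=$(head -n 1 "$pubkey_file")
    case "$key_line" in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*) ;;
        *) echo "install_pubkey: $pubkey_file is not an OpenSSH public key" >&2
           return 1 ;;
    esac

    # Directory 0700, file 0600: sshd's default StrictModes rejects looser modes.
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_keys"
    chmod 600 "$auth_keys"

    # Compare on type and blob only; the trailing comment may differ per copy.
    key_blob=$(printf '%s\n' "$key_line" | awk '{print $1" "$2}')
    if grep -qF -- "$key_blob" "$auth_keys"; then
        echo "install_pubkey: key already present in $auth_keys" >&2
        return 0
    fi
    printf '%s\n' "$key_line" >> "$auth_keys"
    return 0
}

# count_keys HOME_DIR: number of lines in authorized_keys, 0 if it does not exist
count_keys() {
    f="$1/.ssh/authorized_keys"
    if [ -f "$f" ]; then wc -l < "$f" | tr -d ' '; else echo 0; fi
}

# Demo: run as "sh install_pubkey.sh demo". The key is a constructed placeholder.
if [ "${1:-}" = "demo" ]; then
    demo=$(mktemp -d)
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLEKEY ec2-user@ip-10-0-8-250\n' \
        > "$demo/id_rsa.pub"
    install_pubkey "$demo/id_rsa.pub" "$demo/web01"
    install_pubkey "$demo/id_rsa.pub" "$demo/web01"   # second run is a no-op
    echo "keys installed: $(count_keys "$demo/web01")"
    ls -la "$demo/web01/.ssh"
fi
```

On the real Web01 server the call would be `install_pubkey ~/id_rsa.pub ~` after pasting the key into `id_rsa.pub` as the post does; the only difference from the post's `cat >>` is that the modes are fixed and a second paste cannot duplicate the entry.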

Thursday, May 3, 2012

AWS ec2_api_tools installation

ec2_api_tools is a tool set for managing EC2 from the command line.
Using it requires preparing an X.509 certificate and related files, so I have put together the steps for that part.

■Environment
・Operating system: Amazon Linux or similar
・ec2_api_tools: 1.5.4.0 2012-05-01


■Create the private key
[root@tanyao-aws02 ~]# mkdir -p /opt/ec2-api-tools/X.509/user01
[root@tanyao-aws02 ~]# cd /opt/ec2-api-tools/X.509/user01
[root@tanyao-aws02 user01]# openssl genrsa -out iam.key 2048
Generating RSA private key, 2048 bit long modulus
......................................................................................+++
..........................................+++
e is 65537 (0x10001)
[root@tanyao-aws02 user01]#


■Create a CSR (Certificate Signing Request) from the private key
[root@tanyao-aws02 user01]# openssl req -new -key iam.key -out iam.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:
State or Province Name (full name) [Berkshire]:
Locality Name (eg, city) [Newbury]:
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@tanyao-aws02 user01]#
※Press Enter at every prompt without entering anything


■Create the certificate
[root@tanyao-aws02 user01]# openssl x509 -req -in iam.csr -signkey iam.key -out iam.pem
Signature ok
subject=/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd
Getting Private key
[root@tanyao-aws02 user01]# ll
total 12
-rw-r--r-- 1 root root  968 May 02 16:09 iam.csr
-rw-r--r-- 1 root root 1675 May 02 16:08 iam.key
-rw-r--r-- 1 root root 1127 May 02 16:10 iam.pem
[root@tanyao-aws02 user01]# cat iam.pem
-----BEGIN CERTIFICATE-----
MIIDFDCCAfwCCQDhPLbzkt2PyDAN6kouoroshi0BAQUFADBMMQswCQYDVQQGEwJH
QjESMBAGA1UECBMJQmVya3NoaXJlMRAwDgYDVQQHEwdOZXdidXJ5MRcwFQYDVQQK
(omitted)
MbxkzKVcxBtQf20dtHh/lEpdep5gO8PrZXTpGGb90q2fhg6wZYakDpvw0jyMxVjz
bcCVZLs6obbstrBIErhRn5qas443rjF52
-----END CERTIFICATE-----
[root@tanyao-aws02 user01]#


■Register the certificate
IAM > Users > select the user > Security Credentials > Signing Certificates
Certificate ID: NAGW***********ZTCOYEQD7GETW2VEC76


■Using the Certificate ID in the private key and certificate file names makes them easier to manage
[root@tanyao-aws02 user01]# mv iam.csr csr-NAGW***********ZTCOYEQD7GETW2VEC76.pem
[root@tanyao-aws02 user01]# mv iam.key pk-NAGW***********ZTCOYEQD7GETW2VEC76.pem
[root@tanyao-aws02 user01]# mv iam.pem cert-NAGW***********ZTCOYEQD7GETW2VEC76.pem
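The three openssl steps above, plus the rename by Certificate ID, as one non-interactive script. This is an added example and not the post's own commands: the subject is passed with `-subj` instead of answering prompts, the key is written under `umask 077` so it ends up 0600 (the listing above shows iam.key as `-rw-r--r--`, readable by every local user), the certificate is given a one-year lifetime (the post used openssl's default of 30 days), and the script checks that the certificate's modulus matches the key before renaming anything. The output directory and the Certificate ID are placeholders; the real ID comes from the IAM console as shown above.

```shell
#!/bin/sh
# Added example (not from the original post): private key -> CSR -> self-signed
# certificate, non-interactive, with the key kept owner-only and a key/cert
# match check before the files are renamed after the IAM Certificate ID.
# Assumes a POSIX sh and openssl on PATH. Directory and ID are placeholders.

# make_signing_cert OUTDIR CERT_ID
#   Creates pk-CERT_ID.pem, csr-CERT_ID.pem and cert-CERT_ID.pem in OUTDIR.
#   Returns 0 when the certificate's public key matches the private key, 1 otherwise.
make_signing_cert() {
    outdir=$1
    cert_id=$2
    mkdir -p "$outdir"
    chmod 700 "$outdir"

    # Private key, created with umask 077 so it is 0600 from the first byte.
    ( umask 077 && openssl genrsa -out "$outdir/iam.key" 2048 2>/dev/null ) || return 1

    # CSR with the subject on the command line. IAM only uses the public key in
    # the certificate, so the DN fields are cosmetic; these mirror the post's defaults.
    openssl req -new -key "$outdir/iam.key" -out "$outdir/iam.csr" \
        -subj "/C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd" 2>/dev/null || return 1

    # Self-signed certificate, valid for one year (assumption; openssl defaults to 30 days).
    openssl x509 -req -in "$outdir/iam.csr" -signkey "$outdir/iam.key" \
        -out "$outdir/iam.pem" -days 365 2>/dev/null || return 1

    # Sanity check: the RSA modulus in the certificate must equal the key's.
    key_mod=$(openssl rsa -noout -modulus -in "$outdir/iam.key" 2>/dev/null)
    cert_mod=$(openssl x509 -noout -modulus -in "$outdir/iam.pem" 2>/dev/null)
    if [ -z "$key_mod" ] || [ "$key_mod" != "$cert_mod" ]; then
        echo "make_signing_cert: certificate does not match private key" >&2
        return 1
    fi

    # Name the files after the Certificate ID, as the post does.
    mv "$outdir/iam.csr" "$outdir/csr-$cert_id.pem"
    mv "$outdir/iam.key" "$outdir/pk-$cert_id.pem"
    mv "$outdir/iam.pem" "$outdir/cert-$cert_id.pem"
    return 0
}

# file_mode FILE: the permission column as ls prints it, e.g. -rw-------
file_mode() { ls -l "$1" | cut -c1-10; }

# Demo: "sh make_signing_cert.sh demo" writes into a temporary directory.
if [ "${1:-}" = "demo" ]; then
    demo=$(mktemp -d)
    make_signing_cert "$demo" "PLACEHOLDER_CERTIFICATE_ID" && ls -l "$demo"
fi
```

The modulus comparison is the check to run whenever key and certificate are handled as separate files: a certificate that does not match the key uploaded to IAM will simply be rejected by the API later, which is much harder to diagnose.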


■Prepare the Amazon EC2 API Tools
⇒Install the JDK
[root@tanyao-aws02 ~]# yum install java-1.6.0-openjdk
[root@tanyao-aws02 ~]# java -version
java version "1.6.0_22"
OpenJDK Runtime Environment (IcedTea6 1.10.6) (rhel-1.25.1.10.6.el5_8-x86_64)
OpenJDK 64-Bit Server VM (build 20.0-b11, mixed mode)
[root@tanyao-aws02 ~]#

⇒Download the Amazon EC2 API Tools
[root@tanyao-aws02 ~]# cd /opt/installer/
[root@tanyao-aws02 installer]# wget http://s3.amazonaws.com/ec2-downloads/ec2-api-tools.zip
(omitted)
2012-05-02 19:50:38 (1.89 MB/s) - `ec2-api-tools.zip' saved [13926491/13926491]

[root@tanyao-aws02 installer]#

⇒Unzip and place the files
[root@tanyao-aws02 installer]# unzip ec2-api-tools.zip
[root@tanyao-aws02 installer]# cp -pr ec2-api-tools-1.5.4.0/* /opt/ec2-api-tools/
[root@tanyao-aws02 installer]# ll /opt/ec2-api-tools/
total 100
drwxr-xr-x 2 root root 32768 May 02 03:35 bin
drwxr-xr-x 2 root root  4096 May 02 03:35 lib
-rw-r--r-- 1 root root  4852 May 02 01:59 license.txt
-rw-r--r-- 1 root root   539 May 02 01:59 notice.txt
-rw-r--r-- 1 root root 46468 May 02 01:59 THIRDPARTYLICENSE.TXT
drwxr-xr-x 3 root root  4096 May 02 19:45 X.509
[root@tanyao-aws02 installer]#

⇒Set the environment variables
[root@tanyao-aws02 ~]# export JAVA_HOME=/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre
[root@tanyao-aws02 ~]# export EC2_HOME=/opt/ec2-api-tools
[root@tanyao-aws02 ~]# export PATH=$PATH:$EC2_HOME/bin
[root@tanyao-aws02 ~]# export EC2_PRIVATE_KEY=$EC2_HOME/X.509/user01/pk-NAGW***********ZTCOYEQD7GETW2VEC76.pem
[root@tanyao-aws02 ~]# export EC2_CERT=$EC2_HOME/X.509/user01/cert-NAGW***********ZTCOYEQD7GETW2VEC76.pem
[root@tanyao-aws02 ~]# ec2ver
1.5.4.0 2012-05-01
[root@tanyao-aws02 ~]# ec2-describe-regions
REGION  eu-west-1       ec2.eu-west-1.amazonaws.com
REGION  sa-east-1       ec2.sa-east-1.amazonaws.com
REGION  us-east-1       ec2.us-east-1.amazonaws.com
REGION  ap-northeast-1  ec2.ap-northeast-1.amazonaws.com
REGION  us-west-2       ec2.us-west-2.amazonaws.com
REGION  us-west-1       ec2.us-west-1.amazonaws.com
REGION  ap-southeast-1  ec2.ap-southeast-1.amazonaws.com
[root@tanyao-aws02 ~]#
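The `export` lines above live only in the current shell. The snippet below is an added example, not part of the post: a function suitable for a profile file that exports the same five variables, but first verifies that the Java and ec2-api-tools paths exist and that the private key is readable only by its owner, refusing to export anything otherwise (a 0644 key, as the earlier `ll` output showed for iam.key, would be readable by every account on the box). All paths and the Certificate ID are placeholders to be replaced with your own.

```shell
#!/bin/sh
# Added example (not from the original post): validate the ec2-api-tools
# file layout and key permissions before exporting the environment.
# Assumes a POSIX sh; every path below is a placeholder.

# ec2_env_check JAVA_HOME EC2_HOME PRIVATE_KEY CERT
#   Returns 0 if all four are usable and the private key is owner-only, 1 otherwise.
ec2_env_check() {
    java_home=$1; ec2_home=$2; key=$3; cert=$4
    [ -x "$java_home/bin/java" ]  || { echo "no java binary under $java_home" >&2; return 1; }
    [ -x "$ec2_home/bin/ec2ver" ] || { echo "no ec2-api-tools under $ec2_home" >&2; return 1; }
    [ -r "$key" ]  || { echo "private key $key is missing or unreadable" >&2; return 1; }
    [ -r "$cert" ] || { echo "certificate $cert is missing or unreadable" >&2; return 1; }
    # Characters 5-10 of the ls mode column are the group and other bits;
    # for a 0600 file they are all dashes.
    group_other=$(ls -l "$key" | cut -c5-10)
    if [ "$group_other" != "------" ]; then
        echo "private key $key must be mode 0600, found $(ls -l "$key" | cut -c1-10)" >&2
        return 1
    fi
    return 0
}

# ec2_env_export JAVA_HOME EC2_HOME PRIVATE_KEY CERT
#   Exports JAVA_HOME, EC2_HOME, EC2_PRIVATE_KEY, EC2_CERT and adds EC2_HOME/bin
#   to PATH once (re-sourcing a profile must not grow PATH). Returns 1 and
#   exports nothing if ec2_env_check fails.
ec2_env_export() {
    ec2_env_check "$@" || return 1
    export JAVA_HOME="$1" EC2_HOME="$2" EC2_PRIVATE_KEY="$3" EC2_CERT="$4"
    case ":$PATH:" in
        *":$2/bin:"*) ;;
        *) export PATH="$PATH:$2/bin" ;;
    esac
    return 0
}

# Usage in ~/.bash_profile (placeholders, matching the layout used in the post):
# ec2_env_export /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre \
#                /opt/ec2-api-tools \
#                /opt/ec2-api-tools/X.509/user01/pk-PLACEHOLDER_CERTIFICATE_ID.pem \
#                /opt/ec2-api-tools/X.509/user01/cert-PLACEHOLDER_CERTIFICATE_ID.pem \
#   && ec2ver
```

After sourcing, `ec2ver` and `ec2-describe-regions` behave exactly as in the session above; the difference is that a missing path or a loosely permissioned key is reported at login instead of surfacing later as an opaque API error.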