Recently I went to log in to an EC2 instance and I realized that I could no longer find the private key file that I needed to connect via SSH. I looked around the Internet for recovery instructions and found some complicated pointers regarding creating a snapshot and then an AMI then using that to create a new instance. This seemed like overkill, and I couldn’t get it to work when I tried it anyways (The new instance always stalled at 1of 2 Status Checks and I couldn’t connect).
On a whim, I decided that the key file had to be somewhere on the image and that I could probably find and replace it. I was successful so I thought I would outline the steps here for others.
Warning, the following comes with a “Worked on my machine” guarantee, which basically means that you shouldn’t try this unless you understand what’s going on.
For the sake of keeping things straight, I’ll refer to the instance with the lost key as Instance A.
- Create a new instance with the same Linux build as the instance you need to access. Create a new key pair. Remember to actually save and back up the private key this time. I’ll call this new instance “Instance B”.
- Shutdown Instance A.
- Detach the root volume from Instance A. Note where it was attached, usually /dev/sda1
- Attach this volume on Instance B, note the mount point. It will probably be something like /dev/sdf. Some Linux distros will actually use /dev/xvdf instead of sdf.
- Connect via ssh to Instance B.
- Run: sudo mount /dev/xvdf /mnt (using the device that was noted when you attached)
- cd to ‘/mnt/home/ec2-user/.ssh’ (this will be ‘/mnt/home/ubunto/.ssh’ on Ubuntu builds, may be different for other distros)
- Run: ‘sudo mv ./authorized_keys ./authorized_keys.old’
- Run: ‘sudo cp ~/.ssh/authorized_keys .’ (<- This is the magic. We’re copying the Public Key from the .ssh dir of the currently logged in user to the correct location on the mounted volume.)
- ‘cd’ back to home
- Run: ‘sudo umount /mnt’
- Detach the volume from Instance B and then attach back to Instance A as /dev/sda1 (or other original mount point as noted in step 3).
- Now restart Instance A and you should be able to connect with SSH.
- After you’ve successfully connected back to Instance A, you can Terminate Instance B.
Running through sudo and doing chown and chgrp may not be necessary if your UID’s and GID’s match between Instance A and Instance B.