Recently I wanted to have the ability to use SSH to log in to my Amazon Lightsail instances from my work laptop. For privacy reasons, I didn’t want to put my SSH private key permanently on the laptop and I didn’t want to put the public key for my laptop on the Lightsail instances.
Since I’m very comfortable with the unix command line, I decided to put a new (password protected) private key on a flash drive so I could use that key to log in to the Linux instances.
The problem is permissions.
SSH won’t let you use a private key file with open permissions. If the key file is world readable, it will display an error and refuse to use it. There isn’t a workaround that I’ve been able to find (other than recompiling SSH from source with modifications).
This means that the most common flash drive file systems (FAT, FAT32, & exFAT) can’t be used. None of those file system formats support permissions.
I could have formatted the flash drive using the MacOS HFS format, and installed the necessary packages on my Ubuntu Laptop to support that, but I wanted to go for something more generic.
After some research, I decided to give the User Defined File system (udf) a try.
I did have to install UDF support on the Ubuntu system, but that wasn’t a big deal.
sudo apt-get install udftools
To format the flash drive on my Mac, I used this command:
sudo newfs_udf -m blk -v <label> /dev/disk<n>
Important to note, the device file (/dev/disk<n>) must be the device itself, not a partition of the device (on Mac systems a partition will be denoted with ‘s9’ after the device name where 9 is the partition number, for example /dev/disk4s1).
After the UDF file system is created on the flash drive, you must … eject the drive, physically remove the device, and re-insert it. The device will now show up on the system as “/Volumes/<label>”.
Interestingly, the owner of the mounted device is the currently logged in user.
macbook-pro:newkey david$ ls -l /Volumes/FLASHDRIVE/
total 3
-rw-------@ 1 david staff 1073 Jul 11 10:11 aws-key
I copied the new SSH private key file to the flash drive, made sure the permissions were correct, and ejected the drive.
I then inserted the drive into my Ubuntu system. It mounted correctly right away.
I was then able to log in to my Lightsail instances using the command
slogin -i /media/<my linux user id>/<flash drive label>/<private key file> ec2-user@<aws hostname>
Interestingly, when the UDF-formatted flash drive is mounted, the owner is the logged-in user, but the file has the correct permissions.
user@linux:~#: ls -l /media/user/FLASHDRIVE/
total 2
-rw-------- 1 user user 1073 Jul 11 10:11 aws-key
So far it’s been working well. I’m pleased with this little project.
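The permission problem described above can be checked before ssh ever sees the key. The shell functions below are an added example, not part of the original post: they test whether a mounted volume actually stores permission changes (FAT, FAT32 and exFAT do not) and whether the key file has no group or other permission bits, which is what OpenSSH requires of a private key owned by the caller. The function names and the probe file name are assumptions made for this example.

```shell
#!/bin/sh
# Added example: pre-flight checks for an SSH private key kept on removable media.

# Print the six group/other permission characters of a path ("------", "r--r--", ...).
# Parsing ls -ld works with both the macOS and the Linux userland.
group_other_bits() {
    ls -ld -- "$1" | cut -c5-10
}

# Succeed only if the key is a regular file with no group/other bits set.
key_perms_ok() {
    [ -f "$1" ] && [ "$(group_other_bits "$1")" = "------" ]
}

# Succeed only if the file system mounted at directory $1 stores chmod changes.
# A probe file is set to 644, then 600, and the mode is read back each time.
# On a file system without permissions the readback does not follow the chmod.
# Returns 2 if the directory is not writable (e.g. a read-only mount).
volume_keeps_perms() {
    probe="$1/.perm-probe.$$"          # hypothetical probe file name
    ( : > "$probe" ) 2>/dev/null || return 2
    chmod 644 "$probe" 2>/dev/null || :
    wide=$(group_other_bits "$probe")
    chmod 600 "$probe" 2>/dev/null || :
    tight=$(group_other_bits "$probe")
    rm -f -- "$probe"
    [ "$wide" = "r--r--" ] && [ "$tight" = "------" ]
}

# Run both checks for the key path given in $1 and explain any failure.
check_key() {
    key=$1
    dir=$(dirname "$key")
    if ! volume_keeps_perms "$dir"; then
        echo "$dir: file system does not store permissions, or is not writable" >&2
        return 1
    fi
    if ! key_perms_ok "$key"; then
        echo "$key: readable by group or others; fix with: chmod 600 \"$key\"" >&2
        return 1
    fi
    echo "$key: OK"
}

# When called with a key path, check it: sh check-key.sh /Volumes/<label>/<private key file>
if [ "$#" -gt 0 ]; then check_key "$1"; fi
```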