AWS EC2 forgot password and not able to use SSH


I have an ec2-ubuntu instance, and now I have forgotten the password for the user. Unfortunately I’ve also lost the .pem file and the .ppk file I used to use with PuTTY, and I am finding it difficult to get in. I want to upgrade some code of mine on that instance.

I’ve gone through following links giving suggestions as to what can be done.

  1. aws-gaining-ssh-access-to-an-ec2-instance-you-lost-access-to
  2. add-keypair-to-existing-ec2-instance
  3. locked-myself-out-root-account-ec2-ubuntu-instance
  4. ec2-fix-ebs-root

I have the additional constraint that the private IP address of the system should not change. One of the software packages I’m using uses the system's private IP address for its license. Currently my instance has only one volume, and it is the root volume.

Based on the links mentioned above, I need to detach my volume and attach it to another instance, make the required changes for access, and then reattach it to the original instance.
However, since the volume in my case is the root volume, I need to stop the instance and then detach it. If my understanding is correct, this can cause a change in the private IP address of the instance.

I would like to know if there is something that can be done. Or is following the steps mentioned in the links the only way, and then updating the software license on instance restart?



Note: Stop/Start of EC2 instance will change the IP address (just read that the OP needed the IP to remain unchanged).

This works for me for AWS EC2 Ubuntu 18.04.

  • generate new keypair (use putty key generator or – if in a hurry – an online generator).
  • insert the generated ssh-rsa ... public key into the script below
  • Stop instance
  • set the instance user data to this cloud init script

  • Start instance
  • test connection
  • stop instance again and delete the user data (you will probably forget to do this)

Notes and warnings

  • AWS cloud init docs
  • cloud init docs & examples
  • Spaces seem to be important in cloud init scripts, resist the urge to format, like for example inserting a space after the hash in #cloud-config
  • I fiddled with cloud-init-per once, but never got it working, just wasted a lot of time
  • You could use >> instead of > to append the key instead of overwriting the authorized_keys file. But if you botched the contents during previous attempts, you will never know why it doesn’t work.
  • You can change the script to push the key of any user, e.g. for the default EC2 ubuntu user: echo 'ssh-rsa ...' > /home/ubuntu/.ssh/authorized_keys
  • Beware of installed key rotation agents like e.g. JumpCloud, which will potentially overwrite the authorized_keys file. For JumpCloud, you could change the script to write to echo 'ssh-rsa ...' > /home/ubuntu/.ssh/authorized_keys.jcorig (JumpCloud includes the contents of that file)
  • Ubuntu has to be configured to allow SSH connections (should be the default)
  • The SSH port needs to be open (Ubuntu firewall)
  • The security group (AWS firewall) of the instance needs to allow the SSH port and your IP
  • The whole process can be automated (stop, set user data, start, connect and fix, stop, clear userdata, start). The interesting AWS command is (Java client):

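The script the answer refers to did not survive on this page. The following is an added example, not the answerer's code: a shell helper that validates a public key and renders user data of the kind the steps describe. It assumes cloud-init's `bootcmd` module, a home directory under /home and a group named after the user; the function names and the sample key are constructed for illustration.

```shell
#!/bin/sh
# Added example: render recovery user data from a locally generated public key.
# Generate the pair on your own machine so the private half never leaves it:
#   ssh-keygen -t ed25519 -f ./recovery_key
NL='
'
# Constructed placeholder, not a usable key.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyNotARealKey000000000000 recovery@example'

# Accept exactly one line of "type base64 [comment]"; this rejects private
# keys, multi-line pastes and quote characters that would break the echo.
valid_pubkey() {
  case $1 in *"$NL"*) return 1 ;; esac
  printf '%s\n' "$1" | grep -Eq \
    '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+={0,3}( [A-Za-z0-9@._-]+)?$'
}

valid_user() {
  case $1 in *"$NL"*) return 1 ;; esac
  printf '%s\n' "$1" | grep -Eq '^[a-z_][a-z0-9_-]*$'
}

# render_user_data USER PUBKEY -> cloud-config on stdout
# Assumptions: USER's home is /home/USER and USER's group is also named USER
# (both true for the default ubuntu user).
render_user_data() {
  rud_user=$1; rud_key=$2
  valid_user "$rud_user" || { echo "invalid user name" >&2; return 1; }
  valid_pubkey "$rud_key" || { echo "not a single-line OpenSSH public key" >&2; return 1; }
  rud_file=/home/$rud_user/.ssh/authorized_keys
  # First line must be exactly "#cloud-config", with no space after the hash.
  printf '%s\n' '#cloud-config' 'bootcmd:'
  # ">" overwrites, as in the answer; bootcmd runs on every boot, which is
  # why the user data has to be removed again afterwards.
  printf " - echo '%s' > %s\n" "$rud_key" "$rud_file"
  # sshd reads the file as the user, so it must be owned by that user.
  printf ' - chown %s:%s %s\n' "$rud_user" "$rud_user" "$rud_file"
  printf ' - chmod 600 %s\n' "$rud_file"
}

render_user_data ubuntu "$SAMPLE_KEY"
```

The rendered text is what goes into the instance's user data while it is stopped.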