root locked out of EC2

I was in the process of disabling root logins on an AWS EC2 instance. Right after setting PermitRootLogin no and restarting sshd, I closed the terminal by accident -- before setting up users with sudo privileges. The result is that my key to get into the instance as root does not work (sshd forbids it), and when I log into the instance using my regular user I can't gain root privileges (the root password was never set). The instance is running Ubuntu 8.10. Anyone have any idea how I can fix this?


No, don't terminate the instance, all is not lost!!

  1. boot another instance and shut down the bad instance.
  2. detach the EBS volume from the bad instance and attach it to the new instance.
  3. Mount it in the new instance (e.g., something like sudo mount /dev/xvdf1 /mnt/)
  4. chroot into it (sudo chroot /mnt) and type passwd.
  5. reset the password or make any other changes you like (vi /etc/ssh/sshd_config, for example!)
  6. Press control-D or type exit to exit the chroot.
  7. umount /mnt
  8. detach the EBS volume from your temporary instance
  9. re-attach or take a snap and create a new AMI based on that snapshot
  10. Boot the fixed box back up!

P.S. next time try Userify to manage your users' keys :)
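The repair steps above, worked through as an added shell example (this is not code from the original answer). It assumes the locked instance's root volume has been moved to a rescue instance and mounted (the answer's /dev/xvdf1 on /mnt), that the root is an Ubuntu of that era where sudoers trusts the admin group, and that the helpers run as root on the rescue instance; the instance and volume IDs, device names and the user name are placeholders the operator supplies. Rather than chrooting, the helpers edit the mounted root's files directly, which also works when the chroot itself would not (different architecture or a badly broken libc).

```shell
#!/bin/sh
# Added example, not from the original answer. Offline repair of a locked-out
# Linux root filesystem that has been moved to a rescue instance and mounted
# (e.g. at /mnt). Device names, instance and volume IDs are placeholders
# supplied by the operator; the helpers edit files under the mount point
# and never touch the rescue instance's own /etc.

set -eu

# Print the PermitRootLogin value sshd will actually use from a mounted root:
# sshd keeps the FIRST uncommented directive, and anything after the first
# Match line only applies inside that block, so stop reading there.
effective_permit_root_login() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "permitrootlogin" { found = 1; print $2; exit }
         END { if (!found) print "default" }' "$1/etc/ssh/sshd_config"
}

# Set PermitRootLogin in the mounted root's sshd_config. The new directive goes
# at the top of the file (first value wins), existing global directives are
# dropped so no stale duplicate remains, and Match blocks are left untouched.
set_permit_root_login() {
    root="$1"; value="${2:-without-password}"; cfg="$root/etc/ssh/sshd_config"
    [ -f "$cfg" ] || { echo "no sshd_config under $root" >&2; return 1; }
    awk -v v="$value" '
        BEGIN { print "PermitRootLogin " v }
        tolower($1) == "match" { in_match = 1 }
        !in_match && tolower($1) == "permitrootlogin" { next }
        { print }' "$cfg" > "$cfg.new" && mv "$cfg.new" "$cfg"
}

# Give a user sudo rights on an Ubuntu root of that era by adding it to the
# group sudoers already trusts (Ubuntu 8.10 ships "%admin ALL=(ALL) ALL";
# newer releases use "sudo"). Edits /etc/group under the mount point,
# is idempotent, and fails if the group does not exist.
add_to_group() {
    root="$1"; user="$2"; group="${3:-admin}"; grp="$root/etc/group"
    awk -F: -v OFS=: -v u="$user" -v g="$group" '
        $1 == g {
            n = split($4, m, ","); found = 0
            for (i = 1; i <= n; i++) if (m[i] == u) found = 1
            if (!found) $4 = ($4 == "" ? u : $4 "," u)
            hit = 1
        }
        { print }
        END { if (!hit) exit 1 }' "$grp" > "$grp.new" \
        && mv "$grp.new" "$grp" || { rm -f "$grp.new"; return 1; }
}

# Outline of the full rescue from the answer above, run as root on the rescue
# instance with the aws CLI configured. Arguments (all placeholders): the locked
# instance ID, this instance's ID, the locked instance's root volume ID, the
# user you can still log in as, and optionally the device the volume shows up
# as. Guarded so the helpers can be sourced and tested without touching AWS.
rescue() {
    bad="$1"; here="$2"; vol="$3"; user="$4"; dev="${5:-/dev/xvdf1}"
    aws ec2 stop-instances --instance-ids "$bad"
    aws ec2 wait instance-stopped --instance-ids "$bad"
    aws ec2 detach-volume --volume-id "$vol"
    aws ec2 wait volume-available --volume-ids "$vol"
    aws ec2 attach-volume --volume-id "$vol" --instance-id "$here" --device /dev/sdf
    aws ec2 wait volume-in-use --volume-ids "$vol"
    mount "$dev" /mnt
    set_permit_root_login /mnt without-password   # key-only root logins
    add_to_group /mnt "$user" admin               # so the user can sudo
    echo "root login policy now: $(effective_permit_root_login /mnt)"
    umount /mnt
    aws ec2 detach-volume --volume-id "$vol"
    aws ec2 wait volume-available --volume-ids "$vol"
    # /dev/sda1 is the root device name the AMI expects; check the bad
    # instance's block device mapping before relying on it.
    aws ec2 attach-volume --volume-id "$vol" --instance-id "$bad" --device /dev/sda1
    aws ec2 start-instances --instance-ids "$bad"
}

if [ "${RESCUE_RUN:-0}" = 1 ]; then rescue "$@"; fi
```

Run with RESCUE_RUN=1 and the four IDs to perform the whole procedure; without it the file only defines the helpers, so you can source it and call set_permit_root_login or add_to_group by hand on whatever mount point you used. Reading the result back with effective_permit_root_login before unmounting is the check worth doing, since a directive appended below a Match block would silently apply to the wrong users.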


Without finding a vulnerability, the only way to gain root access on a Linux machine is to boot into single user mode and reset the password. However, you don't have KVM-level access on an EC2 instance, so this is not possible.

You'll need to terminate that EC2 instance and launch another one. But disabling root logins is against the general paradigm at EC2. Amazon suggests that you provide a public-key at instance launch time and have an init script install that into /root/.ssh/authorized_keys, with sshd configured to 'PermitRootLogin without-password' to force keypair logins only. This way you can never accidentally lock yourself out of your root account (provided you don't lose your private key).

In the future, I suggest that you create a user with sudo access and then start a 'screen' session as soon as you log in so that a disconnect won't stop/break your work. After you configure and install your app, bundle, upload, and bundle your AMI so that you can launch new instances when required.


Do you have an AMI saved with whatever changes you made to your instance before you disabled root logins? If not, you will have to go back to the base AMI that you started with and create a new EC2 instance.