EC2 Windows - Get Administrator Password

Question

EC2 Windows - Get Administrator Password

Currently, the only way to find out the administrator password from a newly created instance of Windows EC2 is through the AWS Management Console. This is great, but I need to know how to do it using the Java API - I cannot find anything about this. Also, once you have received, how can I change the password using the same API?

Thanks,

Johnny

+4

java windows passwords amazon-ec2 admin

Johnny ray Apr 05 '11 at 17:46

source share

4 answers

Richard Downer · Answer 1 · 2012-03-14T12:59:04+0000

There is a “GetPasswordData” call in the EC2 API, which you can use to get an encrypted data block containing an administrator password. To decrypt it, you need 2 things:

The first is the private key. This is the private half of the key pair that you used to instantiate the instance. The complication is that Amazon typically uses keys in the PEM format ("----- BEGIN" ...), but the Java Crypto API requires keys in the DER format. You can do the conversion yourself - separate the lines ----- BEGIN and ----- END, take a block of text in the middle and decode it with base64.

Secondly, the encryption settings. Data is encrypted using RSA with PKCS1 extension - so the magic call to provide JCE is: Cipher.getInstance("RSA/NONE/PKCS1Padding")

Here is a complete example (which relies on BouncyCastle, but can be modified to use a different crypto engine)

 package uk.co.frontiertown; import com.amazonaws.auth.AWSCredentials; import com.amazonaws.auth.BasicAWSCredentials; import com.amazonaws.services.ec2.AmazonEC2Client; import com.amazonaws.services.ec2.model.GetPasswordDataRequest; import com.amazonaws.services.ec2.model.GetPasswordDataResult; import org.bouncycastle.jce.provider.BouncyCastleProvider; import org.bouncycastle.util.encoders.Base64; import javax.crypto.Cipher; import java.nio.charset.Charset; import java.security.GeneralSecurityException; import java.security.KeyFactory; import java.security.PrivateKey; import java.security.Security; import java.security.spec.PKCS8EncodedKeySpec; public class GetEc2WindowsAdministratorPassword { private static final String ACCESS_KEY = "xxxxxxxxxxxxxxxxxxxx"; private static final String SECRET_KEY = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; private static final String PRIVATE_KEY_MATERIAL = "-----BEGIN RSA PRIVATE KEY-----\n" + "MIIEowIBAAKCAQEAjdD54kJ88GxkeRc96EQPL4h8c/7V2Q2QY5VUiJ+EblEdcVnADRa12qkohT4I\n" + // several more lines of key data "srz+xXTvbjIJ6RL/FDqF8lvWEvb8uSC7GeCMHTznkicwUs0WiFax2AcK3xjgtgQXMgoP\n" + "-----END RSA PRIVATE KEY-----\n"; public static void main(String[] args) throws GeneralSecurityException, InterruptedException { Security.addProvider(new BouncyCastleProvider()); String password = getPassword(ACCESS_KEY, SECRET_KEY, "i-XXXXXXXX", PRIVATE_KEY_MATERIAL); System.out.println(password); } private static String getPassword(String accessKey, String secretKey, String instanceId, String privateKeyMaterial) throws GeneralSecurityException, InterruptedException { // Convert the private key in PEM format to DER format, which JCE can understand privateKeyMaterial = privateKeyMaterial.replace("-----BEGIN RSA PRIVATE KEY-----\n", ""); privateKeyMaterial = privateKeyMaterial.replace("-----END RSA PRIVATE KEY-----", ""); byte[] der = Base64.decode(privateKeyMaterial); PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(der); KeyFactory keyFactory = KeyFactory.getInstance("RSA"); PrivateKey privateKey = keyFactory.generatePrivate(keySpec); // Get the encrypted password data from EC2 AWSCredentials awsCredentials = new BasicAWSCredentials(accessKey, secretKey); AmazonEC2Client client = new AmazonEC2Client(awsCredentials); GetPasswordDataRequest getPasswordDataRequest = new GetPasswordDataRequest().withInstanceId(instanceId); GetPasswordDataResult getPasswordDataResult = client.getPasswordData(getPasswordDataRequest); String passwordData = getPasswordDataResult.getPasswordData(); while (passwordData == null || passwordData.isEmpty()) { System.out.println("No password data - probably not generated yet - waiting and retrying"); Thread.sleep(10000); getPasswordDataResult = client.getPasswordData(getPasswordDataRequest); passwordData = getPasswordDataResult.getPasswordData(); } // Decrypt the password Cipher cipher = Cipher.getInstance("RSA/NONE/PKCS1Padding"); cipher.init(Cipher.DECRYPT_MODE, privateKey); byte[] cipherText = Base64.decode(passwordData); byte[] plainText = cipher.doFinal(cipherText); String password = new String(plainText, Charset.forName("ASCII")); return password; } }

ObDisclosure: I initially answered this on my blog at http://www.frontiertown.co.uk/2012/03/java-administrator-password-windows-ec2-instance/

Spencer ruport · Answer 2 · 2011-04-05T17:50:10+0000

You can create an instance, set a password, and then turn it back into an image. Effectively set a default password for each instance you create. Wouldn't that be easier?

Ameer deen · Answer 3 · 2011-08-29T02:22:07+0000

It looks like you are looking for the following parts of the API: GetPasswordDataRequest and GetPasswordDataResult

Kafaltiya1205 · Answer 4 · 2013-10-28T05:37:04+0000

You can also create an image with a default username and password setting on this image. Then run all instances with this image id, so you do not need to create and retrieve time evree time. Just run your rdp instance which launched the instance with definde credntials in Image. I'm doing the same thing. And it works great for me.

EC2 Windows - Get Administrator Password

More articles: