EC2 Windows - 获取管理员密码

时间:2011-04-05 17:46:35

标签: java windows passwords amazon-ec2 admin

目前,我知道从新创建的EC2 Windows实例检索管理员密码的唯一方法是通过AWS管理控制台。这很好,但我需要知道如何通过Java API实现这一点 - 我似乎无法找到关于这个主题的任何内容。此外,一旦获得,我如何使用相同的API修改密码?

4 个答案:

答案 0 :(得分:4)

EC2 API有一个调用“GetPasswordData”,您可以使用它来检索包含管理员密码的加密数据块。要解密它,你需要两件事:

首先,私钥。这是您用于实例化实例的密钥对的私有一半。复杂的是,通常亚马逊使用PEM格式的密钥(“----- BEGIN”...),但Java Crypto API需要DER格式的密钥。您可以自己进行转换 - 剥离----- BEGIN和----- END行,在中间取出文本块并对其进行base64解码。

二,加密参数。数据使用RSA加密,使用PKCS1填充 - 因此,给予JCE的神奇调用是:Cipher.getInstance("RSA/NONE/PKCS1Padding")

这是一个完整的例子(依赖于BouncyCastle,但可以修改为使用不同的加密引擎)

package uk.co.frontiertown;

import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.services.ec2.AmazonEC2Client;
import com.amazonaws.services.ec2.model.GetPasswordDataRequest;
import com.amazonaws.services.ec2.model.GetPasswordDataResult;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.util.encoders.Base64;

import javax.crypto.Cipher;
import java.nio.charset.Charset;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.Security;
import java.security.spec.PKCS8EncodedKeySpec;

public class GetEc2WindowsAdministratorPassword {

    private static final String ACCESS_KEY = "xxxxxxxxxxxxxxxxxxxx";
    private static final String SECRET_KEY = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
    private static final String PRIVATE_KEY_MATERIAL = "-----BEGIN RSA PRIVATE KEY-----\n" +
        "MIIEowIBAAKCAQEAjdD54kJ88GxkeRc96EQPL4h8c/7V2Q2QY5VUiJ+EblEdcVnADRa12qkohT4I\n" +
        // several more lines of key data
        "srz+xXTvbjIJ6RL/FDqF8lvWEvb8uSC7GeCMHTznkicwUs0WiFax2AcK3xjgtgQXMgoP\n" +
        "-----END RSA PRIVATE KEY-----\n";

    public static void main(String[] args) throws GeneralSecurityException, InterruptedException {
        Security.addProvider(new BouncyCastleProvider());
        String password = getPassword(ACCESS_KEY, SECRET_KEY, "i-XXXXXXXX", PRIVATE_KEY_MATERIAL);
        System.out.println(password);
    }

    private static String getPassword(String accessKey, String secretKey, String instanceId, String privateKeyMaterial) throws GeneralSecurityException, InterruptedException {

        // Convert the private key in PEM format to DER format, which JCE can understand
        privateKeyMaterial = privateKeyMaterial.replace("-----BEGIN RSA PRIVATE KEY-----\n", "");
        privateKeyMaterial = privateKeyMaterial.replace("-----END RSA PRIVATE KEY-----", "");
        byte[] der = Base64.decode(privateKeyMaterial);
        PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(der);
        KeyFactory keyFactory = KeyFactory.getInstance("RSA");
        PrivateKey privateKey = keyFactory.generatePrivate(keySpec);

        // Get the encrypted password data from EC2
        AWSCredentials awsCredentials = new BasicAWSCredentials(accessKey, secretKey);
        AmazonEC2Client client = new AmazonEC2Client(awsCredentials);
        GetPasswordDataRequest getPasswordDataRequest = new GetPasswordDataRequest().withInstanceId(instanceId);
        GetPasswordDataResult getPasswordDataResult = client.getPasswordData(getPasswordDataRequest);
        String passwordData = getPasswordDataResult.getPasswordData();
        while (passwordData == null || passwordData.isEmpty()) {
            System.out.println("No password data - probably not generated yet - waiting and retrying");
            Thread.sleep(10000);
            getPasswordDataResult = client.getPasswordData(getPasswordDataRequest);
            passwordData = getPasswordDataResult.getPasswordData();
        }

        // Decrypt the password
        Cipher cipher = Cipher.getInstance("RSA/NONE/PKCS1Padding");
        cipher.init(Cipher.DECRYPT_MODE, privateKey);
        byte[] cipherText = Base64.decode(passwordData);
        byte[] plainText = cipher.doFinal(cipherText);
        String password = new String(plainText, Charset.forName("ASCII"));

        return password;
    }
}

ObDisclosure:我最初在http://www.frontiertown.co.uk/2012/03/java-administrator-password-windows-ec2-instance/

的博客上回答了这个问题

答案 1 :(得分:1)

您可以创建实例,设置密码,然后将其重新转换为图像。有效地为您创建的每个实例设置默认密码。这不会更简单吗?

答案 2 :(得分:1)

看起来您正在寻找API的以下部分:GetPasswordDataRequestGetPasswordDataResult

答案 3 :(得分:0)

您还可以在该Image上创建一个具有默认用户名和密码设置的图像。然后启动具有该图像id的所有实例。所以您不需要创建和检索密码evry time ..只需启动您的实例rdp在Image中使用definde credntials启动了实例。我正在做同样的事情。它完全适合我。