I have a bastion server on AWS which I connect to through the following configuration:
host bastion
Hostname <bastion_public_ip>
IdentityFile ~/.ssh/id_rsa
User ubuntu
Now, I have set up an instance where this bastion is used as a jump server. However, the instance is created with a separate key mykey.pem and not the SSH key used to connect to the bastion. Earlier, when I was using the same key, I could connect with the following config:
host test-ec2
hostname <ec2_private_ip>
IdentityFile .ssh/id_rsa
User ec2-user
ProxyCommand ssh -W %h:%p bastion
However, now when I change the identity file to ~/mykey.pem, this does not work anymore. I wonder how I can set this up to use different keys and pass that through this SSH proxy command.
Generate a public key for the key you want to use. You can do this by using tools like PuTTYgen.
Copy the public key and ssh into your jump host (using mykey.pem, the new key).
Run the following command: vi .ssh/authorized_keys. Hit "i" to edit the file and paste the public key you have copied (don't delete the existing public key in that file if you still need to access the jump host using the new pem file). Now hit escape, type :wq and hit enter to save the file.
Now exit the jump host and try to ssh again with your old key, the one you created the public key for.
Currently my .ssh/config has:
Host git-codecommit.*.amazonaws.com
User APKAS2GIPODK72AAAAAA
IdentityFile ~/.ssh/codecommit_rsa
Host github.com
User durrantm
IdentityFile ~/.ssh/id_rsa
I believe I can add an entry for a specific EC2 machine that I want to ssh into.
Is there a way to make the pem file the default for all my EC2 ssh connections (while I am using the awscli, configured for my account-user) so that I don't have to pass -i "abc.pem" for each ec2 connection?
Yes, you can if you connect to the instances via their public DNS.
Add this to your SSH config:
Host ec2-*.compute.amazonaws.com
IdentityFile abc.pem
This is identical to what you have with Host git-codecommit.*.amazonaws.com.
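An added example (not from any of the posts above) that resolves an ssh_config the way ssh does, to show why the two-key setup in the first question works and why the wildcard Host entry in the answer above applies abc.pem to every EC2 public DNS name: the first value obtained for an option wins, so block order matters, while IdentityFile lines accumulate. The sample config, addresses and key paths are constructed, and the resolver is a simplified model of OpenSSH's Host matching, not OpenSSH code.

```python
import fnmatch
# Constructed ssh_config modelled on the configs quoted above: bastion uses id_rsa,
# test-ec2 uses mykey.pem behind a ProxyCommand, and a wildcard covers EC2 public DNS.
SAMPLE_CONFIG = """
host bastion
    Hostname 203.0.113.10
    IdentityFile ~/.ssh/id_rsa
    User ubuntu
host test-ec2
    hostname 10.0.5.45
    IdentityFile ~/mykey.pem
    User ec2-user
    ProxyCommand ssh -W %h:%p bastion
Host ec2-*.compute.amazonaws.com
    IdentityFile ~/abc.pem
"""

def parse_config(text):
    """Return (patterns, {keyword: [values]}) blocks in file order; keywords are case-insensitive."""
    current = (["*"], {})          # options before the first Host line apply to every host
    blocks = [current]
    for raw in text.splitlines():
        line = raw.strip()
        parts = line.split(None, 1)
        if not line or line.startswith("#") or len(parts) != 2:
            continue
        keyword, value = parts[0].lower(), parts[1]
        if keyword == "host":
            current = (value.split(), {})
            blocks.append(current)
        else:
            current[1].setdefault(keyword, []).append(value)
    return blocks

def resolve(text, host):
    """Merge matching Host blocks as ssh does: first value wins, so earlier blocks shadow later ones."""
    opts = {}
    for patterns, values in parse_config(text):   # '!' negated patterns are not modelled
        if not any(fnmatch.fnmatchcase(host, p) for p in patterns):
            continue
        for k, v in values.items():
            if k == "identityfile":
                opts.setdefault(k, []).extend(v)   # every IdentityFile is offered, in order
            else:
                opts.setdefault(k, v[0])           # any other option: first value wins
    opts.setdefault("hostname", host)              # HostName defaults to the name given
    if "proxycommand" in opts:                     # %h / %p expand to HostName and port
        opts["proxycommand"] = opts["proxycommand"].replace("%h", opts["hostname"]).replace("%p", opts.get("port", "22"))
    return opts
```

Running resolve(SAMPLE_CONFIG, "test-ec2") yields mykey.pem and the expanded ProxyCommand, while the bastion entry keeps id_rsa, which is the separation the first question asks for.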
Yes, you can start an ssh-agent on your EC2 instance and have it load your private key. Then whenever you try and SSH to any instance that offers public key authentication, the ssh-agent will attempt to authenticate you using the loaded private key. This article describes it nicely.
eval $(ssh-agent) && ssh-add ~/.ssh/*.pem
I have my NAT and Bastion set up to log in with SSH forwarding:
ssh-add -K keyfile.pem
ssh -A ec2-user@bastionhost
ssh ec2-user@privateSubnetServer
What's the best method for handling ssh and users at this point between hosts in the private subnet?
I get:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
When trying to do it the traditional linux way. I can get to them if I use the AWS created key pairs.
I can't set up or connect to a directory service at this point.
There can be two reasons: either the key is invalid or the proxy command is not working as you expect.
Before that, set your proxy command like this:
host bastion
HostName bastion_Adress
User centos|whatever
identityFile /mykeys/ec2.pem
Now try to ssh to bastion
ssh bastion
If the above works, then the bastion is working fine and we can set the proxy command now.
host private_server
Hostname 10.0.5.45
user centos
IgnoreUnknown UseKeychain
AddKeysToAgent yes
ProxyCommand ssh bastion -W %h:%p
Now you can ssh to private server
ssh private_server
Normally these are necessary, but just in case, on a Mac this sometimes happens:
IgnoreUnknown UseKeychain
AddKeysToAgent yes
.ssh/config: "Bad configuration option: UseKeychain" on Mac OS Sierra 10.12.6
You can debug the issue using this flow
ssh to bastion
copy your private server ssh key to the bastion
ssh to private instance
If the above worked, it means the bastion ssh config is not valid.
If the above does not work, then the key is not valid.
Host bastion.ip.address
User ec2-user
IdentityFile ~/.ssh/bastionkey.pem
CheckHostIP no
Host private.subnet.ip
User ec2-user
IdentityFile ~/.ssh/bastionkey.pem
ProxyCommand ssh ec2-user@bastion.host.ip -W %h:%p
I have three ec2 instances (ec2-01, ec2-02 and ec2-03) with ubuntu installed. I have pem-key-1 associated with ec2-01 and ec2-02 and pem-key-2 associated with ec2-03.
I have set up passwordless ssh between ec2-01 and ec2-02 using the commands below and it's working.
ssh-keygen (generates key)
ssh-copy-id user@ec2-02 (copies ssh key to remote ec2)
ssh user@ec2-02 (login to remote ec2)
Next, I want to set up passwordless ssh from ec2-01/ec2-02 to ec2-03. I think I have to use ssh-keygen with pem_key_2 but don't know the correct way to do this. FYI, I am able to login to ec2-03 using the command below from ec2-01:
ssh -i pem-key-2 user@ec2-03
ssh-copy-id copies the public side of the keypair that ssh-keygen generates and drops it on ec2-02 so that the private side of the keypair (pem-key-2 based on your ssh command) is sufficient to authorize your connection (this is done by adding the public key to ~/.ssh/authorized_keys on the remote end, but ssh-copy-id took care of that detail for you).
To be able to login to ec2-03 from ec2-02 you'd have to either copy the private key from ec2-01 to ec2-03 or else just repeat the steps to generate a key pair on ec2-02 and distribute to ec2-03 the same way you did between ec2-01 and ec2-02. All else being equal I'd recommend the latter option; ideally, private keys of any kind are not transmitted over the network if it can be avoided, even over a secure connection, and it's a best practice the industry still struggles with today.
Assuming Machine A is target machine which I want to SSH into finally while Machine B is a bridge machine (bastion host). These two machines are accessible using the same PEM file.
The security group of Machine A allows SSH connections only from Machine B. So If I want to connect to Machine A, I need to connect through Machine B.
How can this be accomplished without placing the PEM file on the bastion host?
You can use ProxyCommand. I prefer defining the following in your ~/.ssh/config file.
host MachineB
HostName <MachineB-IP>
IdentityFile <Full Path of .pem file>
User username
host MachineA
HostName <MachineA-IP>
ProxyCommand ssh MachineB nc -w 120 %h %p
IdentityFile <Full Path of .pem file>
User username
Then access MachineA like:
$ ssh MachineA
To reach an EC2 instance in a private subnet via a bastion host in a public subnet, without placing your SSH private key on the bastion, you need to use SSH agent forwarding.
Specific instructions are provided here.
The following instructions are given for the ec2 instance that I'm trying to connect to:
To access your instance: Open an SSH client. (find out how to connect using PuTTY)
CHECK!
Locate your private key file (keypair.pem). The wizard automatically detects the key you used to launch the instance.
I launched Putty with a .ppk and I also still have the .pem sitting on my local machine. However, how does this help once I am in the aws Linux terminal?
It sounds to me that the .pem should now be located on the remote machine, not my local one.
Your key must not be publicly viewable for SSH to work. Use this command if needed: chmod 400 keypair.pem
This is fine once the previous step is clearer.
Connect to your instance using its Public DNS: ec2-xxxxxxxxxxxxx.eu-west-1.compute.amazonaws.com
Example: ssh -i "keypair.pem" root@ec2-xxxxxxxxxxxxx.eu-west-1.compute.amazonaws.com
I am currently typing this in (also trying ec2-user instead of root) but I get the following:
Warning: Identity file keypair.pem not accessible: No such file or directory.
Permission denied (publickey).
Please note that in most cases the username above will be correct, however please ensure that you read your AMI usage instructions to ensure that the AMI owner has not changed the default AMI username.
In case this is important, what user name are they referring to here?
I have also made sure that I can SSH into the security group from all locations.
Christopher, I am not sure if you have access to the AWS console, but if you do, then it will be easy to find out the correct user name of your EC2 machine. Click on the check mark box to pick your instance, then click Connect, and it will show you the correct user name. If it is an Amazon AMI image, it will most likely be ec2-user; other images can have root, ubuntu, bitnami, or any other user configured by the AMI creator.
Your error message "Warning: Identity file keypair.pem not accessible" indicates an issue with your private key not being accessible.
You said you converted the .pem to ppk for putty, which will enable you to SSH via putty. If you need to SSH from an EC2 machine to another EC2 machine, you will need that private key with the "pem" extension.
Think of your private key as your password, except that it's stored in a file.
ssh -i "keypair.pem" root@ec2-xxxxxxxxxxxxx.eu-west-1.compute.amazonaws.com
This command says: Log me in via SSH protocol to server xxxx.eu... using password file (Private key) "keypair.pem" that resides in the current directory.
If you do an "ls" and you don't see "keypair.pem" then that is your issue.
I hope that helps!
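An added preflight check (example code, not from the answer above) that reproduces the two failure modes the thread discusses: an IdentityFile given as a relative path that is not in the directory ssh is run from, and one that is readable by group or others, which ssh rejects until chmod 400 is applied. The temporary directories and the placeholder key file are constructed for the demo.

```python
import os
import stat
import tempfile

def check_identity_file(path, cwd=None):
    """Classify an IdentityFile the way the two errors quoted above arise.
    'missing'  -> "Identity file ... not accessible: No such file or directory"
    'too_open' -> readable or writable by group/others, which ssh refuses to use
    'ok'       -> exists and is private to its owner (chmod 400 or 600)
    A relative path is resolved against cwd, the directory ssh is run from."""
    full = os.path.expanduser(path)
    if not os.path.isabs(full):
        full = os.path.join(cwd or os.getcwd(), full)
    if not os.path.isfile(full):
        return "missing", full
    mode = stat.S_IMODE(os.stat(full).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return "too_open", full
    return "ok", full

def demo():
    """Constructed scenario: keypair.pem lives in one directory and is checked
    from another, then with loose permissions, then after chmod 400."""
    with tempfile.TemporaryDirectory() as home, tempfile.TemporaryDirectory() as other:
        key = os.path.join(home, "keypair.pem")
        with open(key, "w") as f:
            f.write("placeholder, not a real private key\n")
        os.chmod(key, 0o644)
        results = [check_identity_file("keypair.pem", cwd=other)[0],  # wrong directory
                   check_identity_file("keypair.pem", cwd=home)[0]]   # found, but too open
        os.chmod(key, 0o400)                                          # the fix from the instructions
        results.append(check_identity_file("keypair.pem", cwd=home)[0])
        return results

if __name__ == "__main__":
    print(demo())
```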