ssh AWS ec2 bastion permission denied - amazon-web-services

When I try to connect to an EC2 in a private network through a bastion server I get this message:
<username>@<ec2-server>: Permission denied (publickey)
However, I can ssh to bastion from my local machine, and I can ssh to the EC2 from the bastion server,
Here is the .ssh/config I'm using:
Host <ec2-servers>*
IdentityFile ~/.ssh/id_rsa
User <username>
Here is the command I use to ssh:
ssh -J <bastion-server> <ec2-server>
Note: Permissions are good (700 for ~/.ssh/ and 600 for ~/.ssh/*)
Thanks in advance for your help!

There is likely no user on the remote system called 'username'. Make sure both systems have the same username and public key.

Can you try the following configuration, since the username you mentioned is the same for both the jump host and the actual instance you are trying to connect to?
Host 10.2.2.* #ec2 servers cidr range
ProxyJump jumpuser@proxy.example.com
I think specifying the IdentityFile ~/.ssh/id_rsa might not be needed as that seems like the default key on your system you are using.
Make sure jumpuser exists with appropriate permissions.
Just for debugging purposes, run this manually with debug options:
ssh -vvv -J username@host1:port username@host2:port
This will give plenty of information and you might be able to see where the problem is.
If you are using ssh-agent, removing all the identities and trying again might also help:
ssh-add -D
How to Access a Remote Server Using a Jump Host
How to Set Up an SSH Jump Server
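The question states that permissions are "good" and the answer above reaches for ssh -vvv; the quickest offline check is to audit the .ssh directory the way the OpenSSH client expects it (directory 700, private keys 600 or 400, config/known_hosts/authorized_keys not group- or world-writable), because a key with loose permissions is skipped silently and the only symptom is "Permission denied (publickey)". This is an added example, not from the thread; the function names are my own and it assumes a POSIX sh with GNU or BSD stat.

```shell
#!/bin/sh
# Audit a .ssh directory for the permission problems that make OpenSSH skip a key.
# Added example (not from the thread). Assumes POSIX sh with GNU or BSD stat.

# Octal permission bits of a path: GNU stat first, BSD/macOS stat as fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# A private key file starts with a PEM or OpenSSH "BEGIN ... PRIVATE KEY" header.
is_private_key() {
    head -n 1 "$1" 2>/dev/null | grep -q 'BEGIN .*PRIVATE KEY'
}

# audit_ssh_dir DIR: print one FAIL line per problem, return 0 only if clean.
audit_ssh_dir() {
    dir=$1
    problems=0
    if [ "$(mode_of "$dir")" != "700" ]; then
        echo "FAIL: $dir should be mode 700, is $(mode_of "$dir")"
        problems=$((problems + 1))
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        m=$(mode_of "$f")
        if is_private_key "$f"; then
            case "$m" in
                600|400) ;;
                *) echo "FAIL: private key $f should be mode 600 or 400, is $m"
                   problems=$((problems + 1)) ;;
            esac
        else
            # config, known_hosts, authorized_keys, *.pub: group/world must lack the write bit
            case "$m" in
                [0-7][0145][0145]) ;;
                *) echo "FAIL: $f must not be group/world writable (mode $m)"
                   problems=$((problems + 1)) ;;
            esac
        fi
    done
    if [ "$problems" -eq 0 ]; then
        echo "OK: $dir"
        return 0
    fi
    return 1
}

# Stand-alone use: audit your own directory (exits non-zero on any finding).
audit_ssh_dir "${1:-$HOME/.ssh}"
```

Run it before reaching for -vvv; if it passes, ssh -G -F ~/.ssh/config <ec2-server> prints the effective User, IdentityFile and ProxyJump values for that host without connecting, which confirms that the Host pattern in the config actually matches the name you type.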

Just note that RSA keys are being deprecated, and later versions of operating systems disable their use on the CLIENT. That is, where you ssh from. To re-enable it on the client, in your ~/.ssh/config file, enter the following line:
PubkeyAcceptedKeyTypes +ssh-rsa
Note: there are security implications of doing this, so read up on the security issues of rsa if you are concerned. For instance, the following article:
https://www.thesslstore.com/blog/is-it-still-safe-to-use-rsa-encryption/
says:
...RSA encryption provides less than 99.8% security.
That sounds negligible, it’s about two in every 1,000.
But does that mean RSA is cracked? Not quite, just vulnerable..
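The line above re-enables ssh-rsa for every connection. What OpenSSH 8.8 disabled by default is only the SHA-1 based ssh-rsa signature scheme; an RSA key keeps working through rsa-sha2-256/512 wherever the server supports them, so the override is only needed for servers that lack those. The following is an added example, not from the thread (host names and key paths are placeholders), showing the override scoped to the one Host that needs it rather than applied globally:

```sshconfig
# Added example, not from the thread. Placeholder host names and key paths.
# Scope the legacy signature algorithm to the one host that still needs it.
Host legacy-bastion
    HostName bastion.example.com
    User ec2-user
    IdentityFile ~/.ssh/mykey.pem
    # OpenSSH 8.5+ also accepts the newer name PubkeyAcceptedAlgorithms
    PubkeyAcceptedKeyTypes +ssh-rsa

# Every other host keeps the client default (rsa-sha2-256/512, ed25519, ecdsa),
# so the same RSA key still works there without re-enabling SHA-1 signatures.
```

Putting the directive under Host * instead would silently weaken every connection the client makes, including ones to servers that negotiate the SHA-2 variants fine.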

Fixed it by adding local ssh public key in the authorized_keys of the remote ec2 instance.

Related

Cannot connect to code-server in GCP - Permission denied (publickey)

I am attempting to install and access vscode in an instance of Compute Engine on GCP using the instructions on Coder.
I have also been going through their instructions on exposing code-server using SSH; however, when I try to run the command ssh -N -L 8080:127.0.0.1:8080 [user]@<instance-ip>, swapping out [user] and the IP address, I get the following:
The authenticity of host 'ip address (ip address)' can't be established.
ECDSA key fingerprint is SHA256:"hash".
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'ipaddress' (ECDSA) to the list of known hosts.
[user]@<instance-ip>: Permission denied (publickey).
Code server should be running as when trying to execute I get:
info code-server 4.9.1
info Using user-data-dir ~/.local/share/code-server
error listen EADDRINUSE: address already in use 127.0.0.1:8080
Attempting to login using http:\\127.0.0.1:80 on Firefox making sure Don’t enable HTTPS-Only Mode is on, page cannot be found.
Admittedly, I have little experience with Linux and SSH.
Any way I can troubleshoot this?
Permission denied: states that you are not authorized to use SSH to access the remote server. You should make sure that the private key for your SSH keychain has been added to your SSH keychain and that the SSH public key for your user account has been uploaded to the server in order to resolve this issue. When running the ssh command, you can also try specifying the path to your private key file by using the -i flag. For instance:
ssh -i /path/to/private_key [user]@<instance-ip>
ssh -i /path/to/private_key -N -L 8080:127.0.0.1:8080 [user]@<instance-ip>
If the private key file is protected by a passphrase, you will also need to provide the correct passphrase and the -p flag.
Attaching a troubleshooting doc for reference.

How to replace .pem file in aws

Situation: So basically I have an EC2 instance and to log in to the EC2 instance, first I log in to the jump server and then I log in to my instance with its private IP, and all my pem files are stored inside the jump server and in the private instance (EC2 instance).
What I have done: I have edited the sshd_config file, changing "PasswordAuthentication no" to "PasswordAuthentication yes", and created a password like "xyz123"; now I am able to log in to my machine with
ssh ubuntu@ipaddress and password: xyz123
but this is not serving my open item.
What I am looking for: actually I used to share my .pem file with my team members to access the instance, and if I enable password with IP they can still log in with username and password, and if they leave my org and still have my pem file handy they can still access my instance with the pem file or password.
What is the best way to avoid this problem?
Will Active Directory or LDAP help here? If so, how?
Please help me with my queries.
The best solution now is to use AWS Systems Manager Session Manager. This requires no pem sharing. SSH access direct from the browser, I am using this and I did not find any issues. Also, entire sessions can be audited.
Otherwise, rotate your key pairs. But I am not sure if there is an AWS way to do it. Also, follow best practices by configuring security groups to open only to known IPs instead of the whole world.
Here you can convert your jump server to a SSH Bastion server. The same can be done using setting up iptables rules on this server. Below mentioned is the example of a rule which you can setup:
iptables -t nat -A PREROUTING -d xx.xx.xx.xx -p tcp --dport yyyy -j DNAT --to zz.zz.zz.zz:22
Here xx.xx.xx.xx is the private IP of the SSH bastion server. yyyy is the port which will be used for inbound access. zz.zz.zz.zz will be the private IP of the destination server. This rule simply means that you ssh into a machine using port yyyy, which will port forward the traffic to port 22 on zz.zz.zz.zz machine.
In this case you will only have to configure the SSH public key on the destination machine (zz.zz.zz.zz), and the client machine will have the private key. The command to connect from the client machine will be: ssh -i <path-to-private-key> username@BastionPublicIP -p yyyy
Below mentioned are the ports to be opened at security groups:
Bastion - Inbound - yyyy(from your IP)
Bastion - Inbound - 22(from your IP)
Destination - Inbound - 22 (from bastion machine)
I suggest you use an Amazon Linux AMI for the SSH Bastion server.
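The answers above recommend rotating key pairs and restricting access. Revocation is only possible if each person has their own key in authorized_keys instead of a copy of one shared .pem (which is also the fix the author of the first thread reached); then a departure means deleting one line rather than re-keying every instance. The following is an added POSIX shell example, not from the thread (function names and the sample keys in the test are constructed), that lists, adds and revokes keys by their comment field and copes with the option-prefixed lines (from="...", command="...") that authorized_keys allows.

```shell
#!/bin/sh
# Per-person entries in authorized_keys, so one team member's key can be revoked
# without rotating a shared .pem. Added example, not from the thread.
# Assumes each key line ends with a unique comment (e.g. the owner's e-mail).

# awk helper shared by the functions below: returns the comment of an
# authorized_keys line, skipping leading options such as from="..." or command="...".
KEY_COMMENT_AWK='
function key_comment(   i, j, c) {
    for (i = 1; i <= NF; i++)
        if ($i ~ /^(ssh-|ecdsa-|sk-)/) {
            c = ""
            for (j = i + 2; j <= NF; j++) c = c (j > i + 2 ? " " : "") $j
            return c
        }
    return ""
}'

# list_key_ids FILE: print the identifier (comment) of every active key.
list_key_ids() {
    awk "$KEY_COMMENT_AWK"'
        /^#/ || NF == 0 { next }
        { c = key_comment(); if (c != "") print c }' "$1"
}

# add_key FILE 'ssh-ed25519 AAAA... owner@example.com': append unless the
# identifier is already present, so one person never ends up with two entries.
add_key() {
    file=$1; line=$2
    id=$(printf '%s\n' "$line" | awk "$KEY_COMMENT_AWK"'{ print key_comment() }')
    if [ -z "$id" ]; then
        echo "refusing to add a key line without an identifying comment" >&2
        return 1
    fi
    if list_key_ids "$file" | grep -qx -- "$id"; then
        echo "refusing to add duplicate key for $id" >&2
        return 1
    fi
    printf '%s\n' "$line" >> "$file"
}

# revoke_key FILE ID: drop every key whose identifier is ID. The new file is
# written beside the old one and renamed over it, so sshd never reads a partial file.
revoke_key() {
    file=$1; id=$2
    tmp="$file.tmp.$$"
    awk -v id="$id" "$KEY_COMMENT_AWK"'
        /^#/ || NF == 0 { print; next }
        key_comment() != id { print }' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 600 "$tmp"
    mv "$tmp" "$file"
}
```

Typical use on the instance is revoke_key ~/.ssh/authorized_keys departed@example.com followed by list_key_ids to confirm what remains; pair it with the security-group restriction from the answer so that a leaked key from outside the allowed IP ranges is rejected before authentication is even attempted.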

Unable to connect to AWS EC2 instance (Permission denied publickey)

I am trying to connect to an EC2 instance which I recently spun up via the following SSH command from my Mac OS:
ssh -v -i ~/.ssh/mykey.pem ec2-***.us-east-2.compute.amazonaws.com
I have removed the exact DNS name as it is probably not relevant here. Before I attempted to connect, I took the following steps:
Added a rule for inbound SSH traffic (using my IP)
Created an SSH key in AWS before spinning up the instance
Placed the private key mykey.pem file in my user .ssh folder
I have read many SO questions and other documentation, which is why I was even able to put the above steps together. I am at a loss as to why I can't connect to my EC2 instance, but I am hoping someone will see a flaw in what I am doing here.
You are missing the user name:
ssh -i ~/.ssh/key.pem ec2-user@host-or-ip
Depending on the type of instance, that user name may be ec2-user (amazon linux) or ubuntu (ubuntu). Other versions may have different requirements (some older redhat instances still use root, for example), but that should cover most cases.

Cannot create an SSH tunnel to Zeppelin web display on aws, using Putty on windows

The following instructions are given for the ec2 instance that I'm trying to connect to:
To access your instance: Open an SSH client. (find out how to connect using PuTTY)
CHECK!
Locate your private key file (keypair.pem). The wizard automatically detects the key you used to launch the instance.
I launched Putty with a .ppk and I also still have the .pem sitting on my local machine. However, how does this help once I am in the aws Linux terminal?
It sounds to me that the .pem should now be located on the remote machine, not my local one.
Your key must not be publicly viewable for SSH to work. Use this command if needed: chmod 400 keypair.pem
This is fine once the previous step is clearer.
Connect to your instance using its Public DNS: ec2-xxxxxxxxxxxxx.eu-west-1.compute.amazonaws.com
Example: ssh -i "keypair.pem" root@ec2-xxxxxxxxxxxxx.eu-west-1.compute.amazonaws.com
I am currently typing this in (also trying ec2-user instead of root) but I get the following:
Warning: Identity file keypair.pem not accessible: No such file or directory.
Permission denied (publickey).
Please note that in most cases the username above will be correct, however please ensure that you read your AMI usage instructions to ensure that the AMI owner has not changed the default AMI username.
In case this is important, what user name are they referring to here?
I have also made sure that I can SSH into the security group from all locations.
Christopher, I am not sure if you have access to the AWS console, but if you do, then it will be easy to find out the correct user name of your EC2 machine. Click on the check mark box to pick your instance, then click Connect, and it will show you the correct user name. If it is an Amazon AMI image, it will most likely be ec2-user; other images can have root, ubuntu, bitnami, or any other user configured by the AMI creator.
Your error message: " Warning: Identity file keypair.pem not accessible" indicates an issue with your private key not being accessible.
You said you converted the .pem to ppk for putty, which will enable you to SSH via putty. If you need to SSH from an EC2 machine to another EC2 machine, you will need that private key with the "pem" extension.
Think of your private key as your password, except that it's stored in a file.
ssh -i "keypair.pem" root@ec2-xxxxxxxxxxxxx.eu-west-1.compute.amazonaws.com
This command says: Log me in via SSH protocol to server xxxx.eu... using password file (Private key) "keypair.pem" that resides in the current directory.
if you do an "ls" and you don't see "keypair.pem" then that is your issue.
I hope that helps!

I lost the ability to connect with ssh from master to slaves (AWS EC2 Hadoop)

I recently lost the ability to connect my master via ssh to my slaves and secondary namenode.
I have 4 EC2 instances on which I have a hadoop cluster (one NameNode, one secondary nameNode, and 2 slaves).
I'm still able to make an ssh connection with putty, but then I can't establish the ssh connection as follows: ssh ubuntu@instanceDns.
I have the following error :
Permission denied (publickey).
I'm sure I didn't change anything toward the ssh connection, so I'm a little bit surprised.
Here is a screen of a verbose tentative of a ssh connection.
I noticed that I don't have id_rsa, id_rsa-cert and the others anymore in my .ssh folder. I guess they were there before but I don't know how they could disappear like this.
Why is this happening?
Is there a solution to get the ssh connection between my machines available again?
You don't have any private key (ssh would know about) to authenticate to these servers.
Locate where the private authentication key is
Configure OpenSSH to use it in ~/.ssh/config
or
Convert the existing PuTTY key to OpenSSH format
Configure OpenSSH to use it in ~/.ssh/config