I'm trying to copy file from my local to Aws EC1 or EC2.
my detailed setup.
Created two EC2 instances.
Got .pem file (Private key) from AWS consle.
Generated private key from .pem file (step2).
Able to connect EC1 and EC2 using private key generated in step 3.
Copied .pem file in EC1 and EC2 servers, by doing that am able to copy files in between EC1 and 2 aws servers.
Now I want to copy the file from my local machine to AWS EC1 and EC2 serves.
But when am trying to do below command (using public DNS):
ssh ubuntu#ec2-18-222-170-204.us-east-2.compute.amazonaws.com
getting below error
Permission denied (publickey)
And when I do it using Private DNS:
ssh ubuntu#ip-172-31-43-162.us-east-2.compute.internal
getting below error:
ssh: Could not resolve hostname ip-172-31-43-162.us-east-2.compute.internal: Name or service not known
what should I do to fix this or make it work?
Output
OpenSSH_7.2p2 Ubuntu-4ubuntu2.8, OpenSSL 1.0.2g 1 Mar 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: resolving "ip-172-31-43-162.us-east-2.compute.internal" port 22
ssh: Could not resolve hostname ip-172-31-43-162.us-east-2.compute.internal: Name or service not known
First thing, ssh ubuntu#ip-172-31-43-162.us-east-2.compute.internal this will only work within VPC, as its private IP and your local system will never able to resolve this DNS until you connect with some VPN from that VPC.
It's not a security group issue, your instance is reachable.
You should post debugs log for ssh ubuntu#ec2-18-222-170-204.us-east-2.compute.amazonaws.com, you can get debug log using ssh -v ubuntu#ec2-18-222-170-204.us-east-2.compute.amazonaws.com
But I am sure it's not picking the pem file from right location. Two possible reason
set chmod 400 your.pem and then try to connect
specify the key in your ssh command
ssh -i path_to_key/private.pem ubuntu#ec2-18-222-170-204.us-east-2.compute.amazonaws.com
Might be possible user ubuntu not exist in that case you can try with root and AWS will return the user which can ssh to that server.
You can also get ssh command for AWS ec2 console. -> Select Instance and click connect, copy the command and try to connect.
Related
I'm trying to create the SSH connection to EC2 instance but getting the error message that the keypair file does not exist.
AWS Management Console confirms that the keypair file exists:
Making connection to EC2 instance is fine but its seems that there aren't any files:
AWS Management Console confirms that the right command to set permissions is:
chmod 400 tauno537_aws_keypair.pem
When trying to execute this, it gives the following error message:
chmod: cannot access ‘tauno537_aws_keypair.pem’: No such file or directory
When trying to create the SSH connection to EC2 instance, it gives the following error message:
ssh ec2-user#x.xxx.xxx.xxx -i tauno537_aws_keypair.pem
Warning: Identity file tauno537_aws_keypair.pem not accessible: No such file or directory.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
What I have done wrong? Is it correct that when...
Making connection to EC2 instance (PuTTY login), the private key needs to be used?
Creating SSH connection, the public key needs to be used?
What's the diference between PuTTY login and SSH connection at all? Doesn't they both mean that making the connection to the EC2 instance?
Both your errors point to the fact that the private key file is not found in the directory where you're running from/pointing the private key to
Putty is just a SSH/Telnet client, so ultimately you are using a SSH connection. When a keypair is created, the private key remains clientside and the public key is uploaded to the server
I reformatted my macbook and completely forgot to copy my ~/.ssh directory.
I tried ssh'ing into my EC2 instance
$ ssh ec2-user#xx.xxx.xxx.xx -i xxx.pem -v
OpenSSH_8.1p1, LibreSSL 2.7.3
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 47: Applying options for *
debug1: Connecting to xx.xxx.xxx.xx [xx.xxx.xxx.xx] port 22.
debug1: connect to address xx.xxx.xxx.xx port 22: Operation timed out
ssh: connect to host xx.xxx.xxx.xx port 22: Operation timed out
But I presume it's not working because my PEM file is linked to the id_rsa file on my old laptop?
I had the PEM file in my google drive.
I've tried
sudo chmod 400 xxx.pem
Update my security group to allow SSH access
to my new laptop
Any ideas how I can regain access to my EC2 insance?
I would generate a new key pair as explain here, but it requires me to have access to the instance
Update: check #jordanm comment. You have no connection to the instance, maybe there is no need to create a new one.
As far as I know there is only way to create a new one. You can keep data if you make an image of your existing instance. You may have changed external IP if your instance has no elastic IP attached.
Login to AWS Console
Create a new key pair.
Select your EC2 instance in the list, in the top-left corner select Actions -> Image and templates -> Create image. Fill the form to create an image.
Launch a new instance using the image you've created and your new key.
(optional) If everything is in place consider terminating the original instance using console.
I had created an Amazon EC2 instance and was able to SSH into it previously. Now if I try to SSH into it, I get the error as below:
ssh: connect to host [ip address] port 22: Connection timed out
I've not changed anything in the security group and NACL to which the instance and the subnet are attached respectively.
Creating another instance from the AMI of this instance doesn't seem to work either.
I tried fixing the problem by detaching the EBS volume from this instance and mounting it to a fresh instance for checking /etc/ssh/sshd_config, but there wasn't any problem there.
I've also tried commenting out stuff from the fstab as per the solution https://stackoverflow.com/a/14050894
I'm facing the same issue in around 3 instances, kindly help.
Below is the output of ssh -v
OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n 7 Dec 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to ip [ip] port 22.
debug1: connect to address ip port 22: Connection timed out
ssh: connect to host ip port 22: Connection timed out
After much struggle, I've resolved this issue by mounting the volume of the instance I was unable to SSH into with another EC2 instance created using the same key, and thereafter replacing the .ssh/authorized_keys file in the attached volume with .ssh/authorized_keys in the newly created instance. Finally, reattaching this volume to the original instance.
There wasn't any difference between the two authorized_keys files, so I can't say why did replacing the file work.
Creating a new instance with the AMI of the problematic instance using a new key should've worked which didn't for some reason unidentified as of yet.
I supposed to add the ssh key and then ssh to the AWS instance using a jumphost in 2 operations
So, first adding the key
ssh-add ~/.ssh/<key-file>.pem
Then ssh to jumphost
ssh -A ec2-user#jumphost
And then from jumphost to instance
ssh ec2-user#<private IP>
This works for one instance but does not work for another instance - cannot ssh to this instance from a jumphost.
What instance setting can prevent me to do ssh?
The output of ssh -v ec2-user#
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 58: Applying options for *
debug1: Connecting to <private ip>[<private ip>] port 22
There are different causes of this issue.
Check the security group of the ec2 instance you are connecting from the jump host / bastion if port 22 is open. If it's not open, add the rule. You can verify this if you telnet the destination server on port 22 form the jump host / bastion. command: telnet destinationip 22
if the above doesn't work, check if the ec2 instance you are connecting is in a running state with 2/2 checks passed. This will make sure that both network and operating system are functional.
if the above doesn't work, check if your Network Access List (NACLs) are allowing the inbound and outbound traffic. The default setting allows the traffic.
Make sure the the firewall is setup correctly! That is mandatory in AWS console when you setup your new instance. My guess is a wrong default was selected.
The reason was pointed by the user LogicIO. Somehow, one instance was moved to the different VPC and therefore the jumphost (bastion) and the instance appeared on the different VPC's, so connection stopped working. I needed a different jumphost.
I understand that it is not recommended to ask multiple question in a single post but they are all tightly coupled hence asking them under one post.
I was trying to SSH to a private EC2 instance in a VPC from the internet using Bastion host. I came across 2 approaches.
NOTE When I launched my private EC2 instance and Bastion host I chose different Keys.(In both the approaches I saw the authors used same Keys for EC2 and the Bastion)
Approach 1: Configuring SSH ProxyCommand as illustrated in https://www.youtube.com/watch?v=EpFAHis4O4g
Approach 2: ssh-agent command with ssh -A option https://aws.amazon.com/blogs/security/securely-connect-to-linux-instances-running-in-a-private-amazon-vpc/
Question 1: In approach 2, I did
ssh-add ~/Downloads/Ec2.pem
ssh-add ~/Downloads/BastionKey.pem
Is my approach of adding both the keys to the ssh-agent correct? This way I was able ssh into Bastion as a first step and then as a second step I had to explicitly ssh into private EC2.
Question 2: Approach 1 is against the idea of (Approach 2) 2 step ssh process but proposes ProxyCommand so that end user should be able to directly ssh into the private EC2 in a single step. This way a system admin of Bastion host will not have control of ssh-ing to individual EC2 instances.In fact the author demonstrates that if you ssh into Bastion host (it will succeed) and then ssh to EC2 it fails. Is my understanding correct here?
Question 3: Approach 1 is not working for me. I used the same structure for ~/.ssh/config but with different Key file paths. I am unable to ssh to my private EC2 directly. I even tried the 2 step process but I can only login into Bastion host, I cannot ssh to EC2. All my Security groups, ACL, Internet gateway, NAT gateway and VPC settings are fine, otherwise Approach 2 wouldn't have worked. What could I be doing wrong?
cat ~/.ssh/config
HOST bastion
Hostname ec2-5x-xx-xx-xx.compute-1.amazonaws.com
User ec2-user
IdentityFile /Users/myname/Downloads/BastionKey.pem
HOST *.ec2.internal
User ec2-user
IdentityFile /Users/myname/Downloads/Ec2.pem
ProxyCommand ssh -q -W %h:%p bastion
Question 4: Which is the recommend approach among 1 & 2 and what additional steps must be followed when different keys are chosen for Bastion and EC2?
Error output:
ssh -v ip-10-0-1-12.ec2.internal
OpenSSH_7.8p1, LibreSSL 2.6.2
debug1: Reading configuration data /Users/myname/.ssh/config
debug1: /Users/myname/.ssh/config line 6: Applying options for *.ec2.internal
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 48: Applying options for *
debug1: Executing proxy command: exec ssh -q -W ip-10-0-1-12.ec2.internal:22 bastion
debug1: identity file /Users/myname/Downloads/Ec2.pem type -1
debug1: identity file /Users/myname/Downloads/Ec2.pem-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.8
/bin/false: No such file or directory
ssh_exchange_identification: Connection closed by remote host
HOST bastion
Hostname ec2-example-ip.compute-1.amazonaws.com
User ec2-user
IdentityFile /Users/myname/Downloads/BastionKey.pem
HOST *.ec2.internal
User ec2-user
IdentityFile /Users/myname/Downloads/Ec2/Ec2.pem
ProxyCommand ssh -q -W %h:%p bastion
Try using the bastions public DNS name in your ssh config, also use the internal ec2 DNS name for the one behind the VPC. (AWS DNS is sketchy at best sometimes)
Note: *.ec2.internal assums you will use the same ssh key for each ec2 you need to access proxying through your bastion. If this is not the case replace *.ec2.internal with whatever-internal-ip.ec2.internal and add an entry for each individual ec2.
Hope this can fix your issue.