connecting via ssh using pem file - amazon-web-services

I have three ec2 instances (ec2-01, ec2-02 and ec2-03) with ubuntu installed. I have pem-key-1 associated with ec2-01 and ec2-02 and pem-key-2 associated with ec2-03.
I have set up passwordless ssh between ec2-01 and ec2-02 using the commands below, and it's working.
ssh-keygen (generates the key)
ssh-copy-id user@ec2-02 (copies the ssh public key to the remote ec2)
ssh user@ec2-02 (logs in to the remote ec2)
Next, I want to set up passwordless ssh from ec2-01/ec2-02 to ec2-03. I think I have to use ssh-keygen with pem_key_2 but don't know the correct way to do this. FYI, I am able to log in to ec2-03 using the command below from ec2-01:
ssh -i pem-key-2 user@ec2-03

ssh-copy-id copies the public side of the keypair that ssh-keygen generates and drops it on ec2-02, so that the private side of the keypair (pem-key-2, based on your ssh command) is sufficient to authorize your connection (this is done by adding the public key to ~/.ssh/authorized_keys on the remote end, but ssh-copy-id took care of that detail for you).
To be able to log in to ec2-03 from ec2-02 you'd have to either copy the private key from ec2-01 to ec2-03, or else just repeat the steps to generate a key pair on ec2-02 and distribute it to ec2-03 the same way you did between ec2-01 and ec2-02. All else being equal I'd recommend the latter option; ideally, private keys of any kind are not transmitted over the network if it can be avoided, even over a secure connection, and it's a best practice the industry still struggles with today.

Related

After enabling ssh-rsa in PubKeyAcceptedKeyTypes I can't use my pem key to connect to the EC2 server

I recently spun up a new EC2 instance running Ubuntu 22.04.01. I use deployhq to manage my deploys and use the ssh key they provide for it to authenticate. I was encountering an issue where it couldn't connect. It turns out that ssh-rsa was no longer supported by default. So I made the following changes to sshd_config:
PubkeyAuthentication yes
PubkeyAcceptedKeyTypes +ssh-rsa
This allowed deployhq to connect, but had the knock-on effect of no longer allowing me to authenticate using the pem key. Fortunately, I had added my public key to the authorized keys list on the server, so I was still able to connect to the server and I'm not locked out.
My question is, how can I re-enable the pem key so that it is supported again?

Different keys for the bastion and ec2 instance

I have a bastion server on AWS which I connect to through the following configuration:
host bastion
Hostname <bastion_public_ip>
IdentityFile ~/.ssh/id_rsa
User ubuntu
Now, I have set up an instance for which this bastion is used as a jump server. However, the instance is created with a separate key, mykey.pem, and not the SSH key used to connect to the bastion. Earlier, when I was using the same key, I could connect with the following config:
host test-ec2
hostname <ec2_private_ip>
IdentityFile .ssh/id_rsa
User ec2-user
ProxyCommand ssh -W %h:%p bastion
However, now when I change the identity file to ~/mykey.pem, this does not work anymore. I wonder how I can set this up to use different keys and pass that through this SSH proxy command.
Generate a public key for the key you want to use. You can do this by using tools like PuTTYgen.
Copy the public key and ssh into your jump host (using mykey.pem, the new key).
Run vi .ssh/authorized_keys, hit "i" to edit the file and paste the public key you copied (don't delete the existing public key in that file if you still need to access the jump host using the new pem file), then hit Escape, type :wq and hit Enter to save the file.
Now exit the jump host and try to ssh again with your old key, the one whose public key you created.
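The step both answers above describe by hand (the ssh-copy-id approach in the first question, the vi paste here) is appending a public key to ~/.ssh/authorized_keys on the target without clobbering the key already there. This is an added example, not code from the original posts; the key blobs in the demo are constructed samples, and the script assumes only the .pub file was copied to the target.

```shell
#!/bin/sh
# Added example (not from the original posts): install a public key into
# authorized_keys the way ssh-copy-id does it. Run it ON the target (ec2-03)
# after copying only the .pub file over; the private half never leaves the
# machine that generated the pair.
set -eu

# install_pubkey <public_key_file> [authorized_keys_path]
# Appends the key if missing, is a no-op if the same key is already present,
# and returns 1 (writing nothing) if the file is not an OpenSSH public key.
install_pubkey() {
    pub=$1
    auth=${2:-"$HOME/.ssh/authorized_keys"}
    key=$(head -n 1 "$pub")
    # a private key starts with "-----BEGIN" and must never land here
    case $key in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-nistp*\ *|sk-*\ *) ;;
        *) echo "not an OpenSSH public key: $pub" >&2; return 1 ;;
    esac
    # compare on "type blob" only, so a different trailing comment is no dup
    blob=$(printf '%s\n' "$key" | awk '{print $1" "$2}')
    mkdir -p "$(dirname "$auth")" && chmod 700 "$(dirname "$auth")"
    touch "$auth"
    if awk '{print $1" "$2}' "$auth" | grep -qxF -- "$blob"; then
        echo "already authorized: $blob" >&2
        return 0
    fi
    printf '%s\n' "$key" >> "$auth"   # append, never truncate existing keys
    chmod 600 "$auth"                  # StrictModes rejects group/world-writable files
    echo "installed: $blob" >&2
}

# Constructed demo: a sample ed25519 public key (not a real key) being added
# next to an existing ssh-rsa entry in a scratch directory.
demo_dir=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABEXAMPLE old@ec2-01\n' > "$demo_dir/authorized_keys"
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEexampleEXAMPLEexampleEXAMPLEexample0 user@ec2-02\n' > "$demo_dir/id_ed25519.pub"
install_pubkey "$demo_dir/id_ed25519.pub" "$demo_dir/authorized_keys"
install_pubkey "$demo_dir/id_ed25519.pub" "$demo_dir/authorized_keys"   # second run: no-op
wc -l "$demo_dir/authorized_keys"   # 2 lines: old key kept, new key added once
rm -rf "$demo_dir"
```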

ssh AWS ec2 bastion permission denied

When I try to connect to an EC2 in a private network through a bastion server I get this message:
<username>@<ec2-server>: Permission denied (publickey)
However, I can ssh to the bastion from my local machine, and I can ssh to the EC2 from the bastion server.
Here is the .ssh/config I'm using:
Host <ec2-servers>*
IdentityFile ~/.ssh/id_rsa
User <username>
Here is the command I use to ssh:
ssh -J <bastion-server> <ec2-server>
Note: Permissions are good (700 for ~/.ssh/ and 600 for ~/.ssh/*)
Thanks in advance for your help!
There is likely no user on the remote system called 'username'. Make sure both systems have the same username and public key.
Can you try the following configuration, using the same username for both the jump host and the instance you are trying to connect to?
Host 10.2.2.* #ec2 servers cidr range
ProxyJump jumpuser@proxy.example.com
I think specifying IdentityFile ~/.ssh/id_rsa might not be needed, as that seems to be the default key on your system.
Make sure jumpuser exists with appropriate permissions.
Just for debugging purposes, run this manually with debug options:
ssh -vvv -J username@host1:port username@host2:port
This will give plenty of information and you might be able to see where the problem is.
If you are using ssh-agent, removing all the identities and trying again might also help:
ssh-add -D
How to Access a Remote Server Using a Jump Host
How to Set Up an SSH Jump Server
Just note that RSA keys are being deprecated, and later versions of operating systems disable their use on the CLIENT, that is, the machine you ssh from. To re-enable it on the client, enter the following line in your ~/.ssh/config file:
PubkeyAcceptedKeyTypes +ssh-rsa
Note: there are security implications of doing this, so read up on the security issues of rsa if you are concerned. For instance, the following article:
https://www.thesslstore.com/blog/is-it-still-safe-to-use-rsa-encryption/
says:
....RSA encryption provides less than 99.8% security.
That sounds negligible, it’s about two in every 1,000.
But does that mean RSA is cracked? Not quite, just vulnerable..
Fixed it by adding local ssh public key in the authorized_keys of the remote ec2 instance.

Can I configure my .ssh/config file to use my aws pem file as default for all ec2 connections

Currently my .ssh/config has:
Host git-codecommit.*.amazonaws.com
User APKAS2GIPODK72AAAAAA
IdentityFile ~/.ssh/codecommit_rsa
Host github.com
User durrantm
IdentityFile ~/.ssh/id_rsa
I believe I can add an entry for a specific EC2 machine that I want to ssh into.
Is there a way to make the pem file the default for all my EC2 ssh connections (while I am using the awscli, configured for my account-user) so that I don't have to pass -i "abc.pem" for each ec2 connection?
Yes, you can if you connect to the instances via their public DNS.
Add this to your SSH config:
Host ec2-*.compute.amazonaws.com
IdentityFile abc.pem
This is identical to what you have with Host git-codecommit.*.amazonaws.com
Yes, you can start an ssh-agent on your EC2 instance and have it load your private key. Then whenever you try and SSH to any instance that offers public key authentication, the ssh-agent will attempt to authenticate you using the loaded private key. This article describes it nicely.
eval $(ssh-agent) && ssh-add ~/.ssh/*.pem
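Both answers above, and the bastion configs in the earlier questions, rely on ssh matching the destination name against Host patterns in ~/.ssh/config. The following is an added example, not code from the original posts: a small POSIX shell model of that matching, showing the first-match rule for User and the less obvious rule that IdentityFile accumulates across every matching block (so a catch-all `Host *` key is still offered after abc.pem). The sample config is constructed and reuses the page's patterns; the model ignores `!` negation, Match and Include.

```shell
#!/bin/sh
# Added example (not from the original posts): a model of how ssh chooses
# IdentityFile and User for a destination from ~/.ssh/config. Simplified: no
# '!' negation, Match or Include. For the authoritative answer run
#   ssh -G <host>     (prints the resolved configuration without connecting)
set -euf   # -f keeps "*" in Host patterns from expanding against local files
# resolve_ssh_config <config_file> <destination>
# Prints one "identityfile=<path>" per applicable key, then "user=<name>".
# ssh_config rule: for most keywords the FIRST value obtained wins, but
# IdentityFile ACCUMULATES over every matching block.
resolve_ssh_config() {
    config=$1; dest=$2; user=""
    active=1                       # lines before any Host block apply to all
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}           # drop comments
        set -- $line               # split: $1 keyword, $2.. arguments
        [ $# -ge 2 ] || continue
        kw=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); shift
        if [ "$kw" = host ]; then
            active=0
            for pat in "$@"; do
                case $dest in $pat) active=1 ;; esac
            done
            continue
        fi
        [ "$active" -eq 1 ] || continue
        case $kw in
            user)         [ -n "$user" ] || user=$1 ;;
            identityfile) printf 'identityfile=%s\n' "$1" ;;
        esac
    done < "$config"
    [ -z "$user" ] || printf 'user=%s\n' "$user"
}
# Constructed sample config reusing the Host patterns from the page.
write_sample_config() {
    cat > "$1" <<'EOF'
Host ec2-*.compute.amazonaws.com
  User ec2-user
  IdentityFile abc.pem
Host *
  User ubuntu
  IdentityFile ~/.ssh/id_rsa
EOF
}
cfg=$(mktemp); write_sample_config "$cfg"
resolve_ssh_config "$cfg" ec2-1-2-3-4.compute.amazonaws.com
resolve_ssh_config "$cfg" github.com     # matches only "Host *"
rm -f "$cfg"
```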

I lost the ability to connect with ssh from master to slaves (AWS EC2 Hadoop)

I recently lost the ability to connect my master via ssh to my slaves and secondary namenode.
I have 4 EC2 instances on which I have a hadoop cluster (one NameNode, one secondary nameNode, and 2 slaves).
I'm still able to make an ssh connection with PuTTY, but I can't make the ssh connection as follows: ssh ubuntu@instanceDns.
I have the following error:
Permission denied (publickey).
I'm sure I didn't change anything regarding the ssh connection, so I'm a little bit surprised.
Here is a screenshot of a verbose ssh connection attempt.
I noticed that I no longer have id_rsa, id_rsa-cert and the others in my .ssh directory. I guess they were there before, but I don't know how they could disappear like this.
Why is this happening?
Is there a solution to get the ssh connection between my machines working again?
You don't have any private key (that ssh would know about) to authenticate to these servers.
Locate where the private authentication key is
configure OpenSSH to use it in ~/.ssh/config
or
Convert the existing PuTTY key to OpenSSH format
configure OpenSSH to use it in ~/.ssh/config