AWS EC2 ssh can't be established. ECDSA key fingerprint - amazon-web-services

While creating an EC2 instance, I let AWS create the key, downloaded it to my local Mac, then ran chmod 400 my-key.pem.
At the local terminal:
ssh -i "my-key.pem" ubuntu@<public DNS>
The authenticity of host '<public DNS> (<public ip>)' can't be established.
ECDSA key fingerprint is SHA256:GO...4.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '<public DNS>,<public ip>' (ECDSA) to the list of known hosts.
ssh_packet_read: Connection closed
$ ssh -i "my-key.pem" ubuntu@<public DNS>
Welcome to Ubuntu 14.04.4 LTS (GNU/Linux 3.13.0-92-generic x86_64)
...
ubuntu@ip-<private ip>:~$ ls
ubuntu@ip-<private ip>:~$
I am confused as to what has happened. First, why could the authenticity of the host not be established? After all, I got this key from AWS when creating another instance and used the same key to connect to this instance, which, when it was created, was given the same key pair name.
When answering 'yes' to the question, what exactly did it do?
After all, the key is chmod'ed to 400, so there is no write access.
What is the high level description of what went on between the local machine ssh and AWS?
Thanks

Replace ubuntu with onetick in:
ssh -i "keyfile.pem" ubuntu@[public DNS]
to
ssh -i "keyfile.pem" onetick@[public DNS]

Related

Cannot connect to code-server in GCP - Permission denied (publickey)

I am attempting to install and access vscode in an instance of Compute Engine of GCP using the instructions on Coder.
I have also been going through their instructions on exposing code-server using SSH; however, when I try and run the command ssh -N -L 8080:127.0.0.1:8080 [user]@<instance-ip>, swapping out [user] and the ip address, I get the following:
The authenticity of host 'ip address (ip address)' can't be established.
ECDSA key fingerprint is SHA256:"hash".
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'ipaddress' (ECDSA) to the list of known hosts.
[user]@<instance-ip>: Permission denied (publickey).
Code server should be running as when trying to execute I get:
info code-server 4.9.1
info Using user-data-dir ~/.local/share/code-server
error listen EADDRINUSE: address already in use 127.0.0.1:8080
Attempting to login using http:\\127.0.0.1:80 on Firefox making sure Don’t enable HTTPS-Only Mode is on, page cannot be found.
Admittedly, I have little experience with Linux and SSH.
Any way I can troubleshoot this?
"Permission denied" states that you are not authorized to use SSH to access the remote server. You should make sure that the private key for your SSH keychain has been added to your SSH keychain and that the SSH public key for your user account has been uploaded to the server in order to resolve this issue. When running the ssh command, you can also try specifying the path to your private key file by using the -i flag. For instance:
ssh -i /path/to/private_key [user]@<instance-ip>
ssh -i /path/to/private_key -N -L 8080:127.0.0.1:8080 [user]@<instance-ip>
If the private key file is protected by a passphrase, you will also need to provide the correct passphrase and the -p flag.
Attaching a troubleshooting doc for reference.

Unable to setup ssh config remote forwarding from Local --> Bastion --> EC2

Overview
I'm trying to configure ~/.ssh/config to connect my local VSCode to a remote (EC2). I've done a lot of testing and can't understand why situation one is working and the others are failing. I'm able to get RemoteCommand to work successfully for ssh'ing into the EC2 instance after ssh'ing into the BastionHost; however, I'm unable to achieve the same with ProxyJump or ProxyCommand. VSCode doesn't list the EC2 filesystem when using the RemoteCommand example (it just gets to the BastionHost), so I'm thinking I'll need to use either ProxyJump or ProxyCommand based on most of the documentation.
I've tried to follow the instructions here exactly along with trying out different approaches from other articles to no avail.
##WORKS
Host dev-ec2
HostName 10.248.000.206
User meme1
RemoteCommand ssh 10.248.000.201
RequestTTY yes
IdentityFile ~/.ssh/mykey
##WORKS
Host bastion-dev
HostName 10.248.000.206
User meme1
IdentityFile ~/.ssh/mykey
RequestTTY yes
##FAILS (times out)
Host dev-ec2-proxycommand
HostName 10.248.000.201
User meme1
ProxyCommand ssh.exe bastion-dev -W %h:%p
##FAILS (Permission denied on public key, even though no issue in the RemoteCommand example)
Host ec2-dev-proxyjump
HostName 10.248.000.201
User meme1
ProxyJump bastion-dev
IdentityFile ~/.ssh/mykey
System Info
OS: Windows 10
Bastion OS: Linux (Amazon Linux AMI)
Disclaimer
I've been trolling StackOverflow and other forums for the past couple days to no avail, and although I've found similar questions none have provided viable answers for resolving.
I suppose the one below is failing because you are using a command from Windows at your bastion, which is Linux.
The command ssh.exe will not work on Linux. Everything that you put in ProxyCommand will run inside your bastion host, which in your case is a Linux OS.
Also make sure your instance Security Group allows connections from the bastion IP, not from your computer.
##FAILS (times out)
Host dev-ec2-proxycommand
HostName 10.248.000.201
User meme1
ProxyCommand ssh.exe bastion-dev -W %h:%p
I have the config below in my ~/.ssh/config file and it works fine for me to connect to my instance behind the bastion host.
Bastion IP: 172.31.4.238
Host IP (behind bastion): 172.31.11.98
Host 172.31.11.98
HostName 172.31.11.98
User ec2-user
ProxyCommand ssh -W %h:%p ec2-user@172.31.4.238
See it below:
$ ssh 172.31.11.98
The authenticity of host '172.31.11.98 (<no hostip for proxy command>)' can't be established.
ECDSA key fingerprint is SHA256:vy....
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '172.31.11.98' (ECDSA) to the list of known hosts.
       __|  __|_  )
       _|  (     /   Amazon Linux 2 AMI
      ___|\___|___|
https://aws.amazon.com/amazon-linux-2/
[ec2-user@ip-172-31-11-98 ~]$

Unable to connect to EC2 Linux instance in AWS. Error: Host key verification failed

I have created an EC2 Linux Instance in AWS. I used the Ubuntu Server 20.04 LTS (HVM) AMI. After creating the instance I downloaded the key pair file (.pem). I gave it the name "EC2-Key-Pair". Then I launched the instance. Then in my Kali Linux system I opened a Linux terminal where I saved the .pem file. After that I used this command:
chmod 400 EC2-Key-Pair
After running this command, I used this command:
ssh -i "EC2-Key-Pair.pem" ubuntu@ec2-13-232-252-152.ap-south-1.compute.amazonaws.com
Where ubuntu is the username and
ubuntu@ec2-13-232-252-152.ap-south-1.compute.amazonaws.com
is the Public IPv4 DNS of my instance. But when I executed this command I got this error:
Host key verification failed.
How do I fix this error? I have executed this command using sudo and without sudo, but both ways failed. When I searched the error on the internet, I found a solution saying that I can fix this error with this command:
ssh-keygen -R Hostname
Where I used my instance's public IPv4 DNS as Hostname:
ssh-keygen -R ec2-13-232-252-152.ap-south-1.compute.amazonaws.com
But it shows an error that:
Cannot stat /home/sanniddha/.ssh/known_hosts: No such file or directory
Error after executing the SSH command as root user
Error after executing the SSH command
Error after executing ssh-keygen -R Hostname
This error means that something changed in your instance since the last login, and most probably
you created the EC2 instance with no fixed IP assigned to it, so
when you start this instance, it will get a (dynamic) IP and a DNS name which will be based on that IP.
If you shut down the instance and start it again a few hours later, it might get a new IP and a new DNS name.
The trouble you are getting is because the ssh key fingerprint changed. In general, it is not a bad thing and you accept the warning, but double-check everything.
What is an SSH key fingerprint and how is it generated?
What can cause a changed ssh fingerprint
In your case, it might be because you launched an instance earlier and which has a similar DNS name that got added to ~/.ssh/known_hosts file.
xx.xx.xx.xx ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBP2oAPXOCdClEnRzlXuxKtygT3AROcruefiPi6JPdzo+=
You can clean ~/.ssh/known_hosts by issuing the following command:
ssh-keygen -R ec2-13-232-252-152.ap-south-1.compute.amazonaws.com
As the IP got recycled on the AWS side when you launched a new instance, the new instance has a different ssh fingerprint from the one you have in your ~/.ssh/known_hosts file, hence the warning.
As pointed out already, you need to open port 22 for your IP to access the instance.
If possible, use the IP address instead of the DNS name for ssh. Plus, for ssh you don't need sudo.

The authenticity of host ... can't be established when I connect to the instance. AWS EC2

I tried it and don't know why it doesn't work?
Example:
ssh -i "bruce202101.pem" ec2-user@ec2-18-218-105-7.us-east-2.compute.amazonaws.com
cmd:
D:\awskey>ssh -i "bruce202101.pem" ec2-user@ec2-18-218-105-7.us-east-2.compute.amazonaws.com
The authenticity of host 'ec2-18-218-105-7.us-east-2.compute.amazonaws.com (18.218.105.7)' can't be established.
ECDSA key fingerprint is SHA256:9N7GOCZxXLqE5+NGfIykiDDSP8G+jXwLDHHmDaiBhrc.
Are you sure you want to continue connecting (yes/no)?
This is normal the first time you connect to a remote ssh host. As a part of the ssh connection there is an identity establishment mechanism. If you do not manually add the identity of the remote host to your local config prior to connection it will prompt you the first time you connect and then save it to your local config. Assuming you are connecting to the right server and it is secure it should be safe to answer yes to the question.
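To make concrete what the "ECDSA key fingerprint is SHA256:..." value in these prompts is, and what the ~/.ssh/known_hosts lookup behind the "Host key verification failed" error in the earlier question does, here is an added Python example (my own code, not from any of the posts): it computes the OpenSSH SHA256 fingerprint of a host key blob, matches both plain and hashed (HashKnownHosts) entries, and reports the three outcomes ssh distinguishes. The host name, IP and key bytes are constructed for the example.

```python
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length prefix)."""
    return struct.pack(">I", len(data)) + data

def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: base64(SHA256(raw key blob)) with '=' padding stripped."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def hashed_host(hostname: str, salt: bytes) -> str:
    """The '|1|salt|mac' form written when HashKnownHosts is on: HMAC-SHA1 of the name."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_matches(field: str, hostname: str) -> bool:
    """Does the first known_hosts field (comma-separated list or hashed form) cover hostname?"""
    if field.startswith("|1|"):
        salt = base64.b64decode(field.split("|")[2])
        return hmac.compare_digest(field, hashed_host(hostname, salt))
    return hostname in field.split(",")

def lookup(known_hosts: str, hostname: str, keytype: str):
    """Return the stored fingerprint for hostname/keytype, or None if the host is unknown."""
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[1] == keytype and host_matches(parts[0], hostname):
            return fingerprint(base64.b64decode(parts[2]))
    return None

def verify(known_hosts: str, hostname: str, keytype: str, server_blob: bytes) -> str:
    """The three outcomes ssh reports: first-contact prompt, silent match, or changed key."""
    stored = lookup(known_hosts, hostname, keytype)
    if stored is None:
        return "new host"   # "The authenticity of host ... can't be established"
    # a mismatch is "REMOTE HOST IDENTIFICATION HAS CHANGED" / "Host key verification failed"
    return "match" if stored == fingerprint(server_blob) else "CHANGED"


# Constructed sample: a blob in ecdsa-sha2-nistp256 wire layout whose point bytes are
# filler rather than a real curve point (fingerprinting only hashes the bytes).
SAMPLE_BLOB = (ssh_string(b"ecdsa-sha2-nistp256") + ssh_string(b"nistp256")
               + ssh_string(b"\x04" + bytes(range(64))))
SAMPLE_HOST = "ec2-203-0-113-10.example.compute.amazonaws.com"   # constructed name
SAMPLE_KNOWN_HOSTS = "%s,203.0.113.10 ecdsa-sha2-nistp256 %s\n" % (
    SAMPLE_HOST, base64.b64encode(SAMPLE_BLOB).decode())
```

Because EC2 reuses public IPs and DNS names across instances, the "CHANGED" outcome is expected after a relaunch; comparing the prompted fingerprint against the instance's console output before answering yes is how to tell that case from a real man-in-the-middle.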

Connection to ec2 instance closed by remote host [duplicate]

Recently I set up a new EC2 instance. The next day I was not able to connect to my instance via ssh. I could connect and disconnect the day before; I am sure I did nothing. Here is the ssh debug info:
ssh -i webserver.pem -v ubuntu@my.elastic.ip
OpenSSH_5.9p1, OpenSSL 0.9.8r 8 Feb 2011
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: Connecting to my.elastic.ip [my.elastic.ip] port 22.
debug1: Connection established.
debug1: identity file webserver.pem type -1
debug1: identity file webserver.pem-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9p1 Debian-5ubuntu1.1
debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.9
debug1: SSH2_MSG_KEXINIT sent
Connection closed by my.elastic.ip
Is there a way to resolve this issue? Or shall I reinstall my instance again?
PS rights to my .pem are set to 600.
My problem was that the username was incorrect. On ubuntu instances it should be "ubuntu" and on amazon instances it should be "ec2-user".
Often times, you should use the default user name for the AMI that you used to launch your instance:
For Amazon Linux 2 or the Amazon Linux AMI, the user name is ec2-user.
For a CentOS AMI, the user name is centos.
For a Debian AMI, the user name is admin or root.
For a Fedora AMI, the user name is ec2-user or fedora.
For a RHEL AMI, the user name is ec2-user or root.
For a SUSE AMI, the user name is ec2-user or root.
For an Ubuntu AMI, the user name is ubuntu.
Otherwise, if ec2-user and root don't work, check with the AMI provider.
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/connection-prereqs.html#connection-prereqs-get-info-about-instance
Please check your username. If you are using an ubuntu instance, try using "ubuntu" as the username instead of "ec2-user", and vice versa.
Check your security group. Make sure that you have an outbound rule that allows traffic to return from the instance.
With the default outbound rule
type: All traffic, Protocol: All, Ports: All, Destination: 0.0.0.0/0
it will work.
(1) Please check, when you execute the ssh command, whether you are in the same folder where you put your pem key. Otherwise you should use "ssh -i /your_key_path/mykey.pem".
(2) If that doesn't help, I think you could create another key and set it on your EC2 instance through the AWS webpage. Then try again.
I had this problem and it turned out the PEM file was incorrect. You can check following the instructions in Amazon EC2 Key Pairs - Verifying Your Key Pair's Fingerprint:
If you created your key pair using AWS, you can use the OpenSSL tools to generate a fingerprint from the private key file:
$ openssl pkcs8 -in path_to_private_key -inform PEM -outform DER -topk8 -nocrypt | openssl sha1 -c
If you created your key pair using a third-party tool and uploaded the public key to AWS, you can use the OpenSSL tools to generate a fingerprint from the private key file on your local machine:
$ openssl rsa -in path_to_private_key -pubout -outform DER | openssl md5 -c
The output should match the fingerprint that's displayed in the console.
I had the same issue. It's a problem with the permissions you give to the pem private key file. Make sure you run the ssh command in the terminal with sudo (Administrative) access.
I had the same issue but I fixed it by "restarting" the EC2. Note that restarting EC2 does not change its IP address but stopping and starting it again does change it.
It was an easy fix but make sure you can bear the small downtime. In my case website stopped working suddenly.
Solved this issue by creating a new private key file/pair.
The problem arose while I wanted to reuse an existing key a few days after its creation.
Then, just use the commands provided here
I had this problem with an ubuntu vm, so:
the security groups with 22/tcp access was ok
the user name is ubuntu, ok
accessed using the pem key and
/var/log/auth.log was showing the session end in the preauth stage (not ok)
Noticed there's a missing package: ec2-instance-connect (ref: https://aws.amazon.com/premiumsupport/knowledge-center/ec2-instance-connect-troubleshooting/) (not ok)
sudo apt install ec2-instance-connect
After that, got access through instance connect
I had this problem when using EC2 instance connect. I finally could connect after downgrading my Ubuntu version from 22 to 20.