AWS EC2 SSH with Private key to incorrect instance - amazon-web-services

I've set up a new EC2 Instance in AWS with a Private Key (downloaded and added to my ~/.ssh folder).
However, once the EC2 Instance has started, I try to ssh to that instance's "a.a.a.a" public IP using the Private Key; however, it logs me in to a different IP/instance.
Is there an ssh or private key cache of some sort I don't know about, or how come I get ssh'd into a different EC2 Instance (in a different subnet)?

Instead of guessing, do this. Once you ssh into the instance, invoke ec2metadata, which will list, among other data, the private IP and public IP (if one is assigned) of the instance.
/usr/bin/ec2metadata
~$ ec2metadata
ami-id: ami-xxxxx
...
availability-zone: us-east-1a
...
instance-id: i-8080abcd
instance-type: m3.medium
...
local-ipv4: 10.2.1.40
...
public-hostname: ec2-23-64-195-76.compute-1.amazonaws.com
public-ipv4: 23.64.195.76
...
In case you do not find ec2metadata, download it:
$ wget http://s3.amazonaws.com/ec2metadata/ec2-metadata
EC2 Instance Metadata Query Tool

I believe you have already found a solution; if not, you may consider trying the below.
On your Mac/Windows there should be a file called '/xxx/xxx/.ssh/known_hosts'. Please try to find entries for both IPs and remove those lines. (These lines are added when you try to SSH to a new instance, so there could be some conflict due to the old entries.) I had faced similar issues, did this, and it worked. Thanks
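Before removing anything, the known_hosts lines that name each IP can be listed with their key fingerprints and compared against the host key fingerprints the instance itself reported (cloud-init prints them to the EC2 system log at first boot), so a mismatch is confirmed rather than silently discarded. This is an added Python example, not code from the answer above; the known_hosts content, key blobs and salt are constructed, and the IPs are the ones shown in the ec2metadata output on this page.

```python
import base64
import hashlib
import hmac

# Constructed stand-ins for the base64 wire-format public keys kept in known_hosts
# (NOT real keys; only the matching and fingerprint logic matters here).
KEY_A = base64.b64encode(b"constructed-host-key-for-instance-A").decode()
KEY_B = base64.b64encode(b"constructed-host-key-for-instance-B").decode()

def hash_host(host, salt):
    """Hashed known_hosts form (HashKnownHosts yes): |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_matches(pattern, host):
    """Match a known_hosts host field, plain list or hashed (wildcards/[host]:port not handled)."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, _ = pattern.split("|", 3)
        return hmac.compare_digest(hash_host(host, base64.b64decode(salt_b64)), pattern)
    return host in pattern.split(",")

def fingerprint(key_b64):
    """SHA256:<unpadded base64> of the raw key blob, the form ssh-keygen -l prints and
    cloud-init writes to the instance's system log (EC2 console output) at first boot."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def find_entries(known_hosts, host):
    """(line number, key type, fingerprint) for every entry naming host, so each
    fingerprint can be compared with the instance's own before any line is removed."""
    found = []
    for lineno, line in enumerate(known_hosts.splitlines(), start=1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):  # @cert-authority / @revoked markers
            fields = fields[1:]
        if len(fields) >= 3 and host_matches(fields[0], host):
            found.append((lineno, fields[1], fingerprint(fields[2])))
    return found

# Constructed known_hosts using the IPs from the answer above: a plain and a hashed
# entry for the public IP (same key) and one entry for the other instance.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "23.64.195.76 ssh-ed25519 " + KEY_A,
    hash_host("23.64.195.76", b"0123456789abcdefghij") + " ssh-rsa " + KEY_A,
    "10.2.1.40,ec2-10-2-1-40.internal ssh-ed25519 " + KEY_B,
])
```

On a real machine `ssh-keygen -F <host> -f ~/.ssh/known_hosts` and `ssh-keygen -lf` give the same listing from the shell, including for hashed entries; the script only shows what those commands do.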

You can still get all the meta-data or user-data of the instance by making a simple HTTP request with curl/wget from inside your instance:
$ curl http://169.254.169.254/latest/meta-data/
It should return all the keys whose values you might be interested in, like the following:
ami-id
ami-launch-index
ami-manifest-path
block-device-mapping/
hostname
instance-action
instance-id
instance-type
kernel-id
local-hostname
local-ipv4
mac
metrics/
network/
placement/
profile
public-hostname
public-ipv4
public-keys/
reservation-id
security-groups
Now get only the key/data you want by specifying its name; the following will help distinguish your instance(s):
$ curl http://169.254.169.254/latest/meta-data/public-ipv4
$ curl http://169.254.169.254/latest/meta-data/local-ipv4
$ curl http://169.254.169.254/latest/meta-data/ami-id
$ curl http://169.254.169.254/latest/meta-data/public-hostname
$ curl http://169.254.169.254/latest/meta-data/local-hostname
$ curl http://169.254.169.254/latest/meta-data/mac
To know more about EC2 Metadata, you can check http://www.dowdandassociates.com/blog/content/howto-get-amazon-ec2-instance-metadata/

Related

Permission denied when connecting to EC2 instance, I have given the file permission 400, but still not working

I have created an ec2-instance on AWS. But when I'm trying to connect to it by using my .pem file, I'm getting the error message: Permission denied (publickey,gssapi-keyex,gssapi-with-mic). I have changed the permission on this file with chmod 400 myfile.pm.
This is the command I use to connect to my instance: ssh -i ec2demo.pem ec2demo@ec2-35-158-140-25.eu-central-1.compute.amazonaws.com
I also searched for the issue on the internet, and some people say I need to type chmod 600 myfile.pem. It still doesn't work. I'm using macOS Mojave and the integrated ssh client. Do I need to install the AWS-CLI to make it work? Or should it work without AWS-CLI? And is it better to use the ssh client from homebrew, or?
Thanks for help
When launching a new Amazon Linux instance on Amazon EC2, the public half of the keypair is copied to:
/users/ec2-user/.ssh/authorized_keys
You can then login to the instance using the private half of the keypair:
ssh -i key.pem ec2-user@1.2.3.4
(Or, you can use a DNS name instead of an IP address.)
It sounds like you have not logged into this instance yet, so make sure you login as ec2-user instead of ec2demo. The name of the instance does not impact the Linux user on the instance.

I have a problem connecting to AWS EC2 via SSH with .pem

I used the following command in the directory where .pem exists to use the Chrome Extension, Secure Shell.
$ sudo chmod 400 myKeyPair.pem
$ ssh-keygen -y -f myKeyPair.pem > myKeyPair.pub
$ touch myKeyPair
$ sudo cat myKeyPair.pem > myKeyPair
And it worked perfectly within the Secure Shell Extension.
And I deleted all the files and created a new key pair (with the same name). And I ssh through the MacOS terminal. However, this will result in "Permission denied (publickey)." I think .pem is a new file, but the previous command still seems to have an effect.
How can I run an existing .pem before the public key conversion and SSH connection through a single .pem?
Ah! And I have another completely different question. For example, after creating EC2 via the WordPress AMI in AWS Marketplace and writing a post, is this stored in EBS?
Thanks in advance to everyone who answers.
When a Keypair is generated, it contains a random key. Therefore, every time a keypair is generated, it is different. The actual name of a keypair is irrelevant.
So if you do the following:
Create a keypair
Launch an EC2 instance providing that keypair
Delete the keypair
then you will never be able to login to the instance because you no longer have the keypair used when the instance was launched.
What actually happens is that when an instance is launched, some code on the instance copies the public half of the keypair to the /users/ec2-user/.ssh/authorized_keys file. Then, when somebody tries to login with the private half of a keypair, Linux compares the two halves of the keypair. If they match, the user is allowed to login.

Changing ssh keypair when creating an ec2 instance with chef

I am bringing up an ec2 instance based on an in house AMI that used a different ssh key for authentication than the one I'd like to use on the instance I create using knife (in the example I call it original-pem-for-ami.pem):
knife ec2 server create -I ami-0123456 -f m2.xlarge \
--ssh-user username --groups sg-1234 \
--identity-file ~/.ssh/original-pem-for-ami.pem \
--node-name solr1 --hint ec2 -a public_ip_address \
--ssh-key name-of-key-i-want-to-use-to-login-to-new-instance
When I run this command the server comes up correctly, the correct security group is assigned etc, but I can only connect it to using:
ssh -i ~/.ssh/original-pem-for-ami.pem username@assigned-ec2-public-dns-name
Is there a way to make the new instance use the key associated with the named keypair name-of-key-i-want-to-use-to-login-to-new-instance? I thought using --ssh-key name-of-key-i-want-to-use-to-login-to-new-instance would do this.
Check which version of knife-ec2 you have. --ssh-key is correct in 0.12 but before that (0.11 and earlier) I think it was something different. Also make sure this works through the normal AWS tools, it is possible the AMI wasn't prepared correctly and uses a hardwired key.

Transferring Files between two EC2 Instances in the same region

I have 2 EC2 instances running Ubuntu 14.04 and I need to figure out how to transfer files from one to another. I read the FAQs from Amazon and it says that I can do this without incurring any additional costs if I use the private IP but I am not sure how to transfer the files using that.
Right now I use the scp protocol to do this -
scp -i ~/Path-To-Key-File/AAA.gem /path/file ec2-user@<Elastic IP>:/path/file
I tried replacing the elastic IP with private IP but it doesn't work. Am I doing something wrong here?
Actually, I figured it out ... I just needed to replace the Elastic IP with the private IP and configure the security groups properly to allow instances to communicate!
Transferring from Machine A to Machine B
I am running this code on machine A
scp -i ~/Path-To-Key-File/AAA.pem /path/file ec2-user@<Private IP of Machine B>:/path/file
For security groups, I had to allow SSH protocol over the private IP (from Machine B)!!
Assuming both of your instances are EC2 Linux instances.
Suppose you want to transfer a file from the second instance (ec2-2) to the first instance (ec2-1); the command to run on ec2-1 is:
scp -i /Path-To-Key-File-for-ec2-2/key.pem ec2-user@Elastic-IP-of-ec2-2:/path/filename your/local-path-on-ec2-1/filename
A corresponding discussion you can find here
Hope this helps!!
This question is asked about authentication with the .pem file. But accessing without auth could be helpful in some cases. Here, you will authorize another machine instead.
Say, you like to ssh or scp from machine-1 to machine-2.
In machine-1.
Check if there is a public key file (id_rsa.pub) in USER_HOME/.ssh/. If not, generate it with ssh-keygen -t rsa command.
In machine-2
Uncomment PubkeyAuthentication yes in /etc/ssh/sshd_config.
Open file USER_HOME/.ssh/authorized_keys and append contents of id_rsa.pub file from the machine-1.
Now you can copy it with scp as following:
scp username_machine1@ip_machine1:/file/to/copy /destination/path
You are done. Enjoy!!!
For detailed information please check here.
scp -i /home/centos/b1.pem centos@ip:/etc/httpd/conf/httpd.conf httpd.conf.j2
Copy data from local to EC2, and from one EC2 to another (if you are inside the source EC2):
scp -ri <key file path> <copy data file location> <Public DNS (IPv4)>:~/
Example:-
scp -ri practical.pem serverdata1.tar ubuntu@ec2-xx-xxx-xxx-xxx.ap-southeast-1.compute.amazonaws.com:~/

Get public DNS name of an EC2 instance using ec2 command line tools in bash

I have the name of an EC2 instance and want to ssh to it. How can I figure out the 'Public DNS' of the EC2 instance using the instance name?
I want to do it using bash.
aws ec2 describe-instances --instance-ids i-12abc34 --query 'Reservations[].Instances[].PublicDnsName'
Where i-12abc34 is your instance id
You can query the instance metadata service.
Using curl:
curl -s http://169.254.169.254/latest/meta-data/public-hostname
Using wget:
wget -qO - http://169.254.169.254/latest/meta-data/public-hostname
If brave, actual bash:
exec 3<> /dev/tcp/169.254.169.254/80
echo -e "GET /latest/meta-data/public-hostname HTTP/1.0\r\n\r\n" >&3
cat <&3
(The last one leaves the connection open for me, so the cat gets stuck. The headers are also present in the output.)
(This is from the instance itself and needs access to the instance - it is not the instance-name-related version. There are enough of those answers here.)
Using the EC2 API tools:
# Region is only needed if not in us-east-1
$ ec2-describe-instances --region <region> <instance id>
Using the unified AWS CLI tool:
$ aws --region <region> ec2 describe-instances --instance-ids <instance id>
I prefer the unified tool as it offers comprehensive and consistent data.
If you install the cloud-utils tool as described in this answer it's much more straightforward.
https://stackoverflow.com/a/10600619/28672
ec2-metadata --public-ipv4
> public-ipv4: 54.200.4.52
It depends on what you mean by "figure out". If you mean figuring out yourself, you cannot. The public DNS name has nothing to do with the ec2 instance name. The public DNS name is composed of public IP address, region/availability zone, type of service, aws domain name, etc. For example, ec2-xx-xxx-x-xx.us-west-2.compute.amazonaws.com. Because the public IP address is changed every time you stop and start your instance, unless you use an elastic IP address, your public DNS name will be changed.
If you mean figure out by using AWS API or CLI tool, you can. Using EC2 CLI, you should use command
ec2-describe-instances instance_id. Again, the instance has to be running and the public DNS does change after stop/start.