I have a few EC2 instances.
Only one instance is accessible (ssh port 22) from the Internet.
I want to connect to the others EC2 instances in ssh through the first one.
The public key is set on all EC2 instance.
I enable the forward agent (.ssh/config) for my first instance:
Host my-first-instance
ForwardAgent yes
I thought it was enough but when I connect to the first instance and try to connect to another one (ssh my-second-instance-private-IP), I have a "permission denied". They both use the same user.
I use the same ssh key to access Github from the first instance and it works (so the ForwardAgent works as well).
I don't want to use a VPC feature.
Any idea ?
Thanks in advance.
Jeremy
I had done similar thing earlier by changing the ip-tables of the public instance so that I can connect to different private instances by connecting on different ports. Here is the link to blog that I wrote to explain the same. Hope it helps
http://cloudpages.wordpress.com/2013/08/05/ssh-to-an-instance-in-private-subnet/
Bests,
Himanshu
You are getting permission denied probably because you may not have pub keys of your jump server in your ec2 server's authorized_keys. please do the following -
ssh to the 1st ec2 instance.
generate public and private key pair using keygen.
put the content of the public key (default is .ssh/id_rsa.pub (in case you are
using rsa)) in other ec2 instance's .ssh/authorized_keys.
Now check again.
Related
I am trying to set up a bastion host in AWS in order to perform administrative options on an RDS instance in a private subnet. I am following the instructions from the official documentation (https://docs.aws.amazon.com/quickstart/latest/linux-bastion/step1.html), but there it is not clear how the bastion will know which RDS instance to connect to. How would I make sure that it can 'talk to' my intended RDS? (as far as I understand, the key pair is just something I can create anytime and enter to connect to the bastion itself, but not the RDS, or am I wrong?)
The documentation you linked uses an AWS CloudFormation stack to deploy the Bastion. I'm not sure exactly what configuration it is using, so my answer will be generic, rather than applying to this specific situation.
The normal configuration is:
A database in a private subnet
A Bastion server (EC2 instance) in a public subnet
A connection is made to the Bastion, which then allows an on-connection to the database
There are a number of ways of connecting to the database through the Bastion. Here's one that I use:
ssh -i key.pem ec2-user#BASTION-IP -L 3306:DATABASE-DNS-NAME:3306
This tells the SSH connection to forward any traffic sent to my local port 3306 (the first number), through the SSH connection, but then send it to DATABASE-DNS-NAME:3306 (the database server). Any response from the database will come back the same way.
Then, when I wish to refer to the database from my computer, I reference:
localhost:3306
It appears that the database is on my own computer, but the traffic is actually sent across SSH to the Bastion, then onto the database.
There are newer and better ways of doing this forwarding that other people might (hopefully) add as a comment or another answer, but this is the way I make my connections through a Bastion.
Fun fact: A Bastion is the bit of a castle wall that sticks out, allowing defenders to shoot arrows at attackers attempting to climb the wall. In a similar way, the Bastion Server sticks out into the Internet, beyond the protected part of the network.
I'm trying to use elastic beanstalk to deploy an application and one of the things I need to do is be able to log into the underlying ec2 instance and add dependencies. I added a key pair to the instance and put the private key file in ~/.ssh on my computer. Next I specified the key pair for the ec2 instance and it restarted and eventually the status was green
When I try to ssh into the ec2 instance I get the following error:
$ ssh ec2-user#myinstance.us-east-1.elasticbeanstalk.com
ec2-user#myinstance.us-east-1.elasticbeanstalk.com: Permission denied (publickey).
In the docs is says this could be due to an incorrect username.
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/TroubleshootingInstancesConnecting.html
Does anyone know what the default username is for ec2 instances created by elastic beanstalk?
Also if I'm doing this all wrong would appreciate some pointers there too.
1.To make sure that the there's no mistake the way you connect:
Go to EC2-> Instances
Select your instance
And press Connect
You should get the command to connect from the instructions from the Connect Popup. The correct username is mentioned there plus instructiins on how to set the correct permissions on the pem (applies to linux)
2.
Make sure that you modified the security group of the instance you're trying to connect do that it allows ssh from the ip of your pc. (This is not the case for the question, since the error is Permission denied (publickey), it means that it's not an sg issue, thx #diego)
3.
Also if you connect from a corporate network, try connecting from another network. It might be firewall issue.
4.
Last but not least make sure you ssh inside the .ssh path, or provide the correct pem path
After I created a ubuntu VM(Amazon EC2 instance), I see below entry in "view instances":
I see public dns as Public DNS: ec2-13-58-17-118.us-east-2.compute.amazonaws.com
Instance: i-08c551d9713dfcd06 (ubuntu_VM)
Security groups: sg_ubuntu. view inbound rules. view outbound rules
To connect to this Amazon EC2 instance(ubuntu VM), am using below syntax from my ubuntu laptop:
ssh -i "ubuntu_key.pem" ubuntu#ec2-13-58-17-118.us-east-2.compute.amazonaws.com
and it works, but I do not know the reason, for its working
I understand that ec2-13-58-17-118.us-east-2.compute.amazonaws.com is domain name
1) What is ubuntu in ubuntu#ec2-13-58-17-118.us-east-2.compute.amazonaws.com?
2) Why Amazon EC2 instance creation process does not ask for assigning hostname to the EC2 instance, on aws website? after sshing, I see some dynamic hostname assigned(ip-172-31-30-203) which is not good for me...
3) What is security group? amidst creation of EC2 instance...
1) ubuntu is the username of that particular ec2 instance. In this case, since your instance is using Ubuntu, then by default you get that username. If you had created an instance using Amazon Linux 2, it would of have been ec2-user. You can check more here.
If you intend to change this username, you can in fact. Just like you would in any Linux OS, except for a few extra steps you need to follow in order to connect using SSH with this new username.
2) Each time you stop and restart your Amazon EC2 instance (unless you are using an Elastic IP address), the public IPv4 address changes, and so does your public DNS name, system hostname, and shell prompt. This is found in the user guide. If you want to have a static IP, you must create an Elastic IP address, although, it has a cost.
3) The security group, is a set of rules of how to access (inbound rules) your instance and what can your server reach (outbound rules). By default, if not mistaken, in your inbound rules, you should only have your SSH connection available.
ubuntu is the username on the server
I'm not sure why this is, but you are able to change it using the command sudo hostnamectl set-hostname your-desired-hostname. You can read more in the AWS UserGuide
Security groups are firewall rules that you can use to protect your VM from the outside world. You can block access to specific ports, only allow access to specific ports from an IP address or IP range. For example, you can use it to restrict access to SSH only to your office IP address to prevent anyone else from logging into your EC2 instance.
Am following this tutorial
http://thoughtsandideas.wordpress.com/2012/05/17/monitoring-and-managing-amazon-rds-databases-using-mysql-workbench/
I am not able to Test DB Connection while creating new server instance to connect to the RDS database.
It says Bad_Authentication[allowed_types=public_key], i have a tried different .pem files and have done through a lot of forums.
I have also allowed access to my IP in the DB SecurityGroups for RDS and the Security Groups for EC2.
Please help me out. Thanks.
This worked for me. Assuming you have logged into AWS:
Go to RDS -> Databases -> Select your database
Make sure the Public Accessibility value is Yes
Check your IP address using http://checkip.amazonaws.com/. If it is not added to the Security Rule Groups, you should add it. this step is crucial
3.1. Click on the rule name. This will open up a new tab, then click in the name of the rule.
3.2. Click on Edit inbound rules
3.3. Click on Add new rule, and add a rule with the following values:
Type: MYSQL/Aurora.
Protocol: TCP (default)
Port range: 3306 (default)
Source: My IP -> This will be the IP Address you got at http://checkip.amazonaws.com/.
Fill information in MySQL Workbench
Hostname: Use the value you have for Endpoint at Connectivity and Security
Port: Use the value you have for Port at Connectivity and Security, by default it is 3306.
Username: Use the value you have for master username at Configuration
Password: Use the value you set when you created the database instance.
If you forgot the password, you can change it by clicking on Modify in your database instance)
I hope this also helps you.
In my scenario the problem was simple
I had to enable 3306 port for MYSQL in the related Security group in RDS > db instance section.
For RDS no need to use ssh. You can directly connect the RDS with MySql workbench.
Follow the following steps-
Make sure that in Security Group you should have provide access for MYSQL
Open MySQL workbench and setup New Connection.
Provide a Connection Name.
Connection Method is set to Standard (TCP/IP)
In the HostName provide your RDS end point
Port is 3306
Enter the username what you have given in the RDS.
Test Connection, and provide the password.
That's it.
For Reference GoTo This Link
If you are not using EC2 Instance to connect with RDS DB Instance then DB Instance should have public access to connect.
While launching DB Instance you need to set Publicly Accessible to yes. You will get Public IP to connect from outside network. That means outside of VPC.
You need to launch DB Instance in Public Subnet which has directly access to Internet. To check Subnet has Internet access, you need to check Route Table which was attached with the subnet. In Route table, check Internet Gateway is attached to the subnet.
You don't need to SSH into DB Instance. Though the option is not available also.
In MySQL WorkBench, click on Setup New Connection.
Give connection name. Choose Standard (TCP/IP) option. You are not trying to connect DB Instance over EC2 Instance so the option with SSH with not work out in this case. You have to provide MySQL hostname, username, password and port.
To verify connection, click on Test Connection button.
If you want to use EC2 Instance and connect DB Instance over EC2 Instance, you have to use Standard (TCP/IP) over SSH option. Check the following link
What would prevent me from connecting to a MySQL server on AWS RDS from an AWS EC2 VM?
I had the same issue. I think you need to enable inbound traffic to the VPC. Follow the below article and you'll be fine. Default VPC is not allowing users to access 3306 by default and you need to allow traffic.
RDS and MySQL Connectivity
Make sure Public accessibility should be yes.
Also, Inside security Group section, click on the security link and then add a new rule under inbound rule section which will whitelist your IP address with the below data :
Type: MYSQL/Aurora.
Protocol: TCP (default)
Port range: 3306 (default)
Source: My IP -> This will be the IP Address you got at http://checkip.amazonaws.com/.
Hope this will help to connect with AWS RDS successfully. Thanks!
Based on the details in your question, it seems that you are trying to SSH into the RDS instance. This is not supported on RDS, it only works for EC2 based MySQL servers.
You should instead connect directly to the MySQL server, on port 3306 (or the one you set manually, if this is the case) and using the username and password you created when provisioning the RDS instance. This means using the Connection Type "Standard TCP/IP" in WB.
Also, the public IP address of the machine you're using MySQL Workbench on should be allowed in the RDS security group.
Even I had the same issue, like after trying all the things out there. A thing worked is modifying the RDS database and making it publically accessible. That sorted things out.
All of the other answers are extremely helpful to debug the connection process but for me the literal fix was to not put in the password into the keychain when initializing the MySQL Connections. Instead, I pressed Test and put in the password when prompted to do so. Running on macOS Monterey V.12.3.1 with a MBP M1, 2020
I created a VM using Hyper-V on my local machine which I can RDP onto fine. I exported the VHDX to VHD and then uploaded it to AWS via the API.
This created a new EC2 instance for me but I cannot connect to it as it has no security keypair associated.
Thus I created a private AMI from the instance and re-instantiated a new EC2 instance from this AMI, setting the keypair in the process to ensure HTTP, RDP etc are permitted. The EC2 instance is running, but when I download teh RDP shortcut if fails to connect. I've tried rebooting the instance several times (as this was one of the suggested solutions on here when I searched) but it hasn't helped.
I also cannot ping any of these instances via the public DNS or private DNS.
Any idea what I'm doing wrong? I'm not even getting as far as the password prompt, its the connectivity is the problem.
Thanks
I had a similar problem - this is the tip from the AWS documentation that helped me solve it:
Verify that the route table for the subnet has a route that sends all traffic
destined outside the VPC (0.0.0.0/0) to the Internet gateway for the VPC
Additional debugging tips for this problem can be found here: Remote Desktop can't connect to the remote computer
The problem is probably the security group configuration attached to the instance. Make sure you have inbound TCP port 3389 permitted to be able to connect via RDP.
in username type:
.\Administrator
....and your decrypted password
See, this is local user. but you dont know real local hostname, that different from public DNS name.
Was helpful for me, hope for you too.
My guess for the reason you aren't getting anywhere has to do with the host certificates.
Be mindful that each computer connecting to the server via RDP needs to have an IAM user in AWS with an X.509 certificate uploaded to their account.
When importing or creating a windows AMI it is best to install and configure the EC2Config service.
The EC2 Config service does the following when you launch the instance:
At initial setup:
Sets the hostname to the private DNS name
Generates and sets a random password on the Administrator account
Initializes and formats the ephemeral disks
Generates and installs the host certificate used for Terminal
Services
Syncs the instance clock with a time server
After initial setup:
Writes the last three entries in the System event log to the Amazon
EC2 console so you can debug startup problems.
Prepares instances for bundling
Also, by default, security groups do not allow you to ping the instances. You must enable ICMP in the security group.
Hope that helps.
EDIT: Here is the link to the 64bit version of the EC2Config Installer
I also had the same problem. This is what I got from EC2.
Public DNS ec2-23-22-109-251.compute-1.amazonaws.com
User name Administrator
Password MyPassword
On the remote desktop, enter the domain and user name as
ec2-23-22-109-251\Administrator
If you paste the password is may not work, try to paste it but reenter the last 1 or 2 characters. Once you get the security certificate prompt accept/install it and your connection should open soon.
This is what worked for me:
Use your cell phone as a "hot spot" - which gives you a static IP address. That worked. Now, I'll need to contact my Internet provider to assign a static IP to my wireless router. Currently, it is spitting out DHCP IP addresses.
UPDATE:
12.7.2016
You need to go to the Security Group, select the Instance, then EDIT the RDP. If you click "MyIP" that should work for those of us working from home. If you are onsite, you may need to put in a custom CIDR.
After rebooting an EC2 instance, I found that I needed to reassociate the Elastic IP address associated with the instance. You click the button below then select the instance and private instance IP address when prompted.
RDP access worked after this step.
After patching Windows 2019 on my server, I couldn't access the instance anymore despite all my working settings didn't change. I used EC2Rescue to fix my issue
Please refer to the link below for details on how to use it: https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/troubleshoot-connect-windows-instance.html#AWSSupport-ExecuteEC2Rescue