
I have an EC2 Linux server which has a public IP in subnet a; besides that, I've made another EC2 server in subnet b, which has a private IP. Both servers are in the same VPC. I want to ssh to the private server from the public server. The SSH port is open in the security group setup of the servers. But I got permission denied (Public IP):

[ec2-user@ip-10-0-10-62 ~]$ ssh ec2-user@10.0.20.71
The authenticity of host '10.0.20.71 (10.0.20.71)' can't be established.
RSA key fingerprint is 11:19:79:39:a3:04:d2:23:5e:af:9e:c6:98:9c:7b:bd.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.20.71' (RSA) to the list of known hosts.
Permission denied (publickey).

I believe I need to add the public key of the private server into the public server somehow. But I don't know the proper way to do it, or whether I'm missing some other setup.

I've googled but couldn't find a straightforward way to fix this.

Updated:

If I use the agent approach, then only from my PC can I ssh to the private server, and if there are more users who need to ssh to the private server, they all need to do agent forwarding, so I'm not sure that's the best way for this case. What if I use a key when I want to connect to the public server, then ssh to the private server without using a key? Like:

ssh ec2-user@10.0.20.71

One answer: the default key location can be used (IdentityFile).

Setting the default ssh key location


4 Answers


You should have assigned a public key to the second instance. You should have also downloaded that public key when you created it. You'll need to upload that public key file to the first instance, using SFTP or SCP. Then you'll need to specify the path to that public key file using the -i option of the ssh command.

Mark B
  • Thanks for your reply. I created and assigned a keypair when I was launching the servers. Each server has its own key (key.pem). Then shall I create a public key from the .pem key of my private server and copy it to my public server? Which path do you suggest? ~/.ssh/? But what about the sshd setup? – Matrix Jan 06 '17 at 16:06
  • You don't have to change anything in `sshd`. `~/.ssh/` is the usual path. You simply need to copy the key.pem file for server B onto server A, and use that file when connecting from server A to server B. – Mark B Jan 06 '17 at 16:59
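
The two comments above, and the asker's update about using the "default key location", come down to the same thing: the copied .pem must end up on the public server with owner-only permissions (OpenSSH refuses a group- or world-readable private key, and the symptom is again "Permission denied (publickey)"), and ssh must be told where it is. The script below is an added example, not code from this answer or from AWS; the alias `private-server`, the directory layout and the file name keypair2.pem are assumptions. It installs the copied key with the right mode and writes a Host block to ~/.ssh/config so that `ssh private-server` works without `-i`, which is the same effect the asker observed when a key sat at the default path ~/.ssh/id_rsa.

```shell
#!/bin/sh
# Added example (not from the thread): install a copied EC2 key pair file on the
# public server with the permissions ssh requires, and point ssh at it through
# ~/.ssh/config so "ssh private-server" works without -i.
# Paths and the alias "private-server" are assumptions for illustration.

set -eu

# Print a file's permission bits in octal (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 when the private key is readable only by its owner (600 or 400).
# OpenSSH ignores keys with looser modes and prints an
# "UNPROTECTED PRIVATE KEY FILE" warning before "Permission denied (publickey)".
key_perms_ok() {
    case "$(mode_of "$1")" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Copy a key file into the .ssh directory and lock down its permissions.
# Prints the installed path.  Usage: install_key <source.pem> <ssh_dir>
install_key() {
    src=$1; ssh_dir=$2
    dest="$ssh_dir/$(basename "$src")"
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    cp "$src" "$dest"
    chmod 600 "$dest"
    printf '%s\n' "$dest"
}

# Append a Host block so the key is picked up by alias, no -i needed.
# IdentitiesOnly stops ssh from also offering every other loaded identity.
# Usage: write_host_entry <config_file> <alias> <ip> <user> <key_path>
write_host_entry() {
    cfg=$1; name=$2; ip=$3; user=$4; key=$5
    cat >> "$cfg" <<EOF
Host $name
    HostName $ip
    User $user
    IdentityFile $key
    IdentitiesOnly yes
EOF
    chmod 600 "$cfg"
}

# Typical run on the public server, assuming keypair2.pem was scp'd to $HOME:
#   key=$(install_key "$HOME/keypair2.pem" "$HOME/.ssh")
#   write_host_entry "$HOME/.ssh/config" private-server 10.0.20.71 ec2-user "$key"
#   ssh private-server
```

Nothing in `sshd_config` on either server changes, as Mark B says; the private server already trusts the public half of keypair2 through ~/.ssh/authorized_keys written at launch. The trade-off is that the private server's key now lives on an internet-facing host, so anyone who gains a shell there inherits access to the private server.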

Since you launched each one with its own keypair, you will have to use each server's respective keypair to ssh onto it. So, there are two ways to log onto 10.0.20.71. 1) You could put a copy of the private key used to launch it onto the public server and then use it to authenticate to the private server, e.g.

[ec2-user@ip-10-0-10-62 ~]$ ssh -i your_private_key.pem ec2-user@10.0.20.71

2) An arguably more secure solution would be to use ssh agent forwarding. With this solution you are not storing private keys on servers. On your computer you should have the two keys you used to create the two EC2 instances. You can add both of these to the ssh agent with the command:

$ ssh-add /path/to/key

Once in the agent you can log onto the public server with agent forwarding:

 ssh -A ec2-user@<public ip address of public server>

Then ssh to the private server without a key (the agent forwards the key from your computer):

ssh ec2-user@10.0.20.71

Kevin Seaman
  • Thanks for your answer. It's very close to what I need. But there are other servers with such a setup where I can ssh to the private server as you said, without a key, but when I connect to the public server from my computer I use: ssh -i "/path/key/key1.pem" user@ec2-....aws.com, then from the public server I connect to the private server with: ssh ec2-user@10.0.10.30. I just know that the keys of the private server (id_rsa and id_rsa.pub) are in the directory ~/.ssh/ on the public server, and it seems they were added by the sshd setup somehow, not by a user. Do you know how this setup works? Please see the updated question. – Matrix Jan 08 '17 at 16:02
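
Agent forwarding keeps the keys off the servers, but while you are logged in it exposes your agent socket to anyone with root on the public server, and every user has to remember `-A`. OpenSSH 7.3 and later offer ProxyJump, which gives the same "keys stay on my laptop" property without handing the agent to the bastion: the client opens a TCP tunnel through the public server and authenticates to the private server end to end. The generator below is an added example and not part of Kevin Seaman's answer; the aliases `bastion` and `private-server`, the bastion address 203.0.113.10 (a documentation address) and the key paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): emit a client-side ~/.ssh/config that
# reaches the private server through the public one with ProxyJump, so neither
# private key leaves the workstation and no agent forwarding is needed.
# Aliases, the bastion's public address and the key paths are assumptions.

set -eu

# Print the two Host blocks to stdout.
# Usage: jump_config <bastion_public_ip> <bastion_key> <private_ip> <private_key> <user>
jump_config() {
    bastion_ip=$1; bastion_key=$2; private_ip=$3; private_key=$4; user=$5
    cat <<EOF
# Public server (bastion): authenticates with its own key pair.
# ForwardAgent stays off; the bastion never sees an agent socket.
Host bastion
    HostName $bastion_ip
    User $user
    IdentityFile $bastion_key
    IdentitiesOnly yes
    ForwardAgent no

# Private server: ssh tunnels through "bastion" and authenticates end to end
# with the private server's key, which stays on this machine.
Host private-server
    HostName $private_ip
    User $user
    IdentityFile $private_key
    IdentitiesOnly yes
    ProxyJump bastion
EOF
}

# Write the config to a file with the mode ssh expects (owner read/write only).
# Usage: write_jump_config <config_file> <same five arguments as jump_config>
write_jump_config() {
    cfg=$1; shift
    jump_config "$@" > "$cfg"
    chmod 600 "$cfg"
}

# Typical use from the workstation (paths assumed):
#   write_jump_config ~/.ssh/config 203.0.113.10 ~/.ssh/keypair1.pem \
#       10.0.20.71 ~/.ssh/keypair2.pem ec2-user
#   ssh private-server
```

`ssh -G private-server` prints the resolved options and is a quick way to confirm the ProxyJump line is being picked up. On clients older than 7.3 the equivalent is `ProxyCommand ssh -W %h:%p bastion`. Because the public server only relays an encrypted TCP stream, it needs no copy of keypair2.pem and cannot read the inner session, which is the property the "more secure" remark in the answer is after.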

The instance from which you want to connect is as good as the machine that you're using to connect. So, assuming that you have an instance A and an instance B, and you want to connect from A -> B, then it is as good as connecting from your machine to B.

To achieve this, you have to do the same thing you did to connect to machine B: download the pem file of B onto machine A (in this case, you will have to upload the pem file to machine A by using the scp command).

After this, you should be able to ssh correctly. Again, I would like to know the use case for ssh, since there are many other options to share data between servers with the help of samba, sftp, etc.

You can check this link on how to scp: scp (secure copy) to ec2 instance without password

Cheers!

Karan Shah

Assume keypair2.pem is the private key of your private server (10.0.20.71) (if you used the AWS dashboard/CLI/SDK to create a keypair, the private key is returned).

From public server:

ssh -i keypair2.pem ec2-user@10.0.20.71

If the private server is a Ubuntu machine:

ssh -i keypair2.pem ubuntu@10.0.20.71

If you still have issues, post the output of:

ssh -v -i keypair2.pem ec2-user@10.0.20.71

helloV
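
The `ssh -v` output this answer asks for is where "Permission denied (publickey)" stops being one error and becomes two distinct ones: either the client never offered a usable identity (wrong `-i` path, key not loaded, bad file mode) or it offered one and the server declined it (key not in that user's authorized_keys, or the wrong login name such as ec2-user on an Ubuntu image, as the answer notes). The script below is an added example, not part of helloV's answer; the sample log is constructed to resemble OpenSSH debug1 lines and is not a capture from the asker's servers.

```shell
#!/bin/sh
# Added example (not from the thread): classify "ssh -v" output so a
# "Permission denied (publickey)" can be narrowed down before asking for help.
# The sample log is constructed to look like OpenSSH debug1 output.

set -eu

# Print the identity files the client actually offered, one per line.
# Older clients log "Trying private key:" for a -i file that was not pre-loaded,
# and "Offering public key:" / "Offering RSA public key:" for loaded ones.
# Usage: tried_identities <ssh -v log file>
tried_identities() {
    awk '/^debug1: (Offering (RSA )?public key|Trying private key): / {
             sub(/^debug1: [^:]*: /, ""); print
         }' "$1"
}

# Classify the attempt and print one word:
#   success      server accepted a key
#   rejected     a key was offered, the server answered with the remaining
#                methods and finally refused: key not in that user's
#                authorized_keys, or wrong user name for the image
#   no-identity  nothing was offered: wrong -i path, key not loaded, or the
#                key file is group/world readable and was skipped
#   unknown      none of the above patterns matched
# Usage: classify_attempt <ssh -v log file>
classify_attempt() {
    if grep -q '^debug1: Authentication succeeded (publickey)' "$1"; then
        echo success
    elif [ -n "$(tried_identities "$1")" ] && grep -q '^Permission denied (publickey)' "$1"; then
        echo rejected
    elif grep -q '^Permission denied (publickey)' "$1"; then
        echo no-identity
    else
        echo unknown
    fi
}

# Constructed sample modelled on a failing "ssh -v -i keypair2.pem" run
# (not a real capture).  Usage: write_sample_log <file>
write_sample_log() {
    cat > "$1" <<'EOF'
debug1: Connecting to 10.0.20.71 [10.0.20.71] port 22.
debug1: Connection established.
debug1: identity file keypair2.pem type -1
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: keypair2.pem
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).
EOF
}

# Typical use: ssh -v -i keypair2.pem ec2-user@10.0.20.71 2> ssh-v.log
#              classify_attempt ssh-v.log; tried_identities ssh-v.log
```

A `rejected` result means the transport and the key file are fine and the fix is on the server side (which public key is in that user's ~/.ssh/authorized_keys, and which user name the image expects); `no-identity` means the client-side path or permissions need attention first, and the first example on this page covers that case.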