Amazon Web Service (AWS) VPC private subnet instance 'Permission denied (publickey).' - ssh from osx
I’m connecting to an Amazon Web Service (AWS) EC2 instance in a virtual private server’s private subnet via a NAT instance and getting the following error:
Permission denied (publickey)
This is happened after I have connected to the NAT and am trying to SSH to the private subnet EC2 instance.
Procedure:
Define host in
~/.ssh/config
with the following :
Host my_aws_nat
Hostname xx.xx.xx.xx
User ec2-user
IdentityFile /location/of/my/aws/key_pair.pem
ForwardAgent yes
SSH to NAT instance via
ssh my_aws_nat
(which is successful)SSH to instance in private subnet
ssh ec2-user@10.0.X.X
- which is when I get the error
I’m able to ping my private instance from my NAT with ping 10.0.X.X
. So I’m fairly sure it’s not security groups issue. It looks like it’s an agent forwarding issue.
Currently the instance I’m connecting to uses the same key pair as the NAT instance (in learning mode).
The other way I’ve tried is to connect to the NAT with:
ssh -A ec2-user@XX.XX.XX.XX -i key_pair.pem
Which again, connects correctly to the NAT but gives the same error when connecting to the private instance.
Do I have to use ssh-agent
on Mac OS X?
Or shouldn’t specifying ForwardAgent yes
in /.ssh/config
do the same thing ?
ssh amazon-ec2 amazon-web-services
migrated from serverfault.com Mar 17 '15 at 23:16
This question came from our site for system and network administrators.
add a comment |
I’m connecting to an Amazon Web Service (AWS) EC2 instance in a virtual private server’s private subnet via a NAT instance and getting the following error:
Permission denied (publickey)
This is happened after I have connected to the NAT and am trying to SSH to the private subnet EC2 instance.
Procedure:
Define host in
~/.ssh/config
with the following :
Host my_aws_nat
Hostname xx.xx.xx.xx
User ec2-user
IdentityFile /location/of/my/aws/key_pair.pem
ForwardAgent yes
SSH to NAT instance via
ssh my_aws_nat
(which is successful)SSH to instance in private subnet
ssh ec2-user@10.0.X.X
- which is when I get the error
I’m able to ping my private instance from my NAT with ping 10.0.X.X
. So I’m fairly sure it’s not security groups issue. It looks like it’s an agent forwarding issue.
Currently the instance I’m connecting to uses the same key pair as the NAT instance (in learning mode).
The other way I’ve tried is to connect to the NAT with:
ssh -A ec2-user@XX.XX.XX.XX -i key_pair.pem
Which again, connects correctly to the NAT but gives the same error when connecting to the private instance.
Do I have to use ssh-agent
on Mac OS X?
Or shouldn’t specifying ForwardAgent yes
in /.ssh/config
do the same thing ?
ssh amazon-ec2 amazon-web-services
migrated from serverfault.com Mar 17 '15 at 23:16
This question came from our site for system and network administrators.
add a comment |
I’m connecting to an Amazon Web Service (AWS) EC2 instance in a virtual private server’s private subnet via a NAT instance and getting the following error:
Permission denied (publickey)
This is happened after I have connected to the NAT and am trying to SSH to the private subnet EC2 instance.
Procedure:
Define host in
~/.ssh/config
with the following :
Host my_aws_nat
Hostname xx.xx.xx.xx
User ec2-user
IdentityFile /location/of/my/aws/key_pair.pem
ForwardAgent yes
SSH to NAT instance via
ssh my_aws_nat
(which is successful)SSH to instance in private subnet
ssh ec2-user@10.0.X.X
- which is when I get the error
I’m able to ping my private instance from my NAT with ping 10.0.X.X
. So I’m fairly sure it’s not security groups issue. It looks like it’s an agent forwarding issue.
Currently the instance I’m connecting to uses the same key pair as the NAT instance (in learning mode).
The other way I’ve tried is to connect to the NAT with:
ssh -A ec2-user@XX.XX.XX.XX -i key_pair.pem
Which again, connects correctly to the NAT but gives the same error when connecting to the private instance.
Do I have to use ssh-agent
on Mac OS X?
Or shouldn’t specifying ForwardAgent yes
in /.ssh/config
do the same thing ?
ssh amazon-ec2 amazon-web-services
I’m connecting to an Amazon Web Service (AWS) EC2 instance in a virtual private server’s private subnet via a NAT instance and getting the following error:
Permission denied (publickey)
This is happened after I have connected to the NAT and am trying to SSH to the private subnet EC2 instance.
Procedure:
Define host in
~/.ssh/config
with the following :
Host my_aws_nat
Hostname xx.xx.xx.xx
User ec2-user
IdentityFile /location/of/my/aws/key_pair.pem
ForwardAgent yes
SSH to NAT instance via
ssh my_aws_nat
(which is successful)SSH to instance in private subnet
ssh ec2-user@10.0.X.X
- which is when I get the error
I’m able to ping my private instance from my NAT with ping 10.0.X.X
. So I’m fairly sure it’s not security groups issue. It looks like it’s an agent forwarding issue.
Currently the instance I’m connecting to uses the same key pair as the NAT instance (in learning mode).
The other way I’ve tried is to connect to the NAT with:
ssh -A ec2-user@XX.XX.XX.XX -i key_pair.pem
Which again, connects correctly to the NAT but gives the same error when connecting to the private instance.
Do I have to use ssh-agent
on Mac OS X?
Or shouldn’t specifying ForwardAgent yes
in /.ssh/config
do the same thing ?
ssh amazon-ec2 amazon-web-services
ssh amazon-ec2 amazon-web-services
edited Mar 17 '15 at 23:23
JakeGould
31.5k1096138
31.5k1096138
asked Mar 13 '15 at 19:28
goredwardsgoredwards
1194
1194
migrated from serverfault.com Mar 17 '15 at 23:16
This question came from our site for system and network administrators.
migrated from serverfault.com Mar 17 '15 at 23:16
This question came from our site for system and network administrators.
add a comment |
add a comment |
2 Answers
2
active
oldest
votes
As per this answer and this guideline
I needed to add the key_pair.pem
to the OSX ssh agent as follows:
ssh-add -K /path/to/key_pair.pem
(in my case it didn't ask for a passphrase)
After this, everything worked fine using both methodologies outlined above.
So to answer the question:
Q: Do I have to use ssh-agent on Mac OS X to log in to a private subnet instance through a NAT/bastion host?
A: YES
add a comment |
For me it helped to remove the bastion's (NAT instance's) public key from ~/.ssh/known_hosts
.
If the key of the remote bastion host changed (which may happen quite often if you allocate EIPs to new instances) and in addition have StrictHostKeyChecking no
set in your ssh_config, AgentForwarding will be disabled on the bastion host.
You'll also find a warning saying so if you login to the bastion host. For my part, I've just not read it -.-
So, delete the key and connect again, the current key will be added to the known_hosts file and you'll be able to connect to the instance in the private subnet.
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f890859%2famazon-web-service-aws-vpc-private-subnet-instance-permission-denied-publick%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
As per this answer and this guideline
I needed to add the key_pair.pem
to the OSX ssh agent as follows:
ssh-add -K /path/to/key_pair.pem
(in my case it didn't ask for a passphrase)
After this, everything worked fine using both methodologies outlined above.
So to answer the question:
Q: Do I have to use ssh-agent on Mac OS X to log in to a private subnet instance through a NAT/bastion host?
A: YES
add a comment |
As per this answer and this guideline
I needed to add the key_pair.pem
to the OSX ssh agent as follows:
ssh-add -K /path/to/key_pair.pem
(in my case it didn't ask for a passphrase)
After this, everything worked fine using both methodologies outlined above.
So to answer the question:
Q: Do I have to use ssh-agent on Mac OS X to log in to a private subnet instance through a NAT/bastion host?
A: YES
add a comment |
As per this answer and this guideline
I needed to add the key_pair.pem
to the OSX ssh agent as follows:
ssh-add -K /path/to/key_pair.pem
(in my case it didn't ask for a passphrase)
After this, everything worked fine using both methodologies outlined above.
So to answer the question:
Q: Do I have to use ssh-agent on Mac OS X to log in to a private subnet instance through a NAT/bastion host?
A: YES
As per this answer and this guideline
I needed to add the key_pair.pem
to the OSX ssh agent as follows:
ssh-add -K /path/to/key_pair.pem
(in my case it didn't ask for a passphrase)
After this, everything worked fine using both methodologies outlined above.
So to answer the question:
Q: Do I have to use ssh-agent on Mac OS X to log in to a private subnet instance through a NAT/bastion host?
A: YES
edited Apr 13 '17 at 12:14
Community♦
1
1
answered Mar 13 '15 at 23:57
goredwardsgoredwards
1194
1194
add a comment |
add a comment |
For me it helped to remove the bastion's (NAT instance's) public key from ~/.ssh/known_hosts
.
If the key of the remote bastion host changed (which may happen quite often if you allocate EIPs to new instances) and in addition have StrictHostKeyChecking no
set in your ssh_config, AgentForwarding will be disabled on the bastion host.
You'll also find a warning saying so if you login to the bastion host. For my part, I've just not read it -.-
So, delete the key and connect again, the current key will be added to the known_hosts file and you'll be able to connect to the instance in the private subnet.
add a comment |
For me it helped to remove the bastion's (NAT instance's) public key from ~/.ssh/known_hosts
.
If the key of the remote bastion host changed (which may happen quite often if you allocate EIPs to new instances) and in addition have StrictHostKeyChecking no
set in your ssh_config, AgentForwarding will be disabled on the bastion host.
You'll also find a warning saying so if you login to the bastion host. For my part, I've just not read it -.-
So, delete the key and connect again, the current key will be added to the known_hosts file and you'll be able to connect to the instance in the private subnet.
add a comment |
For me it helped to remove the bastion's (NAT instance's) public key from ~/.ssh/known_hosts
.
If the key of the remote bastion host changed (which may happen quite often if you allocate EIPs to new instances) and in addition have StrictHostKeyChecking no
set in your ssh_config, AgentForwarding will be disabled on the bastion host.
You'll also find a warning saying so if you login to the bastion host. For my part, I've just not read it -.-
So, delete the key and connect again, the current key will be added to the known_hosts file and you'll be able to connect to the instance in the private subnet.
For me it helped to remove the bastion's (NAT instance's) public key from ~/.ssh/known_hosts
.
If the key of the remote bastion host changed (which may happen quite often if you allocate EIPs to new instances) and in addition have StrictHostKeyChecking no
set in your ssh_config, AgentForwarding will be disabled on the bastion host.
You'll also find a warning saying so if you login to the bastion host. For my part, I've just not read it -.-
So, delete the key and connect again, the current key will be added to the known_hosts file and you'll be able to connect to the instance in the private subnet.
answered Jan 27 at 18:15
mrmeeseeksmrmeeseeks
1
1
add a comment |
add a comment |
Thanks for contributing an answer to Super User!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f890859%2famazon-web-service-aws-vpc-private-subnet-instance-permission-denied-publick%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown