
How to SSH EC2 instance with ssh-agent along with SSH agent forwarding to SSH private instances in VPC?

Image source: atulhost.com, modified by me.

Hi,


I have taken this post from the AWS Blog. It is very important to SSH into your VM using ssh-agent and SSH agent forwarding, so that you can SSH into private EC2 instances securely without storing the private key, on Windows, Mac, and Linux.

So, I want you to use this, as it is very important for security reasons.


Configuring ssh-agent

The first step in using SSH agent forwarding with EC2 instances is to configure a bastion in your VPC. We suggest that the instance you use for your bastion be purpose-built and that you use it only as a bastion and not for anything else. The bastion should also be set up with a security group that’s configured to listen only on the SSH port (TCP/22). 

Always remember the following when configuring your bastion:

  • Never place your SSH private keys on the bastion instance. Instead, use SSH agent forwarding to connect first to the bastion and from there to other instances in private subnets. This lets you keep your SSH private key just on your computer.
  • Configure the security group on the bastion to allow SSH connections (TCP/22) only from known and trusted IP addresses.
  • Always have more than one bastion. You should have a bastion in each availability zone (AZ) where your instances are. If your deployment takes advantage of a VPC VPN, also have a bastion on premises.
  • Configure Linux instances in your VPC to accept SSH connections only from bastion instances.

Configuring ssh-agent on a Mac

For Mac users, ssh-agent is already installed as part of the OS. You can add your private keys to the keychain application by using the ssh-add command with the -K option and the .pem file for the key, as shown in the following example. The agent prompts you for your passphrase if there is one, and stores the private key in memory and the passphrase in your keychain.


ssh-add -K myPrivateKey.pem
Enter passphrase for myPrivateKey.pem:
Passphrase stored in keychain: myPrivateKey.pem
Identity added: myPrivateKey.pem (myPrivateKey.pem)


Adding the key to the agent lets you use SSH to connect to an instance without having to pass the -i <keyfile> option when you connect.


To verify the keys available to ssh-agent, run one of the following commands:

ssh-add -L    (list the public keys held by the agent)
ssh-add -l    (list the fingerprints of the keys held by the agent)

To remove all identities from the agent:

ssh-add -D

To remove a specific identity (note the lowercase -d; uppercase -D removes every key):

ssh-add -d <ssh key path>

After the key is added to your keychain, you can connect to the bastion instance with SSH using the -A option. This option enables SSH agent forwarding and lets the local SSH agent respond to a public-key challenge when you use SSH to connect from the bastion to a target instance in your VPC.

For example, to connect to an instance in a private subnet, enter the following command to enable SSH agent forwarding using the bastion instance:

ssh -A user@<bastion-IP-address>

When you first connect to the instance, you should verify that the RSA key fingerprint that the bastion presents matches what is displayed in the instance’s console output. 

After you’re connected to the bastion instance, use SSH to connect to a specific instance using a command like this:

ssh user@<private-instance-ip>

Note that ssh-agent does not know which key it should use for a given SSH connection. Therefore, ssh-agent will sequentially try all the keys that are loaded in the agent. Because instances terminate the connection after five failed connection attempts, make sure that the agent has five or fewer keys. Because each administrator should have only a single key, this is rarely a problem for most deployments. For details about how to manage the keys in ssh-agent, use the man ssh-agent command.
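The following POSIX shell wrapper is an added example (not code from the AWS post) that performs the two checks described above before running the ssh -A hop: it refuses to forward the agent when ssh-add -l reports no keys or more than five, and it compares the bastion's RSA host key fingerprint (fetched with ssh-keyscan) against the fingerprint you copied from the instance console output. User, bastion address and expected fingerprint are placeholders passed by the caller.

```shell
#!/bin/sh
# Added example, not from the AWS post: wraps the `ssh -A` step with the two
# checks the post asks for before the agent is forwarded:
#  1. the agent holds at least one and no more than five identities, and
#  2. the bastion's host key fingerprint matches the one read from the
#     instance console output.
# User, bastion IP and expected fingerprint are placeholders from the caller.

MAX_KEYS=${MAX_KEYS:-5}   # the post's limit: instances drop after five failed attempts

# Count identities in `ssh-add -l` output passed as $1 (one key per line).
# "The agent has no identities." and agent connection errors count as zero.
count_agent_keys() {
  case "$1" in
    ""|*"has no identities"*|*"Could not open a connection"*) echo 0 ;;
    *) printf '%s\n' "$1" | grep -c . || true ;;
  esac
}

# Succeed (exit 0) only when 1 <= key count <= MAX_KEYS.
agent_within_limit() {
  n=$(count_agent_keys "$1")
  [ "$n" -ge 1 ] && [ "$n" -le "$MAX_KEYS" ]
}

# $1 = expected fingerprint (e.g. SHA256:... copied from the console output),
# $2 = output of `ssh-keygen -lf` over the host key returned by ssh-keyscan.
host_fingerprint_matches() {
  [ -n "$1" ] || return 1
  case "$2" in
    *"$1"*) return 0 ;;
    *) return 1 ;;
  esac
}

# connect_via_bastion USER BASTION_IP EXPECTED_FINGERPRINT
connect_via_bastion() {
  agent_within_limit "$(ssh-add -l 2>&1)" ||
    { echo "agent holds 0 or more than $MAX_KEYS keys; adjust with ssh-add / ssh-add -d" >&2; return 1; }
  tmp=$(mktemp) || return 1
  ssh-keyscan -t rsa "$2" > "$tmp" 2>/dev/null
  actual=$(ssh-keygen -lf "$tmp"); rm -f "$tmp"
  host_fingerprint_matches "$3" "$actual" ||
    { echo "bastion host key fingerprint mismatch: $actual" >&2; return 1; }
  # Forward the agent only for this hop; the private key never leaves this machine.
  ssh -A "$1@$2"
}
```

Call it as connect_via_bastion user <bastion-IP-address> SHA256:<fingerprint-from-console>; the check functions can also be used on their own.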


Configuring ssh-agent on a Linux distribution

On Linux, add your private key to the running agent with:

ssh-add myPrivateKey.pem

For SSH agent forwarding, use the same command as on macOS:

ssh -A user@<bastion-IP-address>


Configuring ssh-agent on Windows

In Windows, you can connect to Linux VPC instances using PuTTY. To get SSH agent functionality, you can use Pageant, which is available from the PuTTY download page. When Pageant is installed, you can use the agent forwarding option in PuTTY to connect to instances in private subnets.

To use Pageant, you need to convert your private key from PEM format to PuTTY format using PuTTYgen (available from the PuTTY download page). In PuTTYgen, choose Conversions > Import Key and select your PEM-formatted private key. Enter a passphrase and then click Save private key, as shown in the following screenshot. Save the key as a .ppk file.


Image of saving the private key

After you convert the private key, open Pageant, which runs as a Windows service. To import the PuTTY-formatted key into Pageant, double-click the Pageant icon in the notification area and then click Add Key. When you select the .ppk file, you’re prompted to enter the passphrase you chose when you converted the key, as shown in the following screenshot.

Screenshot of typing the passphrase


After you add the key, close the Pageant Key List window.

Finally, when you are configuring the connections for SSH in PuTTY, check the Allow agent forwarding box and leave the Private key file for authentication field empty.

When you use PuTTY to connect to the public IP address of your bastion, you will see that the Pageant PuTTY component provides the SSH key for authentication, as shown in the following screenshot.


Screenshot of the Pageant PuTTY component providing the SSH key for authentication

With agent forwarding enabled in the PuTTY configuration, you can connect from the bastion to any other instance in the VPC without having the SSH private key on the bastion. To connect to other instances, use the following command:

ssh user@<instance-IP-address>

As long as the matching private key for the instance is loaded into Pageant, the connection will be successful, as shown in the following screenshot.


Screenshot of a successful connection


Conclusion

Using this information on how to configure bastions in front of Linux instances in a VPC, you now have additional tools to help improve the security of your EC2 instances by closing off Internet access to their management ports.


Blog credit: aws.amazon.com/blog
