
I have created two EC2 instances on AWS. I created a key pair for each of them. I downloaded the .pem private keys and converted them into .ppk format. I can connect to each of my ec2 instances using PuTTY and their .ppk private key. But how do I SSH from one of my ec2 instance to the other? I can ping the Public DNS of either of them from the other. But if I try ssh from one to the other, I get:

Permission denied (publickey).

kenorb
Stephen Walsh
  • Set up these keys into your keypairs (only the public half). Launch 2 new instances with each of these keypairs. Upload everything (private half in particular) to be the designated client (e.g. for key A it is used to launch instance B and its private half is uploaded to instance A). – Skaperen Nov 17 '16 at 06:18
  • I think you might need to convert the keys into an openssh format: http://stackoverflow.com/questions/2224066/how-to-convert-ssh-keypairs-generated-using-puttygenwindows-into-key-pairs-use#2224204 – matiu Nov 24 '16 at 03:52
  • Just a general FYI, there's little security benefit to utilizing multiple SSH keys for multiple SSH servers, provided the SSH key utilized is encrypted with a complex password _(at time of creation)_ of _at least_ 16 characters containing two each of the following: Uppercase, Lowercase, Symbols, & Numbers. Utilizing multiple SSH keys overcomplicates management while offering negligible additional security. – JW0914 Sep 02 '19 at 13:43

3 Answers


Method 1 - use the same keys on the servers:

Convert the keys to openssh format and upload the private keys to the servers. When you ssh to the destination host, specify the private key file:

ssh -i mykey.pem private.ip.of.other.server

Method 2 - Create new keys

On each server run:

ssh-keygen

Hit enter enter enter. You'll have two files:

.ssh/id_rsa
.ssh/id_rsa.pub

On Server A, cat and copy to clipboard the public key:

cat ~/.ssh/id_rsa.pub
[select and copy to your clipboard]

ssh into Server B, and append the contents of that to its authorized_keys file:

cat >> ~/.ssh/authorized_keys
[paste your clipboard contents]
[ctrl+d to exit]

Now ssh from server A:

ssh -i ~/.ssh/id_rsa private.ip.of.other.server
matiu

There is a third and, IMHO, the best solution, so-called ssh agent forwarding:

  • on the local machine, configure ~/.ssh/config by adding the following section:
Host <ip-or-name-of-A-server>
  ForwardAgent yes
  • I assume that on servers A and B you have your local ~/.ssh/id_rsa.pub added to the server's ~/.ssh/authorized_keys

While working on server A, your keys can be used in further ssh communication, e.g.:

  • connecting to other server with ssh client - in this case to server B,
  • scp (secure copy),
  • git - you can pull/push using your local identity to your remote git repositories
  • etc.

To check to see if this works:

  • connect to server A
  • check if there is a socket connection for key exchange by detecting the SSH_AUTH_SOCK env var:
set|grep SSH_AUTH_ # output should be something like this:
SSH_AUTH_SOCK=/tmp/ssh-sEHiRF4hls/agent.12042

Notes:

Robert Lujo

A new AWS solution for the problem.

EC2 Instance Connect

Here's a blog post for the same:

AWS Blog

Please note:

The SSH public keys are only available for one-time use for 60 seconds in the instance metadata. To connect to the instance successfully, you must connect using SSH within this time window. Because the keys expire, there is no need to track or manage these keys directly, as you did previously.