I have my NAT and Bastion set up to login with SSH forwarding:

ssh-add -K keyfile.pem
ssh -A ec2-user@bastionhost
ssh ec2-user@privateSubnetServer

What's the best method for handling ssh and users at this point between hosts in the private subnet?

I get:

Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

when trying to do it the traditional Linux way. I can get to them if I use the AWS-created key pairs.

I can't set up or connect to a directory service at this point.

John Rotenstein
  • What do you mean by "handling ssh and users at this point"? Is the above working for you? What are you then doing that gives the `Permission denied` error? Feel free to edit your question to clarify the situation. – John Rotenstein Sep 19 '19 at 04:52
  • You might want to research ssh `ProxyCommand`, which is a popular way of transiting through a Bastion. For example: [Convenient SSH proxying through a bastion host - William Tsoi - Medium](https://medium.com/@williamtsoi/convenient-ssh-proxying-through-a-bastion-host-cef9eb832100) – John Rotenstein Sep 19 '19 at 04:53

2 Answers


There can be two reasons: either the key is invalid or the proxy command is not working as you expect.

Before that, set up your bastion entry like this:

Host bastion
    HostName bastion_Adress
    User centos|whatever
    IdentityFile /mykeys/ec2.pem

Now try to ssh to bastion

ssh bastion

If the above works, the bastion is fine and we can set the proxy command now:

Host private_server
    HostName 10.0.5.45
    User centos
    IgnoreUnknown UseKeychain
    AddKeysToAgent yes
    ProxyCommand ssh bastion -W %h:%p

Now you can ssh to the private server:

ssh private_server

Normally these are necessary, but just in case, since on Mac this sometimes happens:

  IgnoreUnknown UseKeychain
  AddKeysToAgent yes

.ssh/config: "Bad configuration option: UseKeychain" on Mac OS Sierra 10.12.6

You can debug the issue using this flow:

  • ssh to bastion
  • copy your private server ssh key to the bastion
  • ssh to private instance

If the above works, it means the bastion ssh config is not valid.

If the above does not work, then the key is not valid.


Adiii
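Worked example, added here and not part of either answer: a POSIX shell script that emits the two stanzas from the answer above (ProxyCommand hop, so the private key stays on the workstation and the `ssh -A` agent forwarding from the question is not needed on the bastion) and checks the key file's mode, because a group- or world-readable private key is skipped by ssh with "bad permissions" and the session then ends in the same "Permission denied (publickey,...)" message. Addresses, user and key path are placeholders.

```shell
#!/bin/sh
# Added example; bastion_ip, private_ip, key path and user are placeholders.

# Emit ssh_config stanzas for a private host reached through a bastion.
# $1 bastion address, $2 private host address, $3 key file, $4 login user.
# IdentitiesOnly stops ssh from offering every agent key before the right one.
gen_ssh_config() {
  cat <<EOF
Host bastion
    HostName $1
    User $4
    IdentityFile $3
    IdentitiesOnly yes

Host private_server
    HostName $2
    User $4
    IdentityFile $3
    IdentitiesOnly yes
    ProxyCommand ssh -W %h:%p bastion
EOF
}

# OpenSSH ignores a private key readable by group/others, so the login
# falls through to "Permission denied (publickey,...)". Succeeds for 0600/0400.
check_key_perms() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  case "$mode" in
    600|400) return 0 ;;
    *) echo "key $1 has mode $mode; fix with: chmod 600 $1" >&2; return 1 ;;
  esac
}

# Typical use: write the config, then verify the key before the first hop.
#   gen_ssh_config 203.0.113.10 10.0.5.45 ~/.ssh/ec2.pem ec2-user >> ~/.ssh/config
#   check_key_perms ~/.ssh/ec2.pem && ssh -v private_server
```

If the hop still fails, `ssh -v private_server` shows which key is offered at each leg, which separates "wrong key" from "bastion config broken" as the answer's debug flow suggests.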
Host bastion.ip.address
    User ec2-user
    IdentityFile ~/.ssh/bastionkey.pem
    CheckHostIP no

Host private.subnet.ip
    User ec2-user
    IdentityFile ~/.ssh/bastionkey.pem
    # Jump through the bastion stanza above so its User/IdentityFile apply
    ProxyCommand ssh bastion.ip.address -W %h:%p