
When I try to connect to an EC2 in a private network through a bastion server I get this message:

<username>@<ec2-server>: Permission denied (publickey)

However, I can ssh to the bastion from my local machine, and I can ssh to the EC2 from the bastion server.

Here is the .ssh/config I'm using:

Host <ec2-servers>*
    IdentityFile ~/.ssh/id_rsa
    User <username>

Here is the command I use to ssh:

ssh -J <bastion-server> <ec2-server>

Note: Permissions are good (700 for ~/.ssh/ and 600 for ~/.ssh/*)

Thanks in advance for your help!

Arsalen
  • I don't understand the issue. You wrote that you can ssh from bastion to your private ec2 instance, so what is the issue? – Marcin May 29 '21 at 23:43
  • Thank you for your response @Marcin the problem is that I can't ssh directly from my local machine to the ec2 server through the bastion (even though I can ssh from local to bastion and I can ssh from bastion to ec2 as well) – Arsalen May 29 '21 at 23:48

4 Answers


There is likely no user on the remote system called 'username'. Make sure both systems have the same username and public key.

Rodrigo Murillo
  • Thank you very much @Rodrigo for your response, actually I put username for the sake of simplicity and it is right; also the public keys are in the `authorized_keys` (since I can ssh from local to bastion and from bastion to ec2) – Arsalen May 29 '21 at 23:37

Can you try the following configuration, with the username you mentioned being the same for both the jump host and the actual instance you are trying to connect to?

# ec2 servers cidr range
Host 10.2.2.*
    ProxyJump jumpuser@proxy.example.com

I think specifying the IdentityFile ~/.ssh/id_rsa might not be needed as that seems like the default key on your system you are using.

Make sure jumpuser exists with appropriate permissions.

Just for debugging purposes, run this manually with debug options:

ssh -vvv -J username@host1:port username@host2:port

will give plenty of information and you might be able to see where the problem is.

If you are using ssh-agent, removing all the identities and trying again might also help.

ssh-add -D

How to Access a Remote Server Using a Jump Host

How to Set Up an SSH Jump Server

samtoddler
  • Thank you for your response @samtoddler well I've created a new user on my local machine with the same username as the bastion and the remote ec2, still the error persists, I've also followed the tutorials you attached and also failed, is it possible that the problem is that my local keys are not in the target ec2 instance `authorized_keys`? Since I have them on the bastion `authorized_keys` and the bastion's are on the ec2 instance `authorized_keys` I thought that would be enough. – Arsalen May 30 '21 at 13:57
  • @Arsalen can you check your `ssh-agent` if it is forwarding the connection further correctly? – samtoddler May 30 '21 at 15:57

Just note that RSA keys are being deprecated, and later versions of operating systems disable their use on the CLIENT. That is, where you ssh from. To re-enable it on the client, in your ~/.ssh/config file, enter the following line:

PubkeyAcceptedKeyTypes +ssh-rsa

Note: there are security implications of doing this, so read up on the security issues of rsa if you are concerned. For instance, the following article: https://www.thesslstore.com/blog/is-it-still-safe-to-use-rsa-encryption/ says:

....RSA encryption provides less than 99.8% security.
That sounds negligible, it’s about two in every 1,000.
But does that mean RSA is cracked? Not quite, just vulnerable.
MagicLAMP

Fixed it by adding local ssh public key in the authorized_keys of the remote ec2 instance.

Arsalen
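The fix above and the debugging advice in samtoddler's answer both come down to one check: with -J the bastion only relays the TCP connection, and the target authenticates the LOCAL client's key directly, so that key must be in the target's authorized_keys. This added helper (not from any of the answers) compares a local .pub line against an authorized_keys file by key type and base64 blob only, so differing comments or option prefixes do not hide a match; the sample keys in the comments and tests are constructed, not real keys.

```shell
#!/bin/sh
# key_id LINE: print "type blob" for an authorized_keys or .pub line, skipping any
# leading options (from=, command=, ...) and the trailing comment.
# Comment and blank lines print nothing.
key_id() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*(#|$)/ { next }
        {
            for (i = 1; i <= NF; i++) {
                # Key types accepted in authorized_keys; the blob is the next field.
                if ($i ~ /^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)$/ && i < NF) {
                    print $i, $(i+1); exit
                }
            }
        }'
}

# key_authorized PUBKEY_LINE AUTHORIZED_KEYS_FILE
# Returns 0 if the key (type + blob) appears in the file, 1 otherwise.
key_authorized() {
    want=$(key_id "$1")
    [ -n "$want" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        [ "$(key_id "$line")" = "$want" ] && return 0
    done < "$2"
    return 1
}

# Typical use while -J still fails but the two single hops work, with the
# <bastion-server>/<ec2-server> placeholders from the question:
#   ssh <bastion-server> 'ssh <ec2-server> cat .ssh/authorized_keys' > target_keys
#   key_authorized "$(cat ~/.ssh/id_rsa.pub)" target_keys \
#       && echo "local key is authorized on the target" \
#       || echo "local key missing on the target: that is the Permission denied (publickey)"
```

If the key is missing, append the contents of the local id_rsa.pub to the target's authorized_keys (via the two-hop path) and the -J connection should succeed.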