
I have created two EC2 instances on AWS. I created a key pair for each of them. I downloaded the .pem private keys and converted them into .ppk format. I can connect to each of my EC2 instances using PuTTY and their .ppk private key. But how do I SSH from one of my EC2 instances to the other? I can ping the Public DNS of either of them from the other. But if I try ssh from one to the other, I get:

Permission denied (publickey).

  • Set up these keys as your keypairs (only the public half). Launch 2 new instances with each of these keypairs. Upload everything (the private half in particular) to the designated client (e.g. key A is used to launch instance B and its private half is uploaded to instance A).
    – Skaperen
    Commented Nov 17, 2016 at 6:18
  • I think you might need to convert the keys into OpenSSH format: stackoverflow.com/questions/2224066/…
    – matiu
    Commented Nov 24, 2016 at 3:52
  • Just a general FYI, there's little security benefit to utilizing multiple SSH keys for multiple SSH servers, provided the SSH key utilized is encrypted with a complex password (at time of creation) of at least 16 characters containing two each of the following: Uppercase, Lowercase, Symbols, & Numbers. Utilizing multiple SSH keys overcomplicates management while offering negligible additional security.
    – JW0914
    Commented Sep 2, 2019 at 13:43

3 Answers


Method 1 - use the same keys on the servers:

Convert the keys to OpenSSH format and upload the private keys to the servers. When you ssh to the destination host, specify the private key file:

ssh -i mykey.pem private.ip.of.other.server

Method 2 - Create new keys

On each server run:

ssh-keygen

Hit enter enter enter. You'll have two files:

.ssh/id_rsa
.ssh/id_rsa.pub

On Server A, cat the public key and copy it to your clipboard:

cat ~/.ssh/id_rsa.pub
[select and copy to your clipboard]

ssh into Server B, and append the contents of that to its authorized_keys file:

cat >> ~/.ssh/authorized_keys
[paste your clipboard contents]
[ctrl+d to exit]

Now ssh from server A:

ssh -i ~/.ssh/id_rsa private.ip.of.other.server
  • Thank you for such a simple and straightforward explanation! It worked perfectly.
    – raphael75
    Commented Apr 7, 2017 at 12:31
  • Method 1 is highly discouraged as it is a serious security breach imho
    Commented Jan 13, 2020 at 9:35
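The Method 2 steps above are done by hand with cat and a paste, which is where two common mistakes creep in: the same key ends up appended several times, and ~/.ssh or authorized_keys is left with modes that sshd's StrictModes rejects (sshd then logs "Authentication refused: bad ownership or modes for directory" and the client sees the same "Permission denied (publickey)" as in the question). The script below is an added example, not part of the answer; it installs a public key line on Server B idempotently, enforces 700/600 modes, and refuses anything that is not an OpenSSH public key line (pasting the private key by accident is the classic error). The key line and paths used in it are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the answer): install a public key on the destination
# server the way Method 2 does by hand, but idempotently and with the file
# modes sshd's StrictModes requires (~/.ssh 700, authorized_keys 600).
set -eu

# install_authorized_key PUBKEY_LINE AUTHORIZED_KEYS_PATH
# Appends PUBKEY_LINE to AUTHORIZED_KEYS_PATH unless the same key is already
# present. Returns 0 on success, 1 if PUBKEY_LINE is not a public key line.
install_authorized_key() {
    key_line=$1
    auth_file=$2
    ssh_dir=$(dirname "$auth_file")

    # Accept only OpenSSH public-key formats; refuse a pasted private key or a
    # stray line that would break the file for every key in it.
    case "$key_line" in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*\ *|sk-*\ *) ;;
        *) echo "refusing: not an OpenSSH public key line" >&2; return 1 ;;
    esac

    # Compare on key type + base64 blob only, so a different trailing comment
    # does not produce a duplicate entry.
    key_id=$(printf '%s\n' "$key_line" | awk '{print $1, $2}')

    # umask applies to the rest of the script: new files are private by default.
    umask 077
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_file"
    chmod 600 "$auth_file"

    if awk '{print $1, $2}' "$auth_file" | grep -qxF "$key_id"; then
        echo "key already present in $auth_file" >&2
        return 0
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
}

# count_keys AUTHORIZED_KEYS_PATH: number of key lines in the file.
count_keys() {
    grep -c '^[a-z]' "$1" || true
}
```

Run it on Server B as `install_authorized_key "$(cat serverA_id.pub)" ~/.ssh/authorized_keys`, or pipe the output of `cat ~/.ssh/id_rsa.pub` on Server A straight into it over the connection you already have. If authentication still fails afterwards, `ssh -v` on the client shows which key was offered, and the sshd log on Server B (journalctl -u ssh or /var/log/auth.log) says why it was refused.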

There is a third and, IMHO, the best solution, so-called ssh agent forwarding:

  • on the local machine configure ~/.ssh/config by adding the following section:
Host <ip-or-name-of-A-server>
  ForwardAgent yes
  • I assume on server A and B you have your local ~/.ssh/id_rsa.pub added to each server's ~/.ssh/authorized_keys

While working on server A, your keys can be used in further ssh communication, e.g.:

  • connecting to another server with the ssh client, in this case to server B,
  • scp (secure copy),
  • git - you can pull/push using your local identity to your remote git repositories
  • etc.

To check whether this works:

  • connect to server A
  • check whether there is a socket connection for key exchange by detecting the SSH_AUTH_SOCK env var:
set|grep SSH_AUTH_ # output should be something like this:
SSH_AUTH_SOCK=/tmp/ssh-sEHiRF4hls/agent.12042

Notes:

  • You will also need to ensure that the Security Group has an inbound rule for port 22 (SSH) with your EC2 subnet as the source.
    – weston
    Commented Aug 10, 2018 at 22:47
  • In my opinion, this answer is significantly underestimated.
    – Nulldevice
    Commented Apr 29, 2021 at 20:22
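Agent forwarding keeps the private key off both instances, which is the point of the answer above, but the forwarded socket on server A can be used by anyone with root on A to sign with your keys for as long as you are connected. The practical mitigation is to enable ForwardAgent only for the host that needs it, never under "Host *". The script below is an added example, not part of the answer: it writes such a scoped stanza and provides a check_agent function for server A that distinguishes "nothing was forwarded" from "forwarded but no identities loaded", which the bare SSH_AUTH_SOCK grep does not. The host pattern and config path are placeholders.

```shell
#!/bin/sh
# Added example (not from the answer): scope agent forwarding to one jump host
# and verify from that host that the forwarded agent is usable.
set -eu

# write_forwarding_config CONFIG_PATH HOST_PATTERN
# Appends a stanza that forwards the agent only to HOST_PATTERN and disables it
# for everything else. ssh uses the first match per option, so this stanza must
# precede any existing "Host *" block; intended for a fresh config file.
write_forwarding_config() {
    cfg=$1
    host=$2
    mkdir -p "$(dirname "$cfg")"
    cat >> "$cfg" <<EOF
Host $host
    ForwardAgent yes

Host *
    ForwardAgent no
EOF
    chmod 600 "$cfg"
}

# check_agent: run on server A after logging in.
# Returns 0 if the forwarded agent is reachable and holds at least one key,
#         1 if it is reachable but empty (ssh-add -l exits 1),
#         2 if SSH_AUTH_SOCK is unset or not a socket (nothing was forwarded).
check_agent() {
    sock=${SSH_AUTH_SOCK:-}
    if [ -z "$sock" ] || [ ! -S "$sock" ]; then
        echo "no agent socket: is ForwardAgent set for this host in ~/.ssh/config?" >&2
        return 2
    fi
    ssh-add -l >/dev/null 2>&1 && return 0
    rc=$?
    if [ "$rc" -eq 1 ]; then
        echo "agent reachable but no identities loaded: run ssh-add on your local machine" >&2
        return 1
    fi
    echo "agent socket exists but ssh-add could not talk to it" >&2
    return 2
}
```

For a one-off session the same effect as the stanza is `ssh -A user@serverA`; the config form is preferable because it cannot be forgotten or accidentally widened. If you only need to reach B through A and never need your keys while on A, `ssh -J user@serverA user@serverB` (ProxyJump) tunnels the connection through A without exposing the agent there at all.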

A new AWS solution for the problem.

EC2 Instance Connect

Here's a blog post for the same:

AWS Blog

Please note:

The SSH public keys are only available for one-time use for 60 seconds in the instance metadata. To connect to the instance successfully, you must connect using SSH within this time window. Because the keys expire, there is no need to track or manage these keys directly, as you did previously.
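
The 60-second window quoted above is what shapes the client side of EC2 Instance Connect: generate a key, push the public half, and ssh immediately. The script below is an added example, not part of the answer or of AWS's own tooling; it wraps that sequence with an ephemeral ed25519 key that is deleted when the function returns. The instance id, OS user and host are placeholders supplied by the caller, the caller's AWS credentials need the ec2-instance-connect:SendSSHPublicKey permission, the instance needs the EC2 Instance Connect package installed, and the security group must still allow port 22 from the client. EIC_DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the answer): EC2 Instance Connect from the CLI with a
# throwaway key. The pushed public key is valid for 60 seconds, so ssh follows
# the push immediately.
set -eu

# run CMD...: execute CMD, or just echo it when EIC_DRY_RUN is set.
run() {
    if [ -n "${EIC_DRY_RUN:-}" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# eic_ssh INSTANCE_ID OS_USER HOST [extra ssh args...]
# Returns 2 on bad usage; otherwise the exit status of ssh.
eic_ssh() {
    if [ $# -lt 3 ]; then
        echo "usage: eic_ssh INSTANCE_ID OS_USER HOST [ssh args]" >&2
        return 2
    fi
    instance=$1; osuser=$2; host=$3; shift 3

    keydir=$(mktemp -d)
    # Ephemeral key pair: never reused, removed when the function returns.
    run ssh-keygen -q -t ed25519 -N '' -f "$keydir/eic"

    # Push the public half into the instance metadata; accepted for 60 seconds.
    run aws ec2-instance-connect send-ssh-public-key \
        --instance-id "$instance" \
        --instance-os-user "$osuser" \
        --ssh-public-key "file://$keydir/eic.pub"

    # IdentitiesOnly stops ssh from offering unrelated keys first and eating
    # into the window with failed attempts.
    rc=0
    run ssh -o IdentitiesOnly=yes -i "$keydir/eic" "$@" "$osuser@$host" || rc=$?
    rm -rf "$keydir"
    return $rc
}
```

Because nothing persists on the instance, there is no authorized_keys to manage and the IAM policy on SendSSHPublicKey, plus CloudTrail, becomes the access record; that is the management difference from Method 2 above.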
