Amazon Web Service (AWS) VPC private subnet instance 'Permission denied (publickey).' - ssh from osx

0

I’m connecting to an Amazon Web Service (AWS) EC2 instance in a virtual private server’s private subnet via a NAT instance and getting the following error:




Permission denied (publickey)




This happened after I had connected to the NAT and was trying to SSH to the private subnet EC2 instance.



Procedure:





  1. Define the host in ~/.ssh/config with the following:

    Host my_aws_nat
    Hostname xx.xx.xx.xx
    User ec2-user
    IdentityFile /location/of/my/aws/key_pair.pem
    ForwardAgent yes

  2. SSH to the NAT instance via ssh my_aws_nat (which is successful).

  3. SSH to the instance in the private subnet with ssh ec2-user@10.0.X.X, which is when I get the error.



I’m able to ping my private instance from my NAT with ping 10.0.X.X, so I’m fairly sure it’s not a security group issue. It looks like an agent forwarding issue.



Currently the instance I’m connecting to uses the same key pair as the NAT instance (in learning mode).



The other way I’ve tried is to connect to the NAT with:



ssh -A ec2-user@XX.XX.XX.XX -i key_pair.pem


Which again, connects correctly to the NAT but gives the same error when connecting to the private instance.



Do I have to use ssh-agent on Mac OS X?



Or shouldn’t specifying ForwardAgent yes in ~/.ssh/config do the same thing?
migrated from serverfault.com Mar 17 '15 at 23:16


This question came from our site for system and network administrators.
      ssh amazon-ec2 amazon-web-services
edited Mar 17 '15 at 23:23
JakeGould

asked Mar 13 '15 at 19:28
goredwards

2 Answers

0
As per this answer and this guideline,

I needed to add the key_pair.pem to the OSX ssh agent as follows:

ssh-add -K /path/to/key_pair.pem

(in my case it didn't ask for a passphrase)

After this, everything worked fine using both methodologies outlined above.

So to answer the question:

Q: Do I have to use ssh-agent on Mac OS X to log in to a private subnet instance through a NAT/bastion host?
A: YES
edited Apr 13 '17 at 12:14
Community

answered Mar 13 '15 at 23:57
goredwards

0

For me it helped to remove the bastion's (NAT instance's) public key from ~/.ssh/known_hosts.
If the key of the remote bastion host changed (which may happen quite often if you allocate EIPs to new instances) and you additionally have StrictHostKeyChecking no set in your ssh_config, AgentForwarding will be disabled on the bastion host.
You'll also find a warning saying so if you log in to the bastion host. For my part, I've just not read it -.-

So, delete the key and connect again; the current key will be added to the known_hosts file and you'll be able to connect to the instance in the private subnet.

answered Jan 27 at 18:15
mrmeeseeks
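The script below is an added example, not code from the question or either answer: it reads a ~/.ssh/config laid out like the one in the question (a Host block with ForwardAgent yes for the NAT instance) and flags the combination the second answer describes, ForwardAgent yes on the bastion hop together with StrictHostKeyChecking no, which lets a changed bastion host key silently disable agent forwarding instead of refusing the connection. The config contents, the host names and the 203.0.113.10 address are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the question or either answer. It reads
# an OpenSSH client config laid out like the question's ~/.ssh/config
# and flags the combination the second answer describes: ForwardAgent
# yes on the bastion hop together with StrictHostKeyChecking no, which
# lets a changed bastion host key silently disable agent forwarding.

# ssh_option CONFIG HOST OPTION: print the effective value of OPTION
# for HOST. As in ssh_config(5) the first value found in a matching
# block wins, and "Host *" matches every host. Negated or wildcard
# patterns other than a bare "*" are not handled (simplifying assumption).
ssh_option() {
  awk -v host="$2" -v opt="$3" '
    /^[ \t]*#/ || NF == 0 { next }             # comments and blanks
    tolower($1) == "host" {                    # new Host block
      inblock = 0
      for (i = 2; i <= NF; i++)
        if ($i == host || $i == "*") inblock = 1
      next
    }
    inblock && tolower($1) == tolower(opt) { print $2; exit }
  ' "$1"
}

# check_bastion_hop CONFIG HOST: return 0 when the hop is configured
# safely, 1 when the agent would be forwarded to a host whose key
# changes are ignored (the case the second answer ran into).
check_bastion_hop() {
  fwd=$(ssh_option "$1" "$2" ForwardAgent)
  strict=$(ssh_option "$1" "$2" StrictHostKeyChecking)
  if [ "$fwd" = "yes" ] && [ "$strict" = "no" ]; then
    echo "WARN: $2 forwards the agent but ignores host key changes;" \
         "a changed bastion key will silently disable forwarding" >&2
    return 1
  fi
  return 0
}

# write_sample_config FILE: constructed sample mirroring the question's
# bastion entry (203.0.113.10 is a documentation address) plus the
# risky global default.
write_sample_config() {
  cat > "$1" <<'EOF'
Host my_aws_nat
  Hostname 203.0.113.10
  User ec2-user
  IdentityFile ~/.ssh/key_pair.pem
  ForwardAgent yes

Host *
  StrictHostKeyChecking no
EOF
}

# Usage: sh check_hop.sh ~/.ssh/config my_aws_nat
if [ "$#" -eq 2 ]; then
  check_bastion_hop "$1" "$2"
fi
```

A zero exit status means the hop is safe to use with agent forwarding; a warning on stderr means a changed bastion key would be accepted silently and forwarding would stop working, exactly the failure the second answer describes.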