Allowing users to SSH into EC2 Linux Instance with key pairs - linux

I created a new EC2 Amazon Linux instance. I want to allow a developer to SSH into the EC2 instance. To test this, I'm trying it from my Windows computer. I have followed the instructions in the link below but I can't get SSH (PuTTY) to connect using the key pair I'm generating.
I'm following the instructions here as reference
and here
After logging into EC2 as ec2-user using FireSSH and the pem generated by AWS, I use SSH to run the following commands to create a new user, .ssh directory, and permissions.
[ec2-user ~]$ sudo adduser newuser
[ec2-user ~]$ sudo su - newuser
[newuser ~]$ mkdir .ssh
[newuser ~]$ touch .ssh/authorized_keys
[newuser ~]$ chmod 600 .ssh/authorized_keys
[newuser ~]$ vim .ssh/authorized_keys
Then I paste a public key into authorized_keys using vim. I will explain where I get the public key in the next step.
ssh-rsaAAAAB3NzaC1yc2EAAAADAQABAAABAQClKsfkNkuS ....
To create the public key which I pasted in the previous step I followed the steps in this reference starting at "Generating an SSH Key"
I copied the public key from PuTTYgen, which is shown in the box labeled "Public key for pasting into OpenSSH authorized_keys". Then I pasted that into the .ssh/authorized_keys file on my EC2 instance in the newuser directory.
I log out of the SSH client on EC2. Then I try to log in with PuTTY using the newly created private key on my Windows machine. I use the newuser login name. I get this error in PuTTY: server refused our key. There is also a dialog box that says Disconnected: No supported authentication methods available (server sent: publickey)
What am I doing wrong in these steps?

I did two things differently and it works now. It's probably the number of bits that made it work.
I generated a new key pair using PuTTYgen but I specified SSH-2 RSA with 1024 bits instead of the default that PuTTYgen was putting in, which was like 2048.
When I logged back into EC2 with my SSH I pasted the public key using nano instead of vim.

Always use the ec2-import-keypair feature to verify whether a key pair is good for an EC2 instance. If the import works, then it is good; otherwise, regenerate a compliant key pair. If you simply copy a key pair that is not compliant, you will run into trouble.
Here is the document for import key pair:
OpenSSH public key format (the format in ~/.ssh/authorized_keys)
Base64 encoded DER format
SSH public key file format as specified in RFC4716
DSA keys are not supported. Make sure your key generator is set up to create RSA keys.
Supported lengths: 1024, 2048, and 4096.

Related

OpenSSH SSH-2 private key (old PEM format) on Azure Linux VM

I've been using PuTTYgen to generate SSH key pairs for Azure Linux VMs.
Recently I found that OpenSSH is available on Windows 10 and I can use the "ssh-keygen" command in the Windows 10 CMD to generate a private and public key.
I've tried this, but without success.
As per the article (click here), we are asked to use the command below, and it completes successfully. It exports the private and public key to a location. But when I load the private key in PuTTY and connect to my server it throws this error:
Unable to use key file "C:\publickey\id_rsa.ppk" (OpenSSH SSH-2 private key (old PEM format))
login as:
Below is the command which I used to generate key pairs on Windows 10:
C:\Users\xxx>ssh-keygen -t rsa -b 2048 -C "azureuser@vm"
Generating public/private rsa key pair.
Enter file in which to save the key (C:\Users\xxx/.ssh/id_rsa): C:\publickey\id_rsa.ppk
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in C:\publickey\id_rsa.ppk.
Your public key has been saved in C:\publickey\id_rsa.ppk.pub.
The key fingerprint is:
Has anyone tried this method on Windows 10 to generate keys?
You've used ssh-keygen to create a private key file called id_rsa.ppk. However, this is an OpenSSH-format private key and needs to be converted to PuTTY's own format to use in PuTTY.
Your options are:
Use this key with command-line SSH (it's in the correct format). You can either:
specify the file on the command line, e.g. ssh -i id_rsa.ppk azureuser@vm
make a folder C:\Users\Aquib\.ssh and move it there as C:\Users\Aquib\.ssh\id_rsa (no extension): ssh will now load this file by default to use for all servers that you try to connect to
if you don't want to use this for all servers, or e.g. if you already have a default id_rsa that you use with git, you can set up a C:\Users\Aquib\.ssh\config file that tells SSH where to find the key and which servers it should use it for.
Convert this file into the right format to use with PuTTY:
In PuTTYgen, in the 'Conversions' menu choose 'Import' and load id_rsa.ppk
'Save private key' to a different file
Use this new file with PuTTY, either in the connection properties menu or run Pageant (the PuTTY key agent) and 'Add key' the new file. (You can e.g. create a shortcut to Pageant in your Startup menu and give it the key file name as a command-line parameter so this is loaded automatically for you.)
For Linux (for example Ubuntu) you can install the command line puttygen like this:
# sudo apt install putty-tools
... and convert your local ssh key id_rsa to the PuTTY version id_rsa.ppk like this:
# puttygen id_rsa -O private -o id_rsa.ppk

SFTP RSA authentication in Azure VM

Requirement: Connecting to an SFTP server from local Windows machines using WinSCP with keys
Technical: I have an Azure VM (Windows Server 2012 R2) in which Cygwin64 is installed for SFTP.
I want to connect to the SFTP server using RSA authentication, i.e. using keys.
I have edited the sshd_config file for RSA authentication. In the cygwin64 folder I have also created a .ssh folder and under that an Authorized_keys file.
From my local machine using PuTTY I have generated public and private keys, and this public key I have entered in the Authorized keys file, but when I am trying to connect with that private key it is saying "Server refused our key"
> I have entered in Authorized keys file but when I am trying to connect with that Private key it is saying "Server refused our key"
If you see this type of message, the first thing you should do is check your server configuration carefully. Common errors include having the wrong permissions or ownership set on the public key or the user’s home directory on the server.
Maybe you can follow these steps to set up Cygwin to authenticate with a private key:
1. Install Cygwin (OpenSSH and cygrunsrv)
2. Configure sshd with this command: ssh-host-config -y
3. Start the SSHD service with this command: cygrunsrv --start sshd
4. Add your public key to authorized_keys (we can copy the public key to this file):
jason@jasonvm ~/.ssh
$ ls -a
. .. authorized_keys id_rsa id_rsa.pub id_rsa1 known_hosts
$ cat authorized_keys
ssh-rsa AAAAB3Nxxx.......xxxxzaAVbeVFw==
jason@jasonvm ~/.ssh
$ pwd
/home/jason/.ssh
By the way, if you can't find this directory, you can use the ssh-keygen.exe command to create the directory /home/user/.ssh; if you can't find the file authorized_keys, create it and run this command: chmod 600 authorized_keys
After that, we can use another Linux VM to SSH or SFTP into this VM (we should open port 22 in the Azure NSG inbound rules).
If you want to use WinSCP to log in to this VM, we should convert the private key to .ppk. In this way, we can use this key to log in to this SFTP server.
Note:
We can use WinSCP to convert .key to .ppk.
For a test, you may try to use PuTTY to log in to the Azure VM with your private key, to make sure you are using the right private key and public key.
Update:
We can add open ssh and sftp like this:

Define a set keyfile for Ubuntu to use when SSHing into a server

I have two Amazon EC2 Ubuntu instances. When I connect to one of them, I can do
ssh ubuntu@54.123.4.56
and the shell uses the correct keyfile from my ~/.ssh directory.
I just set up a new instance, and I'm trying to figure out how to replicate that behavior for this new one. It's a minor thing, just driving me nuts. When I log in with:
ssh -i ~/.ssh/mykey.pem ubuntu@54.987.6.54
it works fine, but with just
ssh ubuntu@54.987.6.54
I get:
Permission denied (publickey).
I have no idea how I managed to get it to work this way for the first server, but I'd like to be able to run ssh into the second server without the "-i abc.pem" argument. Permissions are 600:
-r-------- 1 mdexter mdexter 1692 Nov 11 20:40 abc.pem
What I have tried: I copied the public key from authorized_keys on the remote server and pasted it into authorized_keys on the local server, with mdexter@172.12.34.56 (private key), because I thought that might be what created the association in the shell between that key and that server.
The only difference I can recall between how I set up the two servers is that with the first, I created a .ppk key in PuTTy so that I could connect through FileZilla for SFTP. But I think SSH is still utilizing the .pem given by Amazon.
How can I tell the shell to just know to always use my .pem key for that server when SSHing into that particular IP? It's trivial, but I'm trying to strengthen my (rudimentary) understanding of public/private keys and I'm wondering if this plays into that.
You could solve this in 3 ways:
1. By placing the contents of your ~/.ssh/mykey.pem into ~/.ssh/id_rsa on the machine from which you are ssh'ing into the 2nd instance. Make sure you also change the permissions of ~/.ssh/id_rsa to 600.
2. Using ssh-agent (ssh-agent will manage the keys for you):
Start ssh-agent:
eval `ssh-agent -s`
Add the key to ssh-agent using ssh-add:
ssh-add mykey.pem
3. Using the ssh config file:
From the machine where you are trying to ssh, keep the following contents in the ~/.ssh/config file (make sure to give this file 600 permissions):
Host host2
HostName 54.987.6.54
Port 22
User ubuntu
IdentityFile ~/.ssh/mykey.pem
Once you do that, you can ssh like this:
ssh host2
After performing any of the above steps you should be able to ssh into your second instance without specifying the key path.
Note: The second option requires you to add the key using ssh-add every time you log out and log back in; to make that permanent, see this SO question.

Using git over ssh won't pick up private key

My main development box uses Linux Mint.
When I am physically at the computer I can do remote operations like git fetch with no problem.
The user I log in as is "jonbri".
> whoami
jonbri
In ~/.ssh (/home/jonbri/.ssh) is my private key (/home/jonbri/.ssh/jonbri) and public key (/home/jonbri/.ssh/jonbri.pub).
But when I am at another computer, for example another Linux Mint computer, and on the command line I open an ssh remote shell to my main computer, when I try operations such as git fetch it looks like the keys in ~/.ssh are not being picked up.
Here's what I see (with pwd being the root of the git repo):
> git fetch
Password:
Then, no matter which password I enter, it doesn't work.
To enable the ability to open a remote ssh shell I used apt-get to install open-ssh-server and open-ssh-client.
Any ideas why my keys aren't being picked up when inside a remote ssh shell?
SSH is likely expecting the standard names of id_dsa for your private key and id_dsa.pub for your public key.
From the github documentation:
Check the directory listing to see if you already have a public SSH key.
The default public key file names are:
id_dsa.pub
id_ecdsa.pub
id_ed25519.pub
id_rsa.pub

connecting to amazon aws linux server by ssh on mac

I created a new keypair and downloaded it to my Mac, then set up a new Amazon Linux AMI server with that keypair and my security group. Now I need to put the keypair .pem file that I downloaded in a .ssh folder in my user folder? I am unable to create a folder called ".ssh", however, because of the name.
Where do I put the keypair on my Mac? And what chmods or other commands are then needed to connect to the server from my Linux bash? I know "ssh my public DNS", but what other permissions or anything else should I be aware of? It's a newbie question. Thanks.
You'll want to put the keypair in {your home directory}/.ssh . If that folder doesn't exist, create it. Once you put the keypair in there you have to change the permissions on the file so only your user can read it.
Launch the terminal and type
chmod 600 $HOME/.ssh/<your keypair file>
That limits access to the file, and then to limit access to the folder type
chmod 700 $HOME/.ssh
You have to limit the access because OpenSSH won't let you use a key that others can view.
Then to log into your instance, from the terminal you would enter
ssh -i <your home directory>/.ssh/<your keypair file> ec2-user@<ec2 hostname>
You can also create a file ~/.ssh/config,
chmod it 644,
then inside you can add something like this:
host mybox-root
Hostname [the IP or dns name]
User root
IdentityFile ~/.ssh/[your keypair here]
Then you can just do
$ ssh mybox-root
and you'll log in more easily.
You can use Java MindTerm to connect to your EC2 server on a MacBook Pro. It works for me. Here are more details and step-by-step instructions.
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AccessingInstancesLinux.html
http://www.openssh.com/ is the suggested one on http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-connect-to-instance-linux.html#using-ssh-client (option 3)
Someone was asking about Macs: an easy way to create the ~/.ssh folder is to run the command ssh-keygen, then use the following setup ...
A.
macbook-air$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/sam/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/sam/.ssh/id_rsa.
Your public key has been saved in /Users/sam/.ssh/id_rsa.pub.
B. Then create:
touch ~/.ssh/authorized_keys
C. Fix the permissions:
chmod 600 ~/.ssh/authorized_keys
D. Copy AWS Key to that file:
cp AWS_key.text ~sam/.ssh/authorized_keys
#You would have saved this SSH key earlier when creating the EC2 instance
E. Then test the ssh to the AWS Linux server - you will see this error:
ssh -i ./authorized_keys root@ec2-54-76-176-29.ap-southeast-2.compute.amazonaws.com
Please login as the user "ec2-user" rather than the user "root".
F. Retry that and it should work with the allowed AWS user "ec2-user":
ssh -i ./authorized_keys ec2-user@ec2-54-76-176-29.ap-southeast-2.compute.amazonaws.com
       __|  __|_  )
       _|  (     /   Amazon Linux AMI
      ___|\___|___|
https://aws.amazon.com/amazon-linux-ami/2014.09-release-notes/
9 package(s) needed for security, out of 12 available
Run "sudo yum update" to apply all updates.
Hope this helps, all the best.