How to SSH EC2 instance with ssh-agent along with SSH agent forwarding to SSH private instances in VPC?

          Image Source: atulhost.com and modified by me

      

Hi,


I have taken this post from AWS Blog, and this very important to SSH into your VM using ssh-agent and SSH forwarding for EC2 private instance to SSH without storing the private key securely in Windows, Mac, and Linux. 

So, I want you to using this as this is very important as per security reasons.


Configuring ssh-agent

The first step in using SSH agent forwarding with EC2 instances is to configure a bastion in your VPC. We suggest that the instance you use for your bastion be purpose-built and that you use it only as a bastion and not for anything else. The bastion should also be set up with a security group that’s configured to listen only on the SSH port (TCP/22). 

Always remember the following when configuring your bastion:

  • Never place your SSH private keys on the bastion instance. Instead, use SSH agent forwarding to connect first to the bastion and from there to other instances in private subnets. This lets you keep your SSH private key just on your computer.
  • Configure the security group on the bastion to allow SSH connections (TCP/22) only from known and trusted IP addresses.
  • Always have more than one bastion. You should have a bastion in each availability zone (AZ) where your instances are. If your deployment takes advantage of a VPC VPN, also have a bastion on premises.
  • Configure Linux instances in your VPC to accept SSH connections only from bastion instances.

Configuring ssh-agent on a Mac

For Mac users, ssh-agent is already installed as part of the OS. You can add your private keys to the keychain application by using the ssh-add command with the -K option and the .pem file for the key, as shown in the following example. The agent prompts you for your passphrase if there is one, and stores the private key in memory and the passphrase in your keychain.


ssh-add -K myPrivateKey.pem
Enter passphrase for myPrivateKey.pem:
Passphrase stored in keychain: myPrivateKey.pem
Identity added: myPrivateKey.pem (myPrivateKey.pem)

Adding the key to the agent lets you use SSH to connect to an instance without having to use the –i <keyfile> option when you connect. 


To verify the keys available to ssh-agent, run the following command -

ssh-add -L

OR

ssh-add -l
Remove all Identities
ssh-add -D
To Remove specific identity
ssh-add -D <ssh key path>

After the key is added to your keychain, you can connect to the bastion instance with SSH using the –A option. This option enables SSH agent forwarding and lets the local SSH agent respond to a public-key challenge when you use SSH to connect from the bastion to a target instance in your VPC.

For example, to connect to an instance in a private subnet, enter the following command to enable SSH agent forwarding using the bastion instance:

ssh -A user@<bastion-IP-address>

When you first connect to the instance, you should verify that the RSA key fingerprint that the bastion presents matches what is displayed in the instance’s console output. 

After you’re connected to the bastion instance, use SSH to connect to a specific instance using a command like this:

ssh user@private-instance-ip>

Note that ssh-agent does not know which key it should use for a given SSH connection. Therefore, ssh-agent will sequentially try all the keys that are loaded in the agent. Because instances terminate the connection after five failed connection attempts, make sure that the agent has five or fewer keys. Because each administrator should have only a single key, this is rarely a problem for most deployments. For details about how to manage the keys in ssh-agent, use the man ssh-agentcommand.


Configuring ssh-agent on Linux distribution

ssh-add myPrivateKey.pem


For SSH agent forwarding, we will use the same command as macOSX

ssh -A user@<bastion-IP-address>


Configuring ssh-agent on Windows

In Windows, you can connect to Linux VPC instances using PuTTY. To get SSH agent functionality, you can use Pageant, which is available from the PuTTY download page. When Pageant is installed, you can use the agent forwarding option in PuTTY to connect to instances in private subnets.

To use Pageant, you need to convert your private key from PEM format to PuTTY format using PuTTYGen (available from the PuTTY download page). In PuTTYGen, choose Conversions > Import Key and select your PEM-formatted private key. Enter a passphrase and then click Save private key, as shown in the following screenshot. Save the key as a .ppk file.


Image of saving the private key

After you convert the private key, open Pageant, which runs as a Windows service. To import the PuTTY-formatted key into Pageant, double-click the Pageant icon in the notification area and then click Add Key. When you select the .ppk file, you’re prompted to enter the passphrase you chose when you converted the key, as shown in the following screenshot.

Screenshot of typing the passphrase


After you add the key, close the Pageant Key List window.

Finally, when you are configuring the connections for SSH in PuTTY, check the Allow agent forwarding box and leave the Private key file for authentication field empty.

When you use PuTTY to connect to the public IP address of your bastion, you will see that the Pageant PuTTY component provides the SSH key for authentication, as shown in the following screenshot.


Screenshot of the Pageant PuTTY component providing the SSH key for authentication

With agent forwarding enabled in the PuTTY configuration, you can connect from the bastion to any other instance in the VPC without having the SSH private key on the bastion. To connect to other instances, use the following command:

ssh user@<instance-IP-address>

As long as the matching private key for the instance is loaded into Pageant, the connection will be successful, as shown in the following screenshot.


Screenshot of a successful connection


Conclusion

Using this information on how to configure bastions in front of Linux instances in a VPC, you now have additional tools to help improve the security of your EC2 instances by closing off Internet access to their management ports.


Blog credit: aws.amazon.com/blog

Popular posts from this blog

How to Convert PEM KeyFile into PPK KeyFile and vice versa?

Image
Hi, In this post, we will learn that how can we convert PEM KeyFile into PPK KeyFile and vice versa including the installation of the tool which we will use to accomplish this. For the Windows Operating System In Windows system is easy and straight forward. You just need a tool called "puttygen.exe" from the URL -  https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html Choose the appropriate version as per your OS. Convert PEM into PPK in Windows After downloading the PuTTYgen and open it, load your file (select All Files (*.*) in the bottom dropdown to select your PEM key file).  You will get a message Successfully imported foreign key, Just click OK, Now click on Save private key button to save that key in the location where do you want to save it. Convert PPK into PEM in Windows Now we will convert PPK file into PEM using PuTTYgen in Windows PC Open the PuTTYgen tool, now load your PPK file into it, and finally, Go to Conversions Menu and Click on Export OpenSSH k
Read more

How to transfer Google Cloud Storage One account data to Google Cloud another account?

Image
                                                          Image Source: infiflex.com Step 1: Go to the account where storage bucket are resides. Select the Select the Bucket, you want to transfer data and Click on SHOW INFO PANEL on the Top Right. Step 2: Under PERMISSIONS click on Add members. Now type the email id of the another account where you want to transfer all of your files in New Members Box. Select Role Storage > Storage Admin. Step 3: Now, Go to second account, Go to your storage bucket and select and repeat the last steps but this time email id will be the 1st account email id. All Set. Step 4: Finally Go to First account open the Google Cloud Shell and run the following command - gsutil -m cp -r gs://SOURCE-BUCKET-NAME /* gs://DESTINATION-BUCKET-NAME /
Read more

MySQL Commands, Administration, Backup, Restore

Image
  SOURCE : STACKOVERFLOW  To export If it’s an entire DB, then:  mysqldump -u [uname] -p[pass] db_name > db_backup.sql If it’s all DBs, then:  mysqldump -u [uname] -p[pass] --all-databases > all_db_backup.sql If it’s specific tables within a DB, then:  mysqldump -u [uname] -p[pass] db_name table1 table2 > table_backup.sql You can even go as far as auto-compressing the output using gzip (if your DB is very big):  mysqldump -u [uname] -p[pass] db_name | gzip > db_backup.sql.gz If you want to do this remotely and you have the access to the server in question, then the following would work (presuming the MySQL server is on port 3306):  mysqldump -P 3306 -h [ip_address] -u [uname] -p[pass] db_name > db_backup.sql To import Type the following command to import sql data file:  mysql -u username -p -h localhost DATA-BASE-NAME < data.sql In this example, import ‘data.sql’ file into ‘blog’ database using sat as username:  mysql -u sat -p -h localhost blog < data.sql If you h
Read more