I want to use a bastion host to connect to my Amazon Elastic Compute Cloud (Amazon EC2) Linux instance that runs in a private subnet.
Short description
EC2 Linux instances use SSH key-pair files instead of SSH usernames and passwords as the default authentication method. To connect through a bastion host, use ssh-agent forwarding on the client. With agent forwarding, an administrator can connect from the bastion to another instance without a private key ever being stored on the bastion.
By default, most Linux and macOS distributions include the openssh-clients package that contains ssh-agent. For Windows distributions, use PuTTY to connect to Linux instances, and Pageant to manage private keys. After you install Pageant, you can use the agent forwarding option in PuTTY to connect to instances in private subnets.
Important: To maintain a secure environment, never store private keys on the bastion host.
Resolution
Note: The ssh-agent runs in memory, so you must repeat the following steps each time that you open a new terminal session or restart your computer.
Prerequisites: Make sure that your configuration has the following settings:
- The bastion host is in the public subnet of the virtual private cloud (VPC).
- The security group of the instance in the private subnet allows SSH connections only from the bastion host.
- The bastion host's security group allows SSH connections on port TCP/22 from only known and trusted IP addresses.
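As an added example that is not part of the AWS article, the following Python check tests the two security-group prerequisites above against data shaped like the EC2 DescribeSecurityGroups response. The group IDs, the trusted CIDR and the sample groups are constructed; in practice you would pass the "SecurityGroups" list returned by boto3's describe_security_groups() instead.

```python
from ipaddress import ip_network

# Constructed sample IDs and trusted source range (TEST-NET-3); replace with your own.
BASTION_SG, PRIVATE_SG = "sg-0bastion000000001", "sg-0private000000002"
TRUSTED_CIDRS = ["203.0.113.0/24"]

# Constructed sample shaped like ec2.describe_security_groups()["SecurityGroups"]
SAMPLE_GROUPS = [
    {"GroupId": BASTION_SG, "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "UserIdGroupPairs": []}]},
    {"GroupId": PRIVATE_SG, "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": BASTION_SG}]}]},
]

def ssh_rules(group):
    """Yield ingress rules that cover TCP/22, including "all traffic" (-1) rules."""
    for rule in group.get("IpPermissions", []):
        proto = rule.get("IpProtocol")
        if proto == "-1" or (proto == "tcp" and
                             rule.get("FromPort", 0) <= 22 <= rule.get("ToPort", 65535)):
            yield rule

def check_private_sg(group, bastion_sg):
    """Private instance: SSH only from the bastion's security group, never from a CIDR."""
    findings = []
    for rule in ssh_rules(group):
        for r in rule.get("IpRanges", []) + rule.get("Ipv6Ranges", []):
            findings.append(f"{group['GroupId']}: SSH open to CIDR {r.get('CidrIp') or r.get('CidrIpv6')}")
        for pair in rule.get("UserIdGroupPairs", []):
            if pair.get("GroupId") != bastion_sg:
                findings.append(f"{group['GroupId']}: SSH allowed from non-bastion group {pair.get('GroupId')}")
    return findings

def check_bastion_sg(group, trusted_cidrs):
    """Bastion: every SSH source CIDR must fall inside a known, trusted range."""
    trusted = [ip_network(c) for c in trusted_cidrs]
    findings = []
    for rule in ssh_rules(group):
        for r in rule.get("IpRanges", []) + rule.get("Ipv6Ranges", []):
            net = ip_network(r.get("CidrIp") or r.get("CidrIpv6"))
            if not any(t.version == net.version and net.subnet_of(t) for t in trusted):
                findings.append(f"{group['GroupId']}: SSH open to untrusted CIDR {net}")
    return findings

def audit(groups, bastion_sg, private_sg, trusted_cidrs):
    """Return all findings; an empty list means both prerequisites hold."""
    by_id = {g["GroupId"]: g for g in groups}
    return (check_bastion_sg(by_id[bastion_sg], trusted_cidrs)
            + check_private_sg(by_id[private_sg], bastion_sg))
```

Running audit() on the sample returns an empty list; a rule that opens port 22 (or all traffic) to 0.0.0.0/0 on either group produces a finding naming the group and the offending source.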
Configure ssh-agent forwarding on a macOS or Linux client
Complete the following steps:
- Run the following command to start the ssh-agent in the background:
eval $(ssh-agent)
- Run the following command to add the SSH key to the ssh-agent:
ssh-add "/path/to/key.pem"
Note: Replace /path/to/key.pem with the path to the .pem file on your local machine. The ssh-agent stores your SSH key in memory.
- Run the following command to validate that the ssh-agent stored the key:
ssh-add -l
Note: Verify that the key appears in the output.
Example output:
# 2048 SHA256:abc123... /home/user/.ssh/my-key.pem (RSA)
- Run the following command to connect to the bastion host with ssh-agent forwarding activated:
ssh -A User@Bastion_Host_IP_Address
Note: Replace User with your username and Bastion_Host_IP_Address with the IP address of your bastion host. To view the default username for your Amazon Machine Image (AMI), see Default usernames. To use ssh-agent forwarding, use the -A flag instead of the -i flag. With ssh-agent, SSH automatically uses the keys that are loaded in memory, so you don't pass a key file on the command line.
- From the bastion host, run the following command to connect to the private Linux instance:
ssh User@Private_instance_IP_address
Note: Replace User with your username and Private_instance_IP_address with the IP address of your instance.
Configure agent forwarding on a Windows client
Complete the following steps:
- Download and install PuTTY, Pageant, and PuTTYgen. To download the tools, see Download PuTTY on the PuTTY website.
- To use PuTTY to connect to your instance, use PuTTYgen to convert your private key from the PEM format to the PuTTY format.
Note: PuTTY can't use the PEM format for SSH keys.
- Choose the Start menu, and then open Pageant.
Note: By default, Pageant opens minimized in the system tray. If the Pageant icon doesn't appear in the system tray, then use the taskbar settings to add it. For instructions, see Customize the taskbar in Windows on the Microsoft website.
- To add your SSH keys, open the context (right-click) menu for the Pageant icon, and then select Add Key. Then, navigate to your private key.
Note: To view the added key, open the context (right-click) menu for the Pageant icon, and then select View Keys.
- Choose the Start menu, and then open All Programs.
- Choose PuTTY, and then choose PuTTY.
- Under Category, choose Session.
- For Host Name, enter user-name@instance-public-dns to connect to your instance's public DNS name. Or, enter user-name@instance-IPv4-address to connect to your instance's IPv4 address.
Note: Replace user-name with your username, instance-public-dns with your instance's public DNS, and instance-IPv4-address with your instance's IPv4 address.
- Configure the values for Connection type and SSH based on your requirements. For Port, enter 22.
- Under Category, expand Connection.
- Choose SSH, and then select Auth.
- Choose Allow agent forwarding.
- Choose Open.
- From the bastion host, run the following command to connect to the private instance:
ssh User@Private_instance_IP_address
Note: Replace User with your username and Private_instance_IP_address with the IP address of your instance.