How do I use a bastion host to securely connect to my EC2 Linux instance in a private subnet?

Short description

EC2 Linux instances use SSH key-pair files as the default authentication method. Key-pair files eliminate the need for SSH usernames and passwords. To maintain a secure environment, never store private keys on the bastion host. To connect using a bastion host, use ssh-agent forwarding on the client. The ssh-agent allows an administrator to connect from the bastion to another instance without storing the private key on the bastion.

Resolution

Prerequisites

• The bastion host must be present in the VPC's public subnet so that you can access the host over the internet.
• Configure the private Linux instance's security group to accept SSH connections only from the bastion host.
• Configure the bastion host's security group to allow SSH connections (TCP/22) from only known and trusted IP addresses.

Configure ssh-agent forwarding on a macOS or Linux client

Note: The openssh-clients package is installed by default on most Linux and macOS distributions and contains ssh-agent.

1.    Run the following command to start the ssh-agent in the background. The ssh-agent stores your SSH keys in memory.

#  eval $(ssh-agent)

2.    Run the following command to add the SSH key to the ssh-agent:

# ssh-add "/path/to/key.pem"

3.    Run the following command to verify that the keys are added to the ssh-agent:

# ssh-add -l

4.    Run the following command to connect to the bastion host. In the following command, replace User and Bastion_Host_****IP_address with the correct values for your use case.

# ssh -A User@Bastion_Host_IP_Address

Note: Make sure that you include the -A flag in the preceding command. If you don't add the -A flag, then ssh-agent forwarding won't work because the keys aren't added to memory. After adding the SSH keys to memory, you don't have to specify the SSH key itself using the -i flag. This is because SSH automatically attempts to use all of the SSH keys that are saved in ssh-agent.

5.    After connecting to the bastion host, run the following command to connect to the private Linux instance. In the following command, replace User and Private_instance_IP_address with the correct values for your use case.

# ssh User@Private_instance_IP_address

If the matching private key for the private instance is loaded into ssh-agent, then the connection succeeds.

Configure ssh-agent forwarding on a Windows client

You can connect to Linux VPC instances from Windows using PuTTY (a free SSH client for Windows). To get SSH agent functionality, use Pageant (an SSH authentication agent). Pageant holds your private keys in memory. When Pageant is installed, you can use the agent forwarding option in PuTTY to connect to instances in private subnets.

1.    Download and install PuTTY and Pageant from the PuTTY download page.

2.    PuTTY doesn't natively support the PEM format for SSH keys. To connect to your instance using PuTTY, use PuTTYgen to convert your private key from the PEM format to the PuTTY format. PuTTYgen is available from the PuTTY download page. For more information, see Convert your private key using PuTTYgen.

3.    Open Pageant and add the private keys. To import the PuTTY-formatted key into Pageant, launch the Pageant application from the Start menu. By default, Pageant opens minimized in the system tray.

Note: If the Pageant icon isn't visible in the system tray, then use the taskbar settings to add it. For more information, see Customize the taskbar notification area on the support.microsoft.com website

4.    To add your SSH keys, right-click on the Pageant icon in the system tray, and then choose Add Key. To view the added key, right-click on the Pageant icon in the system tray, and then choose View Keys.

5.    Complete the following steps to start a PuTTY SSH session and turn on Allow agent forwarding:

• From the Start menu, choose All Programs, PuTTY, PuTTY.
• In the Category pane, choose Session.
• In the Host Name field, do one of the following:
  To connect using your instance's public DNS name, enter user-name@instance-public-dns.
  To connect using your instance's IPv4 address, enter user-name@instance-IPv4-address.
• Select Connection type, SSH, and make sure that the Port value is 22.
• In the Category pane, expand Connection, SSH, and then select Auth.
• Choose Allow agent forwarding.
• Choose Open.

6.    You can connect from the bastion to any instance in the VPC without having the SSH private key on the bastion. Use the following command to connect to other instances. In the following command, replace User and Private_instance_IP_address with the correct values for your use case.

# ssh User@Private_instance_IP_address

If the matching private key for the private instance is loaded into Pageant, then the connection succeeds.