Why can't I ssh to an instance, given that SG and NACL are open?

0

I created an instance but cannot ssh to it. This happens with the command exactly as taken from the console, but also with IP address. (I added a verbosity flag See (1) below .) Strangely, debug output shows an attempt to connect to 0.0.0.1.

The key file has permissions (following chmod 400) of -r-------- .

The Security Group is wide open (2) , as is the NACL (3).

(Note: Potentially-identifying IP addresses etc. have been slightly altered for security.)

(1)

% ssh -v 1 -i  "/Users/user1/dev/intercloud/server-inter-cloud-us-east-2.pem" ec2-user@ec2-3-134-169-55.us-east-2.compute.amazonaws.com 
OpenSSH_8.1p1, LibreSSL 2.7.3
debug1: Reading configuration data /Users/user1/.ssh/config
debug1: /Users/user1/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 47: Applying options for *
debug1: Connecting to 0.0.0.1 [0.0.0.1] port 22.
debug1: connect to address 0.0.0.1 port 22: No route to host
ssh: connect to host 0.0.0.1 port 22: No route to host

(2)

Inbound rules
Security group rule ID
sgr-0582e1d030c525c32	22	TCP	0.0.0.0/0	intercloud-sg
sgr-0f72f746d5e765465	5001	TCP	0.0.0.0/0	intercloud-sg
sgr-0cbe2cf01b08f84ba	0 - 65535	TCP	0.0.0.0/0	intercloud-sg
Outbound rules
Security group rule ID
sgr-037e39d86b69f12a8	All	All	0.0.0.0/0	intercloud-sg

(3)

Inbound rules
Rule number	Type	Protocol	Port range	Source	Allow/Deny
100	All traffic	All	All	0.0.0.0/0	Allow
*	All traffic	All	All	0.0.0.0/0	Deny
Outbound rules
Rule number	Type	Protocol	Port range	Destination	Allow/Deny
100	All traffic	All	All	0.0.0.0/0	Allow
*	All traffic	All	All	0.0.0.0/0	Deny
asked 2 years ago, 550 views
9 Answers
1
Accepted Answer

It is because you specified the -v 1 option. The -v option doesn't take a value. You can try ssh -v -i "/Users/user1/dev/intercloud/server-inter-cloud-us-east-2.pem" ec2-user@ec2-3-134-169-55.us-east-2.compute.amazonaws.com.

You can change verbose level by choosing between -v, -vv, -vvv.

answered 2 years ago
reviewed 4 months ago
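To see why `-v 1` sends the connection to 0.0.0.1 rather than to the EC2 host, here is an added Python model of two real behaviours (written for this page; it is not OpenSSH code, and the option subset, the helper names and the constructed argv are assumptions): ssh stops parsing options at the first word that is not an option, so the bare "1" becomes the destination and everything after it becomes the remote command; and the classic inet_aton(3) rules accept a lone number as a whole 32-bit address, so "1" is the address 0.0.0.1 with no DNS lookup at all. Worth noticing from a security angle: whatever answers at the mistaken address is handed your key path and the real target hostname as a command line.

```python
"""Why `ssh -v 1 -i key user@host` ends up connecting to 0.0.0.1.

Added example for this thread; not OpenSSH code. Two behaviours are
re-implemented in simplified form:
  1. getopt-style parsing that stops at the first non-option word; that
     word is the destination, the rest is the remote command. -v takes
     no value, so the bare "1" is that first non-option word.
  2. inet_aton(3): 1 to 4 numeric parts (decimal, 0-octal, 0x-hex), the
     last part filling the remaining bytes, so "1" is 0.0.0.1.
FLAGS / WITH_ARG are a hand-picked subset of ssh(1) options (assumption).
"""
import socket
from typing import List, Optional, Tuple

FLAGS = set("vqCNTA46")      # options that take no value
WITH_ARG = set("ilpoFJbe")   # options that take exactly one value

# The command as posted in the question (constructed argv from the post).
KEY = "/Users/user1/dev/intercloud/server-inter-cloud-us-east-2.pem"
TARGET = "ec2-user@ec2-3-134-169-55.us-east-2.compute.amazonaws.com"
POSTED_ARGV = ["-v", "1", "-i", KEY, TARGET]


def parse_ssh_argv(argv: List[str]) -> Tuple[dict, Optional[str], List[str]]:
    """Return (options, destination, remote_command).

    Flags may be bundled (-vvv); a value may be glued (-ikey) or given as
    the next word (-i key). Parsing stops at the first non-option word.
    """
    opts: dict = {}
    i = 0
    while i < len(argv) and argv[i].startswith("-") and argv[i] not in ("-", "--"):
        letters = argv[i][1:]
        for j, ch in enumerate(letters):
            if ch in FLAGS:
                opts[ch] = opts.get(ch, 0) + 1
            elif ch in WITH_ARG:
                value = letters[j + 1:]
                if not value:                    # value is the next word
                    i += 1
                    if i >= len(argv):
                        raise ValueError(f"option -{ch} requires an argument")
                    value = argv[i]
                opts.setdefault(ch, []).append(value)
                break                            # rest of this token consumed
            else:
                raise ValueError(f"unknown option -{ch}")
        i += 1
    if i < len(argv) and argv[i] == "--":
        i += 1
    if i >= len(argv):
        return opts, None, []
    return opts, argv[i], argv[i + 1:]


def c_number(text: str) -> Optional[int]:
    """Parse one inet_aton part: decimal, leading-0 octal, or 0x hex."""
    if not text or not all(c in "0123456789abcdefABCDEFxX" for c in text):
        return None
    try:
        if text[:2].lower() == "0x":
            return int(text[2:], 16)
        if len(text) > 1 and text[0] == "0":
            return int(text, 8)
        return int(text, 10)
    except ValueError:
        return None


def inet_aton_like(host: str) -> Optional[str]:
    """Dotted quad that inet_aton(3) rules assign to `host`, or None when
    the string is not numeric (it would then go to the resolver)."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    vals = [c_number(p) for p in parts]
    if any(v is None for v in vals):
        return None
    last_bits = 8 * (5 - len(vals))        # bytes left for the last part
    if any(v > 255 for v in vals[:-1]) or vals[-1] >= 1 << last_bits:
        return None
    packed = 0
    for v in vals[:-1]:
        packed = (packed << 8) | v
    packed = (packed << last_bits) | vals[-1]
    return socket.inet_ntoa(packed.to_bytes(4, "big"))


def explain(argv: List[str]) -> Tuple[Optional[str], Optional[str], List[str]]:
    """(destination, address implied without DNS, remote command)."""
    _, dest, command = parse_ssh_argv(argv)
    return dest, (inet_aton_like(dest) if dest else None), command


if __name__ == "__main__":
    print(explain(POSTED_ARGV))                 # ('1', '0.0.0.1', ['-i', KEY, TARGET])
    print(explain(["-v", "-i", KEY, TARGET]))   # (TARGET, None, [])  -> goes to DNS
    print(socket.inet_ntoa(socket.inet_aton("1")))  # cross-check with libc: 0.0.0.1
```

`ssh -G <same arguments>` on a real OpenSSH client prints the effective configuration and exits without connecting, so it is a cheap way to confirm what `hostname` the parser actually picked before you blame the network.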
1

What is the content for ~/.ssh/config? Is the instance located in public subnet with public ip?

answered 2 years ago
1

Here I can see a connection problem, not handshaking or authentication or something that comes later. As I can see, you practically don't reach AWS. Is it possible your computer has some wrong DNS settings? What do you get when you do

nslookup ec2-3-134-169-55.us-east-2.compute.amazonaws.com

The IP definitely shouldn't be 0.0.0.1. Are you pointing to the correct DNS server? Maybe you have some old entries in the /etc/hosts file?

Ognjen
answered 2 years ago
1

This is becoming really intriguing. I got the same answer

W:\>ssh -v 1 -i  "/Users/user1/dev/intercloud/server-inter-cloud-us-east-2.pem" ec2-user@ec2-3-134-169-55.us-east-2.compute.amazonaws.com
Warning: Identity file /Users/user1/dev/intercloud/server-inter-cloud-us-east-2.pem not accessible: No such file or directory.
OpenSSH_for_Windows_7.7p1, LibreSSL 2.6.5
debug1: Connecting to 0.0.0.1 [0.0.0.1] port 22.
debug1: connect to address 0.0.0.1 port 22: Unknown error
ssh: connect to host 0.0.0.1 port 22: Unknown error

Ognjen
answered 2 years ago
0

So you get the same issue (replacing values with your own, of course)?

The previous instances were created from the CLI. I created a new instance, with default settings, from the Console.

I got the same output in trying to connect to it.

answered 2 years ago
  • No, I just copied your line and executed it. The thing is that I can't connect even with telnet to that IP and port. Also, any other attempt at a closed port finishes with the same error message. For me it means your EC2 port 22 is not reachable.

0

Is the instance ... public ip?

Yes. The Console shows a public IP and DNS ec2-3-134-169-55.us-east-2.compute.amazonaws.com

Is the instance .. located in public subnet

Yes, the Routes show (1) that traffic is routed to an Internet Gateway.

What is the content for ~/.ssh/config?

See (2) below. Nothing unusual from what I can see.


(1)

172.31.0.0/16	local
0.0.0.0/0	igw-8557c9ed

(2)

% cat ~/.ssh/config
Host *
 ServerAliveInterval 30
 ServerAliveCountMax 5
 AddKeysToAgent yes
 IdentityFile ~/.ssh/id_ed25519


# Google Compute Engine Section
#
# The following has been auto-generated by "gcloud compute config-ssh"
# to make accessing your Google Compute Engine virtual machines easier.
#
# To remove this blob, run:
#
#   gcloud compute config-ssh --remove
#
# You can also manually remove this blob by deleting everything from
# here until the comment that contains the string "End of Google Compute
# Engine Section".
#
# You should not hand-edit this section, unless you are deleting it.
#
Host instance-1.us-west1-a.user1-proj
   HostName 34.105.77.134
   IdentityFile /Users/user1/.ssh/google_compute_engine
   UserKnownHostsFile=/Users/user1/.ssh/google_compute_known_hosts
   HostKeyAlias=compute.4640298531968040167
   IdentitiesOnly=yes
   CheckHostIP=no

# End of Google Compute Engine Section

answered 2 years ago
0

what you get when you do... nslookup

See (1), which seems to be what we expect.

maybe you have some old entries in /etc/hosts file?

/etc/hosts is quite ordinary (see (2)).

I went to a VM in Google Cloud, uploaded the pem file, and ran the same ssh command. I got similar output with 0.0.0.1. However, this time the error message contains "Invalid argument". See (3).

Also, EC2 Connect fails to connect.

some wrong DNS settings

I have never changed my DNS settings and overall DNS works fine from this computer. The above tests seem to suggest that DNS is not the issue.

(1)

Server:		192.168.1.1
Address:	192.168.1.1#53

Non-authoritative answer:
Name:	ec2-3-134-169-55.us-east-2.compute.amazonaws.com
Address: 3.134.169.55

(2)

% cat /etc/hosts
##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting.  Do not change this entry.
##
127.0.0.1	localhost
255.255.255.255	broadcasthost
::1             localhost
# Added by Docker Desktop
# To allow the same kube context to work on the host and the container:
127.0.0.1 kubernetes.docker.internal
# End of section

(3)

$ ssh -v 1 -i "/home/user1/server-inter-cloud-us-east-2.pem" ec2-userec2-3-134-169-55.us-east-2.compute.amazonaws.com
OpenSSH_7.9p1 Debian-10+deb10u2, OpenSSL 1.1.1d  10 Sep 2019
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 0.0.0.1 [0.0.0.1] port 22.
debug1: connect to address 0.0.0.1 port 22: Invalid argument
answered 2 years ago
0

So you also get that (changing the values to your own, of course)?

The earlier EC2 instances had been launched with the CLI,

So, I launched an EC2 instance from the Console. Same result, including the 0.0.0.1.

answered 2 years ago
0

Good catch! Without the verbosity flag, we get a similar error (1). With maximum verbosity as you described, -vvv, we get a longer error message (2).

(1)

 % ssh -i "/Users/user1/dev/intercloud/server-inter-cloud-us-east-2.pem" ec2-user@ec2-3-134-169-55.us-east-2.compute.amazonaws.com
kex_exchange_identification: read: Connection reset by peer

(2)

% ssh -vvv -i "/Users/user1/dev/intercloud/server-inter-cloud-us-east-2.pem" ec2-user@ec2-3-134-169-55.us-east-2.compute.amazonaws.com
OpenSSH_8.1p1, LibreSSL 2.7.3
debug1: Reading configuration data /Users/user1/.ssh/config
debug1: /Users/user1/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 47: Applying options for *
debug1: Connecting to ec2-3-134-169-55.us-east-2.compute.amazonaws.com port 22.
debug1: Connection established.
debug1: identity file /Users/user1/dev/intercloud/server-inter-cloud-us-east-2.pem type -1
debug1: identity file /Users/user1/dev/intercloud/server-inter-cloud-us-east-2.pem-cert type -1
debug1: identity file /Users/user1/.ssh/id_ed25519 type 3
debug1: identity file /Users/user1/.ssh/id_ed25519-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.1
kex_exchange_identification: read: Connection reset by peer
answered 2 years ago
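The two traces in this thread fail at different layers, and it helps to have a check that says which. With `-v 1` the client never reached AWS at all ("No route to host" to 0.0.0.1). With the option fixed, the output above shows "Connection established" and only then "kex_exchange_identification: read: Connection reset by peer": the TCP handshake completed, which already proves the security group, NACL and route table pass port 22, and the reset came before sshd sent its "SSH-2.0-..." identification line. The thread does not say why that happened; the following added Python probe (written for this page, not AWS or OpenSSH code) only reports which of those cases you are in. The fake listener it ships with is a constructed stand-in for sshd so the example runs offline; point `probe_ssh` at the real public DNS name and port 22 to use it for real.

```python
"""Which layer refuses an SSH connection: network, TCP, or sshd itself.

Added example for this thread; not OpenSSH or AWS code. probe_ssh() does
the first step of RFC 4253 only: connect and read the server's
identification line. serve_fake_sshd() is a constructed local test double.
"""
import socket
import struct
import threading
from typing import Tuple


def probe_ssh(host: str, port: int = 22, timeout: float = 5.0) -> Tuple[str, str]:
    """Classify one connection attempt to an SSH port.

    Returns (state, detail), state being one of:
      'unreachable'  TCP connect failed (no route, timeout, refused):
                     look at SG / NACL / route table / instance state
      'reset'        connected, but the peer reset or closed before a banner:
                     the network path is fine, look at the host / sshd
      'silent'       connected, nothing received within the timeout
      'banner'       identification line received, sshd is up
      'not-ssh'      something answered, but not with an SSH banner
    """
    try:
        conn = socket.create_connection((host, port), timeout=timeout)
    except OSError as e:
        return "unreachable", e.strerror or str(e)
    with conn:
        conn.settimeout(timeout)
        try:
            data = conn.recv(256)
        except ConnectionResetError:
            return "reset", "ECONNRESET before identification line"
        except socket.timeout:
            return "silent", "no identification line within timeout"
    if not data:
        return "reset", "EOF before identification line"
    line = data.split(b"\n", 1)[0].rstrip(b"\r").decode("ascii", "replace")
    return ("banner" if line.startswith("SSH-") else "not-ssh"), line


def serve_fake_sshd(behaviour: str) -> Tuple[str, int]:
    """One-shot listener on 127.0.0.1 (constructed test double).

    'banner' answers like sshd; 'reset' aborts the accepted connection with
    an RST, reproducing the thread's "Connection reset by peer".
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run() -> None:
        conn, _ = srv.accept()
        if behaviour == "banner":
            conn.sendall(b"SSH-2.0-OpenSSH_8.1\r\n")
        else:
            # SO_LINGER with a zero timeout turns close() into an RST, not a FIN.
            conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()


def closed_local_port() -> Tuple[str, int]:
    """A 127.0.0.1 port with nothing listening, to show 'unreachable'."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    addr = s.getsockname()
    s.close()
    return addr


if __name__ == "__main__":
    cases = (("healthy sshd", serve_fake_sshd("banner")),
             ("reset before banner", serve_fake_sshd("reset")),
             ("nothing listening", closed_local_port()))
    for label, (host, port) in cases:
        print(f"{label:22s} -> {probe_ssh(host, port, timeout=2)}")
```

Reading the result: 'unreachable' is the only state that implicates the security group, NACL or routing; once you see 'reset' or 'silent', the AWS network controls on the page are already doing what the question assumed, and the next place to look is the instance itself (system log / screenshot from the console, and whether sshd is actually listening).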
