Tags: authentication, amazon-ec2, ssh-tunnel, key-pair

why can i not connect to ssh reverse tunnel?


I'm using autossh -M 20000 -fN -R 19999:localhost:22 -i mycert.pem [email protected] to establish a reverse tunnel to my AWS machine. Now, when I try to access the machine from AWS, I get the following:

$ ssh ron@localhost -P 19999
Permission denied (publickey).

Why would this be? The verbose option shows:

$ ssh ron@localhost -v -P 19999
OpenSSH_7.2p2 Ubuntu-4ubuntu2.4, OpenSSL 1.0.2g  1 Mar 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /home/ubuntu/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ubuntu/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ubuntu/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ubuntu/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ubuntu/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ubuntu/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ubuntu/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/ubuntu/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2p2 Ubuntu-4ubuntu2.4
debug1: match: OpenSSH_7.2p2 Ubuntu-4ubuntu2.4 pat OpenSSH* compat 0x04000000
debug1: Authenticating to localhost:22 as 'ron'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: [email protected]
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:kT8pM3YwDEYqE+CFzyWQDiSVCLhgMjPLWBJXYPl1BZs
debug1: Host 'localhost' is known and matches the ECDSA host key.
debug1: Found key in /home/ubuntu/.ssh/known_hosts:5
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/ubuntu/.ssh/id_rsa
debug1: Trying private key: /home/ubuntu/.ssh/id_dsa
debug1: Trying private key: /home/ubuntu/.ssh/id_ecdsa
debug1: Trying private key: /home/ubuntu/.ssh/id_ed25519
debug1: No more authentication methods to try.
Permission denied (publickey).

What's happening here? Why would it not let me connect?

EDIT1

I found out that when I use autossh -M 20000 -R 19999:localhost:22 -i mycert.pem, I can actually establish a connection just fine, but the target machine then will remain logged in, which is not quite what I want! Why would -fN cause this not to work?


Solution

  • I have been struggling with this for awhile too. My answer was probably pretty basic and a typical beginner mistake, and may not be your answer, but I will post this here just in case someone else is having trouble and this helps them:

    The public key of the machine you are trying to reverse ssh from needs to exist in the authorized_keys file on your local machine.

    Reverse SSH connects to a local port, which is in reality your own local machine, so it will be looking for a public key in your local machine's authorized_keys file that does not exist. It is easy to get confused with this because you are using "localhost" as the address, but just imagine that you are opening a portal into a remote location at some random port, and then acting as that remote user to connect from that location to the port you made. When it connects to the port, it will still need to ask for permission through the port to send commands down. Since it is a portal into your home, it will look there for the key. If there is no key at the other end of the port, it won't work.

    ELI5 style:

    You want another world to send you stuff but they can't because you are in a secret location, so you make a red port and a blue port into the other world.

    You jump through red port, but the people at the other end don't know where blue port is, so you have to tell them where the blue port is. They attempt to go through the port but can't get in because you have not yet authorized them to come over and security isn't having it today.

    So you have them make a key card there and you bring it back to your own world and tell your own security "this key card is good, let them in".

    Now you can go back over again, and tell them to knock. This time the security sees that these are friends and they get let in.

    So:

    localuser@localmachine:~$ ssh -R <remote port>:localhost:localport remoteuser@remoteaddress
    remoteuser@remoteaddress:~$ ssh-keygen
    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/$USER/.ssh/id_rsa): 
    Enter passphrase (empty for no passphrase): 
    Enter same passphrase again: 
    Your identification has been saved in /home/$USER/.ssh/id_rsa.
    Your public key has been saved in /home/$USER/.ssh/id_rsa.pub.
    The key fingerprint is:
    SHA256:sadfhjkljashdlkfjahw039ufrg094ut remoteuser@remotemachine
    The key's randomart image is:
    +---[RSA 2048]----+
    |=+ +. ..+  o .   |
    |o ofake art. .   |
    |asdfghjk         |
    |+ .  .o. .  + .  |
    |.+R . fx s ++ o  |
    |B +  ..     . .  |
    |=+ +.. .     .   |
    |..o .. 0. 0.     |
    | + o  ++      ==o|
    +----[SHA256]-----+
    remoteuser@remoteaddress:~$ cat ~/.ssh/id_rsa.pub    (print the public key and copy it however you can)
    remoteuser@remoteaddress:~$ exit
    localuser@localmachine:~$ nano/vi/whatever ~/.ssh/authorized_keys    (paste the public key there)
    localuser@localmachine:~$ ssh -R <remote port>:localhost:localport remoteuser@remoteaddress
    remoteuser@remoteaddress:~$ ssh localhost -p <remote port> 
    

    Again, this is mostly for those that are new with reverse ssh and are running into "public key" errors. I hope I helped!
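Added diagnostic script (editor's example, not code from the question or from the answer above) covering the two things this thread turns on. First, which port the client really connected to: the question's own transcript reads `debug1: Connecting to localhost [127.0.0.1] port 22.`, so that session never reached the tunnel listener on 19999 at all (ssh takes its port as lowercase `-p`), and the port check below flags exactly that. Second, the answer's point that the remote machine's public key must be in the local machine's `authorized_keys`; the key check compares key type and base64 blob so a different comment or an options prefix does not hide a match. It assumes only a POSIX shell with `sed` and `awk`; the sample transcript, key files and base64 strings are constructed.

```shell
#!/bin/sh
# Added helper script, not code from the question or the answer above.
# Two checks for the "Permission denied (publickey)" symptom in this thread:
#   1. connected_port / tunnel_port_ok: read an `ssh -v` transcript and
#      report which port the client really connected to (the question's
#      transcript says port 22, not the tunnel port 19999).
#   2. key_authorized: confirm that the remote machine's public key is
#      present in the local machine's authorized_keys, which is what the
#      answer says is missing.

# Print the port from the "debug1: Connecting to ... port N." line of an
# `ssh -v` transcript read on stdin (debug output is on stderr, so pipe
# with 2>&1). Prints nothing if the line is absent.
connected_port() {
    sed -n 's/^debug1: Connecting to .* port \([0-9][0-9]*\)\..*/\1/p' | head -n 1
}

# Return 0 if the transcript on stdin connected to the expected port.
# Usage: ssh -v -p 19999 ron@localhost 2>&1 | tunnel_port_ok 19999
tunnel_port_ok() {
    expected="$1"
    actual=$(connected_port)
    if [ "$actual" = "$expected" ]; then
        echo "ok: client connected to port $expected"
        return 0
    fi
    echo "mismatch: expected port $expected, client connected to port ${actual:-unknown}" \
         "(ssh takes the port as lowercase -p)" >&2
    return 1
}

# Return 0 if the key in $1 (an id_*.pub file) appears in the authorized_keys
# file $2. Only the key type and base64 blob are compared, so the trailing
# comment may differ and option prefixes such as from="..." are tolerated.
# Returns 2 if either file is unreadable or $1 holds no key.
key_authorized() {
    pub="$1"; authz="$2"
    [ -r "$pub" ] && [ -r "$authz" ] || return 2
    want=$(awk 'NR == 1 { print $1, $2 }' "$pub")
    [ -n "$want" ] || return 2
    awk -v want="$want" '
        $1 !~ /^#/ && NF >= 2 {
            # the key type may not be in $1 when the line carries options
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-|ecdsa-|sk-)/ && ($i " " $(i + 1)) == want) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }' "$authz"
}

# Constructed sample transcript, modelled on the one in the question:
# the client reached port 22, not the tunnel's 19999.
sample_transcript() {
    printf '%s\n' \
        'OpenSSH_7.2p2 Ubuntu-4ubuntu2.4, OpenSSL 1.0.2g  1 Mar 2016' \
        'debug1: Connecting to localhost [127.0.0.1] port 22.' \
        'debug1: Connection established.' \
        'debug1: Authentications that can continue: publickey' \
        'debug1: No more authentication methods to try.' \
        'Permission denied (publickey).'
}

# Stand-alone demo with constructed key material (the base64 is fake).
demo() {
    sample_transcript | tunnel_port_ok 19999 || true
    tmp=$(mktemp -d)
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKEFAKE remoteuser@remoteaddress\n' \
        > "$tmp/id_ed25519.pub"
    printf '# local authorized_keys, constructed\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABFAKE someone@else\n' \
        > "$tmp/authorized_keys"
    if key_authorized "$tmp/id_ed25519.pub" "$tmp/authorized_keys"; then
        echo "remote key is authorized locally"
    else
        echo "remote key is NOT in local authorized_keys: append id_ed25519.pub to it and retry"
    fi
    rm -rf "$tmp"
}
demo
```

Run it as-is for the demo, or source it and pipe a real `ssh -v ... 2>&1` into `tunnel_port_ok <port>`; if the port it reports is 22 rather than the tunnel port, the listener was never contacted and the key material is not yet the problem. `key_authorized` deliberately ignores the comment field, because a key pasted from another host usually carries a different `user@host` comment than the original `.pub` file.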