
OpenSSH Client Connection to EC2 Instance Permission setting


I want to establish an SSH connection to EC2 instances on AWS using the onboard OpenSSH client on Windows 11.

The Client is installed and running (checked with Get-Service sshd).

I also created a .ssh\config in my $Home Folder.

I put the following in the config file:

Host my_host
 HostName localhost
 User my-username
 IdentityFile .ssh\xxx.pem

Then I created a keypair on AWS - keypair.pem. I moved it into the .ssh\ directory. After that I added it to the config:

ssh-add xxx.pem

But it never showed up in the .ssh\config...

I checked the properties of the .pem file and made sure, I am the owner and have full control.

When I try to connect like this:

ssh [email protected]

I get the following error:

Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

Question 1: Where is the info stored when I add the .pem file (ssh-add xxx.pem)?

Question 2: How can I solve the permission error with the file? Is there anything I'm missing?

Thanks in advance


Solution

  • ssh-add adds keys to the SSH agent, not the SSH config. The SSH agent stores keys securely in memory so that they're ready for use; it's a timesaver overall, especially if you use SSH often, and especially if you have a passphrase on your private key. You can use ssh-add -l to see a list of the fingerprints of the keys that ssh-agent already knows about. (You will not be able to see the keys themselves - that would defeat the purpose of a secure agent.)

    As for why the EC2 isn't working... well, there isn't really enough information here, but:

    • ec2-x-xxx-xxx-xxx.eu-west-1.compute.amazonaws.com doesn't match any Host stanzas in your SSH config, so the SSH config you defined won't do anything. If you want to use the my_host parameters (hostname, username, and key) then you need to ssh my_host.
    • your SSH config defines my_host as an alias for that set of parameters, but HostName localhost means that my_host will only point traffic back to your own system. If you want my_host to point to your EC2 instance then you'll need to set the HostName to ec2-x-xxx-xxx-xxx.eu-west-1.compute.amazonaws.com (and then you'll need to use it, as defined above).
    • your SSH config defines the IdentityFile as .ssh/xxx.pem, but that's a relative path and it needs to be an absolute path. I'm not sure how your formatting will need to be, but you can often put something like ~/.ssh/xxx.pem or $HOME/.ssh/xxx.pem instead (~ is shorthand for the current user's home directory).
    • You didn't mention whether you'd added the public key to the EC2 instance's ~/.ssh/authorized_keys, but you need to do that. (Only the public key in that file. Do not put a private key in there.)
    • You also didn't include the details leading up to the login failure. ssh -v [email protected] will provide that detail.
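As an added illustration of the first three bullets (this is not code from the answer or from the OpenSSH project): a small Python checker that parses a client ssh_config, selects the Host stanza matching the destination, and reports the misconfigurations named above. It assumes a simplified ssh_config grammar (no `!` negated patterns, no Match blocks, no quoted values) and treats only `~`-prefixed or absolute paths as acceptable for IdentityFile.

```python
import fnmatch
import re
from pathlib import PurePosixPath, PureWindowsPath

# Constructed sample: the stanza from the question, as posted.
SAMPLE_CONFIG = """\
Host my_host
 HostName localhost
 User my-username
 IdentityFile .ssh\\xxx.pem
"""


def parse_ssh_config(text):
    """Return [(host_patterns, {option: value}), ...], one entry per Host stanza."""
    stanzas, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key Value" or "Key=Value"
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "host":
            current = (value.split(), {})  # simplified: '!' negation not handled
            stanzas.append(current)
        elif current is not None:
            current[1][key] = value
    return stanzas


def is_absolute_identity(path):
    """True for ~/... or an absolute Windows/POSIX path, as the answer recommends."""
    return (path.startswith("~") or PureWindowsPath(path).is_absolute()
            or PurePosixPath(path).is_absolute())


def check_destination(config_text, destination):
    """List the problems from the answer that apply when running `ssh <destination>`."""
    problems = []
    matched = [opts for pats, opts in parse_ssh_config(config_text)
               if any(fnmatch.fnmatchcase(destination, p) for p in pats)]
    if not matched:
        return [f"no Host stanza matches {destination!r}; the config is ignored"]
    opts = {}
    for stanza in matched:  # ssh keeps the first value obtained for each option
        for key, value in stanza.items():
            opts.setdefault(key, value)
    hostname = opts.get("hostname", destination)
    if hostname in ("localhost", "127.0.0.1", "::1"):
        problems.append(f"HostName {hostname!r} points back at this machine, not EC2")
    ident = opts.get("identityfile")
    if ident and not is_absolute_identity(ident):
        problems.append(f"IdentityFile {ident!r} is relative; use ~/.ssh/... instead")
    return problems
```

Running `check_destination(SAMPLE_CONFIG, "my_host")` reports both the localhost HostName and the relative IdentityFile, while the EC2 hostname from the question reports no matching stanza at all.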