How do I troubleshoot accessing my EC2 instance using an SSH connection through a bastion host?

Last updated: 2021-10-14

I'm having trouble connecting to my Amazon Elastic Compute Cloud (Amazon EC2) instance using an SSH connection through a bastion host. How can I troubleshoot this?

Short description

To troubleshoot connecting to an EC2 instance through SSH using a bastion host, do the following:

  1. Set up SSH agent forwarding to log into the bastion host from your local machine.
  2. Connect to your EC2 instance from the bastion host with verbose messaging on.
  3. Use the output messages from the SSH client to identify and troubleshoot issues. Start by troubleshooting the connection from your local machine to the bastion host. Then troubleshoot the connection from the bastion host to the EC2 instance.

Resolution

Set up SSH agent forwarding to log into the bastion host from your local machine

1. Add one or more private keys of your EC2 instance and bastion host to ssh-agent on your local machine. In the following example command, replace private-key.pem with the name of your private key.

$ ssh-add private-key.pem

    Run the following command to verify that the keys are available to ssh-agent:

$ ssh-add -L

2. Run the following command to connect to the bastion host using the -A option with verbose messaging on. In the following example command, replace ec2-user with your user name. Replace 192.0.2.0 with the appropriate public IP address for your bastion host. You can also use the public DNS entry instead of the public IP address.

$ ssh -v -A ec2-user@192.0.2.0

Important: The -A option enables ssh-agent forwarding. Agent forwarding should be used for troubleshooting only. Forwarding enables the local ssh-agent to respond to the public-key challenge, including when you connect from your bastion host to your EC2 instance. When you set up agent forwarding, a socket file is created on the bastion host. The socket file acts as the mechanism that forwards the key to your EC2 instance. Another user on the bastion host with the ability to modify files could use this key to authenticate as you. When connecting to your instance using a bastion host regularly (outside of troubleshooting), use ProxyCommand or a similar method.

Connect to your EC2 instance from the bastion host, with verbose messaging on

After connecting to the bastion host, run the following command to connect to your EC2 instance using SSH with verbose messaging on. In the following example command, replace ec2-user with your user name. Replace 192.0.2.0 with the appropriate public IP address for your bastion host. You can also use the public DNS entry instead of the public IP address.

$ ssh -v ec2-user@192.0.2.0

Note: You don't need to explicitly provide a key in the preceding two commands. The ssh-agent sequentially tries all the keys that are loaded in the agent until one succeeds. Instances terminate the connection after five failed connection attempts. Therefore, make sure that the agent has five or fewer keys. Each administrator should have one key, so this is rarely a problem for most deployments. For details on how to manage the keys in ssh-agent, run the command man ssh-agent.
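The ProxyCommand alternative that the preceding Important note recommends for regular use, as an added example that is not part of the AWS article: an ssh_config in which the instance is reached through the bastion with ProxyJump (or ProxyCommand on older OpenSSH), agent forwarding stays off, and IdentitiesOnly keeps the agent from offering every loaded key. Host aliases, the 10.0.1.25 private address and the key file paths are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the AWS article: an ssh_config that reaches the
# instance through the bastion with ProxyJump, so no agent socket is ever
# created on the bastion. All host aliases, addresses and key paths are
# constructed placeholders; 10.0.1.25 stands for the instance's private IP.
set -eu

write_bastion_config() {
    cat > "$1" <<'EOF'
# Hop 1: the bastion, reachable on its public address.
Host bastion
    HostName 192.0.2.0
    User ec2-user
    IdentityFile ~/.ssh/bastion-key.pem
    IdentitiesOnly yes
    ForwardAgent no

# Hop 2: the instance, reached via the bastion without forwarding the agent.
# IdentitiesOnly limits the offered keys to the one listed, so the
# five-failed-attempts limit is not hit even with many keys in ssh-agent.
Host private-instance
    HostName 10.0.1.25
    User ec2-user
    IdentityFile ~/.ssh/instance-key.pem
    IdentitiesOnly yes
    ProxyJump bastion
    # OpenSSH older than 7.3 lacks ProxyJump; use this line instead:
    # ProxyCommand ssh -W %h:%p bastion
EOF
}

# Returns 0 when the file never enables agent forwarding and routes the
# instance through the bastion; run it before the first verbose attempt.
config_is_safe() {
    ! grep -Eqi '^[[:space:]]*ForwardAgent[[:space:]]+yes' "$1" &&
    grep -Eq '^[[:space:]]*ProxyJump[[:space:]]+bastion' "$1"
}

cfg="$(mktemp)"
write_bastion_config "$cfg"
config_is_safe "$cfg"
# Troubleshoot each hop with the same -v output the article relies on:
#   ssh -v -F "$cfg" bastion            # hop 1 only
#   ssh -v -F "$cfg" private-instance   # both hops, no agent forwarding
echo "config written to $cfg"
```

Because agent forwarding is never enabled, a second user on the bastion has no socket to borrow, and the verbose output of the second command shows both hops in one session.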

Troubleshoot the connection from your local machine to the bastion host

If you have problems connecting to the bastion host from your local machine, do the following:

  • Verify that you added the private key of the bastion host to the SSH agent on your local machine correctly. This procedure is shown in step 1.
  • Verify that ssh-add -L returns five or fewer keys.
  • If you still can't connect to the bastion host, then use the output messages obtained from the SSH client verbose messaging to identify the error message. Based on the error message received, refer to step 2 in "How do I troubleshoot problems connecting to my Amazon EC2 Linux instance using SSH?" to troubleshoot the issue.

Troubleshoot the connection from the bastion host to your EC2 instance

If you have problems connecting to your EC2 instance from the bastion host, do the following:

  • Verify that you correctly added the private key of your EC2 instance to the SSH agent on your local machine. You might need to check this if the key is different than the private key of your bastion host.
  • Verify that ssh-add -L returns five or fewer keys.
  • If you still can't connect to the bastion host, then use the output messages obtained from the SSH client verbose messaging to identify the error message. Based on the error message received, refer to step 2 in "How do I troubleshoot problems connecting to my Amazon EC2 Linux instance using SSH?" to troubleshoot the issue.
