How do I troubleshoot accessing my EC2 instance using an SSH connection through a bastion host?

Last updated: 2021-01-04

I'm having trouble connecting to my Amazon Elastic Compute Cloud (Amazon EC2) instance using an SSH connection through a bastion host. How can I troubleshoot this?

Short description

To troubleshoot connecting through SSH using a bastion host, do the following:

  1. Set up agent forwarding for troubleshooting purposes so that you can separately troubleshoot the SSH connection between the following:
    • Your local machine and the bastion host.
    • The bastion host and your EC2 instance.
  2. Follow the steps in How do I troubleshoot problems connecting to my Amazon EC2 Linux instance using SSH? to troubleshoot the SSH connection between your local machine and the bastion host, and between the bastion host and your EC2 instance.

Resolution

1. Add the private keys of your bastion host and your EC2 instance to ssh-agent on your local machine. In the following example command, replace private-key.pem with the name of your private key; run it once for each key.

ssh-add private-key.pem

Run the following command to verify that the keys are available to ssh-agent:

ssh-add -L

2. Run the following command to connect to the bastion host using the -A option with verbose messaging on. In the following example command, replace ec2-user with your username. Replace 192.0.2.0 with the appropriate public IP address for your bastion host. You can also use the public DNS entry instead of the public IP address.

ssh -v -A ec2-user@192.0.2.0

Important: The -A option enables ssh-agent forwarding. Agent forwarding should be used for troubleshooting only. Forwarding enables the local ssh-agent to respond to the public-key challenge, including when you connect from your bastion host to your EC2 instance. When you set up agent forwarding, a socket file is created on the bastion host. The socket file is the channel through which authentication requests from the bastion host reach your local agent. Another user on the bastion host with enough privileges to access that socket could use it to authenticate as you. When connecting to your instance using a bastion host regularly (outside of troubleshooting), use ProxyCommand or a similar method.

3. After connecting to the bastion host, run the following command to connect to your EC2 instance using SSH with verbose messaging on. In the following example command, replace ec2-user with your username. Replace 192.0.2.0 with the appropriate IP address of your EC2 instance. You can also use the DNS entry instead of the IP address.

ssh -v ec2-user@192.0.2.0

Note: You don't need to explicitly provide a key in the preceding two commands. The ssh-agent sequentially tries all the keys that are loaded in the agent until one succeeds. Instances terminate the connection after five failed connection attempts. Therefore, make sure that the agent has five or fewer keys. Each administrator should have one key, so this is rarely a problem for most deployments. For details on how to manage the keys in ssh-agent, run the command man ssh-agent.
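As an added example (not part of the AWS article), the following POSIX shell helpers cover the two checks the steps above rely on: the five-key limit on what ssh-agent offers before the instance closes the connection, and the ProxyCommand form to use for regular access instead of -A. Host addresses and key material are constructed placeholders; an OpenSSH client is assumed for the optional live check.

```shell
#!/bin/sh
# Added example, not from the AWS article. Assumes an OpenSSH client.

# agent_key_count: count public keys in `ssh-add -L` style output passed in $1.
# ssh offers every loaded key in turn, and the article notes the instance
# closes the connection after five failed attempts, so a sixth key can lock
# you out even when the right key is loaded. `|| true` keeps a zero count
# from being reported as a failure by grep.
agent_key_count() {
  printf '%s\n' "$1" | grep -c -E '^(ssh-|ecdsa-sha2-|sk-)' || true
}

# agent_key_ok: succeed when the loaded key count is within the limit
# (default 5, the article's figure) and print a short verdict.
agent_key_ok() {
  n=$(agent_key_count "$1")
  limit="${2:-5}"
  if [ "$n" -gt "$limit" ]; then
    echo "ssh-agent holds $n keys (limit $limit): remove extras with ssh-add -d <key>"
    return 1
  fi
  echo "ssh-agent holds $n keys: OK"
  return 0
}

# proxy_ssh_command: build the day-to-day command the article recommends in
# place of agent forwarding. The bastion only relays a TCP stream (ssh -W),
# so no agent socket is created on it. Arguments: user, bastion, instance.
proxy_ssh_command() {
  printf 'ssh -o ProxyCommand="ssh -W %%h:%%p %s@%s" %s@%s\n' "$1" "$2" "$1" "$3"
}

# Constructed sample of `ssh-add -L` output with two keys (key material truncated).
SAMPLE_TWO_KEYS='ssh-rsa AAAAB3NzaC1yc2E...bastion bastion-key.pem
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5...inst instance-key.pem'

agent_key_ok "$SAMPLE_TWO_KEYS"

# Live check against the real agent, when an OpenSSH client is installed.
if command -v ssh-add >/dev/null 2>&1; then
  agent_key_ok "$(ssh-add -L 2>/dev/null || true)" || true
fi

# 192.0.2.0 is the article's bastion placeholder; 10.0.1.23 is a constructed
# private address for the instance.
proxy_ssh_command ec2-user 192.0.2.0 10.0.1.23
```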

Troubleshooting the connection from your local machine to the bastion host

If you have problems connecting to the bastion host from your local machine (step 2), do the following:

  • Verify that you added the private key of the bastion host to the SSH agent on your local machine correctly. This procedure is shown in step 1.
  • Verify that ssh-add -L returns five or fewer keys.

If you still can't connect to the bastion host, see step 2 in How do I troubleshoot problems connecting to my Amazon EC2 Linux instance using SSH?

Troubleshooting the connection from the bastion host to your EC2 instance

If you have problems connecting to your EC2 instance from the bastion host (step 3), do the following:

  • Verify that you correctly added the private key of your EC2 instance to the SSH agent on your local machine. You might need to check this if the key is different than the private key of your bastion host.
  • Verify that ssh-add -L returns five or fewer keys.

If you still can't connect to your EC2 instance from the bastion host, use the output messages from the SSH client to troubleshoot. For more information, see step 2 in How do I troubleshoot problems connecting to my Amazon EC2 Linux instance using SSH?
