A few days ago we were trying to set up SSH agent forwarding on Ubuntu to connect to private AWS EC2 instances hosted behind a NAT instance or bastion instance. It is never recommended to store private access keys on the bastion or NAT instance. SSH agent forwarding allows administrators to securely connect to private Linux instances in private Amazon VPC subnets using access keys that stay on the local computer.
SSH Agent forwarding in Ubuntu
Allow Agent Forwarding to your server
Use any text editor such as vim, nano or Sublime to open ~/.ssh/config. If the file does not exist, create it; most of the time it has to be created, and you can do that with the touch command in the terminal. Now add the following text to the newly created file, replacing example.com with the IP address of the NAT or bastion instance:

    Host example.com
        ForwardAgent yes
Add all required private access keys on your local computer
You need to add the private access keys locally with the ssh-add command, passing the -k option and the .pem file, like this:

    ssh-add -k ~/home/pem/myprivatekey.pem

If the .pem file is protected with a passphrase, a prompt asks for it after you press Enter; enter the correct passphrase to add the key successfully. This step has to be repeated for every required key: the bastion key, the app server key, the web server key and so on.

    ssh-add -K myPrivateKey.pem
    Enter passphrase for myPrivateKey.pem:
    Passphrase stored in keychain: myPrivateKey.pem
    Identity added: myPrivateKey.pem (myPrivateKey.pem)
Verification of added private keys
Added keys can be verified with the ssh-add command and the -L option; ssh-add -L lists the keys the agent holds, as shown below:

    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDHEXAMPLErl25NOrbhgIGQzyO+TYyqbbYEueiELcXtOQHgEFpMAb1Nb8SSnlxMxiCXwTKd5/lVnmgcbDwBpe7ayQ6idzjHfvoxPsFrI3QSJVQgyNcx0RylX9IjcvJOyw== myPrivateKey.pem
If no keys have been added to your SSH agent, the following message appears:

    ssh-add -L
    The agent has no identities.
SSH Agent forwarding in Mac
Configuring SSH agent forwarding on a Mac involves almost the same steps as described above for Ubuntu: you add the private key (.pem) files with the ssh-add command.
Logging in to private EC2 instances through the bastion or NAT instance
After adding the private keys locally, you are ready to log in to your private instances hosted behind the bastion or NAT instance in AWS. Use ssh with the -A option, which enables agent forwarding: when the bastion asks for authentication, the key stored locally in the agent is used to answer it. Replace <user> below with the instance's login user:

    ssh -A <user>@<ip-address-or-public-dns>

for example:

    ssh -A <user>@<public-dns-of-bastion-instance-or-nat-instance>
After connecting successfully to the bastion, you can connect to private instances such as the app server or database server with the ssh command without specifying any key file, because no key is stored on the bastion.
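The configuration and verification steps above, as an added shell example that is not code from the original post: it builds the per-bastion stanza, flags a client config that forwards the agent under a wildcard Host (or before any Host line) instead of only to the bastion, and counts the identities in ssh-add -L output. The bastion address, user and key path are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds the per-bastion
# stanza the post describes, flags over-broad ForwardAgent settings, and
# counts identities reported by `ssh-add -L`.

# Emit a stanza that forwards the agent to ONE bastion only, so the agent
# socket is never exposed to other servers you connect to.
# $1 = bastion IP or DNS name, $2 = login user, $3 = .pem path (placeholders)
bastion_stanza() {
  printf 'Host %s\n    User %s\n    IdentityFile %s\n    ForwardAgent yes\n' \
    "$1" "$2" "$3"
}

# Read an ssh client config on stdin. Exit 0 if "ForwardAgent yes" applies to
# a wildcard Host (e.g. "Host *") or appears before any Host line, which would
# hand the agent to every server, not just the bastion. Exit 1 otherwise.
# Only Host blocks are inspected; Match blocks are ignored.
forwards_agent_globally() {
  awk '
    BEGIN { wild = 1 }   # directives before any Host line apply everywhere
    tolower($1) == "host" {
      wild = 0
      for (i = 2; i <= NF; i++) if ($i ~ /\*/) wild = 1
    }
    tolower($1) == "forwardagent" && tolower($2) == "yes" && wild { found = 1 }
    END { if (found) exit 0; exit 1 }
  '
}

# Count the keys in `ssh-add -L` output read on stdin. Prints 0 for the
# "The agent has no identities." message.
count_identities() {
  grep -Ec '^(ssh-|ecdsa-|sk-)' || true
}

# Usage with the placeholder values (run on the local machine, not the bastion):
#   bastion_stanza 203.0.113.10 ubuntu ~/.ssh/bastion.pem >> ~/.ssh/config
#   forwards_agent_globally < ~/.ssh/config && echo "WARNING: agent forwarded to every host"
#   ssh-add -L | count_identities
```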