
I have a number of AWS EC2 instances, one of them has a public IP address, the rest do not have public IP addresses.

I have set up SSH access to the public machine using a private/public key pair. I now need to access the rest of the network through this public instance.

I have been told that if I create a .pem file from my key pair, and install it on the public instance, I will be able to first SSH into the public instance and from there, SSH to the others.

This does not feel right. Copying my private keys over to another instance does not feel secure. Is it possible to set up a tunnel (whatever it is, I am not a sysadmin) from my local machine that has the key pair to the destination instances?

2 Answers


If you have access to the private hosts from the public host, you can set up your local ssh config ~/.ssh/config to use your public host as an ssh proxy:

    Host PublicServer
        Hostname PUBLIC_DNS_OR_IP_HERE
        User USERNAME_HERE
        # Default ~/.ssh/id_rsa
        IdentityFile /path/to/your/private/ssh/key

    Host PrivateHost2
        Hostname 192.168.168.2

    Host PrivateHost3
        Hostname 192.168.168.3

    Host PrivateHost* 192.168.168.*
        Hostname %h
        User PRIVATE_HOSTS_USERNAME
        #Compression yes
        #ForwardX11 no
        #IdentityFile ~/.ssh/id_rsa
        ProxyCommand ssh -W %h:%p PublicServer

Then you can just run `ssh PrivateHost3` to connect to a private host through PublicServer, or even `ssh 192.168.168.3`; in that case you don't need to create the PrivateHostN entries at all. There is no need to put your private key on PublicServer; everything works transparently.
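As an added example (not part of the answer above), here is a small Python script that resolves which of those Host blocks apply to a given alias, mimicking ssh(1)'s first-value-wins rule and the %h/%p expansion. It shows why `ssh 192.168.168.3` picks up the ProxyCommand while PublicServer itself never does, and that the IdentityFile is only ever handed to the local ssh process; the config text is a copy of the answer's placeholders and only the `*`/`?` glob forms are assumed.

```python
import fnmatch

# Constructed copy of the ~/.ssh/config from the answer (placeholders kept as-is).
SSH_CONFIG = """
Host PublicServer
    Hostname PUBLIC_DNS_OR_IP_HERE
    User USERNAME_HERE
    # Default ~/.ssh/id_rsa
    IdentityFile /path/to/your/private/ssh/key

Host PrivateHost2
    Hostname 192.168.168.2

Host PrivateHost* 192.168.168.*
    Hostname %h
    User PRIVATE_HOSTS_USERNAME
    ProxyCommand ssh -W %h:%p PublicServer
"""


def parse_blocks(text):
    """Split ssh_config into (host_patterns, {keyword: value}) blocks, dropping comments."""
    blocks, patterns, opts = [], None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "host":
            if patterns is not None:
                blocks.append((patterns, opts))
            patterns, opts = value.split(), {}
        elif patterns is not None:
            opts.setdefault(key, value)  # within a block, first occurrence wins
    if patterns is not None:
        blocks.append((patterns, opts))
    return blocks


def resolve(alias, text=SSH_CONFIG):
    """Mimic ssh(1): walk matching Host blocks in order; the first value seen for a keyword wins."""
    effective = {}
    for patterns, opts in parse_blocks(text):
        if any(fnmatch.fnmatchcase(alias, p) for p in patterns):
            for key, value in opts.items():
                effective.setdefault(key, value)
    # %h is the alias before Hostname substitution; ProxyCommand sees the substituted host.
    hostname = effective.get("hostname", "%h").replace("%h", alias)
    effective["hostname"] = hostname
    if "proxycommand" in effective:
        port = effective.get("port", "22")
        effective["proxycommand"] = effective["proxycommand"].replace("%h", hostname).replace("%p", port)
    return effective
```

On a real system `ssh -G PrivateHost3` prints the effective configuration from ssh itself, which is the authoritative check.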


Are you using VPCs or EC2 Classic? Are these instances all on the same subnet - or at least all within the same VPC?

If you have instances in the same VPC/subnet, then here is what I would do:

  • For the Public IP/instance, configure security group to allow Inbound SSH from your WAN or work IP block.

  • Verify you can SSH into the Public instance after making this change - if good, proceed to next step.

  • Create a security group that allows Inbound access to the Private instances ONLY from the Public instance. You could use the IP address/32 to specify the Public instance as the expected inbound IP for the Private instances' SSH ports. Or you could be lazy and use the internal subnet range - up to you.

  • Now SSH into the Public instance using the Public IP. Then try to connect to the Private instances using just the internal or Private IP addresses assigned to the instances - you should now be able to connect.
