ssh between amazon EC2 instances with X11 forwarding - ssh

I have two EC2 instances in a VPC - a bastion and dev machine.
I can ssh into the bastion and run X11 apps. However when I ssh from the bastion to the dev machine, X forwarding fails:
> ssh -vX -i ~/.ssh/my_key.pem ec2-user#X.X.X.X
…
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
debug1: Remote: Can't get IP address for X11 DISPLAY.
X11 forwarding request failed on channel 0
The full log is below.
The remote instance (ie. the dev machine) has the xauth package installed, and the /etc/ssh/sshd_config file (on the dev machine) has the following entries:
X11Forwarding yes
X11UseLocalhost no
Does anyone know what the problem could be?
cheers
steve
OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug1: Connecting to X.X.X.X [X.X.X.X] port 22.
debug1: Connection established.
debug1: identity file /home/ec2-user/.ssh/my_key.pem type -1
debug1: identity file /home/ec2-user/.ssh/my_key.pem-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5-etm#openssh.com none
debug1: kex: client->server aes128-ctr hmac-md5-etm#openssh.com none
debug1: kex: curve25519-sha256#libssh.org need=16 dh_need=16
debug1: kex: curve25519-sha256#libssh.org need=16 dh_need=16
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA Y:Y:Y:Y:Y:Y:Y:Y:Y
debug1: Host 'X.X.X.X' is known and matches the ECDSA host key.
debug1: Found key in /home/ec2-user/.ssh/known_hosts:1
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/ec2-user/.ssh/my_key.pem
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
Authenticated to X.X.X.X ([X.X.X.X]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions#openssh.com
debug1: Entering interactive session.
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
debug1: Remote: Can't get IP address for X11 DISPLAY.
X11 forwarding request failed on channel 0

The solution was to set X11UseLocalhost to "yes".

Related

Cannot ssh to compute engine after suggested reboot

The last time I ssh into my compute engine instance, it suggested a system reboot. I rebooted it. After the reboot, I can no longer ssh into it. The instance is still running, the web server is still working. I can even get authentication succeeded. It than it close the connection. The log is a below.
ssh -v -i "privatekey" username#hostname
OpenSSH_7.2p2 Ubuntu-4ubuntu2.4, OpenSSL 1.0.2g 1 Mar 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to hostname [ip] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file [key location] type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/keyfile-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2p2 Ubuntu-4ubuntu2.4
debug1: match: OpenSSH_7.2p2 Ubuntu-4ubuntu2.4 pat OpenSSH* compat 0x04000000
debug1: Authenticating to hostname:22 as 'username'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256#libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305#openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305#openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: Server host key
debug1: Host 'hostname' is known and matches the ECDSA host key.
debug1: Found key in /home/username/.ssh/known_hosts:2
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: privatekeyfile
Enter passphrase for key 'privatekeyfile':
debug1: Authentication succeeded (publickey).
Authenticated to hostname ([ip]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions#openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: channel 0: free: client-session, nchannels 1
**Connection to hostname closed by remote host.**
**Connection to hostname closed.**
Transferred: sent 2256, received 1380 bytes, in 0.0 seconds
Bytes per second: sent 155684.5, received 95232.6
debug1: Exit status -1
Based on the debug output you have provided, I have found two resolved issues with similar output. Here are the two links found 1st link and 2nd link. They were essentially resolved by changing the ~/.ssh permissions.

How to correctly graphically ssh -X into docker container?

I'm trying to ssh into a running container with
ssh -X user#IP
ssh -Y user#IP
I've launched with
docker run -it image:latest /bin/bash -c 'sudo service ssh stop;sudo service ssh start;/bin/bash'
I'm able to ssh into the container, but I can't run a GUI application. When I use echo $DISPLAY, I get localhost:10.0
I've tried dozens of solutions of ForwardX11, X11Forwarding, ForwardX11Trusted, etc.
I get this warning on login:
Warning: No xauth data; using fake authentication data for X11 forwarding.
I read the because it's a warning, it can be ignored. When trying to run a GUI application, I get
Invalid MIT-MAGIC-COOKIE-1 keyCan't open display: localhost:10.0
I've tried so many things but none have worked thus far. What can I do?
Thanks.
Just in case, here's a verbose output:
j#laptop:~/Documents/tmp/Docker/docker-system> ssh -vY moos#192.168.1.100
OpenSSH_6.6, OpenSSL 0.9.8zc 15 Oct 2014
debug1: Reading configuration data /home/j/.ssh/config
debug1: /home/j/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/centrifydc/ssh/ssh_config
debug1: /etc/centrifydc/ssh/ssh_config line 49: Applying options for *
debug1: Connecting to - [-] port 22.
debug1: Connection established.
debug1: identity file /home/j/.ssh/id_rsa type 1
debug1: identity file /home/j/.ssh/id_rsa-cert type -1
debug1: identity file /home/j/.ssh/id_dsa type -1
debug1: identity file /home/j/.ssh/id_dsa-cert type -1
debug1: identity file /home/j/.ssh/id_ecdsa type -1
debug1: identity file /home/j/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/j/.ssh/id_ed25519 type -1
debug1: identity file /home/j/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.7
debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.7 pat OpenSSH* compat 0x04000000
debug1: An invalid name was supplied
Cannot determine realm for numeric host address
debug1: An invalid name was supplied
Cannot determine realm for numeric host address
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5-etm#openssh.com none
debug1: kex: client->server aes128-ctr hmac-md5-etm#openssh.com none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 9b:dc:35:c2:f3:5f:86:54:58:91:fa:87:cd:58:d9:bb
debug1: Host '-' is known and matches the ECDSA host key.
debug1: Found key in /home/j/.ssh/known_hosts:11
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentication succeeded (none).
Authenticated to - ([-]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions#openssh.com
debug1: Entering interactive session.
debug1: No xauth program.
Warning: No xauth data; using fake authentication data for X11 forwarding.
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: Requesting authentication agent forwarding.
Last login: Thu May 19 15:15:45 2016 from -
j#3ce2104c8e2d:~$ gedit
debug1: client_input_channel_open: ctype x11 rchan 4 win 65536 max 16384
debug1: client_request_x11: request from ::1 39148
debug1: channel 1: new [x11]
debug1: confirm x11
debug1: channel 1: free: x11, nchannels 2
Invalid MIT-MAGIC-COOKIE-1 keyCan't open display: localhost:10.0

Launched new instance on EC2 with same keypair, can't ssh

This is on AWS. I tried to launch a new Ubuntu instance (#2) with the same keypair that is associated with another Ubuntu instance (#1).
AWS instances are associated with keypairs at the time they are launched and cannot be changed once launched.
I can connect to instance #1 but can't connect to instance #2 using the same ssh command. I've checked my permissions and everything seems to be ok.
The key is in ~/AMI.pem.
I have chmod 600 on my home directory and chmod 400 on ~/AMI.pem, so it's only readable/writeable by me.
The instances are nearly identical, with the same security groups and keypairs, same version of Ubuntu, etc. Instance #1 has some additional packages installed. I verified both are associated with the same keypair called "AMI".
Connecting to #2:
USAU9900:ScrapeEdgar reedn$ ssh -i ~/AMI.pem -v ubuntu#54.67.18.96
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /Users/reedn/.ssh/config
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: Connecting to 54.67.18.96 [54.67.18.96] port 22.
debug1: Connection established.
debug1: identity file /Users/reedn/AMI.pem type -1
debug1: identity file /Users/reedn/AMI.pem-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.2
debug1: match: OpenSSH_6.2 pat OpenSSH*
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5-etm#openssh.com none
debug1: kex: client->server aes128-ctr hmac-md5-etm#openssh.com none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA 36:69:f6:95:b4:3c:f0:77:02:ab:02:01:af:c7:cc:6a
debug1: Host '54.67.18.96' is known and matches the RSA host key.
debug1: Found key in /Users/reedn/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /Users/reedn/AMI.pem
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
*Permission denied (publickey).*
Connecting to instance #1:
USAU9900:ScrapeEdgar reedn$ ssh -i ~/AMI.pem -v ubuntu#54.183.77.100
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /Users/reedn/.ssh/config
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: Connecting to 54.183.77.100 [54.183.77.100] port 22.
debug1: Connection established.
debug1: identity file /Users/reedn/AMI.pem type -1
debug1: identity file /Users/reedn/AMI.pem-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 pat OpenSSH*
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5-etm#openssh.com none
debug1: kex: client->server aes128-ctr hmac-md5-etm#openssh.com none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA a6:53:a0:99:b8:61:ef:fe:05:d3:fe:47:90:ea:de:b6
The authenticity of host '54.183.77.100 (54.183.77.100)' can't be established.
RSA key fingerprint is a6:53:a0:99:b8:61:ef:fe:05:d3:fe:47:90:ea:de:b6.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '54.183.77.100' (RSA) to the list of known hosts.
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /Users/reedn/AMI.pem
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
Authenticated to 54.183.77.100 ([54.183.77.100]:22)
First you need make sure the keypair has been applied to instance #2. Something like below in aws console on this instance:
Key pair name: AMI (should be same as instance #1)
Then try below steps:
If this ec2 instance is not in VPC, could you stop and start the instance to refresh with new public IP address and try again?
clean content in .ssh/known_hosts in your local machine, and try again.
One of them should work for you.

Connection impossible to Amazon EC2 : Permission denied (public key)

I'm a bit lost with Amazon EC2. I just created an instance and generaited a pair of keys. I saved it on my win7 HDD.
I started a ssh connection through the terminal :
$ ssh -v -i EC2.pem instance_id#ec2-xx-xx-xx-xx.eu-west-1.compute.amazonaws.com
OpenSSH_4.6p1, OpenSSL 0.9.8e 23 Feb 2007
debug1: Connecting to ec2-xx-xx-xx-xx.eu-west-1.compute.amazonaws.com [54.76.160.55] port 22.
debug1: Connection established.
debug1: identity file EC2.pem type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6p1 Ubuntu-2ubuntu1
debug1: match: OpenSSH_6.6p1 Ubuntu-2ubuntu1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.6
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'ec2-xx-xx-xx-xx.eu-west-1.compute.amazonaws.com' is known and matches the RSA host key.
debug1: Found key in /c/Users/FLE/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: EC2.pem
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).
Doesn't seem to want to let me in.
When I try via putty, it answers Disconnected: No supported authentication methods available.
What is this ?
Thanks for helping.
Don't know the exact instance type you are trying to ssh into but the format should be "userid#ec2host.com" - you appear to be using instance id instead. Should look something like this:
ssh -i my-key-pair.pem ec2-user#ec2-198-51-100-1.compute-1.amazonaws.com
ec2-user is the default user for Amazon Linux, ubuntu is the default for all the ubuntu instance typers.
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AccessingInstancesLinux.html

Trouble connecting to Amazon EC2 over SSH

I'm trying to connect to my EC2 Instances on Amazon. When you connect an error - Permission denied (publickey). Installing cmhod 400 myPem.pem file does not help.
Connection log:
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011 debug1: Reading
configuration data /etc/ssh_config debug1: /etc/ssh_config line 20:
Applying options for * debug1: Connecting to 54.214.31.168
[54.214.31.168] port 22. debug1: Connection established. debug1:
identity file wenglePemNew.pem type -1 debug1: identity file
wenglePemNew.pem-cert type -1 debug1: Enabling compatibility mode for
protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_6.2 debug1:
Remote protocol version 2.0, remote software version OpenSSH_5.9p1
Debian-5ubuntu1 debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1 pat
OpenSSH_5* debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT
received debug1: kex: server->client aes128-ctr hmac-md5 none debug1:
kex: client->server aes128-ctr hmac-md5 none debug1:
SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent debug1: expecting
SSH2_MSG_KEX_DH_GEX_GROUP debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY debug1: Server host key:
RSA (code) The authenticity of host '54.214.31.168 (54.214.31.168)'
can't be established. RSA key fingerprint is (code). Are you sure you
want to continue connecting (yes/no)? yes Failed to add the host to
the list of known hosts (/Users/oktolab/.ssh/known_hosts). debug1:
ssh_rsa_verify: signature correct debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server debug1: SSH2_MSG_SERVICE_REQUEST
sent debug1: SSH2_MSG_SERVICE_ACCEPT received debug1: Authentications
that can continue: publickey debug1: Next authentication method:
publickey debug1: Trying private key: wenglePemNew.pem debug1: read
PEM private key done: type RSA debug1: Authentications that can
continue: publickey debug1: No more authentication methods to try.
Permission denied (publickey).
AMI creation and deployment of a new instance with a new pem file did not help.
What's need to do to connect to the server?
Failed to add the host to the list of known hosts (/Users/oktolab/.ssh/known_hosts)
What are the permission for /Users/oktolab/.ssh/known_hosts ?
Run below command to fix the permission:
chmod 0600 /Users/oktolab/.ssh/known_hosts
Also, could you provide the exact SSH command that you are running because:
read PEM private key done: type RSA debug1: Authentications that can continue: publickey debug1: No more authentication methods to try. Permission denied (publickey).
A lot of time above error appears if you use ec2-user instead of ubuntu as username and vice-versa. In your case, this seems to be ubuntu image so it should be ubuntu. These things will be clarified once you provide the exact ssh command you are running