Use PuTTY to access EC2 Linux Instances via SSH from Windows

PART 1: SSH INTO AN EC2 INSTANCE FROM WINDOWS USING PUTTY
Video Walkthrough:

https://www.youtube.com/watch?v=bi7ow5NGC-U


DOWNLOAD & INSTALL PuTTY

If you don’t have the PuTTY software installed on your system, you will need to download it from www.putty.org. Be sure to select the entire package as shown below, as it will include all the needed utilities such as puttygen and pageant.

DOWNLOAD YOUR EC2 KEY PAIR FILE

If you have not already downloaded (or cannot locate) your key pair file (e.g., my_key_pair.pem), you will need to create a new EC2 instance and download a new key pair. A key pair consists of a public key that AWS stores and a private key file that you store (downloaded as a PEM file). PEM stands for Privacy Enhanced Mail and is a widely used X.509 encoding format used for security certificates. Together, the two keys enable you to securely connect to your EC2 instance using SSH.

CONVERT YOUR PEM FILE TO PPK FORMAT

PuTTY does not natively support the PEM format that AWS uses, so you need to first convert your PEM file to a PPK file (PPK = PuTTY Private Key). To do this, you use the PuTTYgen utility. To start the utility you can type puttygen in the Windows start dialog box:

On the PuTTYgen dialog box, click the Load Button and then select the .pem file that you downloaded from AWS. Note: when browsing for your pem file be sure to select All Files in the dropdown list that is located to the right of the File name field. PuTTYgen will then load and convert your file.

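As the message indicates, you then need to click on “Save private key”. You will receive a warning message asking if you want to save this key without a passphrase. Be sure to select Yes. A key saved this way is stored unencrypted, so anyone who can read the .ppk file can use it; Part 2 of this guide saves the key with a passphrase instead.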

Provide a name for your ppk file and click save.

LAUNCH PuTTY

Now that you have converted the pem file to a ppk file, you are ready to use the PuTTY utility. In the Windows start dialog box, type in putty to start the utility.

ENTER HOST NAME

Enter your Host Name into the appropriate field. This will be in the format of: user_name@public_dns_name. Be sure to specify the appropriate user name for your AMI type. For example:

• For an Amazon Linux AMI, the user name is ec2-user.

• For a RHEL AMI, the user name is ec2-user or root.

• For an Ubuntu AMI, the user name is ubuntu or root.

• For a CentOS AMI, the user name is centos.

• For a Fedora AMI, the user name is ec2-user.

• For SUSE, the user name is ec2-user or root.

• Otherwise, if ec2-user and root don't work, check with the AMI provider.

For example, when connecting to an Amazon Linux AMI, the Host Name takes the form ec2-user@public_dns_name.

SELECT YOUR PPK FILE

Next, click on the + button next to the SSH field to expand this section. Then click on Auth (which stands for authenticate) and enter the name of your private key file (i.e. the ppk file) where it says Private key file for authentication (if you click on browse you can easily search for the directory where you have stored it).

OPEN YOUR TERMINAL SESSION

Lastly, click on Open to start your SSH session.

Note: if this is the first time that you are logging into the instance, you will receive the following alert.

Click on Yes to continue.

If you did everything correctly, you will see a new window appear displaying your command line SSH session. Troubleshooting hint: if the window appears but fails to connect, a common cause is that there is no rule allowing inbound SSH traffic on port 22 in the Security Group attached to this instance, so double check that first.
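
One way to check the Security Group hint, as an added example that is not part of the original guide: the script reads rules in the JSON shape returned by aws ec2 describe-security-groups and reports, per group, whether TCP port 22 is reachable from your client address and whether it is open to 0.0.0.0/0. The sample data, group IDs and addresses are constructed, and only IPv4 ranges are evaluated.

```python
import ipaddress

# Constructed sample in the shape returned by
# `aws ec2 describe-security-groups` (IDs and addresses are made up).
SAMPLE_GROUPS = {
    "SecurityGroups": [
        {"GroupId": "sg-0example1", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
        {"GroupId": "sg-0example2", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]},
        {"GroupId": "sg-0example3", "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    ]
}

def covers_port(rule, port):
    """True if the rule's protocol and port range include TCP `port`."""
    if rule["IpProtocol"] == "-1":      # "-1" means all protocols, all ports
        return True
    if rule["IpProtocol"] != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)

def ssh_ingress(group, client_ip, port=22):
    """Return (reachable, open_to_world) for one security group."""
    client = ipaddress.ip_address(client_ip)
    reachable = open_to_world = False
    for rule in group.get("IpPermissions", []):
        if not covers_port(rule, port):
            continue
        for rng in rule.get("IpRanges", []):
            net = ipaddress.ip_network(rng["CidrIp"], strict=False)
            if client in net:
                reachable = True
            if net.prefixlen == 0:      # 0.0.0.0/0: SSH exposed to any source
                open_to_world = True
    return reachable, open_to_world

def report(groups, client_ip):
    """Map each group ID to its (reachable, open_to_world) result."""
    return {g["GroupId"]: ssh_ingress(g, client_ip)
            for g in groups["SecurityGroups"]}

if __name__ == "__main__":
    for gid, (ok, world) in report(SAMPLE_GROUPS, "203.0.113.25").items():
        print(gid, "SSH allowed" if ok else "SSH blocked",
              "(open to 0.0.0.0/0)" if world else "")
```

A group that shows SSH blocked for your address explains a connection that never completes; a group that is open to 0.0.0.0/0 works but is better narrowed to the address range you actually connect from.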

Part 2: Connecting to a Linux Instance that is Running in a Private Subnet

USE PuTTYGEN TO CREATE A PRIVATE PPK FILE

You will first need to use PuTTYgen to convert your PEM file into a private PPK file that is protected by a passphrase. In PuTTYgen, choose Conversions > Import Key and select your PEM-formatted private key. Enter a passphrase and then click Save private key, as shown in the following screenshot. Save the key as a .ppk file.
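
To tell a key saved without a passphrase (Part 1) from one saved with a passphrase (this step), you can read the plain-text header of the .ppk file. The following is an added example, not part of the original guide: it parses the PPK header fields and reports whether the file is passphrase-protected. The two sample files are constructed and their base64 bodies are placeholders, not key material.

```python
# Constructed PPK samples: only the header structure matters here; the
# base64 bodies are placeholders and not real key material.
PPK_NO_PASSPHRASE = """PuTTY-User-Key-File-2: ssh-rsa
Encryption: none
Comment: imported-openssh-key
Public-Lines: 1
AAAAPLACEHOLDER
Private-Lines: 1
AAAAPLACEHOLDER
Private-MAC: 0000000000000000000000000000000000000000
"""
PPK_WITH_PASSPHRASE = PPK_NO_PASSPHRASE.replace(
    "Encryption: none", "Encryption: aes256-cbc")

def parse_ppk_header(text):
    """Collect the 'Name: value' header fields, skipping the base64 bodies."""
    fields, skip = {}, 0
    for line in text.splitlines():
        if skip:                  # inside a Public-Lines/Private-Lines body
            skip -= 1
            continue
        name, sep, value = line.partition(": ")
        if not sep:
            raise ValueError("not a PPK header line: %r" % line)
        fields[name] = value
        if name.endswith("-Lines"):
            skip = int(value)     # the next N lines are base64, not headers
    return fields

def describe_ppk(text):
    """Summarise a PPK file: format version, key type, comment, protection."""
    fields = parse_ppk_header(text)
    version = next(
        (k for k in fields if k.startswith("PuTTY-User-Key-File-")), None)
    if version is None:
        raise ValueError("missing PuTTY-User-Key-File header")
    return {
        "format": version.rsplit("-", 1)[1],
        "key_type": fields[version],
        "comment": fields.get("Comment", ""),
        # "Encryption: none" means the private part is stored unencrypted
        "passphrase_protected": fields.get("Encryption", "none") != "none",
    }

if __name__ == "__main__":
    for label, sample in (("part 1 style", PPK_NO_PASSPHRASE),
                          ("part 2 style", PPK_WITH_PASSPHRASE)):
        print(label, describe_ppk(sample))
```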

OPEN THE PAGEANT UTILITY THAT IS PART OF THE PuTTY PACKAGE

Pageant is an SSH authentication agent. It holds your private key in memory so that PuTTY can use it to authenticate and can forward the agent connection to the hosts you log into. To start the utility you can type pageant in the Windows start dialog box:

ADD YOUR PPK KEY FILE INTO PAGEANT

Find the Pageant icon in your Windows task bar (generally found at the bottom of your screen; look for a computer terminal with a black hat on top of it). Double click on this icon, select Add Key, and in the pop-up dialog window navigate to the folder that contains your PPK file and select it, followed by clicking on Open. When you select the PPK file, you’re prompted to enter the passphrase you chose when you converted the key. You can then close the Pageant Key List window after your key has been added:

OPEN UP THE MAIN PuTTY UTILITY

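On the main screen (Session) enter the Host Name information for your instance as was described earlier in this guide (i.e. user_name@public_dns_name). Then click on SSH and select the Auth tab. Click on Allow agent forwarding and leave the Private key file for authentication empty as shown here. PuTTY authenticates with the key held in Pageant, so no key file is needed in this dialog, and the private key itself stays on your Windows machine: the remote host only relays authentication requests back to the agent. Anyone with root access on that host can use the forwarded agent while your session is open, so enable forwarding only toward hosts you trust.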

Then click on Open and it should connect you to your publicly accessible EC2 instance (in this scenario, this instance would be referred to as the Bastion host or a jump box).

CONNECTING TO THE PRIVATE INSTANCE

Once you are logged into the Bastion host you can then “jump” to the private instance by using the private IP address of the instance. This is done by issuing an SSH command in your terminal session:

ssh user_name@private_IP_address (for example: ssh ec2-user@10.0.3.25)

You should then see a second log-in occur within your PuTTY session. If you did everything correctly, you will now be logged into the private instance via SSH.


  • Derek M
    05-15-2017

    It's great to have some Windows Putty love in here! 

  • Shahan K
    05-16-2017

    Putty is a powerful tool! Great job!

  • Jacek Z
    05-16-2017

    Nice tutorial, thanks.

  • Jeremy B
    05-28-2017

    Thanks so much for taking the time to write this up! I was stuck trying to get past the bastion ec2. Will now be able to complete the lab properly.

  • Vick S
    06-09-2017

    Awesome!!!! thanks a bunch!

  • Derryl P
    07-05-2017

    Yesssssssss!

  • Ford B
    08-11-2017

    Excellent guide!

  • Udaychowdary P
    08-20-2017

    Thank you so much for the detailed explanation... I was struggling with this error...

  • Shea B
    08-31-2017

    What an awesome guide! Saved my turkey bacon!


  • Pawan P
    08-31-2017

    Clear and Crisp

  • Krishna G
    09-04-2017

    What a guide. You made my day!!!

  • Vinay S
    09-15-2017

    I am getting the error 'permission denied (publickey)' while I telnet from one VPC to another while doing a VPC peering session. Can someone help me with the fix here, please? Thanks!

  • Lloyd L
    09-20-2017

    Fantastic explanation/tutorial, this worked for me. Can anyone suggest the next step? How to become proficient in this SSH language? Thanks!

  • Eric G
    09-28-2017

    Should this really make sense... it doesn't. I get to the PuTTY session and it says server refused our key? Disconnected: No supported authentication methods available (server sent: publickey)

  • Broadus P
    10-17-2017

    Hey Eric, did you ever find out what went wrong? I'm getting the same error too.

  • Ramkumar V
    10-20-2017

    I got a question in AWS challenge.. not sure how to do this. 


    SSH into the instance, this time with the user: "yunowork"

    This user does not have a password set, and must be authenticated using an SSH keypair.

    Use the following key to authenticate this user:

    challenge-tmp.key

  • Mohan Kumar V
    10-24-2017

    I was able to solve the issue of logging into the EC2 instance in the private subnet from the bastion host via PuTTY by following the above guide. The only change was using the same *.ppk file created initially from PuTTYgen to log into the EC2 instance in the private subnet, as the instances were created with the same key pair, but following the process to add the *.ppk to Pageant as described above.

    I also had issues [error code below] starting the httpd service. After researching, I found advice on enabling the "Set DNS Hostnames" option at the VPC level. This solved the issue for starting the httpd service and I am able to serve the Apache page from the ELB with the EC2 instance in the private subnet via the NAT gateway.

    Error reference below:
    Starting httpd: httpd: apr_sockaddr_info_get() failed for ip-10-0-3-111
    httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName


  • Tim B
    10-31-2017

    I have looked at a lot of documents before finally locating this one with the Pageant reference. I've been working on this lab since 1:00 pm today, it's now 9:15 pm, trying to get through the Bastion server to my private server. The building of the VPC, IGW, etc., was really good to build that experience, but I'm now satisfied that I have accomplished this part of the lab. However... I would ask that Thomas put a link in the Lab Guide for those who aren't doing this on a Mac, to download both PuTTY and Pageant. THANK YOU!

  • Jayashree K
    11-04-2017

    Thanks Thomas for this guide. It is very helpful.

    Initially, I was able to successfully connect to my bastion host but was not able to ssh into my database host in the private subnet. I tried all the steps mentioned in the AWS documentation but was not able to figure out where I was going wrong. I figured out that I was directly connecting from PuTTY with just the IP address (not as ec2-user@ip-address). After changing to ec2-user@ip-address, I am successfully able to ssh into my database in the private subnet.

  • Johnny S
    11-07-2017

    I ran into the same inability to ssh into one of my private instances from the bastion host using Putty. It was infuriating! I then read the document above and realized I skipped the "PAGEANT" step. Once I did this, it worked perfectly! I found this forum through a Google search so it may be helpful to amend the lab guide for the section "Hands-on Lab: Building a More Secure Application with a Bastion Host and NAT Gateway" (AWS Certified Solutions Architect - Associate course) with the PAGEANT information for Putty users.

  • Bikram A
    11-09-2017

    Thank You for your guide

  • Durga Prasad M
    11-26-2017

    Worked!!

  • Sumit K
    11-30-2017

    I followed your single steps, got connected with the private instance and tried to execute ssh ec2-user@hostname -i mykeypair.ppk. I am getting an error like: Enter passphrase for key 'keypair.ppk':

    Permission denied (publickey). Could you please help me with that? Why am I getting this error, and what is the resolution?

  • Jesus C
    12-02-2017

    thanks, simple and explanatory!!

  • Swetha R
    12-30-2017

    Error in using PuTTY to access EC2 Linux Instances via SSH from Windows.

    I have created an EC2 instance and am trying to connect to the EC2 Linux instance via SSH from Windows using PuTTY. I downloaded PuTTY and converted the .pem key to .ppk. After launching PuTTY I have given the hostname as ec2-user@"Public IP" and tried to connect using the generated key. I have checked the security group; the rule to allow port 22 is enabled. I am unable to figure out my issue. What could be the reason for this? Thanks in advance.

  • Ram M
    04-21-2018

    Great instructions. Works perfectly

  • Kcg K
    05-09-2018

    Have been following the instructions exactly as stated. Receiving the same network error message as Swetha. Would really appreciate a response. Thanks.

  • Derek M
    05-09-2018

    Check your security rules. You should allow TCP/22 inbound in your security group and NACL, then, at minimum, ports TCP/1024 - 65535 must be allowed outbound in your NACL. 

  • Deniz K
    05-26-2018

    Just great! Works perfectly! What I don't understand is why the login to the bastion host works without providing the path to the .ppk key in the auth dialog in PuTTY. I deleted the path as shown above. The login to the bastion worked. And from there the login to the EC2 in the private subnet was also successful. But why does this work when deleting or not providing the path to the PPK key for the bastion host?

  • fernandez
    05-29-2018

    Any help with Mac?

  • fernandez
    05-29-2018

    [ec2-user@ip-10-0-1-xxx .ssh]$ ssh ec2user@10.0.3.xx

    Permission denied (publickey)


  • ooyinlade
    06-23-2018

    I have tried these steps repeatedly and I get a "Connection Error: Network Timed Out" error message. I have tried googling some things and it seems to me to be a firewall issue. I tried switching off my firewall and still no luck. Any ideas on how to get past this?
