I want to connect to a Linux Database Server on a private subnet through a Linux SSH Bastion Server situated on a public subnet. I also want to create a tunnel to port 3306.
When I attempt to create the SSH connection from the Bastion server, I receive "Permission Denied (publickey)." message.
ssh -L 10.0.0.10:22:10.0.1.10:22 [email protected]
Here's the debug output where it fails:
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug1: No more authentication methods to try.
Permission denied (publickey).
The correct Public key is already on DB Server, so I think I need to enter the private RSA key somewhere. Where do I enter the private key? Also are there any sshd config changes required to create the tunnel on 3306?
So, try this:
and then you can connect to the DB server by executing:
The default is ~/.ssh/, but you can put it anywhere you want and specify it with the -i option. Make sure that the line AllowTcpForwarding is commented out or set to yes.
.The primary cause seems to be related to the ssh keys on the bastion host. If you're not logging in to the bastion host as root (and you shouldn't be), then perhaps the user you are logging in there as doesn't have a home directory and is trying to use root's home directory? If you are logging in to the bastion host as root, you probably shouldn't be doing that.
Are you using an ssh-agent on your originating host? Take a look at the /etc/ssh/sshd_config on the bastion host. If AllowAgentForwarding is "no", try changing it to "yes" and restarting sshd. If you're not using an ssh-agent on your originating host, you may want to consider doing so as this will hold your key and allow forwarding it to remote ssh connections (such as on the bastion host).
Another option would be to enable password authentication on the DB machine so it doesn't fail when it can't do the public key authentication. Check /etc/ssh/sshd_config on the DB machine for PasswordAuthentication and make sure it is either not set (the default is "yes") or it is set to "yes".
When you run ssh, you can pass multiple -v arguments to it to increase the debugging level. Sometimes this helps show exactly where the problem is.
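Added example, not part of either answer above and not the asker's setup: a POSIX shell script that serves both answers. It reads the effective value of the sshd_config keywords they mention (AllowTcpForwarding from the first answer; AllowAgentForwarding and PasswordAuthentication from the second) the way sshd resolves them, i.e. the first non-comment occurrence wins and a commented-out line means the compiled-in default, and it prints one ssh command that opens the 3306 tunnel through the bastion with -o ProxyCommand, so the private key is read only on the originating host and never copied to the bastion (an alternative to forwarding an agent). The addresses 10.0.0.10 (bastion) and 10.0.1.10 (DB server) are inferred from the question's -L argument; the user names, the key path ~/.ssh/db_key and the sample sshd_config are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original Q&A. Assumed topology (inferred from the
# question's -L argument): bastion 10.0.0.10 on the public subnet, DB server
# 10.0.1.10 on the private subnet. User names and key path are assumptions.

# Effective value of an sshd_config keyword. sshd takes the FIRST non-comment
# occurrence of a keyword, so a commented-out line means "compiled-in default".
# Lines inside Match blocks are skipped (simplification: no Match evaluation).
#   $1 = path to sshd_config   $2 = keyword   $3 = compiled-in default
sshd_effective() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    val=$(awk -v key="$key" '
        { line = $0; sub(/=/, " ", line); $0 = line }   # accept Keyword=value too
        /^[[:space:]]*#/ { next }                        # comment line
        NF == 0 { next }                                 # blank line
        tolower($1) == "match" { skip = 1; next }        # rest of file is Match blocks
        skip { next }
        tolower($1) == key { print tolower($2); exit }   # first match wins
    ' "$1")
    printf '%s\n' "${val:-$3}"
}

# Does this sshd permit the -L (local) forwarding the tunnel needs?
# AllowTcpForwarding accepts yes, all, no, local and remote; -L needs yes/all/local.
tunnel_ok() {
    case "$(sshd_effective "$1" AllowTcpForwarding yes)" in
        yes|all|local) return 0 ;;
        *)             return 1 ;;
    esac
}

# One-line report of the keywords discussed in the answers, with OpenSSH defaults.
sshd_report() {
    for kw in AllowTcpForwarding AllowAgentForwarding PasswordAuthentication PubkeyAuthentication; do
        printf '%-24s %s\n' "$kw" "$(sshd_effective "$1" "$kw" yes)"
    done
}

# Tunnel command: the outer ssh targets the DB server; its ProxyCommand hops
# through the bastion with -W (stdio forwarding, OpenSSH 5.4+). -i is given on
# both hops because ssh does not pass -i into the ProxyCommand's inner ssh.
# The private key is read only on the originating host.
#   $1 = user@bastion   $2 = user@dbserver   $3 = private key path
tunnel_cmd() {
    printf "ssh -i %s -o ProxyCommand='ssh -i %s -W %%h:%%p %s' -N -L 3306:127.0.0.1:3306 %s\n" \
        "$3" "$3" "$1" "$2"
}

# --- demo on a constructed sshd_config (runs offline) --------------------------
demo_cfg="${TMPDIR:-/tmp}/sshd_config.example.$$"
cat > "$demo_cfg" <<'EOF'
# AllowTcpForwarding no
PasswordAuthentication no
AllowAgentForwarding = no
Match User backup
    AllowTcpForwarding no
EOF

sshd_report "$demo_cfg"          # AllowTcpForwarding yes (the "no" is commented out)
if tunnel_ok "$demo_cfg"; then
    echo "forwarding allowed; from the originating host run:"
    tunnel_cmd ec2-user@10.0.0.10 dbadmin@10.0.1.10 "$HOME/.ssh/db_key"
    echo "then in another terminal: mysql -h 127.0.0.1 -P 3306 -u dbuser -p"
else
    echo "AllowTcpForwarding is off on the DB server's sshd; the -L tunnel will be refused"
fi
rm -f "$demo_cfg"
```

Two caveats when applying this to the question's setup: the public key in the DB user's authorized_keys must correspond to the -i key on the originating host, otherwise the same "Permission denied (publickey)" appears one hop later; and -L 3306:127.0.0.1:3306 assumes MySQL listens on the DB server's loopback, so use the address it actually binds to if it differs. ProxyJump (-J, OpenSSH 7.3+) is the shorthand for this ProxyCommand, but it does not pass -i through either; with -J, set IdentityFile for the bastion in ~/.ssh/config instead.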