
Set up a bastion host in AWS


EC2 Linux instances use SSH key-pair files as the default authentication method. Key-pair files eliminate the need for SSH usernames and passwords. To maintain a secure environment, never store private keys on the bastion host. To connect using a bastion host, use ssh-agent forwarding on the client. The ssh-agent allows an administrator to connect from the bastion to another instance without storing the private key on the bastion.

The bastion host must be present in the VPC's public subnet so that you can access the host over the internet. Configure the bastion host's security group to allow SSH connections (TCP/22) from only known and trusted IP addresses. Configure the private Linux instance's security group to accept SSH connections only from the bastion host.

Configure ssh-agent forwarding on a macOS or Linux client:

1. Run the following command to start the ssh-agent in the background. Note: The openssh-clients package is installed by default on most Linux and macOS distributions and contains ssh-agent.

2. The ssh-agent stores your SSH keys in memory. Run the following command to add the SSH key to the ssh-agent: # ssh-add '/path/to/key.pem'

3. Run the following command to verify that the keys are added to the ssh-agent: # ssh-add -l

4. Run the following command to connect to the bastion host.
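The four client-side steps above, collected into one POSIX shell script as an added example (this is not code from the original page or from AWS). It starts the agent only if the shell does not already have one, loads the key, confirms the agent lists it, and builds the `ssh -A` command that forwards the agent to the bastion. It also includes a small check for the bastion's security-group source range, since the text asks for TCP/22 to be open only to known, trusted addresses. `KEY_PATH`, `SSH_USER`, `BASTION_HOST` and the 203.0.113.x / 198.51.100.x addresses are placeholders (assumptions), not values from the page.

```shell
#!/bin/sh
# Added example (not from the original page). KEY_PATH, SSH_USER and
# BASTION_HOST below are placeholder names, not values from the page.

# Steps 1-3: start ssh-agent in the background if this shell has none,
# load the private key into the agent's memory, and verify it is listed.
# The key file itself stays on this client; only the agent socket is
# forwarded later, so the bastion never holds the key.
load_key_into_agent() {
    key="$1"
    if [ -z "${SSH_AUTH_SOCK:-}" ]; then
        eval "$(ssh-agent -s)" >/dev/null
    fi
    ssh-add "$key" || return 1
    # ssh-add -l exits 0 only when at least one identity is loaded.
    ssh-add -l >/dev/null || return 1
}

# Step 4: build the command that connects to the bastion with agent
# forwarding (-A). From the bastion's shell, a further "ssh user@private-host"
# then authenticates against the agent on this client.
bastion_ssh_cmd() {
    user="$1"
    bastion="$2"
    printf 'ssh -A %s@%s' "$user" "$bastion"
}

# Security-group sanity check for the bastion's TCP/22 ingress rule.
# Returns 0 for a specific CIDR such as 198.51.100.0/24 and 1 for a range
# that would expose SSH to the whole internet (0.0.0.0/0, ::/0) or for a
# bare address with no prefix length at all.
trusted_ssh_source() {
    case "$1" in
        */*) ;;
        *) return 1 ;;
    esac
    prefix="${1#*/}"
    case "$prefix" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$prefix" -gt 0 ]
}

# Usage (placeholders; not executed automatically):
#   trusted_ssh_source "198.51.100.0/24" || echo "tighten the bastion SG"
#   load_key_into_agent "$KEY_PATH" && eval "$(bastion_ssh_cmd "$SSH_USER" "$BASTION_HOST")"
```

Design note: `-A` forwards the agent socket to the bastion, which is what the page's procedure relies on; for the duration of that session, any process on the bastion with access to your forwarded socket can use the loaded key, so forward only to a bastion you administer and keep the session short. Where the private instance only needs to be reached through the bastion (not worked on from it), `ssh -J user@bastion user@private-host` (ProxyJump) achieves the hop without forwarding the agent at all.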
