Lab3a : Connect to your Linux instance from Windows
You can use the following methods to connect to your Linux instance from a local machine that has a Windows operating system.
- OpenSSH
- PuTTY
- Windows Subsystem for Linux
1- Connect to your Linux instance from Windows with OpenSSH
The following procedures show you how to connect to your Linux instance from Windows using OpenSSH, an open source connectivity tool for remote login with the SSH protocol. OpenSSH is supported on Windows Server 2019 and later operating systems.
Prerequisites
- Verify that the instance is ready
- After you launch an instance, it can take a few minutes for the instance to be ready so that you can connect to it. Check that your instance has passed its status checks. You can view this information in the Status check column on the Instances page.
- Verify the general prerequisites for connecting to your instance
- To find the public DNS name or IP address of your instance and the username that you should use to connect to your instance, see Get information about your instance.
- Verify your Windows version
- To connect to your Linux instance from Windows using OpenSSH, the Windows version must be Windows Server 2019 or later.
- Verify PowerShell prerequisites
- To install OpenSSH on your Windows OS using PowerShell, you must be running PowerShell version 5.1 or later, and your account must be a member of the built-in Administrators group. To check your PowerShell version, run the following command from PowerShell:
$PSVersionTable.PSVersion
To check whether you are a member of the built-in Administrators group, run the following PowerShell command:
(New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
If you are a member of the built-in Administrators group, the output is True.
Install OpenSSH for Windows using PowerShell
Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0
Expected output:
Path :
Online : True
RestartNeeded : False
Connect to your Linux instance from Windows using OpenSSH
To connect to your instance using OpenSSH
- In PowerShell or the Command Prompt, use the ssh command to connect to the instance. You specify the path and file name of the private key (.pem), the username for your instance, and the public DNS name or IPv6 address for your instance. For more information about how to find the private key, the username for your instance, and the DNS name or IPv6 address for an instance, see Locate the private key and set permissions and Get information about your instance. To connect to your instance, use one of the following commands.
- (Public DNS) To connect using your instance’s public DNS name, enter the following command.
ssh -i /path/key-pair-name.pem instance-user-name@instance-public-dns-name
- (IPv6) Alternatively, if your instance has an IPv6 address, to connect using your instance’s IPv6 address, enter the following command.
ssh -i /path/key-pair-name.pem instance-user-name@instance-IPv6-address
You see a response like the following:
The authenticity of host 'ec2-198-51-100-1.compute-1.amazonaws.com (198-51-100-1)' can't be established.
ECDSA key fingerprint is l4UB/neBad9tvkgJf1QZWxheQmR59WgrgzEimCG6kZY.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
- (Optional) Verify that the fingerprint in the security alert matches the fingerprint that you previously obtained in (Optional) Get the instance fingerprint. If these fingerprints don’t match, someone might be attempting a man-in-the-middle attack. If they match, continue to the next step.
- Enter yes. You see a response like the following:
Warning: Permanently added 'ec2-198-51-100-1.compute-1.amazonaws.com' (ECDSA) to the list of known hosts.
Uninstall OpenSSH from Windows using PowerShell
Remove-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0
Expected output:
Path :
Online : True
RestartNeeded : True
2- Connect to your Linux instance from Windows with PuTTY
Prerequisites
- Verify that the instance is ready
- After you launch an instance, it can take a few minutes for the instance to be ready so that you can connect to it. Check that your instance has passed its status checks. You can view this information in the Status check column on the Instances page.
- Verify the general prerequisites for connecting to your instance
- To find the public DNS name or IP address of your instance and the username that you should use to connect to your instance, see Get information about your instance.
- Install PuTTY on your local computer
- Download and install PuTTY from the PuTTY download page. If you already have an earlier version of PuTTY installed, we recommend that you download the latest version. Be sure to install the entire suite.
- Convert your private .pem key to .ppk using PuTTYgen
- For the key pair that you specified when you launched the instance, if you chose to create the private key in the .pem format, you must convert it to a .ppk file for use with PuTTY. Locate the private .pem file, and then follow the steps in the next section.
Convert your private key using PuTTYgen
PuTTY does not natively support the PEM format for SSH keys. PuTTY provides a tool named PuTTYgen, which converts PEM keys to the required PPK format for PuTTY. You must convert your private key (.pem file) into this format (.ppk file) as follows in order to connect to your instance using PuTTY.
To convert your private .pem key to .ppk
- From the Start menu, choose All Programs, PuTTY, PuTTYgen.
- Under Type of key to generate, choose RSA. If your version of PuTTYgen does not include this option, choose SSH-2 RSA.
- Choose Load. By default, PuTTYgen displays only files with the extension .ppk. To locate your .pem file, choose the option to display files of all types.
- Select your .pem file for the key pair that you specified when you launched your instance and choose Open. PuTTYgen displays a notice that the .pem file was successfully imported. Choose OK.
- To save the key in the format that PuTTY can use, choose Save private key. PuTTYgen displays a warning about saving the key without a passphrase. Choose Yes.
Note
A passphrase on a private key is an extra layer of protection. Even if your private key is discovered, it can’t be used without the passphrase. The downside to using a passphrase is that it makes automation harder because human intervention is needed to log on to an instance, or to copy files to an instance.
- Specify the same name for the key that you used for the key pair (for example, key-pair-name) and choose Save. PuTTY automatically adds the .ppk file extension.
Your private key is now in the correct format for use with PuTTY. You can now connect to your instance using PuTTY’s SSH client.
Connect to your Linux instance
You need the .ppk file that you created for your private key. For more information, see Convert your private key using PuTTYgen in the preceding section. If you receive an error while attempting to connect to your instance, see Troubleshoot connecting to your instance.
Last tested version of PuTTY: .78
To connect to your instance using PuTTY
- Start PuTTY (from the Start menu, search for PuTTY and then choose Open).
- In the Category pane, choose Session and complete the following fields:
- In the Host Name box, do one of the following:
- (Public DNS) To connect using your instance’s public DNS name, enter instance-user-name@instance-public-dns-name.
- (IPv6) Alternatively, if your instance has an IPv6 address, to connect using your instance’s IPv6 address, enter instance-user-name@instance-IPv6-address.
For information about how to get the username for your instance, and the public DNS name or IPv6 address of your instance, see Get information about your instance.
- Ensure that the Port value is 22.
- Under Connection type, select SSH.
- (Optional) You can configure PuTTY to automatically send ‘keepalive’ data at regular intervals to keep the session active. This is useful to avoid disconnecting from your instance due to session inactivity. In the Category pane, choose Connection, and then enter the required interval in Seconds between keepalives. For example, if your session disconnects after 10 minutes of inactivity, enter 180 to configure PuTTY to send keepalive data every 3 minutes.
- In the Category pane, expand Connection, SSH, and Auth. Choose Credentials.
- Next to Private key file for authentication, choose Browse. In the Select private key file dialog box, select the .ppk file that you generated for your key pair. You can either double-click the file or choose Open in the Select private key file dialog box.
- (Optional) If you plan to connect to this instance again after this session, you can save the session information for future use. In the Category pane, choose Session. Enter a name for the session in Saved Sessions, and then choose Save.
- To connect to the instance, choose Open.
- If this is the first time you have connected to this instance, PuTTY displays a security alert dialog box that asks whether you trust the host to which you are connecting.
- (Optional) Verify that the fingerprint in the security alert dialog box matches the fingerprint that you previously obtained in (Optional) Get the instance fingerprint. If these fingerprints don’t match, someone might be attempting a "man-in-the-middle" attack. If they match, continue to the next step.
- Choose Accept. A window opens and you are connected to your instance.
Note
If you specified a passphrase when you converted your private key to the PuTTY format, you must provide that passphrase when you log in to the instance.
If you receive an error while attempting to connect to your instance, see Troubleshoot connecting to your instance.
Transfer files to your Linux instance using the PuTTY Secure Copy client
To use PSCP, you need the private key you generated in Convert your private key using PuTTYgen. You also need the public DNS name of your Linux instance, or the IPv6 address if your instance has one.
The following example transfers the file Sample_file.txt from the C:\ drive on a Windows computer to the instance-user-name home directory on an Amazon Linux instance. To transfer a file, use one of the following commands.
- (Public DNS) To transfer a file using your instance’s public DNS name, enter the following command.
pscp -i C:\path\my-key-pair.ppk C:\path\Sample_file.txt instance-user-name@instance-public-dns-name:/home/instance-user-name/Sample_file.txt
- (IPv6) Alternatively, if your instance has an IPv6 address, to transfer a file using your instance’s IPv6 address, enter the following command. The IPv6 address must be enclosed in square brackets ([ ]).
pscp -i C:\path\my-key-pair.ppk C:\path\Sample_file.txt instance-user-name@[instance-IPv6-address]:/home/instance-user-name/Sample_file.txt
Transfer files to your Linux instance using WinSCP
Requirements
- You must have the private key that you generated in Convert your private key using PuTTYgen.
- You must have the public DNS name of your Linux instance.
- Your Linux instance must have scp installed. For some operating systems, you install the openssh-clients package. For others, such as the Amazon ECS-optimized AMI, you install the scp package. Check the documentation for your Linux distribution.
To connect to your instance using WinSCP
- Download and install WinSCP from http://winscp.net/eng/download.php. For most users, the default installation options are OK.
- Start WinSCP.
- At the WinSCP login screen, for Host name, enter one of the following:
- (Public DNS or IPv4 address) To log in using your instance’s public DNS name or public IPv4 address, enter the public DNS name or public IPv4 address for your instance.
- (IPv6) Alternatively, if your instance has an IPv6 address, to log in using your instance’s IPv6 address, enter the IPv6 address for your instance.
- For User name, enter the default username for your AMI.
- For AL2023, Amazon Linux 2, or the Amazon Linux AMI, the user name is ec2-user.
- For a CentOS AMI, the user name is centos or ec2-user.
- For a Debian AMI, the user name is admin.
- For a Fedora AMI, the user name is fedora or ec2-user.
- For a RHEL AMI, the user name is ec2-user or root.
- For a SUSE AMI, the user name is ec2-user or root.
- For an Ubuntu AMI, the user name is ubuntu.
- For an Oracle AMI, the user name is ec2-user.
- For a Bitnami AMI, the user name is bitnami.
Note
To find the default user name for other Linux distributions, check with the AMI provider.
- Specify the private key file for your instance.
- Choose the Advanced… button.
- Under SSH, choose Authentication.
- Specify the path for your private key file, or choose the … button to browse to the key pair file.
- Choose OK.
Here is a screenshot from WinSCP version 6.1:
WinSCP requires a PuTTY private key file (.ppk). You can convert a .pem security key file to the .ppk format using PuTTYgen. For more information, see Convert your private key using PuTTYgen.
- (Optional) In the left panel, choose Directories. For Remote directory, enter the path for the directory to which to add files. To open the advanced site settings for newer versions of WinSCP, choose Advanced. To find the Remote directory setting, under Environment, choose Directories.
- Choose Login. To add the host fingerprint to the host cache, choose Yes.
- After the connection is established, in the connection window your Linux instance is on the right and your local machine is on the left. You can drag and drop files between the remote file system and your local machine. For more information on WinSCP, see the project documentation at http://winscp.net/eng/docs/start.
If you receive an error that you cannot run SCP to start the transfer, verify that you installed scp on the Linux instance.
3- Connect to your Linux instance from Windows with Windows Subsystem for Linux (WSL)
After you launch your instance, you can connect to it and use it the way that you’d use a computer sitting in front of you.
The following instructions explain how to connect to your instance with a Linux distribution on the Windows Subsystem for Linux (WSL). WSL is a free download and enables you to run native Linux command line tools directly on Windows, alongside your traditional Windows desktop, without the overhead of a virtual machine.
By installing WSL, you can use a native Linux environment to connect to your Linux EC2 instances instead of using PuTTY or PuTTYgen. The Linux environment makes it easier to connect to your Linux instances because it comes with a native SSH client that you can use to connect to your Linux instances and change the permissions of the .pem key file. The Amazon EC2 console provides the SSH command for connecting to the Linux instance, and you can get verbose output from the SSH command for troubleshooting. For more information, see the Windows Subsystem for Linux Documentation.
Note
After you’ve installed the WSL, all the prerequisites and steps are the same as those described in Connect to your Linux instance from Linux or macOS using SSH, and the experience is just like using native Linux.
Prerequisites
- Verify that the instance is ready
- After you launch an instance, it can take a few minutes for the instance to be ready so that you can connect to it. Check that your instance has passed its status checks. You can view this information in the Status check column on the Instances page.
- Verify the general prerequisites for connecting to your instance
- To find the public DNS name or IP address of your instance and the user name that you should use to connect to your instance, see Get information about your instance.
- Install the Windows Subsystem for Linux (WSL) and a Linux distribution on your local computer
- Install the WSL and a Linux distribution using the instructions in the Windows 10 Installation Guide. The example in the instructions installs the Ubuntu distribution of Linux, but you can install any distribution. You are prompted to restart your computer for the changes to take effect.
- Copy the private key from Windows to WSL
- In a WSL terminal window, copy the .pem file (for the key pair that you specified when you launched the instance) from Windows to WSL. Note the fully-qualified path to the .pem file on WSL to use when connecting to your instance. For information about how to specify the path to your Windows hard drive, see How do I access my C drive?. For more information about key pairs and Windows instances, see Amazon EC2 key pairs and Windows instances.
cp /mnt/<Windows drive letter>/path/my-key-pair.pem ~/WSL-path/my-key-pair.pem
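The copy step above, as an added example that is not part of the original lab: OpenSSH refuses to use a private key file that group or others can access, so this sketch copies the key under a restrictive umask, makes it owner read-only, and checks the result. The function names install_key and key_is_private are illustrative, and the paths in the usage comment are the placeholders from the cp command above.

```shell
#!/bin/sh
# Added example (not from the original page): copy a private key into the
# WSL file system and confirm that ssh will accept its permissions.

# key_is_private FILE
# Returns 0 only if FILE grants no access to group or others.
key_is_private() {
    # "ls -ld" prints a mode string such as "-r--------";
    # characters 5-10 are the group and other permission bits.
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# install_key SRC DEST
# Copies SRC to DEST, sets it owner read-only, and verifies the result.
install_key() {
    src=$1
    dest=$2
    [ -f "$src" ] || { echo "no such key file: $src" >&2; return 1; }
    mkdir -p "$(dirname "$dest")" || return 1
    # The umask is set in a subshell so the copy is never readable by
    # others, even between cp and chmod. -f replaces an existing
    # read-only copy from an earlier run.
    ( umask 077 && cp -f "$src" "$dest" ) || return 1
    chmod 400 "$dest" || return 1
    key_is_private "$dest" || {
        echo "permissions on $dest are still too open" >&2
        return 1
    }
}

# Usage (placeholder paths, as in the cp command above):
#   install_key /mnt/<Windows drive letter>/path/my-key-pair.pem \
#               ~/WSL-path/my-key-pair.pem
```
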
Connect to your Linux instance using WSL
To connect to your instance using SSH
- In a terminal window, use the ssh command to connect to the instance. You specify the path and file name of the private key (.pem), the user name for your instance, and the public DNS name or IPv6 address for your instance. For more information about how to find the private key, the user name for your instance, and the DNS name or IPv6 address for an instance, see Locate the private key and set permissions and Get information about your instance. To connect to your instance, use one of the following commands.
- (Public DNS) To connect using your instance’s public DNS name, enter the following command.
ssh -i /path/key-pair-name.pem instance-user-name@my-instance-public-dns-name
- (IPv6) Alternatively, if your instance has an IPv6 address, you can connect to the instance using its IPv6 address. Specify the ssh command with the path to the private key (.pem) file, the appropriate user name, and the IPv6 address.
ssh -i /path/key-pair-name.pem instance-user-name@my-instance-IPv6-address
You see a response like the following:
The authenticity of host 'ec2-198-51-100-1.compute-1.amazonaws.com (10.254.142.33)' can't be established.
RSA key fingerprint is 1f:51:ae:28:bf:89:e9:d8:1f:25:5d:37:2d:7d:b8:ca:9f:f5:f1:6f.
Are you sure you want to continue connecting (yes/no)?
- (Optional) Verify that the fingerprint in the security alert matches the fingerprint that you previously obtained in (Optional) Get the instance fingerprint. If these fingerprints don’t match, someone might be attempting a "man-in-the-middle" attack. If they match, continue to the next step.
- Enter yes. You see a response like the following:
Warning: Permanently added 'ec2-198-51-100-1.compute-1.amazonaws.com' (RSA) to the list of known hosts.
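The fingerprint check in the optional step above (and in the OpenSSH for Windows procedure earlier), as an added example that is not part of the original lab: it extracts the fingerprint from the first-connection prompt and compares it with the one you obtained beforehand, instead of comparing long strings by eye. The function names are illustrative, and the sample prompt is built from the response text shown on this page.

```shell
#!/bin/sh
# Added example (not from the original page): compare the fingerprint in
# ssh's first-connection prompt with a reference obtained out of band.

# Sample input, constructed from the response shown in the OpenSSH section.
SAMPLE_PROMPT="The authenticity of host 'ec2-198-51-100-1.compute-1.amazonaws.com (198-51-100-1)' can't be established.
ECDSA key fingerprint is l4UB/neBad9tvkgJf1QZWxheQmR59WgrgzEimCG6kZY.
Are you sure you want to continue connecting (yes/no/[fingerprint])?"

# prompt_fingerprint: read prompt text on stdin, print the fingerprint token.
prompt_fingerprint() {
    sed -n 's/.*key fingerprint is \([^ ]*\).*/\1/p' | sed 's/\.$//' | head -n 1
}

# normalize_fingerprint FP: strip the hash label and base64 padding.
normalize_fingerprint() {
    fp=$(printf '%s' "$1" | sed 's/^SHA256://; s/^MD5://; s/=*$//')
    case $fp in
        # Colon-separated hex (older format): letter case is irrelevant.
        *:*) printf '%s' "$fp" | tr 'A-F' 'a-f' ;;
        # Base64 (SHA256 format): case-sensitive, so it is left untouched.
        *)   printf '%s' "$fp" ;;
    esac
}

# fingerprint_matches EXPECTED: prompt text on stdin.
# Returns 0 only on an exact match; a prompt with no fingerprint fails.
fingerprint_matches() {
    seen=$(normalize_fingerprint "$(prompt_fingerprint)")
    want=$(normalize_fingerprint "$1")
    [ -n "$seen" ] && [ "$seen" = "$want" ]
}

# Demonstration with the constructed sample and its own fingerprint.
if printf '%s\n' "$SAMPLE_PROMPT" |
    fingerprint_matches "SHA256:l4UB/neBad9tvkgJf1QZWxheQmR59WgrgzEimCG6kZY"
then
    echo "fingerprint matches: safe to answer yes"
else
    echo "FINGERPRINT MISMATCH: do not connect"
fi
```
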