Boundary connect ssh permission denied

Hi, I’m following the terraform boundary example in https://github.com/hashicorp/boundary-reference-architecture/tree/main/deployment/aws#deploy .

Logging in with the code below is successful.

BOUNDARY_ADDR='https://boundary-test-controller-<random_name>-<some sha>.elb.us-east-1.amazonaws.com:9200' \
  boundary authenticate password \
  -login-name=jim \
  -password foofoofoo \
  -auth-method-id=ampw_<some ID>

However, connecting the target instance with the code below is unsuccessful.

boundary connect ssh --username ubuntu -target-id ttcp_jDSpPLkudz

The target id above is from the target below.

The error I receive is an unauthorized error.

ubuntu@127.0.0.1: Permission denied (publickey).

I followed hashicorp’s official example. Is there anything I should check to successfully authorize myself?

Hi, I’m a bit confused. I thought the Boundary worker starts the session with the pem key. Does it start the authentication with the password?

By the way, my target instance’s option has PasswordAuthentication turned off.

I can’t quite understand how turning this option will solve the problem. I would be grateful for a more detailed explanation. Thanks.

Plus, changing the sshd_config seems unnatural to me.

Think of Boundary (at the current time) as an authorization and transit layer. The fact that you got refused by public key means that you successfully authenticated to Boundary and connected to the worker, which connected you to the endpoint so that SSH communication could begin.

What seems to be failing here is that you aren’t presenting the right credentials to log into that node. This is a matter of your SSH config -or- command line options. The solution to this current problem will be to change your SSH command line in whatever way would be necessary if you had direct connectivity to the endpoint and Boundary didn’t exist.

Enabling verbose output from SSH client will help you solve this:

boundary connect ssh --username ubuntu -target-id ttcp_jDSpPLkudz -- -vv

…anything after the -- is passed through to the ssh command.

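As an added example (not part of the thread and not Boundary's own tooling), the shell function below reads saved output from the verbose ssh run suggested above and reports whether the client offered any key at all or the server rejected every key it was offered. The log lines are constructed, and `diagnose_ssh_debug`, `sample_log` and the verdict strings are hypothetical names.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies OpenSSH client debug output
# (ssh -v / -vv, read on stdin) for a "Permission denied (publickey)" failure.
# Function names and verdict strings are hypothetical.
diagnose_ssh_debug() {
    awk '
    # Newer clients print "Offering public key:", older ones "Offering RSA public key:".
    /debug1: Offering( [A-Za-z0-9-]+)? public key:/ { offered++ }
    # A key with no readable public half is tried directly.
    /debug1: Trying private key:/                    { offered++ }
    /debug1: Server accepts key/                     { accepted = 1 }
    /Permission denied/                              { denied = 1 }
    # Keep the last list of methods the server still allows.
    /debug1: Authentications that can continue:/ {
        m = $0; sub(/.*continue: */, "", m); methods = m
    }
    END {
        if (methods == "") { methods = "unknown" }
        if (denied && offered == 0) { verdict = "no-key-offered" }
        else if (denied)            { verdict = "keys-rejected" }
        else if (accepted)          { verdict = "key-accepted" }
        else                        { verdict = "inconclusive" }
        printf "%s offered=%d methods=%s\n", verdict, offered, methods
    }'
}

# Constructed sample of client output for the failure in this thread
# (paths, port and fingerprint are made up).
sample_log() {
    cat <<'EOF'
debug1: Connecting to 127.0.0.1 [127.0.0.1] port 51234.
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/me/.ssh/id_rsa RSA SHA256:CONSTRUCTED
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
ubuntu@127.0.0.1: Permission denied (publickey).
EOF
}

# Assumed usage: save the stderr of the verbose run to a file, then
#   diagnose_ssh_debug < ssh-debug.log
sample_log | diagnose_ssh_debug
```

A `no-key-offered` verdict means the client had no identity to present, so the key has to be named after the `--` (for example `-- -i <path-to-key>`); `keys-rejected` means the endpoint refused every key offered for that username.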