To connect to your Linux/UNIX instance from a Windows machine, use an SSH client. The following instructions explain how to use PuTTY, a free SSH client for Windows machines.
Converting Your Private Key
PuTTY does not natively support the private key format generated by Amazon EC2. Fortunately, PuTTY has a tool called PuTTYgen, which can convert keys to the required PuTTY format.
- Start PuTTYgen (e.g., from the Start menu, click All Programs > PuTTY > PuTTYgen).
- Click Load and browse to the location of the private key file that you want to convert (e.g.,
GSG_Keypair.pem). By default, PuTTYgen displays only files with extension
.ppk; you’ll need to change that to display files of all types in order to see your
.pemkey file. The private key file must end with a newline character or PuTTYgen cannot load it correctly.
- Select your
.pemkey file and click Open.
PuTTYgen displays the following message.
When you click OK, PuTTYgen displays a dialog box with information about the key you loaded, such as the public key and the fingerprint. The keys that Amazon EC2 generates are 1024-bit SSH-2 RSA keys.
- Click Save private key to save the key in PuTTY’s format.
PuTTYgen asks if you want to save the key without a passphrase.
- Click Yes.
Note A passphrase on a private key is an extra layer of protection, so even if your private key is discovered, it will not be usable without the passphrase. The downside to using a passphrase is that it makes automation harder because human intervention is needed to log on to an instance, or copy files to an instance. For this exercise, we’re not using a passphrase.
- Name the key with the same name you used for the key pair (e.g., GSG_Keypair). PuTTY automatically adds the
Your private key is now in the correct format for use with PuTTY. You can now connect to your instance using PuTTY’s SSH client.
Connecting Using PuTTY SSH
You’ll connect by starting a PuTTY SSH session.
- If you’ve launched a public AMI that you have not rebundled, run the
ec2-get-console-outputcommand on your local system (not on the instance), and locate the
SSH HOST KEY FINGERPRINTSsection. For more information, go to
ec2-get-console-outputin the Amazon Elastic Compute Cloud Command Line Reference.
... ec2: -----BEGIN SSH HOST KEY FINGERPRINTS----- ec2: 2048 bc:89:29:c6:45:4b:b3:e2:c1:41:81:22:cb:3c:77:54 /etc/ssh/ssh_host_key.pub ec2: 2048 fc:8d:0c:eb:0e:a6:4a:6a:61:50:00:c4:d2:51:78:66 /etc/ssh/ssh_host_rsa_key.pub ec2: 1024 b5:cd:88:6a:18:7f:83:9d:1f:3b:80:03:10:17:7b:f5 /etc/ssh/ssh_host_dsa_key.pub ec2: -----END SSH HOST KEY FINGERPRINTS-----...
Note the fingerprints so that you can compare them to the fingerprints of the instance.
- Start PuTTY (e.g., from the Start menu, click All Programs > PuTTY > PuTTY).
A dialog box opens with a Category menu on the left side. On the right side, the basic options for your PuTTY session are displayed.
- In the Host Name field, enter the public DNS name of your instance (available through the AWS Management Console or the
ec2-describe-instancescommand). You can optionally prefix the DNS name with
ec2-user@to automatically log in with superuser privileges when the session opens.
- In the Category menu, under Connection, click SSH, and then Auth.
The options controlling SSH authentication are displayed.
- Click Browse and navigate to the PuTTY private key file you generated in the preceding section.
- Click Open.
An SSH session window opens and PuTTY displays a security alert asking if you trust the host you’re connecting to.
Important If you’ve launched a public AMI, verify that the fingerprint in the security alert matches the fingerprint from the output of the
ec2-get-console-outputcommand. If it doesn’t, someone might be attempting a “man-in-the-middle” attack.
- Click Yes.
- In the SSH session window, log in as root (or ec2-user) if you didn’t as part of starting the SSH session.
Note Some AMIs let you log in as root, but some require you to log in with the username ec2-user. For log in information for your chosen AMI, contact your AMI provider directly or go to Amazon Machine Images(AMIs) page, then locate and click your AMI on the list.
If you specified a passphrase when you converted your private key to PuTTY's format, you must provide that passphrase when you log in to the instance.