Situation : So Basically I have Ec2 instance and to login to Ec2 instance, first I will login to jump server and then I login to my instance with private ip, and all my pem files are stored inside the jump server and in private instance(EC2 instance).
What I have Done : I have edited sshd-config file with "PasswordAuthentication No and change it to PasswordAuthentication Yes" and created password like "xyz123" now I able to login to my machine with,
ssh ubuntu#ipadrrs and psswd:xyz123
but this is not serving my open item.
what I am looking for : actually I used to share my .pem file to my team member to access instance, and if I enable password with ip they still can login with username and password and if they leave my org if they have my pem file handy still they can access my instance with pem file or password.
what is the best way to avoid this problem.
will Active directory will help here or LDAP will help here?if so how?
Please help me with quires.
The best solution now is to use AWS Systems Manager Session Manager. This requires no pem sharing. SSH access direct from the browser, I am using this and I did not find any issues. Also, entire sessions can be audited.
Otherwise, rotate your key pairs. But I am not sure if there is an AWS way to do it. Also, use the best practices by enabling security groups to open only to known ips instead of the entire whole.
Here you can convert your jump server to a SSH Bastion server. The same can be done using setting up iptables rules on this server. Below mentioned is the example of a rule which you can setup:
iptables -t nat -A PREROUTING -d xx.xx.xx.xx -p tcp --dport yyyy -j DNAT --to zz.zz.zz.zz:22
Here xx.xx.xx.xx is the private IP of the SSH bastion server. yyyy is the port which will be used for inbound access. zz.zz.zz.zz will be the private IP of the destination server. This rule simply means that you ssh into a machine using port yyyy, which will port forward the traffic to port 22 on zz.zz.zz.zz machine.
In this case you will only have to configure SSH public on the destination machine(zz.zz.zz.zz) only and the client machine will have the private key. Command to connect from the client machine will be ssh -i <path-to-private-key> username#BastionPublicIP -p yyyy
Below mentioned are the ports to be opened at security groups:
Bastion - Inbound - yyyy(from your IP)
Bastion - Inbound - 22(from your IP)
Destionation - Inbound - 22(from bastion machine)
I suggest, you use an Amazon Linux AMI for SSH Bastion server.
Related
Can DBeaver create two SSH tunnels and then connect to a database?
I have successfully created one SSH tunnel but not two.
I am trying to connect to an AWS RDS database via Bastion host. Bastion host only allows SSH access from my corporate IP range.
This means that when I am in the office I can connect to the RDS from DBeaver just fine:
My computer is in the allowed IP range
DBeaver creates an SSH tunnel to a Bastion host in my VPC inside the AWS cloud
DBeaver connects to the RDS database
The issue arises when I work from home.
I would have to add "zero" step to have an allowed IP address for the Bastion host connection:
0) Connect to the machine inside the office
I have not yet managed to achieve this. Has anyone got an idea of how to do this?
Kudos to #erik258 for pointing me in the right direction.
I have created an SSH tunnel between an office machine and the Bastion host. When in the office machine, when I access http://localhost:<local_port> I am in effect communicating with the <RDS_endpoint> on port <remote_port>.
Steps:
Create an SSH tunnel from the office machine to the Bastion host. Source
$ ssh -L <local_port>:<RDS_endpoint>:<remote_port> -i <path_to_ssh_key> ec2-user#<Bastion_host public IP>
<local_port> - random port
<remote_port> - port RDS endpoint listens to (5432 for PostgreSQL)
<RDS_endpoint> - endpoint specified on the AWS RDS page
Create DBeaver connection. In the "SSH" section specify your office machine. In "Main" section, set "Host" as localhost, and "Port" as <local_port>.
current my .ssg/config has
Host git-codecommit.*.amazonaws.com
User APKAS2GIPODK72AAAAAA
IdentityFile ~/.ssh/codecommit_rsa
Host github.com
User durrantm
IdentityFile ~/.ssh/id_rsa
I believe I can add an entry for a specific EC2 machine that I want to ssh into.
Is there a way to make the pem file by a default for all my EC2 ssh connections (while I am using the awscli, configured for my account-user) so that I don't have to -i "abc.pem" for each ec2 connection?
Yes, you can if you connect to the instances via their public DNS.
Add this to your SSH config:
Host ec2-*.compute.amazonaws.com
IdentityFile abc.pem
This is identical to what you have with Host git-codecommit.*.amazonaws.com
Yes, you can start an ssh-agent on your EC2 instance and have it load your private key. Then whenever you try and SSH to any instance that offers public key authentication, the ssh-agent will attempt to authenticate you using the loaded private key. This article describes it nicely.
eval $(ssh-agent) && ssh-add ~/.ssh/*.pem
I understand that it is not recommended to ask multiple question in a single post but they are all tightly coupled hence asking them under one post.
I was trying to SSH to a private EC2 instance in a VPC from the internet using Bastion host. I came across 2 approaches.
NOTE When I launched my private EC2 instance and Bastion host I chose different Keys.(In both the approaches I saw the authors used same Keys for EC2 and the Bastion)
Approach 1: Configuring SSH ProxyCommand as illustrated in https://www.youtube.com/watch?v=EpFAHis4O4g
Approach 2: ssh-agent command with ssh -A option https://aws.amazon.com/blogs/security/securely-connect-to-linux-instances-running-in-a-private-amazon-vpc/
Question 1: In approach 2, I did
ssh-add ~/Downloads/Ec2.pem
ssh-add ~/Downloads/BastionKey.pem
Is my approach of adding both the keys to the ssh-agent correct? This way I was able ssh into Bastion as a first step and then as a second step I had to explicitly ssh into private EC2.
Question 2: Approach 1 is against the idea of (Approach 2) 2 step ssh process but proposes ProxyCommand so that end user should be able to directly ssh into the private EC2 in a single step. This way a system admin of Bastion host will not have control of ssh-ing to individual EC2 instances.In fact the author demonstrates that if you ssh into Bastion host (it will succeed) and then ssh to EC2 it fails. Is my understanding correct here?
Question 3: Approach 1 is not working for me. I used the same structure for ~/.ssh/config but with different Key file paths. I am unable to ssh to my private EC2 directly. I even tried the 2 step process but I can only login into Bastion host, I cannot ssh to EC2. All my Security groups, ACL, Internet gateway, NAT gateway and VPC settings are fine, otherwise Approach 2 wouldn't have worked. What could I be doing wrong?
cat ~/.ssh/config
HOST bastion
Hostname ec2-5x-xx-xx-xx.compute-1.amazonaws.com
User ec2-user
IdentityFile /Users/myname/Downloads/BastionKey.pem
HOST *.ec2.internal
User ec2-user
IdentityFile /Users/myname/Downloads/Ec2.pem
ProxyCommand ssh -q -W %h:%p bastion
Question 4: Which is the recommend approach among 1 & 2 and what additional steps must be followed when different keys are chosen for Bastion and EC2?
Error output:
ssh -v ip-10-0-1-12.ec2.internal
OpenSSH_7.8p1, LibreSSL 2.6.2
debug1: Reading configuration data /Users/myname/.ssh/config
debug1: /Users/myname/.ssh/config line 6: Applying options for *.ec2.internal
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 48: Applying options for *
debug1: Executing proxy command: exec ssh -q -W ip-10-0-1-12.ec2.internal:22 bastion
debug1: identity file /Users/myname/Downloads/Ec2.pem type -1
debug1: identity file /Users/myname/Downloads/Ec2.pem-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.8
/bin/false: No such file or directory
ssh_exchange_identification: Connection closed by remote host
HOST bastion
Hostname ec2-example-ip.compute-1.amazonaws.com
User ec2-user
IdentityFile /Users/myname/Downloads/BastionKey.pem
HOST *.ec2.internal
User ec2-user
IdentityFile /Users/myname/Downloads/Ec2/Ec2.pem
ProxyCommand ssh -q -W %h:%p bastion
Try using the bastions public DNS name in your ssh config, also use the internal ec2 DNS name for the one behind the VPC. (AWS DNS is sketchy at best sometimes)
Note: *.ec2.internal assums you will use the same ssh key for each ec2 you need to access proxying through your bastion. If this is not the case replace *.ec2.internal with whatever-internal-ip.ec2.internal and add an entry for each individual ec2.
Hope this can fix your issue.
Assuming Machine A is target machine which I want to SSH into finally while Machine B is a bridge machine (bastion host). These two machines are accessible using the same PEM file.
The security group of Machine A allows SSH connections only from Machine B. So If I want to connect to Machine A, I need to connect through Machine B.
How can this be accomplished without placing the PEM file on the bastion host?
You can use ProxyCommand. I prefer defining the following in your ~/.ssh/config file.
host MachineB
HostName <MachineB-IP>
IdentityFile <Full Path of .pem file>
User username
host MachineA
HostName <MachineA-IP>
ProxyCommand ssh MachineB nc -w 120 %h %p
IdentityFile <Full Path of .pem file>
User username
Then access MachineA like:
$ ssh MachineA
To reach an EC2 instance in a private subnet via a bastion host in a public subnet, without placing your SSH private key on the bastion, you need to use SSH agent forwarding.
Specific instructions are provided here.
I am currently working on an AWS EC# LINUX AMI. I have a private IP. Is it possible to access that private IP with filezilla to transfer files. i am unable to do so.
For access an EC2 machine with private IP, you need to setup your own VPN server. If you already have VPN setup in your AWS cloud then you just need to install a VPN client and login with your credential and you will be able to access EC2 machine or transfer files using filezilla with private IP too. I am assuming that you haven't setup VPN server. you may use AMI of OPENVPN from AWS market place for setup VPN. Below is the good link for getting start.
https://docs.openvpn.net/how-to-tutorialsguides/virtual-platforms/amazon-ec2-appliance-ami-quick-start-guide/
After complete this you have to install OPENVPN in your machine and after Login with your credentials your will able to access your EC2 instance with private IP.
Below is the link for install OPENVPN in Ubuntu machine. For different operating system you can explore site.
https://docs.openvpn.net/getting-started/how-to-install-openvpn-as-software/
OPENVPN is one of the alternative, you can use other also as per your need.
Using 2 ways you can do this
Create a bastion host which will connect to the private instance
Using a port forwarding means tunnelling.
If you are using bastion host for connecting private ec2 instance then this steps will be useful
Using Filezilla to transfer files to a private ec2 instance through a bastion host:-
Note: Keep Pem file same of bastion host and private ec2 instance.
Open terminal or cmd(linux terminal i.e gitbash)
we are connecting to the AWS EC2 instance with one terminal command.
ssh -N -L 1234:<private_instance_ip or Private_DNS>:22 -i <Pem_File> #<Bastion_host_public_ip>
e.g.
ssh -N -L 1234: ip-171-12-21-208.us-east-1.compute.internal:22 -i app_prod.pem ubuntu#ec2-31-92-123-22.us-east-1.compute.amazonaws.com
Note: - For the first time when you enter this command it will ask for Are you sure you want to continue connecting - yes
3.Keep this terminal or cmd open.
If you close this session then the connection is broken
4.Open “FileZilla” application and on “Edit” section -> Click on “Settings”
5.On “Settings” page -> Click on “SFTP” and add PEM file of ec2 instance and click on “OK”
6.Add below entries:-
Host:- 127.0.0.1 or sftp://127.0.0.1
Username:- <your_user>
Password:- Keep empty
Port:- 1234
7.Click on Quick Connect.
Once the connection is established then you can easily transfer files from local to private instance.
See- scp-to-transfer-files-to-a-private-ec2-instance-through-a-bastion-host
https://www.davidbegin.com/using-scp-to-transfer-files-to-a-private-ec2-instance-through-a-bastion-host/