Assume Machine A is the target machine I ultimately want to SSH into, while Machine B is a bridge machine (bastion host). Both machines are accessible using the same PEM file.
The security group of Machine A allows SSH connections only from Machine B. So if I want to connect to Machine A, I need to connect through Machine B.
How can this be accomplished without placing the PEM file on the bastion host?
You can use ProxyCommand. I prefer defining the following in your ~/.ssh/config file:
Host MachineB
    HostName <MachineB-IP>
    IdentityFile <Full Path of .pem file>
    User username
Host MachineA
    HostName <MachineA-IP>
    # nc running on MachineB relays the TCP stream to MachineA's port 22.
    # OpenSSH 5.4+ can do this without nc: ProxyCommand ssh -W %h:%p MachineB
    ProxyCommand ssh MachineB nc -w 120 %h %p
    IdentityFile <Full Path of .pem file>
    User username
Then access MachineA like:
$ ssh MachineA
To reach an EC2 instance in a private subnet via a bastion host in a public subnet, without placing your SSH private key on the bastion, you need to use SSH agent forwarding.
Specific instructions are provided here.
I have a bastion server on AWS which I connect to through the following configuration:
Host bastion
    HostName <bastion_public_ip>
    IdentityFile ~/.ssh/id_rsa
    User ubuntu
Now I have set up an instance for which this bastion is used as a jump server. However, the instance was created with a separate key, mykey.pem, and not the SSH key used to connect to the bastion. Earlier, when I was using the same key, I could connect with the following config:
Host test-ec2
    HostName <ec2_private_ip>
    IdentityFile .ssh/id_rsa
    User ec2-user
    ProxyCommand ssh -W %h:%p bastion
However, now that I have changed the identity file to ~/mykey.pem, this does not work anymore. I wonder how I can set this up to use different keys and pass that through this SSH proxy command.
Generate a public key for the key you want to use. You can do this with tools like PuTTYgen.
Copy the public key and SSH into your jump host (using mykey.pem, the new key).
Run vi .ssh/authorized_keys, press "i" to edit the file and paste the public key you copied (don't delete the existing public key in that file if you still need to access the jump host using the new pem file). Then press Escape, type :wq and press Enter to save the file.
Now exit the jump host and try to SSH again with your old key, the one you created the public key for.
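The config the question is after, with a different key on each hop, as an added example that is not part of the question or the answer above. It also covers the ProxyCommand-plus-nc config in the first answer on this page: ProxyJump (OpenSSH 7.3 and later) is the built-in equivalent of `ProxyCommand ssh -W %h:%p bastion`, and with either form the bastion only relays an encrypted TCP stream, so neither private key has to be copied to it and no agent forwarding is needed. Two settings do the work that is usually missing: a separate IdentityFile in each Host block means mykey.pem is used only on the inner hop, and IdentitiesOnly yes stops ssh from first offering every key in the agent and the default locations, each of which counts against the server's MaxAuthTries. The script writes the config to a path you give it and reads back what ssh resolves with `ssh -G`; host aliases, addresses and key paths are placeholders, not values from the posts.

```shell
#!/usr/bin/env bash
# Added example: ~/.ssh/config for a two-hop connection that uses a different key on
# each hop. Host aliases, addresses and key paths are placeholders (assumptions).

# write_jump_config <config-file> <bastion-ip> <bastion-key> <target-ip> <target-key>
# Writes one Host block per hop. The file is created 0600 because ssh refuses a
# config file that other users can write.
write_jump_config() {
    cfg=$1 bastion_ip=$2 bastion_key=$3 target_ip=$4 target_key=$5
    (
        umask 077
        cat > "$cfg" <<EOF
# Hop 1: public bastion, reached with the key the bastion was launched with
Host bastion
    HostName $bastion_ip
    User ubuntu
    IdentityFile $bastion_key
    IdentitiesOnly yes

# Hop 2: private instance, launched with a different key pair.
# ProxyJump makes the bastion relay a TCP stream to HostName:22; the key for
# this hop is used by the local ssh and never leaves this machine.
# Older OpenSSH (before 7.3): replace ProxyJump with
#     ProxyCommand ssh -W %h:%p bastion
Host test-ec2
    HostName $target_ip
    User ec2-user
    IdentityFile $target_key
    IdentitiesOnly yes
    ProxyJump bastion
EOF
    )
}

# resolved_option <config-file> <host-alias> <option>
# Prints the value ssh will actually use for the alias, taken from `ssh -G`
# (keywords are printed in lower case), so a wrong path or alias shows up
# before any connection attempt.
resolved_option() {
    ssh -G -F "$1" "$2" | awk -v k="$3" '$1 == k { print $2; exit }'
}

# Usage: ./jumpcfg.sh <config-file> <bastion-ip> <bastion-key> <target-ip> <target-key>
# Then test it without touching ~/.ssh/config:  ssh -F <config-file> test-ec2
if [ "$#" -eq 5 ]; then
    write_jump_config "$@"
    echo "key used for test-ec2: $(resolved_option "$1" test-ec2 identityfile)"
    echo "jumps through:         $(resolved_option "$1" test-ec2 proxyjump)"
fi
```

Writing to a separate file and passing it with `-F` lets you try the two-hop config before replacing ~/.ssh/config; once it works, append the two Host blocks to the real file.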
Currently my .ssh/config has
Host git-codecommit.*.amazonaws.com
    User APKAS2GIPODK72AAAAAA
    IdentityFile ~/.ssh/codecommit_rsa
Host github.com
    User durrantm
    IdentityFile ~/.ssh/id_rsa
I believe I can add an entry for a specific EC2 machine that I want to ssh into.
Is there a way to make the pem file the default for all my EC2 SSH connections (while I am using the awscli, configured for my account user) so that I don't have to pass -i "abc.pem" for each EC2 connection?
Yes, you can if you connect to the instances via their public DNS.
Add this to your SSH config:
# Matches the public DNS names of the form ec2-1-2-3-4.<region>.compute.amazonaws.com.
# Instances in us-east-1 get ec2-1-2-3-4.compute-1.amazonaws.com instead; add that
# pattern to the same Host line if you use that region.
Host ec2-*.compute.amazonaws.com
    IdentityFile abc.pem
This is identical to what you have with Host git-codecommit.*.amazonaws.com
Yes, you can start an ssh-agent on your EC2 instance and have it load your private key. Then whenever you try to SSH to any instance that offers public key authentication, the ssh-agent will attempt to authenticate you using the loaded private key. This article describes it nicely.
eval $(ssh-agent) && ssh-add ~/.ssh/*.pem
I have my NAT and Bastion set up to log in with SSH forwarding:
ssh-add -K keyfile.pem
ssh -A ec2-user@bastionhost
ssh ec2-user@privateSubnetServer
What's the best method for handling SSH and users at this point between hosts in the private subnet?
I get:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
when trying to do it the traditional Linux way. I can get to them if I use the AWS-created key pairs.
I can't set up or connect to a directory service at this point.
There can be two reasons: either the key is invalid, or the proxy command is not working as you expect.
Before that, set your proxy command like this:
Host bastion
    HostName bastion_Address
    User centos|whatever
    IdentityFile /mykeys/ec2.pem
Now try to SSH to the bastion:
ssh bastion
If the above works, then the bastion is working fine and we can set the proxy command now.
Host private_server
    HostName 10.0.5.45
    User centos
    IgnoreUnknown UseKeychain
    AddKeysToAgent yes
    ProxyCommand ssh bastion -W %h:%p
Now you can SSH to the private server:
ssh private_server
Normally these are necessary only just in case; on a Mac this sometimes happens:
    IgnoreUnknown UseKeychain
    AddKeysToAgent yes
.ssh/config: "Bad configuration option: UseKeychain" on Mac OS Sierra 10.12.6
You can debug the issue using this flow:
1. SSH to the bastion
2. Copy your private server SSH key to the bastion
3. SSH to the private instance
If the above worked, it means the bastion SSH config is not valid.
If the above does not work, then the key is not valid.
Host bastion.ip.address
    User ec2-user
    IdentityFile ~/.ssh/bastionkey.pem
    CheckHostIP no
Host private.subnet.ip
    User ec2-user
    IdentityFile ~/.ssh/bastionkey.pem
    ProxyCommand ssh ec2-user@bastion.host.ip -W %h:%p
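Client-side checks for the Permission denied (publickey) case, as an added example that is not part of the answers above. The debugging flow above copies the private server's key onto the bastion; that is what the first question on this page is trying to avoid, and it gives anyone with root on the bastion a copy of the key. The checks below need nothing on the bastion: the key file each hop resolves to must exist and be mode 600 (ssh prints "UNPROTECTED PRIVATE KEY FILE", ignores a 0644 key, and then reports Permission denied once nothing else fits); each hop is tried on its own with BatchMode=yes so a failure errors out instead of hanging at a prompt; only then is the full path tried with -v, whose log names the key offered on each hop. Host aliases and key paths are placeholders; the proxy for the target comes from the alias's own ProxyCommand or ProxyJump in ~/.ssh/config.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks on the client for "Permission denied (publickey)"
# through a bastion. Aliases, users and paths are placeholders (assumptions).

# key_file_ok <path>: 0 if <path> is a regular file readable only by its owner.
# ssh refuses to use a key that others can read ("UNPROTECTED PRIVATE KEY FILE"),
# so a 0644 .pem produces Permission denied (publickey) on the hop that needs it.
key_file_ok() {
    key=$1
    [ -f "$key" ] || { echo "no such key file: $key" >&2; return 1; }
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
    case "$mode" in
        400|600) return 0 ;;
        *) echo "$key has mode $mode; run: chmod 600 $key" >&2; return 1 ;;
    esac
}

# identity_for <alias>: the first IdentityFile ssh resolves for the alias from
# ~/.ssh/config (via `ssh -G`), with a leading ~ expanded.
identity_for() {
    ssh -G "$1" | awk -v h="$HOME" '$1 == "identityfile" { sub(/^~/, h, $2); print $2; exit }'
}

# hop_ok <alias>: authenticate to one alias non-interactively and run nothing else.
# BatchMode=yes turns any password or passphrase prompt into a hard failure, so
# the result is a clean yes/no for that hop and its configured key alone.
hop_ok() {
    ssh -o BatchMode=yes -o ConnectTimeout=10 -o IdentitiesOnly=yes "$1" true
}

# preflight <bastion-alias> <target-alias>: check keys, then the bastion hop,
# then the full path with -v so the log shows which key was offered where.
preflight() {
    bastion=$1 target=$2
    for h in "$bastion" "$target"; do
        key=$(identity_for "$h")
        echo "$h uses key $key"
        key_file_ok "$key" || return 1
    done
    hop_ok "$bastion" || { echo "bastion hop failed; fix $bastion before the jump" >&2; return 1; }
    # Look for "Offering public key: <path>" and "Authenticated to <host>" per hop.
    ssh -v -o BatchMode=yes "$target" true
}

# Usage: ./preflight.sh bastion private_server
if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```

If the bastion hop passes and the target hop fails, the key is the usual culprit: compare `ssh-keygen -y -f <key>` on the client with the target's ~/.ssh/authorized_keys (readable through the EC2 console's instance screenshot or system log only if you have no other way in).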
Situation: basically I have an EC2 instance, and to log in to the EC2 instance I first log in to the jump server and then log in to my instance with its private IP; all my pem files are stored on the jump server and on the private instance (EC2 instance).
What I have done: I have edited the sshd_config file, changed "PasswordAuthentication no" to "PasswordAuthentication yes" and created a password like "xyz123"; now I am able to log in to my machine with
ssh ubuntu@ipaddress and password xyz123
but this is not serving my open item.
What I am looking for: actually I used to share my .pem file with my team members so they could access the instance. If I enable password login with the IP, they can still log in with username and password, and if they leave my org and still have my pem file handy they can still access my instance with the pem file or the password.
What is the best way to avoid this problem?
Will Active Directory help here, or LDAP? If so, how?
Please help me with my queries.
The best solution now is to use AWS Systems Manager Session Manager. This requires no pem sharing: SSH access directly from the browser. I am using this and have not found any issues. Also, entire sessions can be audited.
Otherwise, rotate your key pairs, though I am not sure if there is an AWS way to do it. Also, follow best practice by configuring security groups to open only to known IPs instead of the whole world.
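Per-person keys on the instance, as an added example that is not part of the question or either answer. It is the scriptable form of the "paste it into .ssh/authorized_keys with vi" steps given further up this page, and it is what the shared-pem problem above actually needs: the EC2 key pair is only written into authorized_keys at first boot, and after that sshd reads ~/.ssh/authorized_keys on every login, so that file is the thing to manage and nothing has to be restarted. Each team member generates their own key pair (`ssh-keygen -t ed25519`) and hands over only the public half; the admin adds it tagged with the person's name and, optionally, pinned to their source address with `from=`; when they leave, their line is removed and the box is not re-keyed. PasswordAuthentication stays at no. The public keys in the demo are constructed placeholders, not real key material, and the file path is a parameter so the script can be tried against a scratch file first.

```shell
#!/usr/bin/env bash
# Added example: per-person entries in authorized_keys instead of one shared .pem.
# The public keys used in the demo below are constructed placeholders (assumptions).

# add_authorized_key <file> <person> "<type> <base64>" [allowed-source]
# Appends the key with the person's name as the comment. Refuses duplicates
# (same key data) and unknown key types. With a source, prepends from="..." so
# sshd accepts the key only from that address or CIDR.
add_authorized_key() {
    file=$1 person=$2 pubkey=$3 src=${4:-}
    ktype=$(printf '%s\n' "$pubkey" | awk '{ print $1 }')
    kdata=$(printf '%s\n' "$pubkey" | awk '{ print $2 }')
    case "$ktype" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "unsupported key type: $ktype" >&2; return 2 ;;
    esac
    [ -n "$kdata" ] || { echo "malformed public key" >&2; return 2; }
    [ -f "$file" ] || : > "$file"
    chmod 600 "$file"            # sshd ignores the file if others can write it
    if grep -qF -- "$kdata" "$file"; then
        echo "key already present in $file" >&2
        return 1
    fi
    opts=""
    if [ -n "$src" ]; then opts="from=\"$src\" "; fi
    printf '%s%s %s %s\n' "$opts" "$ktype" "$kdata" "$person" >> "$file"
}

# revoke_person <file> <person>: removes every key whose comment is exactly that
# person. The file is rewritten in place (same inode, same mode); sshd sees the
# change on the next login attempt.
revoke_person() {
    file=$1 person=$2
    tmp=$(mktemp)
    awk -v p="$person" '$NF != p' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# list_people <file>: the comment (person) of each key, one per line.
list_people() { awk 'NF { print $NF }' "$1"; }

# Usage: ./ak.sh demo [file]   (never point the demo at a real authorized_keys)
if [ "${1:-}" = demo ]; then
    f=${2:-./authorized_keys.demo}
    add_authorized_key "$f" alice "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERalice0000000000000000000000000" 198.51.100.7
    add_authorized_key "$f" bob   "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERbob000000000000000000000000000"
    echo "--- before"; cat "$f"
    revoke_person "$f" alice     # alice left: her line goes, bob's key is untouched
    echo "--- after";  cat "$f"
fi
```

Run it on the instance as the login user (ec2-user or ubuntu) against ~/.ssh/authorized_keys; the shared .pem's own line can be revoked the same way once everyone has a personal key, which is the rotation the answer above was looking for.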
Here you can convert your jump server into an SSH bastion server. The same can be done by setting up iptables rules on this server. Below is an example of a rule you can set up:
iptables -t nat -A PREROUTING -d xx.xx.xx.xx -p tcp --dport yyyy -j DNAT --to zz.zz.zz.zz:22
Here xx.xx.xx.xx is the private IP of the SSH bastion server, yyyy is the port that will be used for inbound access, and zz.zz.zz.zz is the private IP of the destination server. This rule simply means that when you SSH into the bastion on port yyyy, the traffic is forwarded to port 22 on the zz.zz.zz.zz machine.
In this case you only have to configure the SSH public key on the destination machine (zz.zz.zz.zz), and the client machine will have the private key. The command to connect from the client machine will be ssh -i <path-to-private-key> username@BastionPublicIP -p yyyy
Below are the ports to be opened in the security groups:
Bastion - Inbound - yyyy (from your IP)
Bastion - Inbound - 22 (from your IP)
Destination - Inbound - 22 (from the bastion machine)
I suggest you use an Amazon Linux AMI for the SSH bastion server.
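The full set of commands the DNAT rule needs around it, as an added example that is not part of the answer above. On its own the PREROUTING rule only rewrites the destination: the kernel still has to be allowed to forward (net.ipv4.ip_forward and the FORWARD chain), and the destination's replies must come back through the bastion. Without SNAT/MASQUERADE the forwarded packet keeps the client's public source address, which the EC2 source/destination check on the bastion's network interface drops unless that check is disabled, and which would in any case route the reply out through the subnet's NAT gateway instead of back to the bastion. With MASQUERADE the destination's sshd and security group see the bastion's private IP as the source, which is exactly the "Destination - Inbound - 22 (from the bastion machine)" rule in the answer. The script prints the commands rather than running them, so they can be reviewed and then piped into `sudo sh` on the bastion; addresses are placeholders. One property to keep in mind: a DNAT bastion relays raw TCP, so its own sshd never sees the sessions and cannot log who connected, and the destination's logs attribute every login to the bastion's address.

```shell
#!/usr/bin/env bash
# Added example: complete iptables rule set for a port-forwarding (DNAT) bastion.
# Prints the commands for review; apply with:  bastion_forward_rules ... | sudo sh
# All addresses are placeholders (assumptions).

# valid_ipv4 <string>: 0 for a dotted quad with every octet in 0..255.
valid_ipv4() {
    saved=$IFS; IFS=.; set -- $1; IFS=$saved
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# valid_port <string>: 0 for an integer in 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# bastion_forward_rules <listen-port> <bastion-private-ip> <dest-private-ip> [dest-port] [remove]
# Emits sysctl + iptables commands. With "remove" as the 5th argument the same
# rules are emitted with -D instead of -A, so a forward can be torn down exactly.
bastion_forward_rules() {
    lport=$1 bastion=$2 dest=$3 dport=${4:-22} act=-A
    if [ "${5:-}" = remove ]; then act=-D; fi
    if ! valid_port "$lport" || ! valid_ipv4 "$bastion" || ! valid_ipv4 "$dest" || ! valid_port "$dport"; then
        echo "usage: bastion_forward_rules <listen-port> <bastion-ip> <dest-ip> [dest-port] [remove]" >&2
        return 2
    fi
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat $act PREROUTING -d $bastion -p tcp --dport $lport -j DNAT --to-destination $dest:$dport
iptables $act FORWARD -p tcp -d $dest --dport $dport -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables $act FORWARD -p tcp -s $dest --sport $dport -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat $act POSTROUTING -p tcp -d $dest --dport $dport -j MASQUERADE
EOF
}

# Usage: ./fwd.sh <listen-port> <bastion-private-ip> <dest-private-ip> [dest-port] [remove]
if [ "$#" -ge 3 ]; then bastion_forward_rules "$@"; fi
```

The listen port is matched on the bastion's private address because that is what the packet carries after AWS has translated the public IP; the security group on the bastion, not iptables, is what limits who may reach that port.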
I am currently working on an AWS EC2 Linux AMI. I have a private IP. Is it possible to access that private IP with FileZilla to transfer files? I am unable to do so.
To access an EC2 machine by its private IP, you need to set up your own VPN server. If you already have a VPN set up in your AWS cloud, then you just need to install a VPN client and log in with your credentials, and you will be able to access the EC2 machine or transfer files using FileZilla with the private IP too. I am assuming that you haven't set up a VPN server. You may use the OpenVPN AMI from the AWS Marketplace to set up a VPN. Below is a good link for getting started.
https://docs.openvpn.net/how-to-tutorialsguides/virtual-platforms/amazon-ec2-appliance-ami-quick-start-guide/
After completing this you have to install OpenVPN on your machine, and after logging in with your credentials you will be able to access your EC2 instance with its private IP.
Below is the link for installing OpenVPN on an Ubuntu machine. For a different operating system you can explore the site.
https://docs.openvpn.net/getting-started/how-to-install-openvpn-as-software/
OpenVPN is one alternative; you can use others as well, as per your need.
There are 2 ways you can do this:
1. Create a bastion host which will connect to the private instance
2. Use port forwarding, i.e. tunnelling
If you are using a bastion host to connect to the private EC2 instance, then these steps will be useful.
Using FileZilla to transfer files to a private EC2 instance through a bastion host:
Note: keep the pem file the same for the bastion host and the private EC2 instance.
1. Open a terminal or cmd (Linux terminal, i.e. Git Bash).
2. We connect to the AWS EC2 instance with one terminal command:
ssh -N -L 1234:<private_instance_ip or Private_DNS>:22 -i <Pem_File> <user>@<Bastion_host_public_ip>
e.g.
ssh -N -L 1234:ip-171-12-21-208.us-east-1.compute.internal:22 -i app_prod.pem ubuntu@ec2-31-92-123-22.us-east-1.compute.amazonaws.com
Note: the first time you enter this command it will ask "Are you sure you want to continue connecting?"; answer yes.
3. Keep this terminal or cmd open.
If you close this session, the connection is broken.
4. Open the "FileZilla" application and in the "Edit" menu click "Settings".
5. On the "Settings" page click "SFTP", add the PEM file of the EC2 instance and click "OK".
6. Add the entries below:
Host: 127.0.0.1 or sftp://127.0.0.1
Username: <your_user>
Password: keep empty
Port: 1234
7. Click "Quickconnect".
Once the connection is established you can easily transfer files from local to the private instance.
See: Using scp to transfer files to a private EC2 instance through a bastion host
https://www.davidbegin.com/using-scp-to-transfer-files-to-a-private-ec2-instance-through-a-bastion-host/
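The tunnel from step 2 run under ssh's control socket, as an added example that is not part of the answer above, so it can be opened, checked and closed from a script instead of from a terminal that must stay open. `-f` backgrounds ssh only after authentication and the host-key prompt, `-M`/`-S` create the control socket, `-O check` and `-O exit` talk to it, and ExitOnForwardFailure turns a local port that is already taken into a hard error rather than a connected tunnel that forwards nothing. One detail both FileZilla and sftp run into: the private instance's host key is stored under [127.0.0.1]:1234, so pointing the same local port at a second instance later triggers a host-key mismatch; on the command line HostKeyAlias files the known_hosts entry under the instance's real address instead. For scp or sftp alone the tunnel is not needed at all, since both accept `-J user@bastion`. Hosts, users and key paths are placeholders; wait_for_port is the only part that runs without a real bastion, and it uses bash's /dev/tcp, so the script needs bash.

```shell
#!/usr/bin/env bash
# Added example: an ssh local forward to a private instance, managed through a
# control socket. Hosts, users and key paths are placeholders (assumptions).

# wait_for_port <host> <port> <seconds>: 0 once something accepts TCP connections
# on host:port, 1 after the timeout. Uses bash's /dev/tcp, so no nc is needed.
wait_for_port() {
    host=$1 port=$2 deadline=$(( $(date +%s) + $3 ))
    while :; do
        if (exec 3<>"/dev/tcp/$host/$port") 2>/dev/null; then
            return 0
        fi
        [ "$(date +%s)" -lt "$deadline" ] || return 1
        sleep 1
    done
}

# open_tunnel <socket> <bastion-key> <user@bastion> <private-ip> <local-port>
# Listens on 127.0.0.1:<local-port> and forwards to <private-ip>:22 via the bastion.
# -f puts ssh in the background only after authentication, so the first-time
# host-key question is still answered interactively.
open_tunnel() {
    sock=$1 key=$2 bastion=$3 target=$4 lport=$5
    ssh -f -N -M -S "$sock" \
        -o ExitOnForwardFailure=yes \
        -o IdentitiesOnly=yes -i "$key" \
        -L "127.0.0.1:$lport:$target:22" "$bastion" || return 1
    wait_for_port 127.0.0.1 "$lport" 10
}

tunnel_alive() { ssh -S "$1" -O check "$2" >/dev/null 2>&1; }   # <socket> <user@bastion>
close_tunnel() { ssh -S "$1" -O exit  "$2" >/dev/null 2>&1; }   # <socket> <user@bastion>

# Usage: ./tunnel.sh <bastion-key> <user@bastion> <private-ip> <instance-key> <instance-user> [local-port]
if [ "$#" -ge 5 ]; then
    bkey=$1 bastion=$2 target=$3 tkey=$4 tuser=$5 lport=${6:-1234}
    sock="${TMPDIR:-/tmp}/bastion-$$.sock"
    open_tunnel "$sock" "$bkey" "$bastion" "$target" "$lport" || { echo "tunnel did not come up" >&2; exit 1; }
    trap 'close_tunnel "$sock" "$bastion"' EXIT     # tear the tunnel down when this script ends
    # FileZilla: host 127.0.0.1, port $lport, the instance key under Settings > SFTP.
    # Command line equivalent; HostKeyAlias files the host key under the instance's
    # own address rather than under [127.0.0.1]:$lport.
    sftp -P "$lport" -o IdentitiesOnly=yes -o HostKeyAlias="$target" -i "$tkey" "$tuser@127.0.0.1"
fi
```

Because the bastion hop and the SFTP hop use separate `-i` keys here, the "keep the pem file the same" note above is a simplification rather than a requirement: the bastion only ever sees the bastion key.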