Multiple ssh hop connections with Putty - amazon-web-services

Basically, I have the following line of code:
ssh -i AWS-EC2.pem -o ProxyCommand='ssh -i Server-Key abc@52.00.00.00 nc %h %p' AWS-User@99.00.00.00
But what I would like to have (and am not able to do yet) is to create a connection from my Windows 10 PC to the AWS-EC2 server via PuTTY.
In general, we have 1 server which you can only access with a key "Server-Key", and via this connection we should be able to connect to the AWS-EC2 server via AWS-EC2.pem.
Thus:
my_pc --- Server-key ---> Server --- AWS-EC2.pem ---> AWS-EC2-server
I already made 2 ppk files from the Server-key & AWS-EC2.pem.
Kind regards

To solve this problem,
ssh -i AWS-EC2.pem -o ProxyCommand='ssh -i Server-Key abc@52.00.00.00 nc %h %p' AWS-User@99.00.00.00
whereby you have two keys (AWS-EC2.pem and Server-key),
you have to configure your PuTTY as follows. And don't forget to generate 2 ppk files with the PuTTY key generator.

Related

SSH reverse port forward on EC2 aws instance

I used to have an ssh reverse port forwarding from my local computer to a remote EC2 AWS server on port 9999. (9999 for both machines.)
It used to work, but I created a new instance, and now it doesn't anymore. (Half working.) I'm not sure what I did to make it work back then... (Or something was changed.)
I have a process running on my computer on port 9999 and I want it to listen to the port 9999 of my EC2.
On my computer, curl "127.0.0.1:9999" is working.
But I want curl "ec2-xx-xx-xx-xx-xx.compute.amazonaws.com:9999" to work; for now it doesn't, giving me the error curl: (7) Failed to connect to ec2-xx-xx-xx-xx-xx.compute.amazonaws.com port 9999 after 59 ms: Connection refused
EC2 Security group is set to open 9999 on TCP for 0.0.0.0/0.
I create the forwarded port with the command:
ssh -R 9999:localhost:9999 -i "/home/example/XXX.pem" ubuntu@ec2-xx-xx-xx-xx-xx.compute.amazonaws.com
The connection ssh is established without errors.
Inside this ssh session I can even do curl "127.0.0.1:9999" inside and IT IS WORKING. Reaching my local computer.
But the request from the web isn't... (curl "ec2-xx-xx-xx-xx-xx.compute.amazonaws.com:9999" doesn't work...)
The path is good, if I install apache2 on port 80 curl "ec2-xx-xx-xx-xx-xx.compute.amazonaws.com:80" is working. (port 80 is added the same way to the security group)
I did sudo ufw disable, same problem.
Do you have an idea what I'm missing?
EDIT: On the ssh -R forward session on the EC2:
ubuntu@awsserver:~$ php -S 0.0.0.0:9999 -t .
[Wed Dec 14 16:35:11 2022] Failed to listen on 0.0.0.0:9999 (reason: Address already in use)
BUT, if I open a normal ssh session, I can run php -S 0.0.0.0:9999 -t ., the code curl "ec2-xx-xx-xx-xx-xx.compute.amazonaws.com:9999" is working everywhere as expected.
So... it is telling me that the port is already used (by the ssh -R command), but it is closed when I try to connect to it... I don't get it.
The answer wasn't EC2/AWS related.
It's a security feature from SSH that I had to disable: GatewayPorts yes

Attempting to ssh tunnel to another server within the vpc to a specific port to access my api

This is an odd scenario. Essentially, within a vpc, I am attempting to create an ssh tunnel from server A to server B in which server B hosts the api at port 9000, and server A wants to be able to reverse proxy to port say 5000 which should pass the query to server B's port 9000, and return data. I have been tearing my hair out. I currently have gotten this far:
ssh 3000:localhost3000 -vvv -N -i rsa.pem serverB@serverBIP
after which I have attempted to access the port 22 on server A using a curl request but I got a response -- curl: (1) Received HTTP/0.9 when not allowed
I also tried specifying a port
ssh -vvv -N -i rsa.pem serverB@serverBIP -p3000
which quits on me entirely with the response: ssh: connect to host serverBIp port 3000: No route to host
Finally, I tried
ssh -vvv -N -i workstation_pem.pem 3000:localhost:3000 serverBUser@serverBID
which results in Could not resolve hostname 3000:localhost:3000: Name or service not known
Please advise, I am not sure what I am doing wrong. I feel like this should be simple, but I am struggling to get it to work - a simple tunnel from one instance to another at a port to port on server B where serverB has a gunicorn server running
You would need to log in to ServerA and then run this command:
ssh -i key.pem -N -L 5000:serverBIP:9000 serverBUser@serverBIP
This tells the computer on which it is run (which is ServerA) to listen on port 5000 and send any incoming requests to port 9000 on ServerB.
Detailed explanation: explainshell.com - ssh -i key.pem -N -L 5000:serverBIP:9000 serverBUser@serverBIP
See also: SSH/OpenSSH/PortForwarding - Community Help Wiki
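The following is an added example, not code from either of the two threads above. It is a minimal TCP forwarder in Python that does, in user space, what the listening side of `ssh -L 5000:serverBIP:9000` (the answer just above) and `ssh -R 9999:localhost:9999` (the GatewayPorts question earlier) do: accept a connection on a chosen bind address and relay it to a target. A built-in echo server stands in for the real service (gunicorn on server B, or the local process on port 9999), and all addresses, ports and the probe payload are constructed for the demo. Running the forwarder bound to 127.0.0.1 versus 0.0.0.0 reproduces the earlier symptom exactly: the loopback-only listener answers a client on 127.0.0.1 but refuses a client arriving on any other address (127.0.0.2 here, which Linux routes to the loopback interface), which is why curl inside the ssh session worked while curl from outside got "Connection refused". On the sshd side, `-R` listeners are bound to loopback unless `GatewayPorts yes` (or `clientspecified`) is set in sshd_config.

```python
import contextlib
import socket
import threading

# Constructed request used as the probe payload; the echo server sends it straight back.
PAYLOAD = b"GET / HTTP/1.0\r\n\r\n"


def _pump(src, dst):
    """Copy bytes from src to dst until EOF, then half-close dst so the peer sees EOF too."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        with contextlib.suppress(OSError):
            dst.shutdown(socket.SHUT_WR)


def _listen(bind_addr):
    """Listening socket on bind_addr with a kernel-chosen free port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((bind_addr, 0))
    sock.listen(5)
    return sock


def start_echo_server():
    """Stand-in for the real service: echoes whatever it receives (constructed for the demo)."""
    srv = _listen("127.0.0.1")

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener closed
            threading.Thread(target=_pump, args=(conn, conn), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv


def start_forwarder(bind_addr, target):
    """Listen on bind_addr and relay every accepted connection to target, like ssh -L / -R.

    bind_addr is the knob GatewayPorts controls on sshd: 127.0.0.1 is what a -R listener
    gets by default, 0.0.0.0 is what it gets with GatewayPorts yes.
    """
    lst = _listen(bind_addr)

    def serve():
        while True:
            try:
                client, _ = lst.accept()
            except OSError:
                return
            try:
                upstream = socket.create_connection(target)
            except OSError:
                client.close()  # target down: drop the client, keep serving
                continue
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return lst


def probe(connect_addr, port):
    """Connect to the forwarder, send PAYLOAD, return the reply, or None if refused."""
    try:
        with socket.create_connection((connect_addr, port), timeout=3) as s:
            s.sendall(PAYLOAD)
            s.shutdown(socket.SHUT_WR)
            chunks = []
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
            return b"".join(chunks)
    except OSError:
        return None


def forward_and_probe(bind_addr, connect_addr):
    """Bring up echo server + forwarder bound to bind_addr, then probe it via connect_addr."""
    echo = start_echo_server()
    fwd = start_forwarder(bind_addr, echo.getsockname())
    try:
        return probe(connect_addr, fwd.getsockname()[1])
    finally:
        fwd.close()
        echo.close()


if __name__ == "__main__":
    print("loopback bind, loopback client:", forward_and_probe("127.0.0.1", "127.0.0.1"))
    print("loopback bind, other address  :", forward_and_probe("127.0.0.1", "127.0.0.2"))
    print("wildcard bind, other address  :", forward_and_probe("0.0.0.0", "127.0.0.2"))
```

The second line of output is the "Address already in use" plus "Connection refused" pairing from the question: the port is taken, but only on 127.0.0.1. Before flipping `GatewayPorts yes` on an internet-facing instance, note that it does the same thing as the wildcard bind above for every `-R` forward any user sets up, so the security group (and not the loopback bind) becomes the only thing limiting who can reach the forwarded service.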

Ansible "connection closed" using AWS .pem file with Dynamic Inventory

Ansible is failing with a "connection closed" error when using an AWS .pem file. Yet I can connect OK via ssh using the same file. Does anyone know what the problem might be?
I have a couple of servers in AWS set-up with dynamic inventory (ignore the one without a public IP I know that won't work):
$ ansible-inventory -i aws_ec2.yaml --graph
@all:
|--@aws_ec2:
| |--ec2-34-244-225-4.eu-west-1.compute.amazonaws.com
| |--ip-10-128-1-129.eu-west-1.compute.internal
|--@ungrouped:
I can happily connect to the server with a public IP as follows:
$ ssh -i $HOME/.ssh/my-dev.pem openvpnas@ec2-34-244-225-4.eu-west-1.compute.amazonaws.com
Welcome to OpenVPN Access Server Appliance 2.8.5
System information as of Wed Aug 5 18:17:25 UTC 2020
etc.
But when I try to use Ansible with the same .pem file it fails with a connection closed error, and I don't know why.
$ ansible all -i aws_ec2.yaml -a 'uptime' \
--private-key=$HOME/.ssh/my-dev.pem \
--become-user=openvpnas
.
.
.
ec2-34-244-225-4.eu-west-1.compute.amazonaws.com | UNREACHABLE! => {
"changed": false,
"msg": "Failed to connect to the host via ssh: Connection closed by 34.244.225.4 port 22",
"unreachable": true
}
Is this a .pem file funny, or something to do with dynamic inventory? Any ideas?
--become-user is to run operations as that user. Try with --user openvpnas in the command, or you can set it in the ansible.cfg file as remote_user = openvpnas

How to Create Multi ssh Tunneling on AWS?

I have a running instance on host2 on port p2. I want to access through localhost:p2.
I can ssh to host1 with h1.pem, and from host1 I can ssh to host2 with h2.pem.
I believe you are describing a situation where you have access from localhost (host h0) to host h1 (IP address a.a.a.a), and host h1 has access to host h2 (IP address b.b.b.b), but h0 does not have connectivity to host h2.
You want to connect from h0 to h2 via h1, and establish a TCP tunnel from a port on h0 to a destination port on h2.
I will teach you how to catch this fish, rather than just catching one for you.
First, assuming for a moment that you did have direct access from h0 to h2, how would you make an SSH connection?
You would connect like this:
ssh -i h2.pem h2user@b.b.b.b
...and you could establish a tunnel like this...
ssh -i h2.pem h2user@b.b.b.b -L 31337:127.0.0.1:3306
This would accept connections on h0 port 31337 and connect them to h2's loopback adapter 127.0.0.1 on port 3306.
I believe this is what you want.
But, you don't have direct access to h2, so you need to proxy the SSH connection via h1.
From h0, we can connect to h1 like this:
ssh -i h1.pem h1user@a.a.a.a
So we take that info, and tell SSH that we want to use it to create a ProxyConnection to h1, where we'll run the nc command, which establishes a remote connection and ties its payload back to stdin and stdout. SSH will pass the hostname and SSH port of h2 to nc running on h1, which will pass back to us on the SSH connection to h1, which we will use to speak SSH to h2. We pass this as ProxyCommand to our ssh attempt from h0 to h2.
'-o ProxyCommand=ssh -i h1.pem h1user@a.a.a.a nc %h %p'
Putting it all together (line breaks for clarity):
ssh '-o ProxyCommand=ssh -i h1.pem h1user@a.a.a.a nc %h %p' \
-i h2.pem \
h2user@b.b.b.b \
-L 31337:127.0.0.1:3306
And there you have it.
Under the hood, h0 makes an ssh connection to h1, where it runs nc b.b.b.b 22. SSH on h0 uses these streams to create a second ssh session to h2 via the connection it already has to h1. The tunnel is negotiated directly with h2 over this connection.
Note that in this scenario, both of the keys h1.pem and h2.pem are on your local machine. The h2.pem key does not need to be present on h1 at all.
Note also that this has nothing to do with AWS. It's just standard SSH usage.
You can add the -N option to the end of the command if you just want to allow the tunnels but you don't want or need to start a shell on h2.
Or if you want a spiffy little monitor showing that your tunnel is still up, you can add this to the very end of the complete ssh command shown above. Be sure to include all of the ' exactly as shown.
'perl -MPOSIX -e '\''$|=1; while(sleep(1)){ print "\e[0GConnected " . POSIX::strftime("%Y-%m-%d %H:%M:%S",gmtime)}'\'''
This will show a continuously updating message on the console of h0 "Connected YYYY-mm-dd HH:MM:SS" message confirming that your connection is still established end to end.
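As an added example (not code from any of the answers above, nor from OpenSSH itself): the two-hop ProxyCommand recipe, used in the first question and again in the answer just above, generalises to a chain of any length once each hop lives in ~/.ssh/config as a Host alias whose ProxyCommand opens ssh to the previous alias and runs `nc %h %p` there. The Python helper below renders such a config for an arbitrary list of hops and also applies the check ssh itself enforces before it will use a key: a private key readable by group or others is rejected. The aliases, user names, addresses and key paths in the demo are placeholders modelled on the first question, and `Hop`, `ssh_config_for_chain` and the other function names are this example's own.

```python
import os
import stat
from dataclasses import dataclass


@dataclass
class Hop:
    alias: str    # Host alias to put in ~/.ssh/config (hypothetical, chosen by you)
    user: str     # login user on that hop
    address: str  # IP or DNS name of the hop as seen from the *previous* hop
    key: str      # private key for that hop; stays on the local machine (h0) only


def ssh_config_for_chain(hops):
    """Render Host stanzas for h0 -> hops[0] -> hops[1] -> ... -> hops[-1].

    Every hop after the first gets a ProxyCommand that sshes to the previous alias and
    runs nc %h %p there, the same construction as the one-liner in the answers. Since
    the previous alias carries its own ProxyCommand, the chain nests for any length.
    """
    stanzas = []
    previous = None
    for hop in hops:
        lines = [
            f"Host {hop.alias}",
            f"    HostName {hop.address}",
            f"    User {hop.user}",
            f"    IdentityFile {hop.key}",
            "    IdentitiesOnly yes",  # offer only this key, not every key the agent holds
        ]
        if previous is not None:
            lines.append(f"    ProxyCommand ssh {previous.alias} nc %h %p")
        stanzas.append("\n".join(lines))
        previous = hop
    return "\n\n".join(stanzas) + "\n"


def mode_is_private(mode):
    """True when the permission bits grant nothing to group or others (e.g. 0600, 0400)."""
    return (stat.S_IMODE(mode) & 0o077) == 0


def keys_with_loose_permissions(hops):
    """List key files ssh would refuse to load because group/others can read them."""
    loose = []
    for hop in hops:
        path = os.path.expanduser(hop.key)
        if os.path.exists(path) and not mode_is_private(os.stat(path).st_mode):
            loose.append(path)
    return loose


if __name__ == "__main__":
    # Placeholder chain modelled on the first question: a jump server, then the EC2 host.
    chain = [
        Hop("jump", "abc", "52.00.00.00", "~/.ssh/Server-Key"),
        Hop("ec2", "AWS-User", "99.00.00.00", "~/.ssh/AWS-EC2.pem"),
    ]
    print(ssh_config_for_chain(chain))
    for path in keys_with_loose_permissions(chain):
        print(f"fix permissions first: chmod 600 {path}")
    # With that config in place:  ssh ec2   or   ssh -N -L 31337:127.0.0.1:3306 ec2
```

Two practical notes on the generated config. `IdentitiesOnly yes` keeps each hop from being offered every key in your agent, which both avoids "Too many authentication failures" and stops one server from learning which other keys you hold. And on OpenSSH versions that have it, `ProxyCommand ssh -W %h:%p jump` (or simply `ProxyJump jump`) does the same job as the `nc %h %p` form without requiring nc to be installed on the intermediate server.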

How do I connect to aws ec2 server from chromebook using the secure shell extension?

I am trying to connect to my ec2 instance from my chromebook using the secure shell extension but I keep getting the following error:
Loading NaCl plugin... done.
ssh: connect to host (public DNS) port 22: Connection refused
NaCl plugin exited with status code 255.
I have been following the steps on this site but with 0 success.
http://www.mattburns.co.uk/blog/2012/11/15/connecting-to-ec2-from-chromes-secure-shell-using-only-a-pem-file/
Help please.
If you're doing this on your Chromebook, you should have developer mode enabled so that you can enter the console and execute Linux commands. Once developer mode is enabled, enter the console with ctrl+alt+t and then type in shell.
First you'll want to change the permissions of your .pem key. The ssh keygen won't run if the permissions aren't restricted enough.
sudo chmod 400 myKeyPair.pem
Next you'll want to generate your own public key with ssh-keygen like mentioned in the other links.
ssh-keygen -y -f myKeyPair.pem > myKeyPair.pub
After this, you'll want to create a file with no extension and the private key pair inside.
touch myKeyPair
After this, copy the contents of the .pem file to the file with no extension, myKeyPair.
sudo cat myKeyPair.pem > myKeyPair
Next you'll want to open up the secure shell extension, which can be found here.
Enter your connection information for your machine and don't forget to specify the port number. When it comes to importing the key pair, select both the myKeyPair.pub and the myKeyPair files using ctrl.
That's it, you should be connected!