How to access phpMyAdmin from laptop via SSH tunnel through AWS bastion/jump server to EC2 instance using .ssh/config - amazon-ec2

Need to reach phpMyAdmin on an EC2 instance behind a bastion/jump server from a local laptop.
Looking to reduce these steps to using .ssh/config. The question seeks the right configuration.
When connecting to EC2 without a public bastion server to jump through, this is the normal documented way, which does not work in my case because our deployment uses a public-facing bastion:
https://docs.bitnami.com/aws/faq/get-started/access-phpmyadmin/
When you need to jump through a public-facing bastion, e.g.:
Local/Laptop ------> bastion/jumpserver -----> ec2
The reference link above does not follow the same workflow, and documentation is sparse.
Setting up inbound/outbound rules for this capability is also sparsely documented.
The preference is to use .ssh/config, which is set up like this:
Host bastionHostTunnel
    Hostname <publicBastionIp>
    User <bastionusername>
    ForwardAgent yes
    IdentityFile <local path to .pem file>

Host ec2Host
    Hostname <privateEC2IP>
    User <ec2 username>
    ForwardAgent yes
    IdentityFile <local path to .pem file>
    # -A  enable forwarding of the authentication agent connection
    # -W  used on older machines instead of -J to bounce through
    # %h  the remote hostname
    # On Windows 10 (only?) it seems ssh.exe must be called instead of only ssh
    ProxyCommand ssh.exe -A -W %h:22 bastionHostTunnel
I obviously left out the values in <> above, but I have them and have verified that a similar configuration works for SFTP with FileZilla.
Then in a shell, call this to bind port localhost:8888 (http://127.0.0.1:8888):
ssh ec2Host -D 8888
Then I ought to be able to open a browser and go to the following to access phpMyAdmin:
http://127.0.0.1:8888/phpmyadmin
The current issue is that this process hangs and possibly refuses the connection. This points to either a bad configuration above or incorrect inbound/outbound rules for the bastion and/or the EC2 instance.
Has anyone here had a similar issue and been able to solve it? Any extra clues on debugging the overall process would also help.

I'm most curious whether it works if you specify everything on the command line... once you determine that works, you can start refactoring to put some aspects into .ssh/config. It's usually easier for me to find errors in my configuration if everything is on the command line, plus I don't know that I see the correct forwarding options all listed there.
Unless I'm very mistaken, you don't need any reference to the ec2 host in your SSH config file because you're using the jump machine to redirect localhost traffic there; you wouldn't be able to reach the ec2 host directly from your local machine using an SSH tunnel.
There are many ways to do a tunnel, but when I do this, I use a command like ssh -L 8080:destination:80 -i <keyfile> me@jumpbox. destination must be reachable from jumpbox, which I can verify by first using ssh -i <keyfile> jumpbox and then, once on that machine, ssh destination. If there's a problem along the way, it's easier to debug these little steps (for instance, if I can't connect by manual ssh to jumpbox then I know the tunnel will never work).
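The hop-by-hop approach from the answer above, written out as an added example (this is not code from the question or the answer): a client config that reaches phpMyAdmin on the private EC2 host with ProxyJump plus a LocalForward, a way to see what OpenSSH resolves from that config without connecting, and a checker that tells you which hop broke. Host aliases, users (ec2-user, bitnami), IPs, the key path, the local port and the presence of nc and curl on the remote hosts are all assumptions.

```shell
#!/bin/sh
# Added example (not code from the question or the answer above): reach
# phpMyAdmin on a private EC2 instance through a public bastion with a
# LocalForward, then verify each hop on its own before blaming the tunnel.
# All hostnames, users, IPs, key paths and ports are placeholders.

# Write an OpenSSH client config. ProxyJump (OpenSSH >= 7.3) replaces the
# "ProxyCommand ssh -W %h:%p bastion" idiom. Authentication to ec2Host uses
# the key on the laptop, so ForwardAgent is not needed and is left off: an
# agent forwarded to the bastion can be used by anyone who is root there.
write_tunnel_config() {
    cfg=$1; bastion_ip=$2; ec2_ip=$3; key=$4; local_port=$5
    cat > "$cfg" <<EOF
Host bastion
    HostName $bastion_ip
    User ec2-user
    IdentityFile $key
    IdentitiesOnly yes

Host ec2Host
    HostName $ec2_ip
    User bitnami
    IdentityFile $key
    IdentitiesOnly yes
    ProxyJump bastion
    # laptop 127.0.0.1:$local_port -> (inside the ssh session) 127.0.0.1:80 on ec2Host.
    # The bind address is explicit so the forward is not reachable from the LAN.
    LocalForward 127.0.0.1:$local_port 127.0.0.1:80
EOF
}

# Security groups this needs: the bastion SG allows 22 from the laptop's IP;
# the EC2 SG allows 22 from the bastion SG only. Port 80 on the EC2 box never
# has to be opened to anything: the forwarded request arrives from 127.0.0.1.

# Print what OpenSSH resolves for a host alias without connecting (ssh -G).
show_resolved() {
    ssh -G -F "$1" "$2" | grep -iE '^(hostname|user|proxyjump|localforward|forwardagent|identityfile) '
}

# Check the chain one hop at a time; the return code says which hop broke.
#   1: laptop -> bastion on 22    2: bastion -> ec2 on 22    3: web server on ec2
check_chain() {
    cfg=$1; ec2_ip=$2
    ssh -F "$cfg" -o ConnectTimeout=10 bastion 'echo bastion-ok' || return 1
    ssh -F "$cfg" -o ConnectTimeout=10 bastion "nc -z -w 5 $ec2_ip 22" || return 2
    ssh -F "$cfg" -o ConnectTimeout=20 ec2Host \
        'curl -s -o /dev/null -w "%{http_code}\n" http://127.0.0.1/phpmyadmin/' || return 3
}

# Hold the tunnel open in the foreground (-N: no remote command) and browse to
# http://127.0.0.1:8888/phpmyadmin/. Note that -D would create a SOCKS proxy,
# which a browser only uses once configured for it; a plain URL needs -L.
start_tunnel() {
    ssh -F "$1" -N -o ExitOnForwardFailure=yes ec2Host
}
```

Typical use: `write_tunnel_config ~/.ssh/tunnel.cfg 203.0.113.10 10.0.1.20 ~/.ssh/key.pem 8888`, then `show_resolved ~/.ssh/tunnel.cfg ec2Host` to confirm the jump and forward were parsed, `check_chain ~/.ssh/tunnel.cfg 10.0.1.20` to find the failing hop, and finally `start_tunnel ~/.ssh/tunnel.cfg`. If check_chain returns 2, the problem is the EC2 security group, not the laptop config.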

Related

how to configure pycharm to ssh a bastion host using putty or OpenSSH

I am trying to ssh to a bastion using PyCharm 2018.1 on a Windows 7 machine using PuTTY.
I found some documentation for ssh-ing to a server, and this works without any issues:
https://www.jetbrains.com/help/pycharm/tutorial-using-the-product-built-in-ssh-terminal-and-remote-ssh-external-tools.html
For the bastion server, it seems that PyCharm doesn't allow such a connection (in the config I only see login and server name as parameters). I tried to put a tunnel to localhost in the PuTTY configuration for the bastion server. On my Windows machine I see the port on my localhost.
The issue is that I don't manage to connect PyCharm to the localhost. It expects a login and a password while I just have the localhost name.
I see in a post from last year that "if you are using a bastion host (also referred to as a jump host), you’ll be very happy to know that PyCharm 2017.3 supports SSH config files. Even on Windows."
https://blog.jetbrains.com/pycharm/2017/10/pycharm-2017-3-eap-5/
Any idea how to get it working, either with the localhost or using OpenSSH and an SSH config file?
The issue was the localhost. Using plink directly works with no problem, using the same commands as regular ssh: plink.exe -L 9009:server:22 user@bastion. With PuTTY it doesn't work (first, the IP was 0.0.0.0:port instead of 127.0.0.1:port; even with the right port, PyCharm failed to connect, while it works when I use plink directly).
This thread was helping: https://serverfault.com/questions/387772/ssh-reverse-port-forwarding-with-putty-how-to-specify-bind-address

Multiple Reverse shells using the same public port

I've got a server behind a firewall, and the firewall only allows traffic through port 22. This server has both public and private addresses.
I've also got about 1K clients that I need to reverse shell to this server, and I need to be able to choose one of them by id when I want that reversed SSH tunnel.
My goal is to make the clients connect to the SSH server via port 22, and each of these connections should be forwarded to localhost on a port with the same id.
When I connect to the server from my laptop, also via ssh, I would then ssh to localhost on the correct id and get the client shell.
Can someone point me to a good way to achieve this behaviour using bash, ssh and Linux tools?
Note: I don't want to use client.py and server.py because most of my clients are Android based and it could easily become a nightmare to install Python on all of them.
The problem was solved using remote port forwarding:
ssh -R 21:localhost:8888 user@server
In this command, 8888 represents the terminal id. For this to work, I had to add this line to my SSH config:
GatewayPorts yes
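An added example of the per-client reverse forward described in this thread (not code from the question or the answer): the server port is derived from the client id and range-checked, each client holds a forward from that port back to its own sshd, and the operator reaches a client from the laptop with one ProxyJump through the server. The port base, the user names (tunnel, admin, shell) and the server name are assumptions. Two facts worth knowing when adapting the answer above: GatewayPorts is a sshd_config (server-side) directive, and without it a -R forward binds 127.0.0.1 on the server, which is exactly what "ssh to localhost on the correct id" from the server needs; leaving it off keeps those 1K ports off the server's public address. Also, a remote port below 1024 (such as the 21 in the answer) can only be bound when the ssh login on the server is root.

```shell
#!/bin/sh
# Added example (not from the question or the answer above): one reverse
# forward per client, remote port derived from the client id, operator reaches
# a client through the server with ProxyJump. Names and the port base are
# placeholders.

PORT_BASE=20000   # client id N gets server port PORT_BASE+N (ids 1..1000 -> 20001..21000)

# Map a client id to its server port; reject anything outside the agreed
# range so a misconfigured client cannot claim an arbitrary port on the server.
port_for_id() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 1000 ] || return 1
    echo $((PORT_BASE + $1))
}

# Client side: hold a reverse forward from the server back to this client's
# own sshd (port 22). Without GatewayPorts the remote end binds 127.0.0.1 on
# the server, which is all the workflow needs: the operator is already logged
# in to the server when they connect. ExitOnForwardFailure makes ssh exit (so
# a supervisor can retry) instead of silently holding a session whose forward
# was refused because the port is taken. Runs until killed.
client_reverse_forward() {
    id=$1; server=$2
    port=$(port_for_id "$id") || { echo "bad client id: $id" >&2; return 1; }
    exec ssh -N \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
        -R "127.0.0.1:$port:127.0.0.1:22" "tunnel@$server"
}

# Operator side, from the laptop: jump through the server and connect to the
# loopback port that belongs to client <id>. Host key checking stays on;
# HostKeyAlias stores each client's key under its own name instead of under
# "127.0.0.1", so 1K different keys on one address do not collide.
operator_shell() {
    id=$1; server=$2
    port=$(port_for_id "$id") || { echo "bad client id: $id" >&2; return 1; }
    ssh -J "admin@$server" -p "$port" -o HostKeyAlias="client-$id" "shell@127.0.0.1"
}
```

On the client: `client_reverse_forward 17 server.example.com` (ideally under a supervisor that restarts it). On the laptop: `operator_shell 17 server.example.com` lands in a shell on client 17. Ports 20001-21000 must not overlap what the server hands out for outbound connections; check the local ephemeral range before choosing PORT_BASE.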

capistrano deployment to a server without public IP through a proxy

The server that I need to deploy to is in a private network (without a public IP). I can access the server from outside that network through VPN, but with difficulties, and deployment with capistrano breaks every time.
I have access to another computer in that private network that has a public IP.
Is it possible to set up the capistrano deployment scripts so that the deployment goes through that "proxy" server?
Can you perhaps suggest some other solutions for my situation other than working out the problem with the VPN, which is out of my hands.
Setting up a GitHub hook which would trigger a script on the server that would then pull the branch comes to mind, but that is much less than what Capistrano does: no migrations, revisions, bundle update, server restart, etc.
Capistrano communicates with the target server over SSH; if you set up the SSH connection to proxy through your 'bastion' server and land on the appropriate final host(s), then Capistrano, over that connection, will do the same.
One of the easiest ways of setting this up, is with a ~/.ssh/config block, describing where you want to end up, and the proxy to be able to reach it.
Exactly how that is configured, depends on how you have setup the network.
Here's an (edited for hostnames) .ssh/config file I've just created to SSH from home via public and then on to final:
Host internalvia
    HostName final.hostname.com
    User secretdeployuser
    IdentityFile ~/.ssh/id_rsa
    ProxyCommand ssh public-server.com -W %h:%p
I could then ssh internalvia and land on the machine called final.hostname.com, but I went through public-server.com (logging in first, as myself, and then on final as 'secretdeployuser'). Both public and final have my usual id_rsa key allowed to log in, and the standard forwarding allows me to log in to both, even via one another.
Once this works for you to ssh to the final location from the command line, you can put internalvia as the host in the Capistrano setup.
role :app, %w{ secretdeployuser@internalvia }

use ssh private key from host in vagrant guest

I want to clone a bunch of private git repositories while provisioning a Vagrant box. According to this article this should be possible using config.ssh.forward_agent = true. However, when trying to connect to GitHub via something like ssh -T git@github.com -o StrictHostKeyChecking=no it fails with the following error:
Warning: Permanently added 'github.com,192.30.252.130' (RSA) to the list of known hosts.
Permission denied (publickey).
I cut my configuration down to the simplest possible configuration. You can find it here: https://gist.github.com/TomTasche/31f7c45fcffc2997d43a
When I do "vagrant ssh" and try the same again, a similar error occurs:
Cloning into 'private-repositories'...
Warning: Permanently added the RSA host key for IP address '192.30.252.130' to the list of known hosts.
Permission denied (publickey).
fatal: The remote end hung up unexpectedly
Edit: the configuration linked above does work on a host running Ubuntu, but works neither on a Mac host nor on a Windows host. My goal is to have a configuration that works on all three of these hosts.
Please check whether your host system has ssh-agent forwarding enabled. You can do so for example by adding this block to your ~/.ssh/config file:
Host *
    ForwardAgent yes
If this is enabled, vagrant ssh (and also vagrant provision) should be able to forward your key to the guest machine.
You also might want to check using ssh-add -l whether your ssh-agent knows about your SSH key. If it is in the list and you have agent forwarding activated, you should succeed. Otherwise you can add the key to your ssh-agent by running ssh-add <path to your key file>.
It sounds like you may be hitting this particular bug:
https://github.com/mitchellh/vagrant/issues/1735
(Despite it being "closed" it's actually not fixed)
On Windows, SSH Forwarding in Vagrant does not work properly by default (because of a bug in net-ssh).
However, there is a workaround or simple hack. You can auto-copy your local SSH key to the Vagrant VM via a simple provisioning script in your VagrantFile. Here's an example:
https://github.com/mitchellh/vagrant/issues/1735#issuecomment-25640783
Tom,
What you're doing is fairly generic in nature and I don't think is Vagrant specific.
Try some of the following to track down the issue:
edit your /etc/ssh/sshd_config
Set LogLevel debug
Restart the sshd service sudo service sshd restart or /etc/init.d/sshd restart
tail -f /var/log/authlog -- note, the file may be something else like /var/log/authd.log or /var/log/secure.
Watch what happens when you connect. It should give you some indication of why it's failing.
Again sorry, I'm not that familiar with Vagrant but I'm wondering if the provisioning script is running as another user, in which case the agent forwarding may not work as expected?
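Before turning on sshd debug logging as the last answer suggests, the agent-forwarding chain can be checked from inside the guest with a few commands. The following is an added example (not code from the question or any of the answers): diagnose_agent reports which link is missing (no SSH_AUTH_SOCK, a stale socket, no ssh-add, an agent with no identities), and github_auth_check runs the same ssh -T test as the question and decides on GitHub's greeting rather than the exit code. The environment variable names and ssh-add exit codes are OpenSSH's; the "sudo" hint in the no-agent message assumes provisioning may run as root, which is a guess from the last answer, not something the question confirms.

```shell
#!/bin/sh
# Added example (not from the question or any of the answers above): run this
# inside the Vagrant guest (vagrant ssh, or from a provisioner) to see which
# link of the agent-forwarding chain is missing. It only reads SSH_AUTH_SOCK
# and asks ssh-add; nothing is changed.

# Prints one tagged line and returns 0 only when a forwarded agent with keys
# is reachable. The tag before the colon is what a script should branch on.
diagnose_agent() {
    if [ -z "${SSH_AUTH_SOCK:-}" ]; then
        echo "no-agent: SSH_AUTH_SOCK is unset; ForwardAgent never reached this shell (check ForwardAgent on the host, and whether sudo dropped the variable if provisioning runs as root)"
        return 1
    fi
    if [ ! -S "$SSH_AUTH_SOCK" ]; then
        echo "stale-socket: SSH_AUTH_SOCK=$SSH_AUTH_SOCK is not a socket (left over from an earlier session?)"
        return 1
    fi
    if ! command -v ssh-add >/dev/null 2>&1; then
        echo "no-ssh-add: the OpenSSH client is not installed in the guest"
        return 1
    fi
    # ssh-add -l exit codes: 0 keys listed, 1 agent has no identities,
    # 2 could not talk to the agent.
    ssh-add -l >/dev/null 2>&1
    case $? in
        0) echo "ok: forwarded agent reachable and holds keys"; return 0 ;;
        1) echo "empty-agent: agent reachable but has no identities; run ssh-add <key> on the host"; return 1 ;;
        *) echo "unreachable-agent: socket exists but the agent does not answer"; return 1 ;;
    esac
}

# Exercise the key against GitHub the way the question does. GitHub closes the
# session with a non-zero status even on success, so the decision is made on
# its greeting, not on the exit code. BatchMode stops ssh from prompting.
github_auth_check() {
    out=$(ssh -T -o BatchMode=yes -o StrictHostKeyChecking=accept-new git@github.com 2>&1)
    case $out in
        *"successfully authenticated"*) echo "github: ok"; return 0 ;;
        *"Permission denied"*)          echo "github: key not accepted"; return 1 ;;
        *)                              echo "github: $out"; return 2 ;;
    esac
}
```

Run `diagnose_agent && github_auth_check` in the guest shell that the provisioner uses. A "no-agent" result under a root provisioner usually means the variable was dropped on the way through sudo, not that forwarding is off on the host; an "empty-agent" result is fixed on the host with ssh-add, as the first answer says. StrictHostKeyChecking=accept-new needs OpenSSH 7.6 or later.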

How to use Fabric using ssh_config's ProxyCommand and corkscrew?

I'm deploying a site to a server, but port 22 is blocked at my office. I can now use corkscrew with the ssh_config ProxyCommand directive, and everything works fine; I just connect using $ ssh my_server_alias_in_sshconfig.
Now I need to use Fabric to ease deployment, but even when setting env.use_ssh_config=True it doesn't work: it just looks up the IP address of the server and tries to connect directly, ignoring ProxyCommand and everything else. The Fabric docs say it leverages some of the config settings available, but without ProxyCommand support, Fabric seems useless here.
Any help?
I got this gist, but I don't think it solves the ProxyCommand requirement.
Regards
For the moment, I set up a LocalForward directive like:
Host my_server_using_corkscrew
    ProxyCommand ...
    ...
    LocalForward 1122 localhost:22
And below:
Host my_server_using_corkscrew.localtunnel
    Hostname localhost
    Port 1122
And then, run Fabric with:
$ fab my_deploy_command --hosts=my_server_using_corkscrew.localtunnel
This has two inconveniences:
I need to start the "tunnel" first with $ ssh my_server_using_corkscrew and leave it open.
Inside the fabfile, the hostname is always localhost, so it can be a problem when deploying to multiple servers at once.
I'm using this for the time being, but can this be improved?
A better workaround but still not perfect:
Host somebox
    ControlMaster auto
    ControlPath ~/.ssh/socket/%r@%h:%p
Then run $ ssh somebox first and leave it open, then $ fab -H somebox deploy, and the traffic will go through the socket and so respect the ProxyCommand.
