SSH setting for Mac to create an alias - macOS

The ssh address I want to alias is:
ssh -o StrictHostKeyChecking=no username@hostipaddress@jumpServerAdress.com
I am populating the Mac ~/.ssh/config as:
Host prod
HostName hostipaddress
User usrname
ServerAliveInterval 100
ProxyJump jumpServerAdress.com
StrictHostKeyChecking no
GlobalKnownHostsFile /dev/null
UserKnownHostsFile /dev/null
When I do ssh prod, it is not letting me into the host. It signals me:
channel 0: open failed: connect failed: open failed
stdio forwarding failed
ssh_exchange_identification: Connection closed by remote host
Is there any mistake in the config I am doing? Please let me know.

I tried this config, which worked:
Host jump
HostName jumpServerAdress.com
User jumpuser
Host prod
HostName hostipaddress
User usrname
ServerAliveInterval 100
ProxyJump jump
StrictHostKeyChecking no
GlobalKnownHostsFile /dev/null
UserKnownHostsFile /dev/null
assuming you have set up ssh keys correctly.

SSH shows the wrong IP address when SSH with port forward

My use case is I have to access AWS ec2 instances through a jumpbox.
Here is my SSH config.
Host awsjumpbox
User sshuser
HostName jumpboxhostname
IdentityFile /Users/myusername/.ssh/id_rsa
LocalForward 8022 10.0.168.43:22
It works when I use the scp command to copy files to the EC2 instance.
myusername % scp -r -i ~/aws/aws-keypair.pem -P 8022 * ec2-user@localhost:testdir
The authenticity of host '[localhost]:8022 ([::1]:8022)' can't be established.
ECDSA key fingerprint is SHA256:rrwr62yjP2cgUTT9SowdlrIwGi4jMMwt5x4Aj6E4Y3Y.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[localhost]:8022' (ECDSA) to the list of known hosts.
/etc/profile.d/lang.sh: line 19: warning: setlocale: LC_CTYPE: cannot change locale (UTF-8): No such file or directory
README.md 100% 1064 24.3KB/s 00:00
However, when I execute the ssh command, it returns a strange IP address.
myusername % ssh -i ~/aws/aws-keypair.pem -P 8022 ec2-user@localhost
ssh: connect to host 0.0.31.86 port 22: No route to host
What is the cause of this issue? How do I fix it?
Thank you.
Don't use LocalForward and reverse the flow.
Use ProxyCommand or ProxyJump. This will allow SSH to open a session to your bastion server transparently.
E.g., your configuration should be something along the lines of:
Host 10.0.168.43
User root
ProxyCommand ssh -W %h:%p sshuser@awsjumpbox
...
or
Host 10.0.168.43
User root
ProxyJump sshuser@awsjumpbox
...

Complex SSH tunnel

I have a complex SSH tunnel problem I'm trying to solve and can't seem to get it quite right.
Simply put:
ME -> Bastion:22 -> Instance:8500
Bastion uses a different username and key than the instance. I would like to be able to access port 1234 on the instance from localhost:1234.
Right now I have the following:
Host bastion
HostName bastion.example.com
ForwardAgent yes
IdentityFile ~/.ssh/id_ecdsa
User spanky
Host internal
ForwardAgent yes
HostName consul.internal
IdentityFile ~/.ssh/aws.pem
ProxyJump bastion
User ec2-user
Port 8500
But I don't think I've got it.
The following two commands work, but I'm trying to distill them into a working config:
ssh -L 2222:10.0.0.42:22 bastion.example.com -N -i ~/.ssh/id_ecdsa
ssh -L 8500:localhost:8500 ec2-user@localhost -N -i ~/.ssh/aws.pem -p 2222
With a current version of ssh, you should be able to use:
ssh -L1234:localhost:1234 -J spanky@bastion.example.com ec2-user@consul.internal
From man ssh:
-J destination
    Connect to the target host by first making an ssh connection to the jump host described by destination and then establishing a TCP forwarding to the ultimate destination from there. Multiple jump hops may be specified separated by comma characters. This is a shortcut to specify a ProxyJump configuration directive.
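The three threads above (the macOS alias, the LocalForward setup that resolved to a strange IP, and the bastion-to-consul tunnel) all end up at the same ssh_config shape, so here is one worked version of it as an added example; it is not code from any of the posts. Host names, user names and key paths are placeholders, and the dedicated known_hosts file is an assumption. Two things the answers leave implicit: ProxyJump authenticates to the target end to end from your own machine, so the bastion never sees the target's key and ForwardAgent is not needed; and StrictHostKeyChecking no together with UserKnownHostsFile /dev/null switches host-key verification off entirely, so whatever answers at that address, including a host inserted between you and the bastion, is accepted without a word, whereas accept-new (OpenSSH 7.6 and later) records a key on first contact and still refuses a changed one. On the wrong-IP thread, the scp run worked and the ssh run did not because -P is scp's port flag; ssh wants lowercase -p, so 8022 was taken as the host name, and a bare decimal is a valid 32-bit address to the resolver: 8022 = 0x1F56 = 0.0.31.86, exactly the host in the error.

```shell
#!/bin/sh
# Added example: one ssh_config for a bastion (jump) host, a target behind it,
# and a port-forward alias. Host names, users and key paths are placeholders.
# StrictHostKeyChecking accept-new needs OpenSSH 7.6 or later.

# Write the config to the file named in $1.
write_jump_config() {
    cat > "$1" <<'EOF'
# Hop 1: the bastion, with its own user and key. IdentitiesOnly stops ssh
# from offering every loaded key to every host.
Host bastion
    HostName bastion.example.com
    User spanky
    IdentityFile ~/.ssh/id_ecdsa
    IdentitiesOnly yes

# Tunnel alias only. ssh_config uses the first value it finds for each option,
# so this short stanza comes first and the shared stanza below fills the rest.
# Usage: ssh -N internal-consul   then talk to localhost:1234
Host internal-consul
    LocalForward 1234 localhost:1234

# Hop 2: the target, reached through the bastion. Authentication to it runs
# end to end from this machine, so its key never has to be on the bastion and
# agent forwarding is not needed. Port (if set) is sshd's port, not a service port.
Host internal internal-consul
    HostName consul.internal
    User ec2-user
    IdentityFile ~/.ssh/aws.pem
    IdentitiesOnly yes
    ProxyJump bastion
    ForwardAgent no
    ServerAliveInterval 100

# Both hops: record a host key on first contact, refuse a changed one, and keep
# the keys in a dedicated file rather than discarding them.
Host bastion internal internal-consul
    UserKnownHostsFile ~/.ssh/known_hosts_bastion
    StrictHostKeyChecking accept-new
EOF
}

# Show the options ssh actually resolves for each alias without connecting
# (ssh -G). Prints a note instead when ssh is not installed.
show_effective() {
    command -v ssh >/dev/null 2>&1 || { echo "ssh not installed, skipping -G check"; return 0; }
    for h in internal internal-consul; do
        echo "== $h"
        ssh -G -F "$1" "$h" 2>&1 |
            grep -E '^(hostname|user|identityfile|identitiesonly|proxyjump|proxycommand|localforward|forwardagent|stricthostkeychecking|userknownhostsfile) ' ||
            echo "(ssh -G produced no matching lines for $h)"
    done
}

# Stand-alone run: write the config to a temporary file and show how ssh reads it.
cfg=$(mktemp)
write_jump_config "$cfg"
show_effective "$cfg"
rm -f "$cfg"
```

Copy the heredoc body into ~/.ssh/config and run ssh -G internal-consul yourself before the first connection: it prints the effective hostname, proxyjump and localforward lines, which is the quickest way to catch a stanza that was merged with the wrong Host pattern.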

Automate an ssh response

I have a bash script running on a host with IP1. The script does an ssh to a remote host with IP2:
ssh ubuntu@IP2 "ls -l ~"
The ssh replies with:
The authenticity of host 'IP2 (IP2)' can't be established.
ECDSA key fingerprint is SHA256:S9ESYzoNs9dv/i/6T0aqXQoSXHM.
Are you sure you want to continue connecting (yes/no)?
I want to automate the response "yes" to the above ssh command. How can I do that from the bash script?
IP2 is a random IP so I cannot add it to the known hosts list on host IP1.
If you don't want to verify/check the fingerprint you could use something like:
ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no ubuntu@IP2 "ls -l ~"
This is how it works:
-o UserKnownHostsFile=/dev/null
The UserKnownHostsFile parameter specifies the database file to use for storing the user host keys (default is ~/.ssh/known_hosts).
By configuring the null device file as the host key database, SSH is fooled into thinking that the SSH client has never connected to any SSH server before, and so will never run into a mismatched host key.
-o StrictHostKeyChecking=no
The parameter StrictHostKeyChecking specifies whether SSH will automatically add new host keys to the host key database file. By setting it to no, the host key is automatically added, without user confirmation, for all first-time connections.
For more details: How to disable SSH host key checking
Have you tested the "StrictHostKeyChecking" option:
ssh -o "StrictHostKeyChecking no" root@10.x.x.x
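Neither answer keeps any host-key verification: with UserKnownHostsFile=/dev/null and StrictHostKeyChecking=no the client accepts whatever key it is shown on every connection, so anyone on the path to IP2 can terminate the session and relay it without a warning. Two alternatives that still avoid the interactive prompt, as an added example rather than code from the thread: StrictHostKeyChecking=accept-new (OpenSSH 7.6 and later) records a key on first contact and refuses a changed one, and for hosts you meet only once, fetch the key out of band with ssh-keyscan, compare its fingerprint with what the host's owner published (cloud consoles print host key fingerprints in the instance boot log), and pin it. The KNOWN_HOSTS path and the 203.0.113.7 entries used in testing are constructed here.

```shell
#!/bin/sh
# Added example: accept a host key non-interactively without giving up
# verification. KNOWN_HOSTS defaults to the usual file; override it for testing.
KNOWN_HOSTS="${KNOWN_HOSTS:-$HOME/.ssh/known_hosts}"

# Append a known_hosts line ($2) to the file ($1) unless that host (first
# field, e.g. "203.0.113.7" or "[203.0.113.7]:2222") already has an entry.
# Returns 0 when added, 1 when the host was already pinned.
add_known_host() {
    file=$1; line=$2
    host=${line%% *}
    if [ -f "$file" ] && awk -v h="$host" '$1 == h { f = 1 } END { exit !f }' "$file"; then
        return 1
    fi
    printf '%s\n' "$line" >> "$file"
}

# Fetch the host's keys out of band with ssh-keyscan, print their SHA256
# fingerprints so they can be compared with what the host's owner published,
# and pin them. Needs network access, so it is not exercised by the offline test.
pin_host_key() {
    host=$1; port=${2:-22}
    tmp=$(mktemp) || return 1
    if ! ssh-keyscan -p "$port" -t ed25519,ecdsa "$host" > "$tmp" 2>/dev/null || [ ! -s "$tmp" ]; then
        rm -f "$tmp"; echo "no host key received from $host:$port" >&2; return 1
    fi
    ssh-keygen -lf "$tmp"            # SHA256:... fingerprint, one line per key
    while IFS= read -r line; do
        add_known_host "$KNOWN_HOSTS" "$line" || echo "already pinned: ${line%% *}" >&2
    done < "$tmp"
    rm -f "$tmp"
}

# Run the command with checking left on. accept-new (OpenSSH 7.6+) only tolerates
# hosts that are not yet in the file; a changed key still fails, unlike
# StrictHostKeyChecking=no, and the pinned file keeps the decision for next time.
run_remote() {
    ssh -o UserKnownHostsFile="$KNOWN_HOSTS" -o StrictHostKeyChecking=accept-new "ubuntu@$1" "ls -l ~"
}
```

In the script from the question, call pin_host_key "$IP2" once (and look at the fingerprint it prints), then run_remote "$IP2"; if IP2 really is fresh every time and its fingerprint cannot be obtained from anywhere trustworthy, the connection is unauthenticated whichever option you pick, and that is worth knowing rather than hiding.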

ssh specify default directory to check

Instead of ssh "~/.ssh/somekey.pem" ubuntu@somehost, is there a way to make ssh auto check the ~/.ssh directory for keys so that I can simply do ssh "somekey.pem" ubuntu@somehost (i.e. omitting ~/.ssh)?
If you're using the same host, then try updating your ~/.ssh/config file with the host info:
Host dev
IdentityFile ~/.ssh/github.key
HostName dev.example.com
Port 22000
User fooey
then just type ssh dev to ssh in!

How do I configure Coda to work for my Amazon EC2 instance?

I cannot connect to my EC2 instance. I have opened port 21 in the AWS Console. I think there is no way to input my SSH key pair in Coda. Is there a way of connecting Coda to my EC2 instance?
Coda should pick up settings from your ssh config so you can configure this fairly easily.
If you've saved your EC2 ssh keypair in ~/.ssh/ec2_rsa then simply edit ~/.ssh/config to look like:
IdentityFile ~/.ssh/ec2_rsa
You can also restrict the IdentityFile directive to just your AWS resource with:
Host somehost.amazonaws.com
IdentityFile ~/.ssh/ec2_rsa
If everything's configured properly then you should be able to, from the command line, run ssh username@awshost and get a login prompt.
If you continue to have problems, you can always enable password authentication on your instance by editing /etc/ssh/sshd_config and adding the line PasswordAuthentication yes to the end of the file, then setting a password for your user with passwd.
I use the following settings in my .ssh/config to automatically apply my EC2 keypairs for EC2 resources:
# EC2 Northern Virginia
Host *.compute-1.amazonaws.com
IdentityFile ~/.keys/ssh/ec2/us_east_1.key
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
IdentitiesOnly yes
ForwardAgent no
# EC2 Northern California:
Host *.us-west-1.compute.amazonaws.com
IdentityFile ~/.keys/ssh/ec2/us_west_1.key
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
IdentitiesOnly yes
ForwardAgent no
# EC2 Ireland:
Host *.eu-west-1.compute.amazonaws.com
IdentityFile ~/.keys/ssh/ec2/eu_west_1.key
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
IdentitiesOnly yes
ForwardAgent no
# EC2 Singapore:
Host *.ap-southeast-1.compute.amazonaws.com
IdentityFile ~/.keys/ssh/ec2/ap_southeast_1.key
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
IdentitiesOnly yes
ForwardAgent no
# EC2 Tokyo:
Host *.ap-northeast-1.compute.amazonaws.com
IdentityFile ~/.keys/ssh/ec2/ap_northeast_1.key
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
IdentitiesOnly yes
ForwardAgent no
I struggled with this for some time, so I am sharing the steps that were important for me:
Configure an alias in ~/.ssh/config
Make sure the permissions of my_key.pem make sense, e.g. do > chmod 644 my_key.pem
Simply put your alias in the Server field when creating an SSH or SFTP session, and nothing else.
That worked for me.
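One detail in the comment above deserves a check, added here and not part of that comment: OpenSSH refuses to load a private key that is readable by group or others (a 644 key produces "Permissions 0644 for '...' are too open ... This private key will be ignored"), so a key file wants mode 600 or 400. The script below tests a key the way ssh does (any group or other bit set is a failure) and fixes it; the stat call handles both GNU/Linux and macOS. The path is whatever you pass in; nothing here comes from the thread.

```shell
#!/bin/sh
# Added example: check private key files the way ssh does before it loads them.

# Permission bits in octal (e.g. 644) on GNU/Linux stat and on macOS/BSD stat.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# ssh ignores a private key if any group or other bit is set, i.e. it requires
# mode & 077 == 0. Returns 0 when the key passes, 1 when ssh would ignore it,
# 2 when the file cannot be read.
key_perm_ok() {
    mode=$(file_mode "$1") || return 2
    tail2=${mode#"${mode%??}"}       # last two octal digits: group and other
    [ "$tail2" = "00" ]
}

# Lock the key down to owner-only and re-check it.
fix_key_perms() {
    chmod 600 "$1" && key_perm_ok "$1"
}

# Stand-alone run: report on every key path given on the command line.
for k in "$@"; do
    if key_perm_ok "$k"; then
        echo "ok:       $k (mode $(file_mode "$k"))"
    else
        echo "too open: $k (mode $(file_mode "$k")); run: chmod 600 $k"
    fi
done
```

Run it as sh checkkeys.sh ~/.ssh/*.pem; a key it reports as too open is exactly one the Coda session will silently fail to use.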
In the new version of Coda, there's a small icon of a key which shows up inside the password box on the right. If you click this, you can browse to the PEM file and choose that as your password.
The icon disappears once you click the password box, and as far as I can tell you can't get it back without making a new project.