This is my first post: I stumbled while studying SSH connections from a bastion server to a private server on EC2, so I am writing it up as an example. As noted in the [reference articles](https://qiita.com/fgem28/items/2c068eab3b34336147fb#%E5%8F%82%E8%80%83%E3%81%AB%E3%81%95%E3%81%9B%E3%81%A6%E3%81%84%E3%81%9F%E3%81%A0%E3%81%84%E3%81%9F%E8%A8%98%E4%BA%8B) section, there are many other articles on Qiita about this, so please refer to those as well.
I want to create an EC2 instance in each of a public subnet and a private subnet in the same AZ, and configure SSH access to the private server to go through the public server as a bastion (stepping stone).
- Public IP of the bastion server: 3.*.*.*
- Private IP of the private server: 192.168.1.39
- Key pair created on AWS: practice.pem
Security groups:
- Bastion server (public subnet): the default security group plus one that allows SSH.
- Private server (private subnet): a copy of the default security group that allows all traffic within the VPC. (A tighter rule that is enough for this setup: allow only TCP/22 with the bastion server's security group as the source.)
A normal SSH connection to the bastion server works. Ping from the bastion server to the private server to confirm that it is reachable:
ping 192.168.1.39
At this point the bastion server has no private key, so it cannot SSH to the private server. There are two main ways to connect:
- Upload the private key to the bastion server and use it from there.
- Set the ProxyCommand option of ssh so that the private server can be reached in one step from the outside, via the bastion server.
Putting the private key on the bastion server is not a good idea (anyone who compromises the bastion then holds the key to every host behind it), so I will try the ProxyCommand approach and connect from the outside in one step.
Create a new ~/.ssh/config and write the following:

~/.ssh/config
Host test-private
    HostName 192.168.1.39              # private IP of the private server
    User ec2-user
    IdentityFile ~/.ssh/practice.pem
    ProxyCommand ssh 3.*.*.* -W %h:%p  # public IP of the bastion server
I tried to connect, but it failed:
$ ssh test-private
Mac username@3.*.*.*: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
ssh_exchange_identification: Connection closed by remote host
I tried various things from other articles.
I set the permissions of ~/.ssh/config, but nothing changed:
chmod 600 ~/.ssh/config
Setting the permissions of the private key did not change anything either:
chmod 600 ~/.ssh/practice.pem
Adding sudo only gives a different error (root reads its own /var/root/.ssh/config rather than mine, so the alias test-private is unknown to it):
$ sudo ssh test-private
Password:
ssh: Could not resolve hostname test-private: nodename nor servname provided, or not known
I deleted the lines starting with the same IP address from ~/.ssh/known_hosts, but nothing changed.
I also tried a one-line command, but that did not work either:
$ ssh -o ProxyCommand='ssh -i ~/.ssh/practice.pem ec2-user@3.*.*.* -W 192.168.1.39' -i ~/.ssh/practice.pem ec2-user@192.168.1.39
Bad stdio forwarding specification ‘192.168.1.39’   # private server IP
ssh_exchange_identification: Connection closed by remote host
(This attempt fails for a separate reason: -W requires host:port, so it should have been -W 192.168.1.39:22.)
I also set the security group to allow SSH to the private server, but it still didn't work.
At times like this, ** sleeping is the best **.
When I woke up and looked at it again, something was odd:
$ ssh test-private
Mac username@3.*.*.*: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
ssh_exchange_identification: Connection closed by remote host
I had overlooked it, but this error message shows my Mac user name. It should be ec2-user (with the default settings).
After modifying ~/.ssh/config as follows:

~/.ssh/config
### Add the following
Host test-bastion
    Hostname 3.*.*.*
    User ec2-user
    IdentityFile ~/.ssh/practice.pem
### Add up to here
Host test-private
    Hostname 192.168.1.39
    User ec2-user
    IdentityFile ~/.ssh/practice.pem
    ProxyCommand ssh test-bastion -W %h:%p   ### was the bastion's IP; changed to the test-bastion alias
Connection successful!
$ ssh test-private
The authenticity of host '192.168.1.39 (<no hostip for proxy command>)' can't be established.
ECDSA key fingerprint is SHA256:l98F1hMEnkNJR+9ON6GWpq/UQfpm34B62g11byAP15c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.39' (ECDSA) to the list of known hosts.
__| __|_ )
_| ( / Amazon Linux 2 AMI
___|\___|___|
https://aws.amazon.com/amazon-linux-2/
[ec2-user@ip-192-168-1-39 ~]$
So the problem was how I wrote ~/.ssh/config. I had written only the settings for the final hop. The inner `ssh 3.*.*.*` that ProxyCommand starts is a separate ssh process: it looks up its own destination in the config, finds no matching Host block, and therefore tries to log in to the bastion as my local Mac user using only the default key names (not practice.pem). The bastion rejected that (Permission denied) and closed the connection, which the outer ssh reported as ssh_exchange_identification: Connection closed by remote host. Both hops need their own entry so that the flow is "bastion → private". And ** giving up and going to sleep ** is also an effective measure.
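To make the failure above concrete, here is a minimal ssh_config resolver (an added example; not from the original post and not OpenSSH's code) that models the subset of client-config behaviour involved: Host blocks matched with shell-style patterns against the name typed on the command line, first obtained value per keyword wins, %h/%p/%r expansion in ProxyCommand, and the host:port requirement of `ssh -W`. It resolves the target host and then, separately, the destination of the inner `ssh` that ProxyCommand spawns, for both the first and the corrected config. The bastion address 203.0.113.10 is a placeholder for the redacted 3.*.*.*, and both sample configs are constructed for this example.

```python
"""Added example: a simplified ssh_config resolver showing why the one-block
config fails and the two-block config works. Not OpenSSH code."""
import fnmatch
import getpass
import shlex

BASTION_IP = "203.0.113.10"  # placeholder for the post's redacted 3.*.*.*

# First attempt from the post: one block, ProxyCommand names the bastion by IP.
BROKEN_CONFIG = f"""
Host test-private
    HostName 192.168.1.39
    User ec2-user
    IdentityFile ~/.ssh/practice.pem
    ProxyCommand ssh {BASTION_IP} -W %h:%p
"""

# Working version: the hop gets its own block and is referenced by alias.
FIXED_CONFIG = f"""
Host test-bastion
    Hostname {BASTION_IP}
    User ec2-user
    IdentityFile ~/.ssh/practice.pem

Host test-private
    Hostname 192.168.1.39
    User ec2-user
    IdentityFile ~/.ssh/practice.pem
    ProxyCommand ssh test-bastion -W %h:%p
"""


def parse_config(text):
    """Split ssh_config text into (host_patterns, options) blocks, in file order.
    Options before the first Host line go into a catch-all '*' block."""
    blocks, patterns, opts = [], ["*"], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # simplified comment handling
        if not line:
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "host":
            blocks.append((patterns, opts))
            patterns, opts = value.split(), {}
        else:
            opts.setdefault(key, value)
    blocks.append((patterns, opts))
    return blocks


def resolve(text, host, local_user=None, port=22):
    """Effective options for `host`, roughly what `ssh -G host` reports.
    Every block whose Host pattern matches contributes, but only the first
    value seen for each keyword is kept (OpenSSH's first-obtained-value rule)."""
    eff = {}
    for patterns, opts in parse_config(text):
        if any(fnmatch.fnmatchcase(host, p) for p in patterns):
            for key, value in opts.items():
                eff.setdefault(key, value)
    eff.setdefault("hostname", host)        # no HostName: connect to the name as typed
    if "user" not in eff:                   # no User: the local login name is used
        eff["user"] = local_user or getpass.getuser()
    eff.setdefault("port", str(port))
    if "proxycommand" in eff:               # %h/%p/%r refer to the *target* host
        eff["proxycommand"] = (eff["proxycommand"]
                               .replace("%h", eff["hostname"])
                               .replace("%p", eff["port"])
                               .replace("%r", eff["user"]))
    return eff


OPTS_WITH_ARG = {"-W", "-i", "-o", "-p", "-l", "-F", "-J"}


def hop_target(proxycommand):
    """Destination argument of the inner `ssh ...` in a ProxyCommand."""
    argv = shlex.split(proxycommand)
    if not argv or argv[0] != "ssh":
        raise ValueError("only `ssh ...` proxy commands are modelled here")
    it = iter(argv[1:])
    for arg in it:
        if arg in OPTS_WITH_ARG:
            next(it, None)                  # skip the option's value
        elif not arg.startswith("-"):
            return arg
    raise ValueError("no destination in ProxyCommand")


def resolve_hop(text, host, local_user=None):
    """ProxyCommand spawns a second, independent ssh process. Its destination
    is resolved against the config from scratch, so the User/IdentityFile of
    the target's block do not carry over to it."""
    target = hop_target(resolve(text, host, local_user)["proxycommand"])
    explicit_user, _, name = target.rpartition("@")  # user@host on the command line
    hop = resolve(text, name, local_user)
    if explicit_user:
        hop["user"] = explicit_user
    return hop


def check_stdio_forward(proxycommand):
    """`ssh -W` needs host:port; a bare host is what OpenSSH rejects with
    'Bad stdio forwarding specification'. Returns (host, port) or None."""
    argv = shlex.split(proxycommand)
    if "-W" not in argv:
        return None
    spec = argv[argv.index("-W") + 1]
    host, sep, port = spec.rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError(f"Bad stdio forwarding specification '{spec}'")
    return host, int(port)


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        hop = resolve_hop(cfg, "test-private", local_user="mac-user")
        print(f"{label}: hop logs in as {hop['user']}@{hop['hostname']} "
              f"with IdentityFile {hop.get('identityfile', '<none, default keys only>')}")
```

With the real client, `ssh -G test-private` prints the resolved options for the target and `ssh -G test-bastion` those for the hop, and `ssh -v test-private` shows which user and key each process offers. On OpenSSH 7.3 and later, `ProxyJump test-bastion` in the `Host test-private` block is equivalent to the `ProxyCommand ssh test-bastion -W %h:%p` line and is less error-prone.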
Articles I referred to:
- Basic knowledge of SSH that you want to keep even if you are not an infrastructure engineer
- Multi-stage SSH method via bastion server
- AWS Study Group (1) / Creating a Step Server and Network