SSH connection to a private server using a bastion server on EC2

I stumbled while studying SSH connections from a bastion server to a private server on EC2, so I am posting this as my first article. As listed under [Articles that I used as a reference](https://qiita.com/fgem28/items/2c068eab3b34336147fb#%E5%8F%82%E8%80%83%E3%81%AB%E3%81%95%E3%81%9B%E3%81%A6%E3%81%84%E3%81%9F%E3%81%A0%E3%81%84%E3%81%9F%E8%A8%98%E4%BA%8B), there are many other articles on Qiita about this, so please refer to those as well.

What I want to do

I want to create one EC2 instance in a public subnet and one in a private subnet, both in the same AZ, and configure access so that the public instance is used as a bastion (stepping stone) to reach the private one.

- Public IP of the bastion server: 3.*.*.*
- Private IP of the private server: 192.168.1.39
- Key pair created on AWS: practice.pem

What I did

For the bastion server in the public subnet, I attached the default security group plus a security group that allows SSH. For the server in the private subnet, I attached a security group, copied from default, that allows all traffic within the VPC. (A tighter rule for the private server is to allow only TCP port 22, with the bastion's security group as the source; nothing in this procedure needs more than that.)

What I could confirm

A normal SSH connection to the bastion server works. From the bastion server, ping the private server to confirm that it is up:

ping 192.168.1.39

The error

At this point the bastion server does not hold the private key, so an SSH connection from the bastion server to the private server is not possible. There are two main ways to connect:

- Upload the private key to the bastion server and use that key from there.
- Set the ProxyCommand option of ssh so that the private server can be reached in one step from outside, via the bastion server.

Putting the private key on the bastion server is not a good idea (anyone who compromises the bastion then has the key to every host behind it), so I tried the method of reaching the private server in one step from outside with the ProxyCommand option. With ProxyCommand the key never leaves my own machine: the bastion only forwards the TCP connection, and the second SSH session is authenticated end to end.

Create a new ~/.ssh/config and write the following:

~/.ssh/config

Host test-private
  # private IP of the private server
  HostName 192.168.1.39
  User ec2-user
  IdentityFile ~/.ssh/practice.pem
  # public IP of the bastion server
  ProxyCommand ssh 3.*.*.* -W %h:%p

I tried to connect with ssh, but it failed:

$ ssh test-private
Mac username@3.*.*.*: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
ssh_exchange_identification: Connection closed by remote host

What I tried

I tried various things, following several articles.

I set the permissions of ~/.ssh/config, but nothing changed:

chmod 600 ~/.ssh/config

I set the permissions of the private key, but nothing changed either:

chmod 600 ~/.ssh/practice.pem

Adding sudo gives a different error. (This is expected: sudo runs ssh as root, which reads root's own ~/.ssh/config, not mine, so the alias test-private is unknown there.)

$ sudo ssh test-private
Password:
ssh: Could not resolve hostname test-private: nodename nor servname provided, or not known

I deleted the lines starting with the same IP address from ~/.ssh/known_hosts, but nothing changed.

I tried a one-line command, but that did not work either:

$ ssh -o ProxyCommand='ssh -i ~/.ssh/practice.pem ec2-user@3.*.*.* -W 192.168.1.39' -i ~/.ssh/practice.pem ec2-user@192.168.1.39
Bad stdio forwarding specification ‘192.168.1.39’ #Private server IP
ssh_exchange_identification: Connection closed by remote host

(The first line of that error is a separate mistake: -W takes host:port, so it should have been -W 192.168.1.39:22, which is what the %h:%p tokens in the config file expand to.)

I also set the security group to allow SSH to the private server, but that did not fix it either.

At times like this, ** sleeping is the best **.

The odd part

When I woke up and looked at the output again, something was strange.

$ ssh test-private
Mac username@3.*.*.*: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
ssh_exchange_identification: Connection closed by remote host

I had overlooked it, but this error shows my Mac user name for the connection to 3.*.*.*, the bastion. It should be ec2-user (the default login for Amazon Linux). The reason is that the ProxyCommand is a second, separate ssh client: the User and IdentityFile lines in the Host test-private block apply only to the final target 192.168.1.39, not to the inner `ssh 3.*.*.*`, which therefore logs in as the local user with no key and is refused by the bastion before the private server is ever reached.

Solution

I modified ~/.ssh/config as follows:

~/.ssh/config

### Added the following block
Host test-bastion
  Hostname 3.*.*.*
  User ec2-user
  IdentityFile ~/.ssh/practice.pem
### End of added block

Host test-private
  Hostname 192.168.1.39
  User ec2-user
  IdentityFile ~/.ssh/practice.pem
  ### was the bastion's IP; changed to the test-bastion alias
  ProxyCommand ssh test-bastion -W %h:%p

The connection succeeded!

$ ssh test-private
The authenticity of host '192.168.1.39 (<no hostip for proxy command>)' can't be established.
ECDSA key fingerprint is SHA256:l98F1hMEnkNJR+9ON6GWpq/UQfpm34B62g11byAP15c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.39' (ECDSA) to the list of known hosts.

       __|  __|_  )
       _|  (     /   Amazon Linux 2 AMI
      ___|\___|___|


https://aws.amazon.com/amazon-linux-2/
[ec2-user@ip-192-168-1-39 ~]$

So the way I wrote ~/.ssh/config was the problem. I had written only one Host entry, for the final target, but the inner ssh started by ProxyCommand resolves its own host name against ~/.ssh/config too, so both hops need an entry: a "bastion → private" chain with User and IdentityFile on each. One more check worth doing: before answering yes to the host key prompt, compare the fingerprint shown with the one printed in the instance's system log (EC2 console, "Get system log"), since the connection is being relayed through another host. And giving up and going to sleep is also an effective measure.
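As an added example (not code from the original post), the script below reproduces both versions of the config file and uses `ssh -G`, which prints the configuration ssh would apply to a host without connecting to anything, to show why the one-block version fails and the two-block version works. It also stands in for the one-liner versus config-file comparison above. It assumes the documentation address 203.0.113.10 in place of the masked bastion IP 3.*.*.*; ~/.ssh/practice.pem does not need to exist because no connection is opened.

```shell
#!/bin/sh
# Added example: diagnose the bastion hop with `ssh -G` (OpenSSH 6.8+).
# Assumptions (not from the original post): bastion IP 203.0.113.10,
# and no real key file, since nothing here connects anywhere.

BASTION_IP=203.0.113.10
PRIVATE_IP=192.168.1.39
WORK=$(mktemp -d)
umask 077   # config files are created 0600, matching the post's chmod step

# First attempt from the post: one Host block. ProxyCommand starts a
# second ssh client, so User/IdentityFile here never reach the hop.
cat > "$WORK/broken.conf" <<EOF
Host test-private
  HostName $PRIVATE_IP
  User ec2-user
  IdentityFile ~/.ssh/practice.pem
  ProxyCommand ssh $BASTION_IP -W %h:%p
EOF

# The fix: the hop gets its own Host block, so the inner ssh finds its
# User and IdentityFile. OpenSSH 7.3+ also accepts "ProxyJump test-bastion"
# in place of the ProxyCommand line.
cat > "$WORK/fixed.conf" <<EOF
Host test-bastion
  HostName $BASTION_IP
  User ec2-user
  IdentityFile ~/.ssh/practice.pem

Host test-private
  HostName $PRIVATE_IP
  User ec2-user
  IdentityFile ~/.ssh/practice.pem
  ProxyCommand ssh test-bastion -W %h:%p
EOF

# resolved_user CONFIG HOST: the login name ssh would send to HOST.
# -F makes ssh read only CONFIG (and skip /etc/ssh/ssh_config), so the
# answer does not depend on the local machine's settings.
resolved_user() {
    ssh -G -F "$1" "$2" | awk '$1 == "user" { print $2 }'
}

# resolved_hostname CONFIG HOST: the address ssh would actually dial.
resolved_hostname() {
    ssh -G -F "$1" "$2" | awk '$1 == "hostname" { print $2 }'
}

# hop_ok CONFIG HOST: succeeds only if the hop would log in as ec2-user.
# With broken.conf the hop is the bare IP, matches no Host block, and gets
# the local account name: exactly the "<Mac username>@3.*.*.*: Permission
# denied (publickey,...)" line in the post.
hop_ok() {
    [ "$(resolved_user "$1" "$2")" = "ec2-user" ]
}

if command -v ssh >/dev/null 2>&1; then
    echo "broken.conf hop user : $(resolved_user "$WORK/broken.conf" "$BASTION_IP") (local account, wrong)"
    echo "fixed.conf  hop user : $(resolved_user "$WORK/fixed.conf" test-bastion) (ec2-user, right)"
    echo "fixed.conf  target   : $(resolved_user "$WORK/fixed.conf" test-private)@$(resolved_hostname "$WORK/fixed.conf" test-private)"
    echo "config files left in $WORK for inspection"
fi
```

Note that in real use the inner `ssh test-bastion` reads the default ~/.ssh/config, not the file passed with -F to the outer ssh, so both Host blocks have to live in the same file the inner client reads. Running `ssh -G test-private` against the live config before connecting would have shown the wrong `user` for the hop immediately, without any guesswork about permissions or known_hosts.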

Articles that I used as a reference

How to avoid SSH connection errors: 3 ways to remove (or not remove) a specific host from .ssh/known_hosts

Basic knowledge of SSH that you want to keep even if you are not an infrastructure engineer

Multi-hop SSH via a bastion server

AWS Study Group (1): Creating a bastion server and network
