
I set up a reverse SSH tunnel to access a node, node1, behind a NAT. I have set up an EC2 instance, myEC2, to act as the intermediary. From my laptop, when I want to access node1, I have to SSH into the EC2 in order to then SSH into the node.

The workflow is like this:

  1. In node1, make sure to run: ssh -i key.pem -R 3000:localhost:22 ubuntu@myEC2. This is always running in a service.
  2. From my laptop, SSH into the EC2: ssh ubuntu@myEC2
  3. Once inside the EC2: ssh xavier@localhost -p 3000
  4. I'm in node1!

What I'm looking for is a way of expressing that workflow in an SSH config that I can use to log in directly into node1 from my laptop. This will help me access node1 via Visual Studio Code's Remote SSH extension.

I tried something like this:

Host node1
Hostname myEC2
User ubuntu
Port 3000
IdentityFile key.pem

But that does not work; I assume it is because Port should be 22 rather than 3000. I just really don't know how to express the workflow. I have looked into ProxyJump, but I'm not sure if that is what I'm looking for and, to be honest, I haven't had success with that either.

Any suggestions are welcomed! =D


Edit #1: After following Stéphane's suggestions I ended up with an ssh_config file that looks like this:

Host myEC2
Hostname <myEC2_IP>
User ubuntu
Port 22
IdentityFile ec2_key.pem

Host node1
Hostname localhost
User xavier
Port 3000
IdentityFile /path/to/node1-id_rsa
ProxyJump ubuntu@myEC2

While I can SSH into myEC2 with no issues, I can't go into node1. My understanding is that this is supposed to be equivalent to ssh -p 3000 -J ubuntu@myEC2 xavier@localhost. Any help is greatly appreciated! This is what I get by adding the -v flag to SSH.

xaviermerino@Xaviers-MBP .ssh % ssh doc
debug1: Executing proxy command: exec ssh -l ubuntu -W '[localhost]:3000' myEC2
debug1: identity file node1-id_rsa type -1
debug1: identity file node1-id_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.1
debug1: Connecting to myEC2 [myEC2_IP_ADDRESS] port 22.
debug1: Connection established.
debug1: identity file ec2_key.pem type -1
debug1: identity file ec2_key.pem-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.2p1 Ubuntu-4ubuntu0.2
debug1: match: OpenSSH_8.2p1 Ubuntu-4ubuntu0.2 pat OpenSSH* compat 0x04000000
debug1: Authenticating to myEC2_IP_ADDRESS:22 as 'ubuntu'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:/U4HE+zUBFNZJgxDM6lWDW7FX8GSHXWYc/fMEyOvMlw
debug1: Host 'myEC2_IP_ADDRESS' is known and matches the ECDSA host key.
debug1: Found key in /Users/xaviermerino/.ssh/known_hosts:226
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: ec2_key.pem  explicit
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,[email protected],ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,[email protected]>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: ec2_key.pem
debug1: Authentication succeeded (publickey).
Authenticated to myEC2 ([IP_Address_Goes_Here]:22).
debug1: channel_connect_stdio_fwd localhost:3000
debug1: channel 0: new [stdio-forward]
debug1: getpeername failed: Bad file descriptor
debug1: Requesting [email protected]
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype [email protected] want_reply 0
debug1: Remote: /home/ubuntu/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
channel 0: open failed: connect failed: Connection refused
stdio forwarding failed
kex_exchange_identification: Connection closed by remote host

I'm not sure what this means. Does it have to do with the settings in sshd_config on the EC2? This is what I have in there:

#AllowAgentForwarding yes
#AllowTcpForwarding yes
GatewayPorts yes
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

Edit #2: Someone had turned off the computers. It now works! To summarize for whoever is looking into this, to solve it I needed:

Host myEC2
Hostname <myEC2_IP>
User ubuntu
Port 22
IdentityFile ec2_key.pem

Host node1
Hostname localhost
User xavier
Port 3000
IdentityFile /path/to/node1-id_rsa
ProxyJump ubuntu@myEC2

And that was it! Thanks @StephaneChazelas

1 Answer

You're actually using myEC2 as a jump host.

You could ssh to node1 from your laptop with:

ssh -p 3000 -J ubuntu@myEC2 xavier@localhost

The corresponding ssh_config entries would look like:

Host node1
Hostname localhost
User xavier
Port 3000
IdentityFile key.pem
ProxyJump ubuntu@myEC2

Note that the IdentityFile there is the one used for authenticating to node1. To specify one for myEC2, you'd use another Host entry for myEC2.

Stéphane Chazelas
  • Thanks for your help! Unfortunately, even after creating another `Host` entry for `myEC2` it is not working. In the `myEC2` entry, I used the `IdentityFile` that corresponds to the EC2. In the `node1` entry, I used the `IdentityFile` that corresponds to `node1`. Any ideas? I updated the question to reflect this. Thank you for your time! – Xavier Merino Oct 06 '21 at 16:05
  • @XavierMerino you missed the ProxyJump line. Does it work with `-J`? You can also add a few `-v` options if it's still not working which may give a clue as to what the problem is. – Stéphane Chazelas Oct 06 '21 at 16:30
  • thanks! I was missing that line! However it still doesn't work. It mentions a `bad file descriptor` when, I assume, it tries to redirect input. Any ideas? Can it be something related to the `sshd_config` in the EC2? I edited the question to include the output of the verbose `-v` flag. – Xavier Merino Oct 06 '21 at 17:02
  • @XavierMerino, it's the kind of verbose output you'd get if there was nothing listening on port 3000 on EC2. Are you sure the remote port forward is started and operational there? – Stéphane Chazelas Oct 06 '21 at 18:28
  • sorry. It's quite an embarrassing thing. The computers were turned off. But now it works! Thank you so much! =D – Xavier Merino Oct 06 '21 at 18:56
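As an added example (not code from the question or from Stéphane's answer), the following shell functions encode the two checks this thread converges on for the reverse-tunnel plus ProxyJump setup: reading `ssh -v` output for the `connect failed: Connection refused` that follows `channel_connect_stdio_fwd`, which means the jump host was reached and authenticated but nothing was listening on the forwarded port there (the `-R` tunnel from the NATed node is down), and reading `ss -ltn` output taken on the jump host to see whether that reverse tunnel is bound to loopback only or to every interface. The sample log lines and `ss` lines are constructed for the example, and the port 3000 and function names are assumptions taken from the question's setup.

```shell
#!/bin/sh
# Added example, not part of the original question or answer.
#
#   classify_ssh_failure PORT   <`ssh -v` output on stdin>
#       names the likely cause of a failed ProxyJump into the forwarded port
#   listener_exposure PORT      <`ss -ltn` output from the jump host on stdin>
#       reports whether the reverse tunnel listens on loopback only or on all
#       interfaces (which `GatewayPorts yes` in the jump host's sshd_config forces)

classify_ssh_failure() {
    port="$1"
    log=$(cat)
    if printf '%s\n' "$log" | grep -q "open failed: connect failed: Connection refused" \
        && printf '%s\n' "$log" | grep -q "channel_connect_stdio_fwd localhost:${port}"; then
        # Jump host reached and authenticated, but nothing accepts connections
        # on the forwarded port there: the -R tunnel from the NATed node is
        # down (node off, tunnel service not running, or wrong port).
        echo "tunnel-down:nothing-listening-on-${port}-at-jump-host"
    elif printf '%s\n' "$log" | grep -q "Permission denied (publickey"; then
        echo "auth-failed"
    elif printf '%s\n' "$log" | grep -q "Authentication succeeded"; then
        echo "ok"
    else
        echo "unknown"
    fi
}

listener_exposure() {
    port="$1"
    awk -v p="$port" '
        # ss -ltn columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
        $1 == "LISTEN" && $4 ~ (":" p "$") {
            addr = substr($4, 1, length($4) - length(p) - 1)
            if (addr == "0.0.0.0" || addr == "[::]" || addr == "*") wild = 1
            else if (addr == "127.0.0.1" || addr == "[::1]") loop = 1
        }
        END {
            if (wild)      print "all-interfaces"
            else if (loop) print "loopback-only"
            else           print "not-listening"
        }'
}

# Constructed sample of the relevant lines from a failed `ssh -v` run
SAMPLE_REFUSED='debug1: Authentication succeeded (publickey).
debug1: channel_connect_stdio_fwd localhost:3000
debug1: channel 0: new [stdio-forward]
channel 0: open failed: connect failed: Connection refused
stdio forwarding failed
kex_exchange_identification: Connection closed by remote host'

# Constructed `ss -ltn` samples: tunnel bound to loopback vs. to every interface
SAMPLE_SS_LOOPBACK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    127.0.0.1:3000    0.0.0.0:*
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*'

SAMPLE_SS_WILDCARD='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:3000      0.0.0.0:*
LISTEN 0      128    [::]:3000         [::]:*
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*'

# Demo run on the constructed samples
printf '%s\n' "$SAMPLE_REFUSED"     | classify_ssh_failure 3000
printf '%s\n' "$SAMPLE_SS_LOOPBACK" | listener_exposure 3000
printf '%s\n' "$SAMPLE_SS_WILDCARD" | listener_exposure 3000
```

On the jump host, `ss -ltn | listener_exposure 3000` is the quick way to confirm the tunnel is actually up before debugging the client side. Note that the question's sshd_config sets `GatewayPorts yes`, which makes sshd bind remote forwards such as the `-R 3000:localhost:22` tunnel to the wildcard address, so node1's SSH port is reachable by anything that can reach myEC2 on port 3000 (subject to the instance's security group), not only through the jump host. ProxyJump with `Hostname localhost` only needs the loopback binding, so the default `GatewayPorts no` is sufficient for this workflow and keeps the tunnel off the public interface.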