Port forwarding to avoid the need for certificate


I need to set up locally a tool that connects to the EC2 instance through SSH to perform profiling on the remote machine. The problem is the following: EC2 requires the use of a PEM certificate to connect, but the tool does not support certificates. Is there a way to do some port forwarding so that the tool can connect to something like localhost:2222 without a password (or at least without a certificate) and then the traffic gets redirected to the EC2?

I don't know exactly what ports are used by the tool, but for sure it can tunnel all traffic through SSH.

If you need more info, the tool is the Nvidia Nsight Compute.

I tried

ssh -L 2222:localhost:22 -i mycertificate.pem <username_ec2>@<ip_ec2>

but then

ssh <username_ec2>@localhost:2222

returns

ssh: Could not resolve hostname localhost:2222: nodename nor servname provided, or not known.

2

There are 2 answers

1
ofirule On

Fix your command to:

ssh -p 2222 <username_ec2>@localhost

but a certificate is still needed if you did the port forwarding like so:

ssh -L 2222:localhost:22 -i mycertificate.pem <username_ec2>@<ip_ec2>

I would try the following:

Run another ssh server which listens only on localhost, and doesn't require a certificate, on another port, e.g. 2222. See instructions

and then I would port forward to it like so:

ssh -L 2222:localhost:2222 -i mycertificate.pem <username_ec2>@<ip_ec2>

and ssh to it the same way:

ssh -p 2222 <username_ec2>@localhost
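The second, localhost-only SSH server described in this answer, sketched as an added example that is not part of the original answer: it writes a config for the extra sshd and checks that the password-authenticated port is bound to loopback only. The file path, the PidFile location and the user name "profiler" are assumptions.

```shell
#!/bin/sh
# Added example. Paths, port and the user "profiler" are assumptions.

# Write a config for a second sshd on the EC2 host that accepts passwords
# but is reachable only through the existing key-authenticated tunnel.
# $1 = output file, $2 = port, $3 = the single user allowed to log in
write_local_sshd_config() {
    cat > "$1" <<EOF
Port $2
ListenAddress 127.0.0.1
PasswordAuthentication yes
PubkeyAuthentication no
PermitRootLogin no
AllowUsers $3
PidFile /run/sshd-local-$2.pid
EOF
}

# Succeed only if the config has at least one ListenAddress and every one
# is a loopback address. With no ListenAddress at all, sshd listens on all
# interfaces, which would expose the password login to the network.
# $1 = config file
loopback_only() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "listenaddress" {
            seen = 1
            if ($2 !~ /^(127\.[0-9.]+|localhost|::1|\[::1\])(:[0-9]+)?$/) bad = 1
        }
        END { exit (seen && !bad) ? 0 : 1 }
    ' "$1"
}

# Usage on the EC2 host (as root):
#   write_local_sshd_config /etc/ssh/sshd_config_local 2222 profiler
#   loopback_only /etc/ssh/sshd_config_local || echo "refusing: not loopback-only"
#   /usr/sbin/sshd -t -f /etc/ssh/sshd_config_local   # syntax check
#   /usr/sbin/sshd -f /etc/ssh/sshd_config_local      # start second instance
```

Any local account on the instance can reach 127.0.0.1:2222, so the AllowUsers line and a strong password on that one account still matter, as does leaving port 2222 closed in the instance's security group.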
0
TheFunk On

You can do this with a TCP reverse proxy. A reverse proxy is useful for other high level protocols as well, and can be shared and used by multiple servers/services as well. I make use of one personally as it helped me to consolidate my DMZ a bit. I've used HAProxy and NGINX for this sort of thing in the past. Since you're not using HTTP here you'll want to make sure the proxy is running in TCP mode for the specific frontend and backend that will be used for this connection. The proxy can forward traffic and apply or strip a certificate as you see fit.