Unable to set up ssh config remote forwarding from Local --> Bastion --> EC2


Overview

I'm trying to configure ~/.ssh/config to connect my local VSCode to remote (EC2). I've done a lot of testing and can't understand why situation one is working and others are failing. I'm able to get RemoteCommand to work successfully for ssh'ing into EC2 instance after ssh'ing into BastionHost, however I'm unable to achieve the same with ProxyJump or ProxyCommand. VSCode doesn't list the EC2 filesystem when using the RemoteCommand example (just gets to BastionHost), so thinking I'll need to resolve to either ProxyJump/ProxyCommand based on most of the documentation.

I've tried to follow the instructions here exactly along with trying out different approaches from other articles to no avail.

##WORKS
Host dev-ec2
  HostName 10.248.000.206
  User meme1
  RemoteCommand ssh 10.248.000.201
  RequestTTY yes
  IdentityFile ~/.ssh/mykey

##WORKS
Host bastion-dev
  HostName 10.248.000.206
  User meme1
  IdentityFile ~/.ssh/mykey
  RequestTTY yes

##FAILS (times out)
Host dev-ec2-proxycommand
  HostName 10.248.000.201
  User meme1
  ProxyCommand ssh.exe bastion-dev -W %h:%p

##FAILS (Permission denied on public key, even though no issue in the RemoteCommand example)
Host ec2-dev-proxyjump
  HostName 10.248.000.201
  User meme1
  ProxyJump bastion-dev
  IdentityFile ~/.ssh/mykey

System Info

OS: Windows 10
Bastion OS: Linux (Amazon Linux AMI)

Disclaimer

I've been trolling StackOverflow and other forums for the past couple days to no avail, and although I've found similar questions none have provided viable answers for resolving.

There is 1 answer

Azize On

I suppose the one below is failing because you are using a Windows command on your bastion, which is Linux.
The command ssh.exe will not work on Linux. Everything that you put in ProxyCommand will run inside your bastion host, which in your case is a Linux OS.

Also make sure your instance's Security Group allows connections from the bastion IP, not from your computer.

##FAILS (times out)
Host dev-ec2-proxycommand
  HostName 10.248.000.201
  User meme1
  ProxyCommand ssh.exe bastion-dev -W %h:%p

I have the config below in my ~/.ssh/config file and it works fine for me to connect to my instance behind the bastion host.

Bastion IP: 172.31.4.238
Host IP (behind bastion): 172.31.11.98

Host 172.31.11.98
  HostName 172.31.11.98
  User ec2-user
  ProxyCommand ssh -W %h:%p [email protected]

See it below

$ ssh 172.31.11.98
The authenticity of host '172.31.11.98 (<no hostip for proxy command>)' can't be established.
ECDSA key fingerprint is SHA256:vy....
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '172.31.11.98' (ECDSA) to the list of known hosts.

       __|  __|_  )
       _|  (     /   Amazon Linux 2 AMI
      ___|\___|___|

https://aws.amazon.com/amazon-linux-2/
[ec2-user@ip-172-31-11-98 ~]$
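
Added example (not part of the question or the answer): a Python sketch that reads Host blocks like the ones in the question and lists, for each login, which machine runs ssh and therefore where the private key has to be. With ProxyJump the local client authenticates to both the bastion and the EC2 instance, while with `RemoteCommand ssh ...` the second login is made from the bastion. The sample config is constructed from the question's blocks, the function names are hypothetical, and the parser handles only plain (non-wildcard) Host blocks.

```python
# Constructed sample modelled on the question's Host blocks (addresses as posted).
SAMPLE_CONFIG = """
Host bastion-dev
  HostName 10.248.000.206
  IdentityFile ~/.ssh/mykey
Host ec2-dev-proxyjump
  HostName 10.248.000.201
  ProxyJump bastion-dev
  IdentityFile ~/.ssh/mykey
Host dev-ec2
  HostName 10.248.000.206
  RemoteCommand ssh 10.248.000.201
  IdentityFile ~/.ssh/mykey
"""

def parse_config(text):
    """Return {alias: {keyword: value}} for plain (non-wildcard) Host blocks."""
    hosts, current = {}, []
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            current = [hosts.setdefault(alias, {}) for alias in value.split()]
        else:
            for block in current:
                block.setdefault(key, value)  # simplification: keep first value seen
    return hosts

def auth_plan(hosts, alias):
    """Return (machine running ssh, destination, key source) for every login."""
    opts = hosts.get(alias, {})  # a ProxyJump hop may be a literal host, not an alias
    plan = []
    for hop in filter(None, opts.get("proxyjump", "").split(",")):
        plan += auth_plan(hosts, hop.strip())  # each hop uses its own Host block
    dest = opts.get("hostname", alias)
    # The local client authenticates to every ProxyJump hop and to the target.
    plan.append(("local", dest, opts.get("identityfile", "default identities")))
    remote = opts.get("remotecommand", "").split()
    if remote[:1] == ["ssh"]:
        # The inner ssh runs on `dest`, so it uses keys stored or forwarded there.
        plan.append((dest, remote[-1], "keys or agent on " + dest))
    return plan

if __name__ == "__main__":
    for name in ("ec2-dev-proxyjump", "dev-ec2"):
        print(name, auth_plan(parse_config(SAMPLE_CONFIG), name))
```

If the ProxyJump plan shows the target login coming from `local`, the public half of that local key must be in the target user's authorized_keys on the EC2 instance; a key that exists only on the bastion is never offered.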