SSH Proxy Server

Todd Murchison edited this page Sep 22, 2015 · 5 revisions

Steps to set up an SSH proxy/bastion server

  1. Launch an Amazon Linux instance in a publicly accessible subnet within your VPC
  2. Associate an EIP (or public IP) with the new instance
  3. Assign the instance a strict IAM role policy
  4. The instance security group should only permit SSH from your location
  5. Perform a yum update and harden the OS (turn off unneeded services, enable SELinux, etc.)

Setting up your local SSH config

ProxyCommand ssh -i <proxy_pem_key> -W %h:%p ec2-user@<proxy_public_EIP_address>

Example ~/.ssh/config file:

# Proxy for my private subnets: vpc-9871c123 10.10.0.0/16
Host 10.10.*
    ProxyCommand ssh -i ~/aws/keys/bastion.pem -W %h:%p ec2-user@54.174.198.212
#

Logging into an instance located in a private subnet

ssh -l ec2-user -i <private_instance_pem_key> <private_instance_ip_address>

Example:

ssh -l ec2-user -i ~/aws/keys/my-keys.pem 10.10.245.42
Last login: Tue Jan 13 20:25:51 2015 from ip-10-10-244-4.ec2.internal

       __|  __|_  )
       _|  (     /   Amazon Linux AMI
      ___|\___|___|
...
[ec2-user@ip-10-10-245-42 ~]$ 

Adding a pem key to your keychain (Mac OS)

ssh-add ~/aws/keys/my-keys.pem
Identity added: /Users/Dude/aws/keys/my-keys.pem (/Users/Dude/aws/keys/my-keys.pem)

Listing the keys in your keychain

ssh-add -l
2048 65:6d:9d:38:7d:7d:d8:bd:33:25:59:86:b7:c6:53:17 /Users/Dude/.ssh/id_rsa (RSA)
2048 40:e8:90:bd:c5:46:d4:08:b4:91:6f:5e:13:e0:c7:5a /Users/Dude/aws/keys/my-keys.pem (RSA)

Logging back into your private instance

Example:

ssh -l ec2-user 10.10.245.42
Last login: Tue Jan 13 20:54:26 2015 from ip-10-10-244-4.ec2.internal

       __|  __|_  )
       _|  (     /   Amazon Linux AMI
      ___|\___|___|
...
[ec2-user@ip-10-10-245-42 ~]$ 

Removing a pem key from your keychain

Note: ssh-add -d identifies the key to remove by its public key file, so the .pub file is required.

ssh-add -d ~/aws/keys/my-keys.pub
Identity removed: /Users/Dude/aws/keys/my-keys.pub (my-keys)

Other notes:

Specify the proxy via the "-o" ssh option (equivalent to the ProxyCommand line in ~/.ssh/config, for a one-off connection):

ssh -l ec2-user -i <private_instance_pem_key> <private_instance_ip_address> -o ProxyCommand="ssh -i ~/aws/keys/bastion.pem -W %h:%p ec2-user@<proxy_ip_address>"
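The following script is an added example and is not part of the original wiki page. It generates the kind of ~/.ssh/config stanza shown above (both the Host pattern form and the ad-hoc "-o ProxyCommand" form resolve to the same ProxyCommand line) and then checks the security properties a bastion setup should keep: each stanza pins its key with IdentitiesOnly so the client does not offer every key in the agent to the bastion, agent forwarding is off so the bastion never holds a usable agent socket, and the hop is done with "ssh -W" (stdio forwarding), so the private instance's key is used only on the local machine. The bastion address 203.0.113.10, the key paths and the subnet pattern are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example, not from the original page. Generates a bastion-aware SSH
# config stanza and verifies its hardening directives. All addresses and
# key paths below are placeholders.

# Usage: write_bastion_config <config_file> <host_pattern> <bastion_key> <bastion_ip> <instance_key>
write_bastion_config() {
    cfg=$1; pattern=$2; bkey=$3; bip=$4; ikey=$5
    cat > "$cfg" <<EOF
# Bastion host: pinned identity, no agent forwarding
Host bastion
    HostName $bip
    User ec2-user
    IdentityFile $bkey
    IdentitiesOnly yes
    ForwardAgent no

# Private-subnet hosts: reached through the bastion with -W (stdio forwarding),
# so the instance key is only ever read on the local machine.
Host $pattern
    User ec2-user
    IdentityFile $ikey
    IdentitiesOnly yes
    ForwardAgent no
    ProxyCommand ssh -i $bkey -W %h:%p ec2-user@$bip
EOF
    chmod 600 "$cfg"
}

# Returns 0 when every Host stanza pins its key, refuses agent forwarding,
# and the private-subnet hop uses -W rather than a nested shell on the bastion.
check_bastion_config() {
    cfg=$1
    [ -f "$cfg" ] || return 1
    stanzas=$(grep -c '^Host ' "$cfg" || true)
    pinned=$(grep -c '^ *IdentitiesOnly yes' "$cfg" || true)
    noagent=$(grep -c '^ *ForwardAgent no' "$cfg" || true)
    [ "$stanzas" -gt 0 ] || return 1
    [ "$stanzas" -eq "$pinned" ] || return 1
    [ "$stanzas" -eq "$noagent" ] || return 1
    grep -q '^ *ProxyCommand ssh .* -W %h:%p ' "$cfg" || return 1
    return 0
}

# Shows how the OpenSSH client resolves the config for a private host
# (ssh -G prints the effective options without connecting); informational only.
show_resolved() {
    cfg=$1; host=$2
    if command -v ssh >/dev/null 2>&1; then
        ssh -G -F "$cfg" "$host" | grep -Ei '^(proxycommand|identitiesonly|forwardagent|identityfile) '
    else
        echo "ssh not installed; skipping resolution for $host"
    fi
}

# Stand-alone run: write a temporary config, check it, and show the resolved options.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    tmpcfg=$(mktemp)
    write_bastion_config "$tmpcfg" '10.10.*' '~/aws/keys/bastion.pem' '203.0.113.10' '~/aws/keys/my-keys.pem'
    if check_bastion_config "$tmpcfg"; then
        echo "config OK: $tmpcfg"
    else
        echo "config FAILED hardening checks: $tmpcfg"
    fi
    show_resolved "$tmpcfg" 10.10.245.42
    rm -f "$tmpcfg"
fi
```

Append the generated stanza to ~/.ssh/config (or point ssh at it with -F) and the page's "ssh -l ec2-user 10.10.245.42" works unchanged; the check function is what you would run in a dotfiles test to catch someone re-enabling ForwardAgent or dropping IdentitiesOnly later.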