SSH Proxy Server
Todd Murchison edited this page Sep 22, 2015
Steps to set up an SSH proxy/bastion server
- Launch an AWS Linux instance in a publicly accessible subnet within your VPC
- Associate an EIP (or public IP) with the new instance
- Assign the instance to a strict IAM Role policy
- The instance security group should only permit SSH from your location
- Perform a yum update and harden the OS (turn off unneeded services, enable SELinux, etc.)
Setting up your local SSH config
ProxyCommand ssh -i <proxy_pem_key> -W %h:%p ec2-user@<proxy_public_EIP_address>
Example ~/.ssh/config file:
# Proxy for my private subnets: vpc-9871c123 10.10.0.0/16
Host 10.10.*
ProxyCommand ssh -i ~/aws/keys/bastion.pem -W %h:%p ec2-user@54.174.198.212
#
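As an added example (not from the original wiki page), a POSIX shell helper that prints the Host stanza shown above for a given subnet pattern, bastion key and bastion login, plus a check that a key file is readable by its owner only, which ssh requires before it will use the key. The paths and address passed in are constructed placeholders; ForwardAgent and IdentitiesOnly are standard ssh_config keywords added on top of the page's stanza.

```shell
#!/bin/sh
# Added example, not the wiki page's own code.

# bastion_stanza PATTERN KEY USER@HOST
# Prints a Host block whose ProxyCommand opens a stdio tunnel (-W) through the
# bastion. The private instance's key is only ever read on the workstation;
# nothing needs to be copied onto the bastion.
bastion_stanza() {
    pattern=$1; key=$2; target=$3
    printf 'Host %s\n' "$pattern"
    printf '    ProxyCommand ssh -i %s -W %%h:%%p %s\n' "$key" "$target"
    # The -W tunnel needs no agent on the bastion, so do not forward it there.
    printf '    ForwardAgent no\n'
    # Offer only the key configured for this host, not every key the agent holds.
    printf '    IdentitiesOnly yes\n'
}

# key_is_private PATH
# Returns 0 if PATH is a regular file with mode 0400 or 0600 (owner only);
# ssh refuses a private key that group or others can read.
key_is_private() {
    [ -f "$1" ] || return 1
    # GNU stat first, then the BSD/macOS form.
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null)
    case "$mode" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}

# Example use with the same placeholder values as the wiki page.
bastion_stanza '10.10.*' /home/dude/aws/keys/bastion.pem ec2-user@54.174.198.212
```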
Logging into an instance located in a private subnet
ssh -l ec2-user -i <private_instance_pem_key> <private_instance_ip_address>
Example:
ssh -l ec2-user -i ~/aws/keys/my-keys.pem 10.10.245.42
Last login: Tue Jan 13 20:25:51 2015 from ip-10-10-244-4.ec2.internal
__| __|_ )
_| ( / Amazon Linux AMI
___|\___|___|
...
[ec2-user@ip-10-10-245-42 ~]$
Adding a pem key to your keychain (Mac OS)
ssh-add ~/aws/keys/my-keys.pem
Identity added: /Users/Dude/aws/keys/my-keys.pem (/Users/Dude/aws/keys/my-keys.pem)
Listing the keys in your keychain
ssh-add -l
2048 65:6d:9d:38:7d:7d:d8:bd:33:25:59:86:b7:c6:53:17 /Users/Dude/.ssh/id_rsa (RSA)
2048 40:e8:90:bd:c5:46:d4:08:b4:91:6f:5e:13:e0:c7:5a /Users/Dude/aws/keys/my-keys.pem (RSA)
Logging back into your private instance
Example:
ssh -l ec2-user 10.10.245.42
Last login: Tue Jan 13 20:54:26 2015 from ip-10-10-244-4.ec2.internal
__| __|_ )
_| ( / Amazon Linux AMI
___|\___|___|
...
[ec2-user@ip-10-10-245-42 ~]$
Removing a pem key from your keychain
Note: The public key is required to remove it from the keychain.
ssh-add -d ~/aws/keys/my-keys.pub
Identity removed: /Users/Dude/aws/keys/my-keys.pub (my-keys)
Other notes:
Specify the proxy via the "-o" ssh option
ssh -l ec2-user -i <private_instance_pem_key> <private_instance_ip_address> -o ProxyCommand="ssh -i ~/aws/keys/bastion.pem -W %h:%p ec2-user@<proxy_ip_address>"