Unable to ssh using ProxyJump but it works with ssh -J

My question is: How do I set up a bastion host for ssh on AWS using an ubuntu instance?

I can do the following with success:

root@e183d80cdabc# ssh -J [email protected] [email protected]
Last login: Sat Sep  4 13:14:17 2021 from 10.240.0.30
==> SUCCESS! ==> ubuntu@ip-10-240-0-20:~$

But it fails when I try the ~/.ssh/config file approach. Commands used:

# ssh 10.240.0.20
# ssh [email protected]
# ssh -i ~/.ssh/id_rsa [email protected]

ssh: connect to host 10.240.0.20 port 22: Connection refused

My ~/.ssh/config looks like this:

root@e183d80cdabc# cat $HOME/.ssh/config
Host bastion
  HostName 54.170.186.144
Host remote
  HostName 10.240.0.20
  ProxyJump bastion

I am running ubuntu on AWS as follows:

ubuntu@ip-10-240-0-30:~$ cat /etc/os-release
NAME="Ubuntu"
VERSION="20.04.2 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.2 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal

I have tried adding the User ubuntu field but this does not help.

My /etc/ssh/ssh_config on the server looks like this:

Host *
    ForwardX11Trusted yes
    IdentityFile ~/.ssh/id_rsa
    Port 22
    SendEnv LANG LC_*
    HashKnownHosts yes
    GSSAPIAuthentication yes

UPDATE: I am now using the verbose option, i.e.

root@e183d80cdabc# ssh -vvv 10.240.0.20
OpenSSH_8.2p1 Ubuntu-4ubuntu0.3, OpenSSL 1.1.1f  31 Mar 2020
debug1: Reading configuration data /root/.ssh/config
debug1: /root/.ssh/config line 2: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug2: resolve_canonicalize: hostname 10.240.0.20 is address
debug2: ssh_connect_direct
debug1: Connecting to 10.240.0.20 [10.240.0.20] port 22.
debug1: connect to address 10.240.0.20 port 22: Connection refused
ssh: connect to host 10.240.0.20 port 22: Connection refused

It appears not to be using any jump host (i.e. it skips the bastion) and is going directly, and FAILS.

Any ideas greatly appreciated! Thank You

=========================================================

UPDATE 2021-09-04 15:44 - with SOLUTION. Thanks all, I have marked the answer below as accepted.

The correct config does not use HostName, as the matching is done on Host. I was also able to include a wildcard on the ip address, which is what I was really after.

ssh config

root@e183d80cdabc# cat $HOME/.ssh/config
Host bastion
  HostName 63.33.206.201
  User ubuntu
Host 10.240.0.*
  ProxyJump bastion
  User ubuntu

And voila!

# ssh 10.240.0.20
...
ubuntu@ip-10-240-0-20:~$

The matching is done on the Host stanza, not on HostName.

Try:

ssh ubuntu@remote

The difference between your command line

ssh -J [email protected] [email protected]

and what I recommend you do to reference your configuration

ssh remote

is that the latter has neither the IPs nor the user to log in to on either machine on the command line - you have to edit your ssh configuration to include all the information you are no longer passing on the command line:

# $HOME/.ssh/config
### The Bastion Host
Host bastion
  HostName 54.170.186.144
  User ubuntu

### The Remote Host
Host remote
  HostName 10.240.0.20
  User ubuntu
  ProxyJump bastion

Update: While yes, in theory you can configure your Host stanzas to match IP addresses, I recommend against doing so.

If a host is not directly reached with a certain IP address, then it should be referred to by name - just imagine what happens when you have the same (private) IP space assigned to multiple hosts, you could not possibly assign the correct ProxyJump configuration for each.

Another case where using addresses to refer to hosts is unfavourable is hosts reachable via multiple address families: if a host is reachable through IPv4 and IPv6, you probably want your ssh connection to remain protocol-agnostic and only add a flag when you really mean to limit the (automatic) choice.
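To make the point of the question's solution and this answer concrete, here is an added example (not part of the original post or answer, and not OpenSSH code) that models how the client picks options for `ssh <target>`: the name typed on the command line is matched against the Host patterns, never against HostName, and the first value obtained for each keyword wins. The two configs are copied from the question; the third one (`Host *` placed first) and the `$LOCAL_USER` placeholder for the default login name are constructed for illustration. Only Host stanzas, `Keyword value` lines and the `*`, `?` and `!` pattern characters are modelled; Match, Include, CanonicalizeHostname, %-tokens and port syntax in ProxyJump are left out. Against a real config, the authoritative check is `ssh -G <target>`, which prints the same effective options without connecting.

```python
"""Model of OpenSSH client-config resolution (added example, not OpenSSH code).

Shows why `ssh 10.240.0.20` bypassed `Host remote` but honoured `Host 10.240.0.*`.
Handles Host stanzas, `Keyword value` lines and '*', '?', '!' patterns only.
"""
from fnmatch import fnmatchcase

LOCAL_USER = "$LOCAL_USER"  # placeholder for the local login name ssh would default to

# Configs copied from the question: the one that failed and the one that worked.
BROKEN_CONFIG = """
Host bastion
  HostName 54.170.186.144
Host remote
  HostName 10.240.0.20
  ProxyJump bastion
"""

FIXED_CONFIG = """
Host bastion
  HostName 63.33.206.201
  User ubuntu
Host 10.240.0.*
  ProxyJump bastion
  User ubuntu
"""


def host_pattern_matches(pattern_list, target):
    """ssh_config Host matching: patterns separated by spaces or commas, '*' and
    '?' wildcards, leading '!' negates.  A matching negated pattern vetoes the
    stanza even if another pattern matched.  The target is the name typed on
    the command line, never the HostName value.  (fnmatch also interprets
    '[...]', which ssh does not; avoid brackets in patterns.)"""
    matched = False
    for pat in pattern_list.replace(",", " ").split():
        if pat.startswith("!"):
            if fnmatchcase(target, pat[1:]):
                return False
        elif fnmatchcase(target, pat):
            matched = True
    return matched


def parse_ssh_config(text):
    """Return [(host_pattern, {keyword: value})] in file order.  Keywords are
    case-insensitive; lines before the first Host stanza apply to every host."""
    stanzas = [("*", {})]
    for raw in text.splitlines():
        line = " ".join(raw.split("#", 1)[0].split())  # drop comments, squash whitespace
        if not line:
            continue
        key, _, value = line.partition(" ")
        key = key.lower()
        if key == "host":
            stanzas.append((value, {}))
        else:
            stanzas[-1][1][key] = value
    return stanzas


def effective_options(config, target):
    """Resolve what `ssh <target>` would use, as `ssh -G <target>` reports it:
    walk stanzas in file order and keep the FIRST value obtained per keyword,
    so earlier stanzas win and a `Host *` at the top beats later specifics."""
    result = {}
    for pattern, options in parse_ssh_config(config):
        if host_pattern_matches(pattern, target):
            for key, value in options.items():
                result.setdefault(key, value)
    result.setdefault("hostname", target)  # no HostName: connect to the name as typed
    return result


def connection_path(config, target, _depth=0):
    """Hops ssh would take to reach `target`, as (user, hostname) pairs from the
    first jump host to the destination.  Each ProxyJump entry is itself looked
    up in the same config, as OpenSSH does for the nested `ssh -W` it runs."""
    if _depth > 8:
        raise ValueError("ProxyJump loop")
    opts = effective_options(config, target)
    hops = []
    for hop in opts.get("proxyjump", "").split(","):
        hop = hop.strip()
        if not hop or hop.lower() == "none":
            continue
        user, _, name = hop.rpartition("@")  # user@jump overrides the jump host's User
        sub = connection_path(config, name, _depth + 1)
        if user:
            sub[-1] = (user, sub[-1][1])
        hops.extend(sub)
    hops.append((opts.get("user", LOCAL_USER), opts["hostname"]))
    return hops


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        for target in ("10.240.0.20", "remote"):
            print(f"{label:6} ssh {target:12} -> {connection_path(cfg, target)}")
```

With the broken config, `ssh 10.240.0.20` matches no stanza but the implicit `Host *`, so the path is a single direct hop to 10.240.0.20, exactly what the `ssh -vvv` output in the question shows; `ssh remote` does go through the bastion, but with the local login name (root in the question) because no User is set. With the fixed config, any 10.240.0.x address is routed through the bastion as ubuntu. Note also that a `Host *` block with defaults placed at the top of the file silences later, more specific stanzas for the same keywords, which is the most common surprise after the Host/HostName confusion.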