qoomon / aws-ssm-ec2-proxy-command Goto Github PK

View Code? Open in Web Editor NEW

213.0 10.0 73.0 98 KB

AWS SSM EC2 SSH Proxy Command

License: MIT License

Shell 58.17% PowerShell 41.83%

ssh aws-cli aws-ssm ssh-proxy-command ec2 aws security

aws-ssm-ec2-proxy-command's Introduction

aws-ssm-ec2-proxy-command

Open an SSH connection to your ec2 instances via AWS SSM without the need to open any ssh port in you security groups.

ⓘ Prefer ec2-instance-connect implementation if possible

ⓘ Windows users please refere to README.windows.md

Prerequisits

Local Setup
- Install AWS CLI
  - MacOS brew install awscli
- Install AWS CLI Session Manager Plugin
  - MacOS brew install session-manager-plugin
Ensure Your IAM Permissions
- IAM Policy Example
- ssm:StartSession for DocumentName: AWS-StartSSHSession and Target Instance
  - AWS Documentation
- ssm:SendCommand for DocumentName: AWS-RunShellScript and Target Instance
  - AWS Documentation
Target Instance Setup
- Ensure SSM Permissions fo Target Instance Profile
- Ensure SSM Agent is installed (preinstalled on all AWS Linux AMIs already)
  - Install SSM Agent on Linux Instances
    - yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm & service amazon-ssm-agent restart
  - SSM Agent on Windows Instances

Install SSH Proxy Command

Move proxy command script aws-ssm-ec2-proxy-command.sh to ~/.ssh/aws-ssm-ec2-proxy-command.sh
Ensure it is executable (chmod +x ~/.ssh/aws-ssm-ec2-proxy-command.sh)

Setup SSH Config [optional]

Add ssh config entry for aws ec2 instances to your ~/.ssh/config. Adjust key file path if needed.

host i-* mi-*
  IdentityFile ~/.ssh/id_rsa
  ProxyCommand ~/.ssh/aws-ssm-ec2-proxy-command.sh %h %r %p ~/.ssh/id_rsa.pub
  StrictHostKeyChecking no

Open SSH Connection

Ensure AWS CLI environemnt variables are set properly e.g.
- export AWS_PROFILE=default or AWS_PROFILE=default ssh ... <INSTACEC_USER>@<INSTANCE_ID>
If default region does not match instance region you need to provide it
- e.g. <INSTACEC_USER>@<INSTANCE_ID>--<INSTANCE_REGION>

SSH Command with SSH Config Setup

ssh <INSTACEC_USER>@<INSTANCE_ID>

e.g. ssh ec2-user@i-1234567890

SSH Command with ProxyCommand CLI Option

ssh <INSTACEC_USER>@<INSTANCE_ID> \
  -i "~/.ssh/id_rsa" \
  -o ProxyCommand="~/.ssh/aws-ssm-ec2-proxy-command.sh %h %r %p ~/.ssh/id_rsa.pub"

Recommended Usage of `ec2-instance-connect:SendSSHPublicKey`

The advantage from a security perspective is that you don't need to grant ssm:SendCommand to users and there by the permission to execute everything as root. Instead you only grant ec2-instance-connect:SendSSHPublicKey permission to a specific instance user e.g. ec2-user.

Ensure Prerequisits
Follow Install Guide
- Use this aws-ssm-ec2-proxy-command.sh proxy command script instead
- Use this IAM Policy Example instead
  - ssm:StartSession for DocumentName: AWS-StartSSHSession and Target Instance
    - AWS Documentation
  - ec2-instance-connect:SendSSHPublicKey
    - AWS Documentation
    - You may need to adjust ec2:osuser to match your needs. Default is ec2-user

aws-ssm-ec2-proxy-command's People

Contributors

Stargazers

Watchers

aws-ssm-ec2-proxy-command's Issues

Powershell script does not work

When trying to ssh using the ps1 script, I received an error:

usage: aws [options] <command> <subcommand> [<subcommand> ...] [parameters]
To see help text, you can run:

  aws help
  aws <command> help
  aws <command> <subcommand> help

Unknown options: -p, &&, cd, ~ubuntu/.ssh, ||, exit, 1

And this is the error message from AWS run command:

sleep: invalid time interval ‘\r’

Try 'sleep --help' for more information.

mv: cannot stat '.authorized_keys': No such file or directory

failed to run commands: exit status 1

SSH config:

Host i-* mi-*
  IdentityFile ~/.ssh/id_rsa
  ProxyCommand powershell.exe ~/.ssh/aws-ssm-ec2-proxy-command.ps1 %h %r %p ~/.ssh/id_rsa.pub
  StrictHostKeyChecking no

ec2-instance-connect does not support ed25519

Recent changes suggest to create a ed25519 key. This type of key is not actually supported by ec2-instance-connect and make the script to fail with the following error:

Parameter validation failed:
Invalid length for parameter SSHPublicKey, value: 81, valid min length: 256
kex_exchange_identification: Connection closed by remote host

References from AWS docs and GitHub issues:

@codesync-dev could you move your question to a separate issue?

Originally posted by @qoomon in #11 (comment)

Hello, I wasn't sure where to ask this question.

With this github repository, how are you replacing the requirement to use a private key (access_key.pem for example) when establishing an SSH connection with an EC2 host?
For instance, I typically have to run the command if I want to do a port forward from my local machine:
ssh ec2-user@i-xxx-NL 5000:redis.cache.amazonaws.com:6379 -i access_key.pem -v

I would run the above command after running something like:
aws ssm start-session --target i-xxx and I am able to do that because of the changes to my $HOME/.ssh/config file.

I'm looking to do away with requiring the use of a .pem file, if that is possible. I didn't see it in your ssh script, so just curious how that is being handled. Also, could you discuss why a public key is required to be uploaded?

Consider applying a license

Hello, and thanks for this.
Would you consider applying a license or a public domain dedication to this repository?

I ask because, as a user in an academic environment, my projects come (as a matter of routine) under scrutiny for copyright compliance and plagiarism. Having a license or dedication is very useful when this happens.

No longer pushes authorized key after change on 5/11/2021

The SSM to push the authorized key was changed from cd ~${ssh_user}/.ssh to cd $_ but it needs to be escaped

ProxyCommand doesn't work without prior direct log in via (aws ssm start-session --target i-instance)

Hello.

First I'd like to say thanks for this script it has helped me. Second, I'm aware I may actually be facing some configuration issues on my instance here, but wanted to ask the question in case you can shed light on something.

I wrote a script to generate the .ssh/config using our server names for easier location of the box. This is for easier tab-completion when figuring out which box you want to log in to. The entries look like this:

Host core-api-demo-application-server2
  ProxyCommand bash -c "/Users/jhirn/src/tflow/core_api/bin/aws/ssh_via_ssm.sh i-0..... %r %p ~/.ssh/id_rsa.pub"
  StrictHostKeyChecking no
  IdentityFile ~/.ssh/id_rsa
  User jhirn # or ssm-user, see below

I've added User so I log in as myself and this works just fine. However, we have some users that are not preconfigured on the machines and still need SSH, so I've switched this from jhirn to ssm-user which is the base account used when doing aws ssm start-session. Logging in as jhirn works, but only if I've previous logged into the machine directly with aws ssm start-session --target XXX) at least once. When I do this, I'm logged in as ssm-user. If I log into the machine as myself prior do doing so, I actually get No passwd entry for user 'ssm-user' if I try to sudo su - ssm-user. That kind of makes sense for why it's not working, but I'm just curious why AWS-StartSSHSession via command line logs in the ssm-user just fine, but not via ProxyCommand without a prior login. Also curious if there's a way to make the AWS-RunSHellScript script create the user when copying the key so the ProxyCommand script will just work. I could just create the ssm-user but want to make sure it's done in the same way aws ssm start-session would do it.

Happy to provide more details such as ssh -v output. I have a hunch the AWS-RunShellScript to copy the key may be failing, or that it could be enhanced to add the ssm-user if they don't already exist, but a bit stumped atm.

Thanks!

support for custom ssh'key pair doesn't seem to work

Thanks for this script.
It works using the default id_rsa key pair.

However, if I use any other ssh private/public key pair than the default id_rsa, it doesn't seem to work:

Host i-* mi-*
  IdentityFile ~/.ssh/name-of-custom-key
  ProxyCommand ~/.ssh/aws-ssm-ec2-proxy-command.sh %h %r %p ~/.ssh/name-of-custom-key.pub
  StrictHostKeyChecking no

Could it be that somewhere in the bottom of the script the custom public key should be added as extra parameter to this command?

>/dev/stderr echo "Start ssm session to instance ${ec2_instance_id}"
aws ssm start-session \
  --target "${ec2_instance_id}" \
  --document-name 'AWS-StartSSHSession' \
  --parameters "portNumber=${ssh_port}" <-- somewhere here?

ssh handshake expose on mac

Not really sure whether the words are correct.
But I found that if there's no sh -c wrap the session create command, it will expose the handshake process and cause error like: protocol mismatch

I have to use

sh -c "aws ssm start-session \
  --target "${ec2_instance_id}" \
  --document-name 'AWS-StartSSHSession' \
  --parameters "portNumber=${ssh_port}""

instead of

aws ssm start-session \
  --target "${ec2_instance_id}" \
  --document-name 'AWS-StartSSHSession' \
  --parameters "portNumber=${ssh_port}"

A 'not a tty' file generated from the proxy command

For some reasons, a new empty not a tty file is created under my current directory after I've run ssh i-XXXXXXX via this proxy script.

I'm not sure what is causing this, and it's not from the echo ... >/dev/tty line 🤔

run github actions

Hi, I first congrats a good job

I have a question it's possible run in github action ? I trying but received errors

cat: /home/runner/.ssh/id_rsa.pub: No such file or directory
kex_exchange_identification: Connection closed by remote host
Error: Process completed with exit code 255.

I need generate id_rsa.pub into the my actions ?

I exported id_rsa with

mkdir -p $HOME/.ssh
&& echo ***

$HOME/.ssh/id_rsa
&& sed -i -e "s#\\n#\n#g" $HOME/.ssh/id_rsa
&& chmod 600 $HOME/.ssh/id_rsa