
aws-ssm-ec2-proxy-command's Issues

ProxyCommand doesn't work without prior direct log in via (aws ssm start-session --target i-instance)

Hello.

First I'd like to say thanks for this script it has helped me. Second, I'm aware I may actually be facing some configuration issues on my instance here, but wanted to ask the question in case you can shed light on something.

I wrote a script to generate the .ssh/config using our server names for easier location of the box. This is for easier tab-completion when figuring out which box you want to log in to. The entries look like this:

Host core-api-demo-application-server2
  ProxyCommand bash -c "/Users/jhirn/src/tflow/core_api/bin/aws/ssh_via_ssm.sh i-0..... %r %p ~/.ssh/id_rsa.pub"
  StrictHostKeyChecking no
  IdentityFile ~/.ssh/id_rsa
  User jhirn # or ssm-user, see below

I've added User so I log in as myself and this works just fine. However, we have some users that are not preconfigured on the machines and still need SSH, so I've switched this from jhirn to ssm-user, which is the base account used when doing aws ssm start-session. Logging in as jhirn works, but only if I've previously logged into the machine directly with aws ssm start-session --target XXX at least once. When I do this, I'm logged in as ssm-user. If I log into the machine as myself prior to doing so, I actually get No passwd entry for user 'ssm-user' if I try to sudo su - ssm-user. That kind of makes sense for why it's not working, but I'm just curious why AWS-StartSSHSession via command line logs in the ssm-user just fine, but not via ProxyCommand without a prior login. Also curious if there's a way to make the AWS-RunShellScript script create the user when copying the key so the ProxyCommand script will just work. I could just create the ssm-user but want to make sure it's done in the same way aws ssm start-session would do it.

Happy to provide more details such as ssh -v output. I have a hunch the AWS-RunShellScript to copy the key may be failing, or that it could be enhanced to add the ssm-user if they don't already exist, but a bit stumped atm.

Thanks!

ssh handshake expose on mac

Not really sure whether the wording is correct, but I found that if the session-creating command isn't wrapped in sh -c, it exposes the handshake process and causes an error like: protocol mismatch

I have to use

sh -c "aws ssm start-session \
  --target "${ec2_instance_id}" \
  --document-name 'AWS-StartSSHSession' \
  --parameters "portNumber=${ssh_port}""

instead of

aws ssm start-session \
  --target "${ec2_instance_id}" \
  --document-name 'AWS-StartSSHSession' \
  --parameters "portNumber=${ssh_port}"
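As an added example (not code from the aws-ssm-ec2-proxy-command script or from this issue's author), the snippet below shows the rule behind this kind of "protocol mismatch" failure: ssh reads the server's "SSH-2.0-..." identification line from the ProxyCommand's stdout, so any status message printed there is parsed as protocol data and the handshake breaks. The function names (proxy_log, clean_proxy, leaky_proxy, stream_is_clean) are this example's own, and the real tunnel (aws ssm start-session ...) is replaced by a constructed stand-in, fake_tunnel, so it runs offline.

```shell
# Added example, not code from aws-ssm-ec2-proxy-command: a ProxyCommand-style
# wrapper that keeps stdout reserved for the SSH byte stream and a self-check
# that the pre-connection phase writes nothing there.

# Diagnostics go to stderr only; stdout belongs to the SSH transport.
proxy_log() { printf '%s\n' "$*" >&2; }

# Constructed stand-in for the tunnel: prints the first line a real sshd sends.
fake_tunnel() { printf 'SSH-2.0-constructed-stand-in\n'; }

# clean_proxy INSTANCE_ID PORT TUNNEL_CMD...
# Correct form: nothing touches stdout before the tunnel command takes it over.
clean_proxy() {
  instance_id=$1; port=$2; shift 2
  proxy_log "Start ssm session to instance $instance_id on port $port"
  "$@"
}

# leaky_proxy INSTANCE_ID PORT TUNNEL_CMD...
# The mistake: the same status line, but on stdout, ahead of the SSH stream.
leaky_proxy() {
  instance_id=$1; port=$2; shift 2
  echo "Start ssm session to instance $instance_id on port $port"
  "$@"
}

# stream_is_clean PROXY_FUNC
# Returns 0 when the first line on stdout is an SSH identification string,
# 1 when something else got there first (what the ssh client would reject).
stream_is_clean() {
  first_line=$("$1" i-constructed0000 22 fake_tunnel 2>/dev/null | head -n 1)
  case $first_line in
    SSH-*) return 0 ;;
    *) proxy_log "stdout contaminated, first line was: $first_line"; return 1 ;;
  esac
}

if stream_is_clean clean_proxy; then echo "clean_proxy: stream ok"; fi
if ! stream_is_clean leaky_proxy; then echo "leaky_proxy: handshake would fail"; fi
```

The same rule applies to anything the wrapper runs before the tunnel: a diagnostic that the aws CLI itself prints to stdout (a usage message, a pager) corrupts the channel just as surely as an echo does, which is why redirecting status lines to stderr is the safe default in a ProxyCommand.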

ec2-instance-connect does not support ed25519

Recent changes suggest creating an ed25519 key. This type of key is not actually supported by ec2-instance-connect and makes the script fail with the following error:

Parameter validation failed:
Invalid length for parameter SSHPublicKey, value: 81, valid min length: 256
kex_exchange_identification: Connection closed by remote host

References from AWS docs and GitHub issues:
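As an added example (not part of the project or of this issue), the check below runs the validation that ec2-instance-connect performs server-side on the client side first, so the failure is reported with a clear reason instead of the opaque kex_exchange_identification message. The allow-list of key types and the 256-character minimum are assumptions taken from the error text in this issue, not from AWS documentation; EIC_ALLOWED_TYPES, EIC_MIN_KEY_LEN and check_pubkey_for_eic are this example's own names, and the sample key files are constructed filler, not real keys.

```shell
# Added example, not code from aws-ssm-ec2-proxy-command: a pre-flight check on
# the public key file before the script hands it to ec2-instance-connect.
# Assumptions (from the error message in this issue, not AWS documentation):
# ssh-rsa is the accepted key type and the SSHPublicKey value must be at least
# 256 characters long.  Extend EIC_ALLOWED_TYPES if your account accepts more.

EIC_MIN_KEY_LEN=256
EIC_ALLOWED_TYPES="ssh-rsa"

# check_pubkey_for_eic FILE: prints "ok" and returns 0 when the key passes;
# otherwise prints the reason to stderr and returns 1.
check_pubkey_for_eic() {
  key_file=$1
  if [ ! -r "$key_file" ]; then
    echo "public key file not readable: $key_file" >&2
    return 1
  fi
  # A public key file is one line: "<type> <base64> [comment]".  Strip any CR
  # so a file written on Windows is measured the same way as on Linux.
  key_line=$(head -n 1 "$key_file" | tr -d '\r')
  key_type=${key_line%% *}
  case " $EIC_ALLOWED_TYPES " in
    *" $key_type "*) ;;
    *) echo "key type '$key_type' not in allow-list ($EIC_ALLOWED_TYPES)" >&2; return 1 ;;
  esac
  # The service measures the whole string it is sent, so measure the line.
  key_len=${#key_line}
  if [ "$key_len" -lt "$EIC_MIN_KEY_LEN" ]; then
    echo "key string is $key_len chars, below the minimum of $EIC_MIN_KEY_LEN" >&2
    return 1
  fi
  echo ok
}

# fake_b64 N: N copies of 'A'.  Constructed filler, NOT a real key; it only
# gives the sample files realistic lengths.
fake_b64() {
  n=$1; s=""
  while [ "$n" -gt 0 ]; do s="${s}A"; n=$((n - 1)); done
  printf '%s' "$s"
}

# Constructed sample files: an RSA-2048-sized line, an ed25519-sized line
# (the case from this issue), and an RSA-typed line that is too short.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_RSA="$SAMPLE_DIR/constructed_rsa.pub"
SAMPLE_ED25519="$SAMPLE_DIR/constructed_ed25519.pub"
SAMPLE_SHORT_RSA="$SAMPLE_DIR/constructed_short_rsa.pub"
printf 'ssh-rsa %s constructed@example\n' "$(fake_b64 372)" > "$SAMPLE_RSA"
printf 'ssh-ed25519 %s constructed@example\n' "$(fake_b64 68)" > "$SAMPLE_ED25519"
printf 'ssh-rsa %s constructed@example\n' "$(fake_b64 100)" > "$SAMPLE_SHORT_RSA"

for f in "$SAMPLE_RSA" "$SAMPLE_ED25519" "$SAMPLE_SHORT_RSA"; do
  if check_pubkey_for_eic "$f"; then echo "$f: accepted"; else echo "$f: rejected"; fi
done
```

Calling check_pubkey_for_eic on the fourth argument at the top of a proxy script turns "Invalid length for parameter SSHPublicKey" into a message that names the file and the key type, which is what a user who just regenerated their key as ed25519 needs to see.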

@codesync-dev could you move your question to a separate issue?


Originally posted by @qoomon in #11 (comment)

Hello, I wasn't sure where to ask this question.

With this github repository, how are you replacing the requirement to use a private key (access_key.pem for example) when establishing an SSH connection with an EC2 host?
For instance, I typically have to run the command if I want to do a port forward from my local machine:
ssh ec2-user@i-xxx-NL 5000:redis.cache.amazonaws.com:6379 -i access_key.pem -v

I would run the above command after running something like:
aws ssm start-session --target i-xxx and I am able to do that because of the changes to my $HOME/.ssh/config file.

I'm looking to do away with requiring the use of a .pem file, if that is possible. I didn't see it in your ssh script, so just curious how that is being handled. Also, could you discuss why a public key is required to be uploaded?

support for custom ssh key pair doesn't seem to work

Thanks for this script.
It works using the default id_rsa key pair.

However, if I use any other ssh private/public key pair than the default id_rsa, it doesn't seem to work:

Host i-* mi-*
  IdentityFile ~/.ssh/name-of-custom-key
  ProxyCommand ~/.ssh/aws-ssm-ec2-proxy-command.sh %h %r %p ~/.ssh/name-of-custom-key.pub
  StrictHostKeyChecking no

Could it be that somewhere in the bottom of the script the custom public key should be added as extra parameter to this command?

>/dev/stderr echo "Start ssm session to instance ${ec2_instance_id}"
aws ssm start-session \
  --target "${ec2_instance_id}" \
  --document-name 'AWS-StartSSHSession' \
  --parameters "portNumber=${ssh_port}" <-- somewhere here?

run github actions

Hi, first congrats on a good job

I have a question: is it possible to run this in a GitHub Action? I tried but received errors

cat: /home/runner/.ssh/id_rsa.pub: No such file or directory
kex_exchange_identification: Connection closed by remote host
Error: Process completed with exit code 255.

Do I need to generate id_rsa.pub in my action?

I exported id_rsa with

mkdir -p $HOME/.ssh \
&& echo *** > $HOME/.ssh/id_rsa \
&& sed -i -e "s#\\n#\n#g" $HOME/.ssh/id_rsa \
&& chmod 600 $HOME/.ssh/id_rsa
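As an added example (not code from the project or from this issue's author), the function below does what the echo/sed/chmod chain above does, but checks its own result: it expands the literal "\n" sequences a single-line secret carries, drops CR characters from keys pasted on Windows, writes the file with mode 600 from the start, and refuses to leave behind a file without PEM armour lines. The names write_private_key_from_env, CONSTRUCTED_KEY_SAMPLE and SAMPLE_KEY_PATH are this example's own, and the sample key text is constructed, not a real key.

```shell
# Added example, not code from aws-ssm-ec2-proxy-command: turn a private key
# stored in a CI secret back into a usable key file, and verify the result.

# write_private_key_from_env VAR_NAME DEST
# Reads the key text from environment variable VAR_NAME, expands literal "\n",
# drops CRs and blank lines, writes DEST with mode 600 and checks the PEM
# armour lines.  Prints "ok" and returns 0 on success; otherwise removes DEST,
# prints the reason to stderr and returns 1.
write_private_key_from_env() {
  var_name=$1; dest=$2
  # Only accept a plain identifier before using eval for the indirect lookup.
  case $var_name in
    ''|*[!A-Za-z0-9_]*|[0-9]*) echo "invalid variable name: $var_name" >&2; return 1 ;;
  esac
  eval "value=\${$var_name}"
  if [ -z "$value" ]; then
    echo "$var_name is empty" >&2
    return 1
  fi
  # umask in a subshell so the file is never group/world-readable, even briefly.
  # %b expands the literal \n (and \r) sequences; tr then drops real CRs.
  (umask 077; printf '%b\n' "$value" | tr -d '\r' | grep -v '^[[:space:]]*$' > "$dest")
  chmod 600 "$dest"
  first=$(head -n 1 "$dest")
  last=$(tail -n 1 "$dest")
  case $first in
    "-----BEGIN "*) ;;
    *) echo "missing PEM header in $dest" >&2; rm -f "$dest"; return 1 ;;
  esac
  case $last in
    "-----END "*) ;;
    *) echo "missing PEM footer in $dest" >&2; rm -f "$dest"; return 1 ;;
  esac
  echo ok
}

# Constructed sample: what a secret looks like after being pasted as one line
# from a Windows editor (literal \n plus \r).  Not a real key.
CONSTRUCTED_KEY_SAMPLE='-----BEGIN OPENSSH PRIVATE KEY-----\r\nAAAAconstructedNOTarealKEYline1\r\nAAAAconstructedNOTarealKEYline2\r\n-----END OPENSSH PRIVATE KEY-----\r\n'
SAMPLE_KEY_PATH=$(mktemp)
if write_private_key_from_env CONSTRUCTED_KEY_SAMPLE "$SAMPLE_KEY_PATH"; then
  echo "wrote $SAMPLE_KEY_PATH ($(( $(wc -l < "$SAMPLE_KEY_PATH") )) lines)"
fi
```

Once the private key file is in place, the id_rsa.pub the proxy script cats can be derived from it with ssh-keygen -y -f "$HOME/.ssh/id_rsa" > "$HOME/.ssh/id_rsa.pub", so only one secret needs to be stored in the workflow.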

Powershell script does not work

When trying to ssh using the ps1 script, I received an error:

usage: aws [options] <command> <subcommand> [<subcommand> ...] [parameters]
To see help text, you can run:

  aws help
  aws <command> help
  aws <command> <subcommand> help

Unknown options: -p, &&, cd, ~ubuntu/.ssh, ||, exit, 1


And this is the error message from AWS run command:

sleep: invalid time interval ‘\r’

Try 'sleep --help' for more information.

mv: cannot stat '.authorized_keys': No such file or directory

failed to run commands: exit status 1

SSH config:

Host i-* mi-*
  IdentityFile ~/.ssh/id_rsa
  ProxyCommand powershell.exe ~/.ssh/aws-ssm-ec2-proxy-command.ps1 %h %r %p ~/.ssh/id_rsa.pub
  StrictHostKeyChecking no

A 'not a tty' file generated from the proxy command

For some reason, a new empty not a tty file is created under my current directory after I've run ssh i-XXXXXXX via this proxy script.

I'm not sure what is causing this, and it's not from the echo ... >/dev/tty line 🤔

Consider applying a license

Hello, and thanks for this.
Would you consider applying a license or a public domain dedication to this repository?

I ask because, as a user in an academic environment, my projects come (as a matter of routine) under scrutiny for copyright compliance and plagiarism. Having a license or dedication is very useful when this happens.
