Page 2 of 3
Results 11 to 20 of 29

Thread: seamless ssh through intermediate host?

  1. #11
    Join Date
    Jan 2008
    Location
    Malmö
    Beans
    133
    Distro
    Ubuntu 15.10 Wily Werewolf

    Re: seamless ssh through intermediate host?

    Either way is great with me, though I need to be off for pizza and football for a few hours so can't do real-time chat just now. But I'll look in again later, and try to set up that account. Can take it from there I think, whichever way you prefer it.

    Thanks again for all your help.

  2. #12
    Join Date
    Apr 2008
    Location
    Far, far away
    Beans
    2,148
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: seamless ssh through intermediate host?

    I'll lay out the basic steps here for when you get back, and for others who want to try it out...

    1. You need an AWS Account. That's easy, sign up at their web site using a credit card.

    2. Log into your account and check the "Account Activity" section. It should all be fresh, starting at zero fees. Click the "Security Credentials" section. You should see a tab called "Access Keys". Later you'll want to copy and paste some values from here so you can use the Linux command line tools.

    3. Now up at top, click the Management Console link. It takes a few seconds to load up. This is where you config and control things. It's more user friendly than Linux commands but it's also slower to log in and do things than working at the cmd line.

    4. Click the EC2 tab. Bottom left, click "Key Pairs". We'll create an SSH key pair to use for logging into your instances (servers). Click create key pair. Give it a name - I usually just use my own name but whatever you like. Click Create. It will generate a new key for you and prompt to save it locally on your system. Save it.

    5. Once it's saved, move it over to your home .ssh directory and set the permissions on it (chmod 400 key.pem). Now it can be used for logins.

    6. Back on the console, above Key Pairs, click "Security Groups". This is the AWS name for Firewall - where you set the open ports on your server. There should be a default security group. Click that line. In the scroll box below click "Custom" and choose SSH. This will enter some values, port 22 etc. Click "Save" over on the right. Now you have port 22 open for SSH access. Other ports can be managed here too. That's all for now though.

    7. Now over on the left menu, click "Spot Instances". An instance is an "up and running server at your command". There are many types based on CPU and memory resources allocated. Faster, higher memory instances cost more. We're going to use a "micro" size "spot" instance because that's the very cheapest for learning on, and is also good for low intensity tasks. "Spot" means we put a "bid" on an instance and as long as the current "market price" doesn't go over that bid, we can keep using our instance. The advantage is that it's much cheaper than a regular price instance. You are also charged for data transferred, but it's cheap too. So let's go...

    8. Click the "Request Spot Instances" button. Then choose "Community Instances". These are pre-built public machine images ready to run. In the entry field next to Images, type ami-1234de7b and press enter. This is an Ubuntu 10.4 32 bit image, located in the East US data center. You should see a description show up in the list. (For other handy ready to use Ubuntu images see, Alestic.com. They're one of the main builders of ready-to-use Ubuntu images.) Click the "Select" button to the right of the description.

    9. Here's where we choose what type of instance to run and how much we'll pay. In the upper middle click the "Instance Type" dropdown box and choose "Micro". Then below enter a Max Price of 0.01 (that's 1 cent/hour). Usually Micro runs at 0.007 but by allowing up to 0.01 we have a bit of breathing room for market variations. Next, click "Continue", bottom center.

    10. Now you can choose different kernel and ramdisk settings - we don't need to change these. Click "Continue". Next you should see your default "key pair" show in the list. Good. That's the one we just created. Click "Continue". The default "security group" should be selected. Good. That's our default firewall config we just set up. Click "Continue".

    11. Here's the details summary. Check it over. Make sure only 1 instance at the 0.01 price will be started for you. This will put in a request to start ONE super cheap Micro server for you at a MAX cost of 1 cent per hour. Ok with that? Click "Submit".

    12. Close the info page that pops up, and you should see your pending request in the list. It's waiting to be started usually within a minute or two. You can click the "Refresh" button to update the status. When it changes to "Active" you can click on the "Instances" menu button on the far left, and you should see your running instance listed there. (If not shown then click "Refresh"). Yay!

    13. Click the instance line. On the lower panel you will find the details of your instance. The main item of interest is the Public DNS value. Mark and copy that URL (or just remember the IP value). This is the address where you can log into your hot new server...

    14. Open a terminal on your desktop. We're going to login with SSH and the key you saved earlier. Type,

    ssh -i .ssh/yourkey.pem ubuntu@paste-the-public-DNS-here

    It should do the normal thing, tell you it hasn't seen this host key before, and give you a prompt on your server. Great. Type a few commands. Install some Ubuntu packages like "htop" with apt-get. Enjoy. This is your server for now.

    15. When you're done, either power off (sudo poweroff) or log out, and return to the Amazon Console, select your instance line, click "Instance Actions", and "Terminate". Click "Refresh" until you see the status change to "Terminated". Make sure you do this or you will continue to be charged per hour that it runs. At this rate that is $5/month.

    16. That was your first exciting adventure into using Amazon EC2 and it cost you less than 1 cent. Of course, now you know how you can experiment with servers on demand, try out various ssh tunnels, alter the sshd_config at will using sudo - you have full root control here. Hope this intro gets you started, and later you manage to get your tunnels happening.

    Part two - how to setup Linux cmd line tools to make this all fast. Later... Cheers!
    Last edited by BkkBonanza; September 17th, 2010 at 07:41 PM.

  3. #13
    Join Date
    Nov 2008
    Location
    Metro Boston
    Beans
    11,496
    Distro
    Kubuntu 14.04 Trusty Tahr

    Re: seamless ssh through intermediate host?

    I'd suggest you look into OpenVPN as an alternative. You can set up a simple shared-key arrangement with the home computer as a client and the remote machine as the server (assuming you can see the remote from home). You will need to designate an arbitrary port on the server machine that is visible to the client at home. Once you've got it set up, you'll have a full-time encrypted tunnel between the two machines. You can then simply ssh to the home machine's VPN IP.

    Here's an example:

    On the client create the file: /etc/openvpn/yourlink.conf

    dev tun
    remote your.remote.com
    ifconfig 10.0.0.2 10.0.0.1
    secret /etc/openvpn/myshared.key
    port 33333
    user nobody
    group nogroup
    comp-lzo
    ping 15
    ping-restart 45
    ping-timer-rem
    persist-tun
    persist-key
    verb 3

    On the server, the file looks identical except it doesn't have the "remote" parameter and the order of the IP addresses in the ifconfig statement will be reversed. Make sure myshared.key is readable only by root (chmod 0600 /etc/openvpn/myshared.key).

    If you need to add routing through the tunnel, you can use the "up" parameter to run a script after the tunnel is created.
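As an added example (not part of SeijiSensei's post), here is a small POSIX shell script that derives the server-side config from the client config exactly as described above (drop `remote`, swap the `ifconfig` addresses) and checks that the shared key has the 0600 mode the post asks for. The sample config it writes is a constructed copy of the one in the post; the file paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the post: derive the server-side static-key
# OpenVPN config from the client config and check the key file's mode.
# Paths and the sample config below are constructed for this demo.

# Print the server config the post describes: same file, minus the
# "remote" line, with the two ifconfig addresses swapped (local/peer).
make_server_conf() {
    awk '
        $1 == "remote"   { next }                    # server side has no peer to dial
        $1 == "ifconfig" { print $1, $3, $2; next }  # 10.0.0.2 10.0.0.1 -> 10.0.0.1 10.0.0.2
        { print }
    ' "$1"
}

# Return 0 if the key is readable and writable by its owner only (the
# post's chmod 0600). Ownership by root is visible in "ls -l" field 3.
key_perms_ok() {
    mode=$(ls -l "$1" | cut -c1-10)
    [ "$mode" = "-rw-------" ]
}

# Write a constructed copy of the post's client config to the given path.
write_sample_client() {
    cat > "$1" <<'EOF'
dev tun
remote your.remote.com
ifconfig 10.0.0.2 10.0.0.1
secret /etc/openvpn/myshared.key
port 33333
user nobody
group nogroup
comp-lzo
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key
verb 3
EOF
}

# Stand-alone demo: print the server config derived from the sample client.
demo() {
    dir=$(mktemp -d)
    write_sample_client "$dir/yourlink.conf"
    make_server_conf "$dir/yourlink.conf"
    rm -r "$dir"
}

demo
```

On a real pair of hosts you would run `make_server_conf /etc/openvpn/yourlink.conf > server.conf` on the client and copy the result to the server, then `key_perms_ok /etc/openvpn/myshared.key || chmod 0600 /etc/openvpn/myshared.key` on both ends.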

  4. #14
    Join Date
    Jan 2008
    Location
    Malmö
    Beans
    133
    Distro
    Ubuntu 15.10 Wily Werewolf

    Re: seamless ssh through intermediate host?

    Quote Originally Posted by BkkBonanza View Post
    I'll lay out the basic steps here for when you get back, and for others who want to try it out...

    1. ...

    Part two - how to setup Linux cmd line tools to make this all fast. Later... Cheers!
    Great! Done all that, worked like a charm. Only difference is since I'm in Denmark, I used the EU West region for a server based in Ireland rather than across the Atlantic. For the image, I simply went to the Alestic website and picked the directly corresponding EU-based one to the Virginia-based one you mentioned, which I found was ami-38bf954c. It's a little more expensive than the one in the states, but I think I can survive the additional 0.3 cents. The data traffic price is the same for both regions, which I think in the long run may be the "bigger" cost.

    Keeping the instance up and running for now as I toy with it a bit. Whenever you have the opportunity to post step 2, I'm looking forward to it. This is fun.


    Quote Originally Posted by SeijiSensei View Post
    I'd suggest you look into OpenVPN as an alternative. You can set up a simple shared-key arrangement with the home computer as a client and the remote machine as the server (assuming you can see the remote from home). You will need to designate an arbitrary port on the server machine that is visible to the client at home. Once you've got it set up, you'll have a full-time encrypted tunnel between the two machines. You can then simply ssh to the home machine's VPN IP.

    ...
    Thanks a lot. I've been meaning to look into OpenVPN as well for some time, if mostly for future use when I live in one place long enough to start setting up the servers I would like... However, it seems the intermediate host I would use doesn't have OpenVPN installed. Also, it seems to me from your instructions I would need root access also to make the settings for it, which unless I could get the admins there to help me out would probably rule out this route under these circumstances. Certainly useful for future use though. Maybe on a cloud instance...

  5. #15
    Join Date
    Jan 2008
    Location
    Malmö
    Beans
    133
    Distro
    Ubuntu 15.10 Wily Werewolf

    Re: seamless ssh through intermediate host?

    Gave it a shot to set up the tunnel as discussed before.

    Turned on GatewayPorts in sshd_config, and restarted it using pkill. Confirming as follows:

    ubuntu@awshost:~$ grep GatewayPorts /etc/ssh/sshd_config
    GatewayPorts yes
    ubuntu@awshost:~$ sudo netstat -lntp
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
    tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 384/sshd
    tcp 0 0 127.0.0.1:7777 0.0.0.0:* LISTEN 1258/sshd: ubuntu
    tcp6 0 0 :::22 :::* LISTEN 384/sshd
    tcp6 0 0 ::1:7777 :::* LISTEN 1258/sshd: ubuntu
    It says "LISTEN" on the same line as 7777, don't know if that's sufficient?

    Then creating the tunnel locally:

    myuser@laptop:~$ ssh -i ~/.ssh/mykey.pem -fNR *:7777:localhost:22 ubuntu@myhost.compute.amazonaws.com
    No error message to that, trying to connect on that port:

    myuser@laptop:~$ ssh -i ~/.ssh/mykey.pem -p 7777 ubuntu@myhost.compute.amazonaws.com
    ssh: connect to host myhost.compute.amazonaws.com port 7777: Connection timed out
    For some reason it still doesn't work. I assume I still need to use the same key when doing the new connection to 7777... Ran the iptables command too, just in case that helps though it's not telling me much:

    ubuntu@awshost:~$ sudo iptables -vnL
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination

    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    Any ideas?
    Last edited by anlag; September 19th, 2010 at 12:15 AM. Reason: added stuff

  6. #16
    Join Date
    Apr 2008
    Location
    Far, far away
    Beans
    2,148
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: seamless ssh through intermediate host?

    That's great you got all that going. Using an EU West instance is a good idea. You should get better response speed to Denmark.

    You also need to alter the "Security Group" you set up on the AWS console (allowing SSH, port 22) and add another custom rule for 7777, to allow connections on that port. Maybe you already tried that. AWS must use some form of hardware firewalling since it doesn't show up in iptables at all (output looks fine, all open).

    The netstat output isn't quite right. Instead of 127.0.0.1 for listen address, the 7777 line should be like the 22 line where it says listening on 0.0.0.0. I'm not sure why that is yet.

    Couple more points...

    Remember to kill the background processes once you don't want the tunnel open any more, since you can only bind one at a time to any port. Starting a second tunnel would likely fail with the first still intact.

    One more thing... when you run the tunnel cmd you should be able to see that it is active by checking the ps output as follows,

    ps ax |grep ssh

    (will list running processes with "ssh" in output line).

    Added: I fired up my own AWS instance to test this out. At first it didn't work and I started digging more and reading. In the end it was only that I hadn't used sudo to do the pkill. It still closed my connection but it did not actually re-read the sshd_config. So beware, you need,

    sudo pkill -HUP sshd

    You should see the sshd pid value change, indicating it is a new process, when you login again.

    Other than that I got the tunnel to show up on 0.0.0.0:7777.
    Last edited by BkkBonanza; September 19th, 2010 at 02:23 AM.
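The diagnosis in the two posts above comes down to one question: is the forwarded port bound to 127.0.0.1 (GatewayPorts not in effect) or to 0.0.0.0 (reachable from outside)? The following script is an added example, not from the thread, that answers it for any port from `netstat -lntp` output, and also reports the GatewayPorts value sshd will actually use from a config file (sshd takes the first uncommented occurrence; the default is "no"). The netstat listings embedded below are constructed from the ones posted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: check where a forwarded port is bound
# and which GatewayPorts value sshd will take from its config file.
# The netstat samples below are constructed from the thread's listings.

# Read "netstat -lntp" style output on stdin and print one word for PORT:
#   all      some socket listens on 0.0.0.0 or :: (reachable from outside)
#   loopback only 127.0.0.1 / ::1 listen (GatewayPorts not in effect)
#   none     nothing listens on that port
listen_scope() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, a, ":")                        # port is after the last colon
            if (a[n] != port) next
            addr = substr($4, 1, length($4) - length(a[n]) - 1)
            if (addr == "0.0.0.0" || addr == "::") all = 1
            else if (addr == "127.0.0.1" || addr == "::1") loop = 1
        }
        END { print (all ? "all" : (loop ? "loopback" : "none")) }
    '
}

# Print the GatewayPorts value sshd will use from the given config file.
# sshd keeps the FIRST uncommented occurrence; commented lines start with "#".
gateway_ports() {
    awk 'tolower($1) == "gatewayports" { print tolower($2); found = 1; exit }
         END { if (!found) print "no" }' "$1"
}

# Constructed sample: the first listing in the thread (tunnel on loopback only).
netstat_before() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      384/sshd
tcp        0      0 127.0.0.1:7777          0.0.0.0:*               LISTEN      1258/sshd: ubuntu
tcp6       0      0 :::22                   :::*                    LISTEN      384/sshd
tcp6       0      0 ::1:7777                :::*                    LISTEN      1258/sshd: ubuntu
EOF
}

# Constructed sample: the listing after sshd re-read "GatewayPorts yes".
netstat_after() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      945/sshd
tcp        0      0 0.0.0.0:7777            0.0.0.0:*               LISTEN      1198/sshd: ubuntu
tcp6       0      0 :::22                   :::*                    LISTEN      945/sshd
EOF
}

# Stand-alone demo. On the real host: sudo netstat -lntp | listen_scope 7777
echo "before: $(netstat_before | listen_scope 7777)"   # loopback
echo "after:  $(netstat_after  | listen_scope 7777)"   # all
```

The parser expects netstat's column order (State in the sixth column); `ss -lntp` prints State first, so feed it netstat output as in the thread. Once `listen_scope` says "all", the port is open to everyone the AWS security group lets through, which is why restricting that rule's source range matters as much as the sshd setting.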

  7. #17
    Join Date
    Jan 2008
    Location
    Malmö
    Beans
    133
    Distro
    Ubuntu 15.10 Wily Werewolf

    Re: seamless ssh through intermediate host?

    Quote Originally Posted by BkkBonanza View Post
    You also need to alter the "Security Group" you setup on the AWS console (allowing SSH, port 22) and add another custom rule for 7777, to allow connections on that port. Maybe you already tried that.
    D'oh! Missed that one, did it now (with a new session, shut the old one down before.) That does help things a bit...

    Quote Originally Posted by BkkBonanza View Post
    The netstat output isn't quite right. Instead of 127.0.0.1 for listen address, the 7777 line should be like the 22 line where it says listening on 0.0.0.0. I'm not sure why that is yet.
    Now with the same tunnel command as previously I got it to be:

    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
    tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 370/sshd
    tcp 0 0 127.0.0.1:7777 0.0.0.0:* LISTEN 804/sshd: ubuntu
    tcp6 0 0 :::22 :::* LISTEN 370/sshd
    tcp6 0 0 ::1:7777 :::* LISTEN 804/sshd: ubuntu

    Better, right? At least there's a line up there like the standard 22 sshd line. Still, there's the localhost IP listed only... so tried your latest tunnel command (after killing the first one) which I thought would make it work, since in it you've basically changed localhost for *, so locally:

    myuser@laptop:~$ ssh -i ~/.ssh/mykey.pem -fNR *:7777:*:22 ubuntu@myhost.compute.amazonaws.com

    Quote Originally Posted by BkkBonanza View Post
    One more thing... when you run the tunnel cmd you should be able to see that it is active by checking the ps output as follows,

    ps ax |grep ssh

    (will list running processes with "ssh" in output line).
    It's there alright:

    18685 ? Ss 0:00 ssh -i /home/myuser/.ssh/mykey.pem -fNR *:7777:*:22 ubuntu@myhost.compute.amazonaws.com

    In fact going a step further, I tried to use the tunnel from the side of the AWS host:

    ubuntu@awshost:~$ ssh -p 7777 myuser@localhost

    ...and that connects just fine to my home laptop. So the tunnel exists and works, it's still only the matter of making it accessible from a third party. I'll see if I can work it out as well but obviously... any further input is most valued.

  8. #18
    Join Date
    Apr 2008
    Location
    Far, far away
    Beans
    2,148
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: seamless ssh through intermediate host?

    See my very recent update to my post above. I added an important pkill comment.

    Netstat must show listening on 0.0.0.0:7777 otherwise it is still bound to localhost.
    I'm about to modify my security group and see if I can connect to 7777.

    Edit:
    I just realized I can't easily test this here. I don't have sshd installed on my local machine (and don't really want to install it). Once the tunnel forwards back to your home machine it will still need sshd listening on port 22 to answer the connection. But I think you already have that.

    I did use nmap to do a connection test to port 7777 and that showed it OPEN. Which is good.
    Last edited by BkkBonanza; September 19th, 2010 at 02:49 AM.

  9. #19
    Join Date
    Jan 2008
    Location
    Malmö
    Beans
    133
    Distro
    Ubuntu 15.10 Wily Werewolf

    Re: seamless ssh through intermediate host?

    Wicked! sudo pkill fixed this:

    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
    tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 945/sshd
    tcp 0 0 0.0.0.0:7777 0.0.0.0:* LISTEN 1198/sshd: ubuntu
    tcp6 0 0 :::22 :::* LISTEN 945/sshd

    However, trying to log on after that asked me for a password:

    myuser@laptop:~/.ssh$ ssh -i ~/.ssh/mykey.pem -p 7777 ubuntu@myhost.compute.amazonaws.com
    ubuntu@myhost.compute.amazonaws.com's password:

    I don't have any password for the ubuntu user obviously, so tried getting around it by creating a pair of rsa keys on the AWS host, passing the public one to my laptop and attempting the connection again but no dice.

    Without thinking it would actually work, I tried replacing the username when connecting from home on 7777 to my own local username... and that actually worked.

    myuser@laptop:~/.ssh$ ssh -i ~/.ssh/mykey.pem -p 7777 myuser@myhost.compute.amazonaws.com
    myuser@myhost.compute.amazonaws.com's password:

    Entered my local password as that's really the only one I have, and it connected me to my laptop as desired. Smoothed the process out by adding my own public rsa key to my authorized_keys (bit bizarre that...) and the next time didn't even require password.

    ...

    Just now realized I don't even need the keyfile when doing that connection. So any connection on 7777 to the AWS host is not even logged in on there, but just passed on to my laptop. That's even better than I realized it would work, for instance for setting up SFTP access for others I should only need to make them guest accounts on my machine and tell them the AWS address and port... and make sure they don't pull enough data to cost me a lot of money, but I think at 15 cents per Gb (after the first free one) it should be rather acceptable.

    In other words: success! A million thanks, your help has been invaluable.

    If you don't mind... for doing this regularly, what can I do to set this up so settings etc are saved on the AWS host between connections? Kind of assuming there's a convenient way to do that, for regular users...
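The tunnel the thread ends up with is a single long command line typed by hand, and BkkBonanza's earlier point stands: a second tunnel on the same port fails because the port is already bound, and a forgotten background ssh keeps the forward open. The wrapper below is an added example, not from the thread, that builds the same `-fNR` command with `ExitOnForwardFailure` (so ssh exits non-zero if the remote bind fails instead of quietly staying connected without the forward) and keep-alives, refuses to start a duplicate, and can stop the running one. `KEY`, `HOST` and the function names are assumptions chosen for this example; the host name is the placeholder from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: a wrapper around the reverse tunnel
# command the thread arrives at. KEY/HOST are hypothetical defaults.
KEY="${KEY:-$HOME/.ssh/mykey.pem}"
HOST="${HOST:-ubuntu@myhost.compute.amazonaws.com}"   # placeholder from the thread

# Print the ssh command line for reverse-forwarding RPORT on the AWS host
# to port 22 on this machine. ExitOnForwardFailure makes ssh fail loudly
# when the remote bind is refused (e.g. an old tunnel still holds the port);
# ServerAlive* drops a dead session instead of leaving it hanging.
tunnel_cmd() {
    rport=$1; key=$2; host=$3
    printf '%s' "ssh -i $key -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -fNR '*:$rport:localhost:22' $host"
}

# Return 0 if a background ssh holding a reverse forward for RPORT exists.
# This is the "ps ax | grep ssh" check from the thread, narrowed to the port.
tunnel_running() {
    ps -eo args 2>/dev/null | grep -v grep | grep -q -- "-fNR \*:$1:"
}

# Stop the background tunnel for RPORT (the thread's "kill the background
# process once you don't want the tunnel open any more").
tunnel_stop() {
    pkill -f -- "-fNR \*:$1:"
}

# Start the tunnel unless one for that port is already running.
open_tunnel() {
    if tunnel_running "$1"; then
        echo "tunnel on port $1 already running; run tunnel_stop $1 first" >&2
        return 1
    fi
    eval "$(tunnel_cmd "$1" "$KEY" "$HOST")"
}

# Stand-alone demo: show the command that open_tunnel 7777 would run.
echo "would run: $(tunnel_cmd 7777 "$KEY" "$HOST")"
```

Once the forward is up with GatewayPorts on and the security group rule in place, every host that can reach the AWS instance on that port is talking to the home machine's sshd, as the post above observed; the home sshd's own authentication policy is what protects it, so key-only logins there and a narrow source range on the security group rule are the two controls worth setting before handing out the address.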

  10. #20
    Join Date
    Apr 2008
    Location
    Far, far away
    Beans
    2,148
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: seamless ssh through intermediate host?

    Ha. Good. I was going to mention that your final connection is actually to YOUR home machine and so that is the one you need the user/pwd/key for.

    Setting up your own machine (AMI) on AWS isn't too hard. You can take a snapshot of the instance you have customized and then create a new personal AMI from that. This can be done from the console with a few steps.

    The complaint I have is that the custom AMI uses 15 GB of EBS space so you end up being charged for that space monthly. I did manage to get around this in a convoluted way so that only a 1 or 2 GB EBS store is needed. It's a bit of work to do that but not so hard. The Ubuntu image only uses about 750 MB of space so having a 15GB partition is just wasteful since any other EBS (data) partitions can be easily mounted when needed.

    I need to do this again myself as I want to keep a backup of my own VPS server stored on AWS. In case of a failure I can fire up the backup and be operational again in minutes.

    I can write a tutorial on this process as well. I don't mind because I'm keeping a copy for later when I set up a blog someday. But which first, Linux cmd line or snapshotting AMIs?
    Last edited by BkkBonanza; September 19th, 2010 at 03:18 AM.
