In AWS, to ssh into the private server instance, we need to first ssh into bastion host first. Only from bastion host we shall be able to login into private server instances. Hence we need to store our ssh private key into the bastion host to be able to login to private instances.
But storing ssh private key in bastion host is not a good practise. To overcome that, there are two possibilities
1) Use ssh-agent for forwarding keys through bastion host
2) Use ssh ProxyCommand
Let me explain the later option of using ssh ProxyCommand to login to AWS private instance by tunneling through bastion host.
From our localhost(desktop client), we need to
1) SSH into our bastion host
2) Run netcat command on the bastion host to open a connection to the remote host(private aws instance)
3) Connect to the remote host(private aws instance) through the netcat tunnel from the local desktop without having to store the private ssh key in the bastion host.
OpenSSH 5.4 and above have netcat built in. So in our local desktop, we need to configure ssh client configuration ~/.ssh/config as below
Host privateecinstance
Hostname <aws_private_instance_ip>
User ec2-user #Username to ssh into private ec2 instance
ProxyCommand ssh -W %h:%p ec2-user@<bastion-host-ip> 2> /dev/null
Now we can login to private ec2 instance from our local desktop as follows
ssh privateecinstance
No comments:
Post a Comment