I have an Ubuntu 16.04 VirtualBox machine (i.e. machine A) running on OSX connected to a university campus network. I would like to occasionally ssh into the machine from my laptop to remotely assist my colleagues, and I looked at different options.
It seems one of the options is "reverse ssh" (related to "port forwarding" or "ssh tunnelling"). My laptop does not have a fixed IP, so I can't do straight reverse ssh. The possible solution is to use a proxy machine. The idea is that when I need to assist my colleagues, they will type in the connection instructions from machine A, this will create a running GCP instance, and I will be able to then connect to machine A from the outside using this bridging (proxy?) GCP machine.
/ Academic intranet
+----------+ |
| GCE | | +----------+
| instance |<----|--| Machine A|
+----------+ | +----------+
|
\
/ Academic intranet
+----------+ |
+-------------+ ssh | GCE | ssh | +----------+
| Laptop dynIP|---------->| instance |-----|->| Machine A|
+-------------+ +----------+ | +----------+
|
\
We have a Google cloud account and gcloud installed on machine A. For what I can tell, GCP already has a very simple way to set up a tunnel in GCP:
https://cloud.google.com/community/tutorials/ssh-tunnel-on-gce
I tried it and it works. Which makes me guess that the same should be possible on GCP for the final step: for me to be able to open an SSH browser window on the running GCP instance so that I can ssh into machine A from there.
Any ideas?
EDITED:
Here is how far I got following the ssh tunnel on gce instructions:
On machine A:
gcloud compute instances create --zone us-west1-a tunnel
gcloud compute ssh --zone us-west1-a tunnel -- -N -p 22 -D localhost:2210
On my laptop, I can open https://console.cloud.google.com/compute/instances and then open a browser window to SSH connect.
From the GCP instance hostname tunnel, I guess I am missing something like:
ssh-into-machine-A-from-here
This is the last command that I am missing. Or maybe the ssh tunnel in gcloud needs extra flags/parameters.
0) Create an instance on GCP with a command like:
gcloud compute instances create --zone us-west1-a tunnel
0b) Click on the 'SSH' link on https://console.cloud.google.com/compute/instances to open a browser window.
0c) On the browser window, edit the sshd_config file to enable GatewayPorts yes.
0d) Set up gcloud CLI and connect the first time as shown below:
gcloud compute ssh --zone us-west1-a tunnel
This will create the ssh keys in $HOME/.ssh/google_compute_engine. Disconnect from it. Now that the keys are created, follow the next steps.
1) To establish forwarding from GCE to machine A: run following on machine A:
ssh -i ~/.ssh/google_compute_engine -o UserKnownHostsFile=/dev/null -o CheckHostIP=no -o StrictHostKeyChecking=no -f -N -R 2022:*:22 gce_user#gce_address
2) Now, to connect to machine A from your laptop, you can use the browser window with the GCP instance and do:
ssh -p 2022 A_machine_user#localhost
This should then ask for the password on A_machine_user and connect you to machine A.
I am not 100% sure that I got your exact question, but as far as I understood creating a VPN should be the best solution for you. The best and safest way of connecting your GCE instance with the machine A.
You can find here a discussion on the same kind of implementation.
Another option, which is in the same spirit is to a Virtual private server like OpenSSH on Machine A. Here there is a guide on how to implement that using a Virtual Private Server like OpenSSH and how to configure it.
Related
Im experiencing a problem replicate my putty ssh tunneling with Cmder bash (on windows machine).
1. I want to access web interface on port 7183 on server_2. To get there I have to go through jump_server first and and tunnel twice, as from the jump_server, only visible port is 22.
Steps with putty:
1. connect to jump_server with tunnel (L22 server_2:22) using username_1
2. connect to localhost with tunnel (L7183 localhost:7183) using username_2
After that, Im able to access the web interface when I type localhost:7183 into browser on my local machine.
Now Im trying to reproduce this in Cmder, but I havent been able to do that with one big command, nor 2 separate commands:
ssh -L 7183:localhost:7183 username_1#jump_server ssh -L 22:localhost:22 -N username_2#server_2 -vvv
This is only the last command I used as I tried interchanging ports and hosts without success.
2. Is the syntax different when I want to open port 12345 on my local machine and have it forwarded to port 21050 on server_2 or that would be remote tunneling?
Finally managed to achieve the 1. question with:
ssh username_1#jump_server -L 22:server_2:22 -N -vvv
ssh -L 7183:localhost:7183 username_2#localhost
Now Im albe to access the web interface from server_2 on my localhost:7183
We're running DC/OS + Marathon on an Azure cluster (ACS). I find myself in situations where it would be very helpful to tunnel into the master node and more specifically - agent nodes. Then I'd like to run bash commands against my services (docker images) that are running. Is this possible?
Thanks in advance!
There's a page on ACS's documentation regarding ssh tunneling into master nodes, it can be found here: https://azure.microsoft.com/en-us/documentation/articles/container-service-connect/
Say you have an Azure Container Service named my-acs running on the East US region, and your user name is myuser, and you would like to access the DC/OS dashboard of your cluster,
sudo ssh -L 80:localhost:80 -f -N my-user#my-acsmgmt.eastus.cloudapp.azure.com -p 2200 -i path/to/your/private/key
If you would like to directly access the terminal of your master, you would use:
ssh my-user#my-acsmgmt.eastus.cloudapp.azure.com -p 2200 -i path/to/your/private/key
However, I do not know how to connect directly into an Agent node.
For some reason ssh doesn't work to set up a tunnel to my Google Compute Engine instance. I have to use gcloud compute ssh. I'd really like to set up a persistent/resilient tunnel, like one gets with autossh. Is there any way I can do so using gcloud compute ssh?
gcloud compute ssh simply copies your ssh key to the project sshKeys metadata (see Cloud Console > Compute Engine > Metadata > SSH Keys) and runs standalone SSH with the ~/.ssh/google_compute_engine key. To see the exact command line invoked, run gcloud compute ssh --dry-run .... Anything that's possible with typical SSH is possible with gcloud compute ssh.
Another option to investigate is gcloud compute config-ssh, which syncs your ~/.ssh/google_compute_engine SSH key to the project and sets up your ~/.ssh/config file so that you can run ssh without gcloud.
I am trying to ssh into a VM from another VM in Google Cloud using the gcloud compute ssh command. It fails with the below message:
/usr/local/bin/../share/google/google-cloud-sdk/./lib/googlecloudsdk/compute/lib/base_classes.py:9: DeprecationWarning: the sets module is deprecated
import sets
Connection timed out
ERROR: (gcloud.compute.ssh) [/usr/bin/ssh] exited with return code [255]. See https://cloud.google.com/compute/docs/troubleshooting#ssherrors for troubleshooting hints.
I made sure the ssh keys are in place but still it doesn't work. What am I missing here?
There is an assumption that you have connected to the externally-visible instance using SSH beforehand with gcloud.
From your local machine, start ssh-agent with the following command to manage your keys for you:
me#local:~$ eval `ssh-agent`
Call ssh-add to load the gcloud compute public keys from your local computer into the agent, and use them for all SSH commands for authentication:
me#local:~$ ssh-add ~/.ssh/google_compute_engine
Log into an instance with an external IP address while supplying the -A argument to enable authentication agent forwarding.
gcloud compute ssh --ssh-flag="-A" INSTANCE
source: https://cloud.google.com/compute/docs/instances/connecting-to-instance#sshbetweeninstances.
I am not sure about the 'flags' because it's not working for me bu maybe I have a different OS or Gcloud version and it will work for you.
Here are the steps I ran on my Mac to connect to the Google Dataproc master VM and then hop onto a worker VM from the master MV. I ssh'd to the master VM to get the IP.
$ gcloud compute ssh cluster-for-cameron-m
Warning: Permanently added '104.197.45.35' (ECDSA) to the list of known hosts.
I then exited. I enabled forwarding for that host.
$ nano ~/.ssh/config
Host 104.197.45.35
ForwardAgent yes
I added the gcloud key.
$ ssh-add ~/.ssh/google_compute_engine
I then verified that it was added by listing the key fingerprints with ssh-add -l. I reconnected to the master VM and ran ssh-add -l again to verify that the keys were indeed forwarded. After that, connecting to the worker node worked just fine.
ssh cluster-for-cameron-w-0
About using SSH Agent Forwarding...
Because instances are frequently created and destroyed on the cloud, the (recreated) host fingerprint keeps changing. If the new fingerprint doesn't match with ~/.ssh/known_hosts, SSH automatically disables Agent Forwarding. The solution is:
$ ssh -A -o UserKnownHostsFile=/dev/null ...
I need to do some work on a server to which I don't have direct access to. I do have access to my company network (via vpn). If I were on that network, I could access the server directly. But, for some reason when I'm on the vpn, I can't access the server directly.
So, I need to ssh into an intermediary ubuntu box, and then create an ssh tunnel from that box to the server.
Then, I can do my work on my laptop and send it through a local tunnel that points to a foreign tunnel (on my ubuntu box) that goes to the server.
But I don't know how to do a tunnel that creates another tunnel to a third server.
Any ideas?
Thanks,
Scott
What are you trying to achieve? If you just want to get to a shell on the server then ssh into the Ubuntu box and then ssh from there to the server.
If you want to access some other network resource on the server then you want to forward a port from the server (where you can't get to it) to the Ubuntu box (where you can). Take a look at the -L option in ssh.
Edit:
Copying files to the server:
tar c path/* | ssh ubuntuName 'ssh serverName "tar x"'
Copying stuff back:
ssh ubuntuName 'ssh serverName "tar c path/*"' | tar x
Obviously you need to change ubuntuName, serverName and path/* to what you want. To use rsync you need the -E option and the same trick of wrapping one ssh command inside another. After reading your comment I'd say that the most general answer to your question is that the trick is making ssh execute a command on the target machine. You do this by specifying the command as an argument after the machine name. If you use ssh as the target command for ssh to execute then you get the two-hop behaviour that you are looking for. Then it is just a matter of playing with quotes until everything is escaped correctly.
It's just a double port forward. Forward the ports from the PC to the ubuntu box, then on the ubuntu box forward those destination ports to the final endpoint. It's been a while since I've done command line ssh (been trapped in windows hell :)), so I can't give the command line you need. Another possibility is to use the SOCKS proxy ability built into SSH.
To connect from your local machine over a second machine to a specific port on the third machine you can use the ssh -N -L option:
ssh -N second_machine -L 8080:third_machine:8082
This maps the Port 8082 on the third machine to port 8080 on the local machine (eg. http://localhost:8080/ ).