Fabric over reverse SSH tunnel - ssh

Is there a trick to running Fabric over a reverse SSH tunnel? An interactive ssh connects fine back over the tunnel, but running fab, I just get asked for my password repeatedly.

Here is a snippet with a solution:
https://gist.github.com/856179
Just copy, paste and use.

Here's a solution that doesn't involve writing any extra Python code:
If you set up your SSH configuration to tunnel over a SOCKS proxy, you can tell Fabric to use the SSH configuration. It's sweet.
Example $HOME/.ssh/config file:
Host bastion
HostName bastion.yourdomain.com
DynamicForward 0.0.0.0:1080
ServerAliveInterval 120
ServerAliveCountMax 30
Host hostbehindthebastion.yourdomain.com
ProxyCommand /usr/bin/nc -x 127.0.0.1:1080 %h %p
Now tell Fabric to use the configuration:
env.use_ssh_config = True
env.hosts = [
"user@hostbehindthebastion.yourdomain.com",
]
Now ssh bastion in one window, then run fab from another window.
See the official Fabric documentation for more information.
NB. You will have to have nc (netcat) installed on your machine to use this solution.
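To see what `env.use_ssh_config = True` actually does with that file, here is an added example (editor-supplied, not code from the answer, and not Fabric's own implementation, which hands the work to paramiko's SSHConfig). It is a stripped-down ssh_config resolver: `Host` patterns are globs, the first matching value of each option wins, and the `%h`/`%p`/`%r` tokens in `ProxyCommand` are expanded so you can see the exact netcat command that will be spawned for the host behind the bastion. `SAMPLE_CONFIG` is the answer's config plus a trailing `Host *` block added here to show the first-match-wins rule; `Match` and `Include` are not supported. The same resolution applies to the other `ProxyCommand` configurations further down this page.

```python
"""Resolve an OpenSSH client config the way ssh itself (and Fabric with
env.use_ssh_config = True) does: Host patterns are globs, the FIRST
matching value of each option wins, and ProxyCommand tokens are expanded.

Added example; not code from the original answer. SAMPLE_CONFIG is the
answer's config plus a trailing 'Host *' block added here to show the
first-match-wins rule. Match/Include blocks are not handled."""
import re
import shlex

SAMPLE_CONFIG = """
Host bastion
  HostName bastion.yourdomain.com
  DynamicForward 0.0.0.0:1080
  ServerAliveInterval 120
  ServerAliveCountMax 30
Host hostbehindthebastion.yourdomain.com
  ProxyCommand /usr/bin/nc -x 127.0.0.1:1080 %h %p
# added here: a catch-all block; it never overrides what matched above
Host *
  User fallbackuser
"""


def parse_ssh_config(text):
    """Return [(patterns, {option_lower: value}), ...] in file order."""
    blocks = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):          # comments only at line start
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key Value" or "Key=Value"
        if len(parts) != 2:
            raise ValueError("malformed ssh_config line: %r" % raw)
        key, value = parts[0].lower(), parts[1]
        if key == "host":
            current = (value.split(), {})
            blocks.append(current)
            continue
        if current is None:                          # options before any Host line
            current = (["*"], {})                    # apply to every host
            blocks.append(current)
        current[1].setdefault(key, value)            # repeated option: first wins
    return blocks


def ssh_glob(pattern, name):
    """ssh_config wildcards: '*' any run, '?' one char; compared case-insensitively."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern.lower())
    return re.fullmatch(regex, name.lower()) is not None


def resolve(blocks, host, user=None, port=22):
    """Merge the options that apply to `host`; earlier blocks take precedence.
    A user given on the command line (user@host) beats any User in the file."""
    opts = {}
    if user:
        opts["user"] = user
    for patterns, values in blocks:
        negated = [p[1:] for p in patterns if p.startswith("!")]
        positive = [p for p in patterns if not p.startswith("!")]
        if any(ssh_glob(n, host) for n in negated):
            continue
        if not any(ssh_glob(p, host) for p in positive):
            continue
        for key, value in values.items():
            opts.setdefault(key, value)
    opts.setdefault("hostname", host)
    opts.setdefault("port", str(port))
    return opts


def expand_proxy_command(opts):
    """Expand %h %p %r in ProxyCommand and split it into argv; None if unset."""
    cmd = opts.get("proxycommand")
    if cmd is None or cmd.lower() == "none":
        return None
    tokens = {"h": opts["hostname"], "p": opts["port"],
              "r": opts.get("user", ""), "%": "%"}
    expanded = re.sub(r"%([hpr%])", lambda m: tokens[m.group(1)], cmd)
    return shlex.split(expanded)


if __name__ == "__main__":
    blocks = parse_ssh_config(SAMPLE_CONFIG)
    for target in ("bastion", "hostbehindthebastion.yourdomain.com"):
        opts = resolve(blocks, target, user="user")
        print(target, "->", opts["hostname"], "via", expand_proxy_command(opts))
```

Resolving `hostbehindthebastion.yourdomain.com` yields the argv `/usr/bin/nc -x 127.0.0.1:1080 hostbehindthebastion.yourdomain.com 22`, which is why the `ssh bastion` session (the one providing the `DynamicForward` SOCKS listener on 1080) has to be up before `fab` runs: the netcat ProxyCommand connects to that listener, not to the bastion directly.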

Related

SSH Config ProxyJump - Port forwarding from proxy

I have a question regarding port forwarding in combination with proxy jump in my ssh config:
Is it possible to make use of DynamicForward from the host used as proxy? Here's my config:
Host proxy
HostName proxy.private.com
User user
IdentityFile ~/path/to/file
DynamicForward 3000
Host target
HostName target.somewhere.com
User user
IdentityFile ~/path/to/file
ProxyJump proxy
It does not work with this config, but this would be exactly what I need.
Any tips on how to get it to work?
If there is nothing preventing you from using ProxyCommand you can most likely use this approach:
In your ~/.ssh/config file:
Host target
HostName target.somewhere.com
User target-user
IdentityFile ~/path/to/target-user-file
ProxyCommand ssh -A <proxy-user>@<proxy-host> -i <proxy-user-key> -W %h:%p
DynamicForward 3000
You can then run this command on your local machine:
ssh target -D 3000
I was able to test this by running this command locally and retrieving the public IP of the target host:
curl -x socks5h://localhost:3000 https://ifconfig.me/
Useful links I read:
More details on these use cases can be found here
Detail on this very approach can be found on this site (sadly not in English nor HTTPS)
You can probably define another Host on top to avoid having to mess with ssh parameters each time. This would be done by using CanonicalizeHostname, but I couldn't manage to do it. An alias might be more interesting at that point?
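What the `curl -x socks5h://localhost:3000 ...` check above actually sends into the `ssh -D 3000` listener, as an added example (editor-supplied, not code from the answer): the SOCKS5 greeting and CONNECT request, encoded and decoded with the standard library. It shows what the `h` in `socks5h` changes: the hostname travels to the proxy as-is (ATYP 0x03) and is resolved by the SSH server, whereas plain `socks5` resolves locally and sends only the IP (ATYP 0x01), which both leaks the DNS query from your machine and fails for names only the far side can resolve. `ifconfig.me` is the hostname from the answer; `192.0.2.10` is a constructed documentation address, and the resolver is injectable so the block runs offline.

```python
"""Encode and decode the SOCKS5 CONNECT request that a client such as
curl -x socks5h://localhost:3000 sends into the `ssh -D 3000` listener.

Added example; not code from the answer. Shows what the 'h' in socks5h
changes: the hostname is sent as-is (ATYP 0x03) and resolved by the SSH
server, whereas plain socks5 resolves locally and sends only the IP
(ATYP 0x01). The resolver is injectable so the block runs offline."""
import ipaddress
import socket
import struct

SOCKS_VERSION = 5
CMD_CONNECT = 1
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4
REPLY_REASONS = {  # RFC 1928 section 6
    0: "succeeded", 1: "general SOCKS server failure",
    2: "connection not allowed by ruleset", 3: "network unreachable",
    4: "host unreachable", 5: "connection refused", 6: "TTL expired",
    7: "command not supported", 8: "address type not supported",
}


def build_greeting():
    """VER, NMETHODS, METHODS: offer only 0x00 (no auth). ssh -D takes just
    that; the authenticated SSH session itself is the access control."""
    return bytes([SOCKS_VERSION, 1, 0])


def build_connect(host, port, resolve_remotely=True, resolver=socket.gethostbyname):
    """Return the CONNECT request. resolve_remotely=True is socks5h (the name
    goes to the proxy); False is socks5 (resolve here first, so the DNS query
    leaves this machine and names only the far side knows cannot be reached)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # a hostname, not a literal IP
    if addr is None and not resolve_remotely:
        addr = ipaddress.ip_address(resolver(host))
    if addr is None:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname longer than the SOCKS5 1-byte length field")
        dst = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        dst = bytes([ATYP_IPV4 if addr.version == 4 else ATYP_IPV6]) + addr.packed
    if not 0 < port <= 65535:
        raise ValueError("port out of range")
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0]) + dst + struct.pack("!H", port)


def parse_connect(data):
    """Decode a CONNECT request into (atyp, host, port); ValueError if malformed."""
    if len(data) < 5 or data[0] != SOCKS_VERSION or data[1] != CMD_CONNECT or data[2] != 0:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = data[3]
    if atyp == ATYP_IPV4:
        end = 8
        host = str(ipaddress.IPv4Address(data[4:end]))
    elif atyp == ATYP_IPV6:
        end = 20
        host = str(ipaddress.IPv6Address(data[4:end]))
    elif atyp == ATYP_DOMAIN:
        end = 5 + data[4]
        host = data[5:end].decode("idna")
    else:
        raise ValueError("unknown address type %d" % atyp)
    if len(data) != end + 2:
        raise ValueError("truncated request or trailing bytes")
    return atyp, host, struct.unpack("!H", data[end:])[0]


def reply_status(data):
    """Interpret the server's reply as (ok, reason). The REP byte is what tells
    you whether the far side (here the SSH server) could reach the destination."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        return False, "malformed reply"
    return data[1] == 0, REPLY_REASONS.get(data[1], "unassigned code %d" % data[1])


if __name__ == "__main__":
    for remote in (True, False):
        req = build_connect("ifconfig.me", 443, resolve_remotely=remote,
                            resolver=lambda h: "192.0.2.10")  # constructed answer
        print("socks5h" if remote else "socks5 ", req.hex(), parse_connect(req))
```

When a `curl` through the tunnel fails with a SOCKS error rather than an HTTP one, `reply_status` on the server's reply tells you which side gave up: `connection refused` or `host unreachable` means the SSH server (the proxy host) could not reach the destination, which is a different problem from the tunnel itself being down.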

Use ssh over port forwarded connection

My organisation makes us connect to our AWS environments using a "bastion" host so my openssl .ssh config file looks a bit like this:
Host bastion.*.c1.some.com
User bastionuser
ProxyCommand none
StrictHostKeyChecking no
ForwardAgent yes
Host *.c1.some.com 12.345.* 456.12.1.*
User awsuser
StrictHostKeyChecking no
ForwardAgent yes
ProxyCommand ~/.ssh/proxy_command.sh %h %p
I want to use an ssh client built into the CLion IDE to connect to my AWS environment but it does not support this kind of configuration.
Can I setup a port forward using openssl and then establish an ssh connection over that tunnel from within CLion?
I was able to setup a port forward using PuTTY and afterwards I was able to establish a second ssh connection over the port forward using Intellij. For some reason I couldn't establish the second ssh connection over the OpenSSH port forward, perhaps because the Git Bash environment is sandboxed or something?
Presumably this will also work with any other SSH client that doesn't support tunneling out of the box.

Is it possible to create a proxy in Remote-SSH Visual Studio Code?

I need to connect via Remote-SSH in Visual Studio Code to a machine over ssh, but from a specific machine that I have previously connected to through ssh.
I can connect to the first machine with no problem; the problem is that when I am logged in to the first machine and try to connect to the second, it doesn't let me. I have been looking, but all I can find are examples showing how to connect to one machine without passing through another one.
Thanks to a partner, I have found a solution, and it consists of changing the ssh config file a little bit.
As I am using VS Code on Windows and did not want to use netcat, I used the following command to create a proxy:
Host <target-machine-name>
HostName <target-machine-ip>
User <user>
ProxyCommand C:\Windows\System32\OpenSSH\ssh.exe -q -x <proxy-machine-name> -W %h:22
Hope it can help someone else with the same issue.
If you are using macOS and want to ssh to machine 1.1.1.1:2222 through a SOCKS proxy (127.0.0.1:1080), then you can use the configuration below:
Host 1.1.1.1
HostName 1.1.1.1
ProxyCommand nc -X 5 -x 127.0.0.1:1080 %h %p
Port 2222
User YourName
If you are using an HTTP proxy, or Windows (Linux), check Connect with SSH through a proxy. Then replace the corresponding ProxyCommand.
Hope this helps you.

SSH to Github not working

SSH has been working fine for the last few weeks since I got my new PC. I've had no problems but today I started getting:
ssh: connect to host github.com port 22: resource temporarily unavailable
I did some googling and found that there is a common issue with WSL which sometimes causes this, but I'm unable to SSH from my bash shell, or from cmd/powershell.
This is the part that confuses me: if I do ssh -T git@192.30.253.113 I am prompted for the password to my key, it successfully authenticates and responds with "Hi alexmk92! You've successfully authenticated".
Great, that at least proves that my firewall isn't blocking SSH on port 22. But why does git@github.com throw the resource failed error? My initial thought is that this could be a DNS problem.
So I tried to configure my network adapter to use Google's DNS servers (8.8.8.8 and 8.8.4.4); I even configured the IPv6 DNS servers just in case. Following this I did an ipconfig /flushdns, attempted to connect via git@github.com again and BAM, the same result; however git@192.30.253.113 still works.
I'm guessing another potential cause is that github.com is behind a load balancer and one of the IPs on the cluster could be black-listed somewhere on my machine? I'm just pulling guesses out of thin air now; any help would be greatly appreciated, this is driving me insane.
After some further Googling it turned out that my machine did not have a hosts entry for github.com and it was unable to automatically resolve it.
In Windows Subsystem for Linux I created a ssh config file
touch ~/.ssh/config
(for some reason the base distro of Ubuntu 18.04 on the Windows marketplace didn't have one). I then had to make sure the file permissions were correct:
chmod 755 ~/.ssh/config
Once the file was created, I edited it with
sudo nano ~/.ssh/config
and added github.com as a Host.
Host github.com
Hostname ssh.github.com
Port 22
Upon saving, I ran
sudo /etc/init.d/ssh restart
and attempted
ssh -T git@github.com
Everything now seems to be working.
In my case my ISP did not allow ssh, so it was not working from both cmd and WSL. Got around it using a VPN.
To have a successful SSH connection to GitHub, the SSH key has to be imported into GitHub:
Open Git bash or Terminal
Run the command ssh-keygen
Choose all default option
A private and a public key get generated in the folder <user_home>/.ssh/
Login to Github.com
Navigate to account settings
Choose item "SSH and GPG Keys" from the side navigation bar
Click "Add new SSH key"
Copy and save the public key content from <user_home>/.ssh/id_rsa.pub

Connecting to a remote server from local machine via ssh-tunnel

I am running Ansible on my machine, and my machine does not have ssh access to the remote machine. Port 22 connections originating from my local machine are blocked by the institute firewall. But I have access to a machine (ssh-tunnel) through which I can log in to the remote machine. Now, is there a way we can run an ansible playbook from the local machine on remote hosts?
In a way, is it possible to make Ansible/ssh connect to the remote machine via ssh-tunnel, but not exactly log in to ssh-tunnel? The connection will pass through the tunnel.
The other way is that I can install ansible on ssh-tunnel and run plays from there. But that would not be a desired solution.
Please let me know if this is possible.
There are two ways to achieve this without installing Ansible on the ssh-tunnel machine.
Solution#1:
Use these variables in your inventory:
[remote_machine]
remote ansible_ssh_host=127.0.0.1 ansible_ssh_port=2222 ansible_ssh_user='username' ansible_ssh_private_key_file='/home/user/private_key'
I hope you understand the above parameters; if you need help, please ask in the comments.
Solution#2:
Create ~/.ssh/config file and add the following parameters:
####### Access to the Private Server through ssh-tunnel/bastion ########
Host ssh-tunnel-server
HostName x.x.x.x
StrictHostKeyChecking no
User username
ForwardAgent yes
Host private-server
HostName y.y.y.y
StrictHostKeyChecking no
User username
ProxyCommand ssh -q ssh-tunnel-server nc -q0 %h %p
Hope that helps you; if you need any help, feel free to ask.
No need to install ansible on the jump and remote servers; ansible is an ssh-only tool :-)
First make sure you can work it directly with an SSH tunnel.
On the local machine (Local_A), you can log in to the remote machine (Remote_B) via the jump box (Jump_C).
login server Local_A
ssh -f user@remote_B -L 2000:Jump_C:22 -N
The other options are:
-f tells ssh to background itself after it authenticates, so you don't have to sit around running something on the remote server for the tunnel to remain alive.
-N says that you want an SSH connection, but you don't actually want to run any remote commands. If all you're creating is a tunnel, then including this option saves resources.
-L [bind_address:]port:host:hostport
Specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side.
There will be a password challenge unless you have set up DSA or RSA keys for a passwordless login.
There are lots of documents teaching you how to do the ssh tunnel.
Then try below ansible command from Local_A:
ansible -vvvv remote_B -m shell -a 'hostname -f' --ssh-extra-args="-L 2000:Jump_C:22"
You should see the remote_B hostname. Let me know the result.
Let's say you can ssh into x.x.x.x from your local machine, and ssh into y.y.y.y from x.x.x.x, while y.y.y.y is the target of your ansible playbook.
inventory:
[target]
y.y.y.y
playbook.yml
---
- hosts: target
tasks: ...
Run:
ansible-playbook --ssh-common-args="-o ProxyCommand='ssh -W %h:%p root@x.x.x.x'" -i inventory playbook.yml