SSH Proxy with AWS Systems Manager


This one is more of a personal note than anything else. Recently I’ve had a need to connect to devices attached to a host I don’t have any sort of network access to. Thankfully these devices have the AWS Systems Manager (SSM) agent installed. I can connect to that and set up an SSH proxy through the SSM session to reach the remote devices.

SSH via Systems Manager

First step is to set up port forwarding via the Systems Manager agent. This connects local port 2222 to port 22 on the remote device.

export NODE_ID=""
aws ssm start-session --target $NODE_ID --document-name AWS-StartPortForwardingSession --parameters '{"portNumber":["22"],"localPortNumber":["2222"]}'

The tunnel will operate as long as this command remains running.

From here you can use SSH to do anything you could over a direct connection. For example, SCP files to or from the device (note that scp takes the port as -P, whereas ssh takes -p):

export SSH_KEY_PATH=""
export SOURCE_PATH=""
export TARGET_PATH=""
scp -P 2222 -i "$SSH_KEY_PATH" -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no "$SOURCE_PATH" username@localhost:"$TARGET_PATH"

Note

If you’ve already got a record for [localhost]:2222 in your known_hosts file (left over from forwarding a different device through the same local port), the connection would normally be refused with:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.

We get around this by setting UserKnownHostsFile to /dev/null and StrictHostKeyChecking to no. You normally wouldn’t want to do this, because it switches off the only check SSH has that the host on the other end of the tunnel is the one you expect; here it is tolerable only because we re-use the same hostname/port combo for different hosts and the tunnel itself is authenticated by your AWS credentials. The alternatives are to remove the stale entries from the known_hosts file, to dedicate one local port per SSM host so you don’t run into collisions, or, better, to pass -o HostKeyAlias=$NODE_ID so SSH stores and checks the key under the node ID rather than under localhost:2222 and strict checking can stay on.

HTTP Proxy

This is really useful for reaching web interfaces on the remote network over HTTP. With the tunnel still open, start a SOCKS proxy over the SSH connection. No sudo is needed: 9999 is an unprivileged port, and running ssh as root only gets in the way of your key path and agent.

export SSH_KEY_PATH=""
ssh -p 2222 -i "$SSH_KEY_PATH" -ND 9999 -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no username@localhost

Set your browser proxy config

Host: 127.0.0.1
Port: 9999
Protocol: SOCKS v5

Now just browse to any page on the remote network and your web browser will send the request through the SSH SOCKS proxy, which in turn rides the SSM port-forwarding session to the device.
