
We have a bastion server B. We need to SSH from A through B to C, using a private key (we use KeePass with KeeAgent).

On the bastion I have `AllowTcpForwarding yes`.

I tried to use `ProxyCommand`:

```
Host app
    Hostname *.*.*.*
    User my-user
    Port 22
    ProxyCommand ssh -W %h:%p bast

Host bast
    Hostname *.*.*.*
    # ForwardAgent no
    User my-user
```

`ssh app` manages to reach the bastion server and fails when trying to connect to the private server. The error is:

```
channel 0: open failed: connect failed: Connection timed out
stdio forwarding failed
ssh_exchange_identification: Connection closed by remote host
```

In `/var/log/secure` on the bastion I see:

```
error: connect_to *.*.*.* port 22: failed.
```

user2503775
  • In addition to on "bastion" also check the logs on the host "app" and the debugging output when you add one or more `-v` flags to your `ssh` command. Also: I find the [`ProxyJump`](https://serverfault.com/a/912253/37681) directive more flexible and easier to use than the `ProxyCommand` – HBruijn Mar 18 '19 at 11:51
  • I got the same error with ProxyJump. And no special information when running `-vvv`. Also, I see no logs on server "app". – user2503775 Mar 18 '19 at 11:57
  • Maybe superfluous, but when you're logged in on "bast" then you can `ssh my-user@*.*.*.*` to the ip-address of host "app", right? – HBruijn Mar 18 '19 at 12:08
  • I don't want to put the private key of server app on the bastion, it's only on my comp. So for now I cannot verify that. – user2503775 Mar 18 '19 at 12:09
  • Can it be related to iproutes? – user2503775 Mar 18 '19 at 12:10
  • I don't want to allow agent forwarding because of the socket file, but for now I logged in to bastion with `ForwardAgent yes` and tried to ssh host app, I get `ssh: connect to host *.*.*.* port 22: Connection timed out` – user2503775 Mar 18 '19 at 12:44
  • Is the firewall on `app` open for port 22/tcp? Is an SSH server listening on port 22 on app? In the ssh_config, for the "app" host you do need to enter the data from the point of view of the bastion computer, and not your external laptop. – Huygens Mar 18 '19 at 19:42
  • Yes. I have a rule for ssh 22 on app's security group, and the ssh server is listening on port 22. I can connect to this server from my local computer but not through the bastion. – user2503775 Mar 19 '19 at 07:46

2 Answers


I found the problem.

In the app section I wrote the public IP, as I did in the bast section and as I always connect.

Now I changed the IP to the private one and it works! I'm not sure why I can't connect via the public IP. I used AWS Quick Start.

user2503775

How will bast authenticate to app if you have agent forwarding disabled? You need to enable the agent forwarding on bast so it can relay your key to app.

Further, do you have a key for app loaded in your local agent?

  • I followed this: https://serverfault.com/a/958466/506245 – user2503775 Mar 18 '19 at 11:13
  • Anyway... Also removing that gives the same error – user2503775 Mar 18 '19 at 11:13
  • And yes, I have my keys loaded on keeAgent. Also when locking the agent and writing the IdentityFile, I get the same error... – user2503775 Mar 18 '19 at 11:22
  • Hi, the OP stated that he is using ProxyCommand, so there is no need for Agent Forwarding. Basically the client first establishes a connection to bast and tries to do the plumbing (with the `-W`) through which input/output will be forwarded to the app host behind the bastion. So we are kind of tunnelling through the bastion. I'm using that technique every day :-) – Huygens Mar 18 '19 at 19:37
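An added check, not code from the original post or either answer, covering both the accepted answer (the `app` Hostname must be the address the bastion can reach, here the private one) and Huygens's point that the bastion only needs to plumb a TCP connection: it reads the Hostname from a constructed ssh_config, flags a non-RFC 1918 address, and can probe app:22 from the bastion using bastion credentials only. The config text, the IPs and the `app`/`bast` aliases are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: check that the "app" stanza
# names an address the bastion can route to, and probe app:22 from the bastion
# without copying any private key there. SAMPLE_CONFIG is constructed;
# 10.0.1.23 and 203.0.113.10 are placeholder addresses.
SAMPLE_CONFIG='Host app
    Hostname 10.0.1.23
    User my-user
    Port 22
    ProxyJump bast

Host bast
    Hostname 203.0.113.10
    User my-user
    ForwardAgent no
'

# Print the Hostname of stanza "Host $2" found in the ssh_config text $1.
hostname_for() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "Host" { in_stanza = ($2 == want) }
        in_stanza && tolower($1) == "hostname" { print $2; exit }'
}

# Succeed if $1 is an RFC 1918 IPv4 address (10/8, 172.16/12, 192.168/16).
is_private_ipv4() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.*) second=${1#172.}; second=${second%%.*}
               [ "$second" -ge 16 ] && [ "$second" -le 31 ] && return 0 ;;
    esac
    return 1
}

# Open TCP $1:22 from the bastion $2 (assumes bash and coreutils timeout on
# the bastion) and print the first banner bytes, "SSH-" if a server answers.
probe_via_bastion() {
    ssh -o BatchMode=yes -o ConnectTimeout=10 "$2" \
        "timeout 5 bash -c 'exec 3<>/dev/tcp/$1/22 && head -c 4 <&3'"
}

main() {
    target=$(hostname_for "$SAMPLE_CONFIG" app)
    is_private_ipv4 "$target" ||
        echo "warning: app Hostname $target is not RFC 1918; bastion may not route to it" >&2
    probe_via_bastion "$target" bast
}

# Run the live probe only when asked, so the definitions can be sourced or tested.
case "${1:-}" in --probe) main ;; esac
```

A timeout from `probe_via_bastion` reproduces the `connect_to ... failed` line from the bastion's `/var/log/secure`, which points at routing or security-group rules rather than at key handling.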