Create an SSH tunnel with authentication keys - Syntax
Solution 1
I made it work using the .ssh/config file instead of trying to put all my parameters in my commands. Here is the result if someone needs it:
Host the-gateway
Hostname GATEWAY_IP
Port 22
User ubuntu
IdentityFile ~/.ssh/keys/GATEWAY_KEY.pem
Host the-tunnel
Hostname localhost
Port 1122
User ubuntu
IdentityFile ~/.ssh/keys/PRIVATE_SERVER_KEY.pem
And then the 2 commands:
ssh -N -L 1122:SERVER_PRIVATE_IP:22 the-gateway
ssh the-tunnel
Doing it that way, SSH can use my pem keys.
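The config-file approach above can be checked without touching a live gateway. What follows is an added example, not code from the answer or from OpenSSH: a small Python parser for the ssh_config format shown in the answer, a first-match resolver that mimics how ssh picks option values, a helper that builds the two command lines (the -L forward to the gateway and the second hop through the local port), and a check on the key file itself. The placeholder values (GATEWAY_IP, SERVER_PRIVATE_IP, the .pem paths) are taken from the answer; the trailing Host * block is an assumption added to show that a later block cannot override an earlier one.

```python
# Added example (not from the original post): parse the ssh_config format used
# in the answer, resolve a Host alias the way ssh does, and build the argv for
# each hop. Negated patterns ("!host") and Match blocks are not handled here.
import fnmatch
import os
import shlex

# Constructed sample: the two Host blocks from the answer with the answer's
# placeholder values, plus an assumed catch-all block at the end.
SAMPLE_CONFIG = """
Host the-gateway
    Hostname GATEWAY_IP
    Port 22
    User ubuntu
    IdentityFile ~/.ssh/keys/GATEWAY_KEY.pem

Host the-tunnel
    Hostname localhost
    Port 1122
    User ubuntu
    IdentityFile ~/.ssh/keys/PRIVATE_SERVER_KEY.pem

Host *
    User nobody
    ServerAliveInterval 30
"""


def parse_ssh_config(text):
    """Return a list of (host_patterns, options) blocks in file order.

    Keywords are case-insensitive in ssh_config, so they are lower-cased;
    values keep their case. Blank lines and '#' comments are skipped, and
    options that appear before the first Host line apply to every host.
    """
    blocks = []
    patterns, options = ["*"], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = shlex.split(line)
        key, values = parts[0].lower(), parts[1:]
        if key == "host":
            if options:
                blocks.append((patterns, options))
            patterns, options = values, {}
            continue
        # ssh keeps the first value it obtains for a keyword, even inside a block.
        options.setdefault(key, " ".join(values))
    if options:
        blocks.append((patterns, options))
    return blocks


def resolve(blocks, alias):
    """Effective options for `alias`: walk the blocks in order, and for every
    matching block keep the FIRST value seen for each keyword (ssh semantics)."""
    resolved = {}
    for patterns, options in blocks:
        if any(fnmatch.fnmatchcase(alias, p) for p in patterns):
            for key, value in options.items():
                resolved.setdefault(key, value)
    resolved.setdefault("hostname", alias)  # ssh defaults Hostname to the alias
    resolved.setdefault("port", "22")
    return resolved


def ssh_argv(blocks, alias, forward=None):
    """Build argv for `ssh <alias>` from the resolved options.

    `forward` is an optional (local_port, target_host, target_port) triple for
    a -L forward. The target host is a bare hostname or IP: the gateway's sshd
    only opens a TCP connection to it and never logs in, so a 'user@' prefix
    there is wrong (the gateway would try to resolve 'ubuntu@host' as a name).
    """
    opts = resolve(blocks, alias)
    argv = ["ssh", "-p", opts["port"]]
    if "identityfile" in opts:
        argv += ["-i", os.path.expanduser(opts["identityfile"])]
    if forward:
        local_port, target_host, target_port = forward
        argv += ["-N", "-L", f"{local_port}:{target_host}:{target_port}"]
    target = opts["hostname"]
    if "user" in opts:
        target = f"{opts['user']}@{target}"
    argv.append(target)
    return argv


def identity_file_problems(path):
    """Reasons ssh would ignore the key at `path`: missing, or readable by
    group/others (ssh refuses such keys as 'UNPROTECTED PRIVATE KEY FILE')."""
    path = os.path.expanduser(path)
    if not os.path.exists(path):
        return ["missing"]
    mode = os.stat(path).st_mode & 0o777
    return [f"too permissive ({mode:o}); ssh wants 0600"] if mode & 0o077 else []


if __name__ == "__main__":
    cfg = parse_ssh_config(SAMPLE_CONFIG)
    print(ssh_argv(cfg, "the-gateway", forward=(1122, "SERVER_PRIVATE_IP", 22)))
    print(ssh_argv(cfg, "the-tunnel"))
    for alias in ("the-gateway", "the-tunnel"):
        print(alias, identity_file_problems(resolve(cfg, alias)["identityfile"]))
```

Two things the code makes explicit: the host field of a -L forward is a bare address that the gateway's sshd connects to, so a user@ prefix there does not belong (compare the forward in the question with the one in this answer), and ssh silently skips a private key that is group- or world-readable, which identity_file_problems reports before any connection is attempted.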
Solution 2
If I understood your question correctly, and you want to ssh to "PrivateServer", then your second ssh call should be:
myMachine $ ssh -i PRIVATE_SERVER_KEY.pem -p 1122 ubuntu@localhost
If not, please clarify in a comment on your question.
Guilhem Soulas
Updated on September 18, 2022
Comments
-
Guilhem Soulas over 1 year
I have to create an SSH tunnel to connect a deployment server to a VPN:
DeploymentServer --> Gateway --> PrivateServer
Each machine uses its own key. I tried the following command:
myMachine $ ssh -i GATEWAY_KEY.pem -N -L 1122:ubuntu@SERVER_PRIVATE_IP:22 ubuntu@GATEWAY_IP
And then this one in other terminal window:
myMachine $ ssh -i PRIVATE_SERVER_KEY.pem -p 1122 ubuntu@SERVER_PRIVATE_IP
But it doesn't work, I get a timeout error. My port 1122 is open and I can SSH to it. I don't know what I'm doing wrong, is my syntax correct?
It's my first tunnel so don't laugh at me!
EDIT 1
I added -v and fixed the second SSH call.
First call:
myMachine $ ssh -i GATEWAY_KEY.pem -N -L 1122:ubuntu@SERVER_PRIVATE_IP:22 ubuntu@GATEWAY_IP -v
Response: debug1: Authentication succeeded (publickey).
Second call:
myMachine $ ssh -i PRIVATE_SERVER_KEY.pem -p 1122 ubuntu@localhost -v
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: Connecting to localhost [::1] port 1122.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file .ssh/wamapi_staging.pem type -1
debug1: identity file .ssh/wamapi_staging.pem-cert type -1
ssh_exchange_identification: Connection closed by remote host
And in the first tab again:
debug1: Connection to port 1122 forwarding to [email protected] port 22 requested.
debug1: channel 2: new [direct-tcpip]
channel 2: open failed: administratively prohibited: open failed
debug1: channel 2: free: direct-tcpip: listening port 1122 for [email protected] port 22, connect from ::1 port 60341, nchannels 3
-
Admin almost 11 years: What are you trying to do? ssh to "PrivateServer"? Or establish a VPN somewhere?!
-
Guilhem Soulas almost 11 years: Thanks, I can wait until tomorrow to see if ubuntu@localhost works for me.
-
Guilhem Soulas almost 11 years: Hi @faker, I tried with ubuntu@localhost and localhost but I have these error messages: ssh_exchange_identification: Connection closed by remote host (second ssh call) and channel 2: open failed: administratively prohibited: open failed (first ssh call).
-
faker almost 11 years: Are you able to ssh from the gateway to the private server? In any case, try adding -v to both ssh calls and edit the output into your question.
-
Guilhem Soulas almost 11 years: I edited my initial question. I can SSH to the private server from the gateway on port 22 without any problem. Should I maybe use another port here also?
-
faker almost 11 years: On the gateway, is AllowTcpForwarding set to no in sshd_config? I'm running out of ideas, it should work like you posted.
-
Guilhem Soulas almost 11 years: Doesn't help :( I customized the sshd_config as follows: GatewayPorts yes, PermitTunnel yes, Port 1122, AllowTcpForwarding yes. But I haven't changed anything on the private server config.
-
Guilhem Soulas almost 11 years: I have some news! I put -vvv to have the maximum level of debug and it's telling me:
debug3: Not a RSA1 key file .ssh/PRIVATE_SERVER_KEY.pem.
debug2: key_type_from_name: unknown key type '-----BEGIN'
-
Guilhem Soulas almost 11 years: See my answer below. I made it work that way. Thanks.