3

I am trying to figure out how to get a jump host to work with AWS Cloud9. Below is a diagram taken from the blog post (on my staging server) there I am writing on the subject. Please refer to the blog post (just under 3000 words) for the entire scenario.

diagram

Here is the 4-party initialization sequence performed by an administrator using the client (laptop):

  1. The administrator logs into the target server ($C9_TARGET_HOST) using a (command line) terminal, and leaves the terminal open.
  2. The administrator logs into the jump host ($C9_JUMP_HOST) using a second (command line) terminal, and leaves the terminal open.
  3. An administrator opens a port ($C9_JUMP_PORT) on the jump host to accept ssh connections from AWS Cloud9.
  4. The administrator points a web browser at the Cloud9 web console to begin defining a Cloud9 environment.
  5. Once the administrator reaches the web page where the Cloud9 ssh key is available, they copy it to the clipboard.
  6. The administrator uses the open terminal connected to the target server to:
      Add the Cloud9 ssh key to ~/.ssh/authorized_hosts. Add a new host block to ~/.ssh/config that makes it easier to define a reverse ssh port forwarding tunnel from the target server to the jump host.
  7. The administrator uses the open terminal connected to the jump host to:
      Add the Cloud9 ssh key to ~/.ssh/authorized_hosts. Add a new host block to ~/.ssh/config that makes it easier to forward ssh commands from Cloud9 to the target server.
  8. The administrator defines a reverse ssh port forwarding tunnel from the target server to the jump host, which means that the jump host will connect back to the target server via the tunnel and forward ssh commands when a connection is made to the specified port ($C9_JUMP_PORT) on the jump host. 
    ssh -fNR \
$C9_JUMP_HOST:$C9_JUMP_PORT:localhost:22 $C9_JUMP_USER@$C9_JUMP_HOST
    I wonder if the `-T` option might be helpful? Should `nohup` be used?
  9. The administrator creates a reverse port forwarded tunnel using the definition they just created. nohup is used when creating the tunnel so it remains in place once the administrator logs off.
  10. After defining the jump host in the Cloud9 web console, the administrator presses the Next step button.
  11. Cloud9 attempts to reach the jump host.
  12. Cloud9 attempts to reach the target server via the jump host.
  13. If successful, Cloud9 advances the administrator's web page to the next step.
  14. The administrator clicks on each Next step button that appears until the Cloud9 environment is defined.

I would be happy to provide credit in the blog posting to whomever might provide the solution.

Improve this question
12
  • Many of these questions/answers look like they would help. Just seeing if there are one or two specific ones... Commented Sep 29, 2020 at 21:41
  • Thanks @roaima. I have never seen any articles or discussions about initiating a 4-party handshake from a target system to a jump host. If you know of any, please let me know. Commented Sep 30, 2020 at 1:04
  • 1
    The diagram shows the client and target in the same NAT zone, in which case the jump host is unnecessary. Now, that's not what you describe but it is what you show Commented Sep 30, 2020 at 6:33
  • 1
    Sorry but like others, I can not workout what you are trying to do. Edit the question to make it clear. Commented Sep 30, 2020 at 9:21
  • 1
    Am I missing something? You say "Hopefully the edits I make today will clarify." However the last edit was mine. Where is this edit? Commented Sep 30, 2020 at 19:50

1 Answer 1

Reset to default
2

So what you want to to is to establish a reverse tunnel from the Target (private server) to the Jump Host (public server) so that you could establish a connection from AWS to Target, correct?

In that case, the reverse tunnel has to be built from the Target, so there you could invoke something like

ssh -f -N -R $JUMPER:$PORT:localhost:22 $USER@$JUMPER

Maybe you also want to try out "autossh" instead of "ssh", to keep your reverse tunnel open. The command uses an additional parameter for a monitor port:

autossh -M $MONITORPORT -f -N -R $JUMPER:$PORT:localhost:22 $USER@$JUMPER

If you use only the part $PORT:localhost:22, you have to go to the target in two steps:

  1. From AWS ssh to the Jump Server
  2. From the Jump Server ssh to localhost:$PORT to use the reverse tunnel.

Hope that helps, Georg

Improve this answer
2
  • I will check it out and get back to you. Never knew about autossh. Never thought about building the tunnel from target. Many thanks! Commented Sep 29, 2020 at 22:27
  • is there anyway to use the -J option with autossh?, trying to do the same here but want to jump before doing anything Commented Jun 27, 2023 at 16:54

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.