An SSH tip for modern AWS patrons

Cloud computing and immutable infrastructure deployments have changed the way I use SSH. I miss the days when I could run:

$ ssh app1-prod

to jump onto a machine and investigate an issue. This would work as, back in the days of yore, your web servers didn’t change IP address several times a week so I could create a helpful alias in ~/.ssh/config:

Host app1-prod
    User example_user
    HostName 74.207.251.29

This circumvented the labour-intensive act of typing in the remote username and IP address when SSHing around town.

I can no longer do this as:

  • Immutable infrastructure deployments mean EC2 instances are replaced for every update so the IP addresses keep changing. Life is too short to keep updating ~/.ssh/config with their details.
  • Plus, aside from your load balancers, servers should be unreachable from the outside world. Now all access is via a bastion machine: the only machine in the VPC that exposes its SSH port to the network your laptop is using.

These are both good things.

Aren’t you supposed to stop using SSH with AWS?

Yeah, that’s been recommended before and seems a good idea.

I’m not there yet though. There’s still occasions where I want to SSH onto a machine and run diagnostics. For instance, as part of a canary release I often SSH onto one of the new machines and check for smoke before replacing the entire auto-scale group with the new AMI. (I’m happy to accept this is an regrettable practice and I need to raise my automation game.)

In such circumstances, I want to be able to run:

$ ssh ip-10-5-8-179.eu-west-1.compute.internal

jumping straight onto an AWS EC2 instance using only its internal DNS name, plucked from the AWS console or a boto command.

Here’s how.

ProxyCommand and a wildcard SSH alias

Add an alias to ~/.ssh/config for your bastion server. Something like:

Host bastion-prod
    User example_user
    Hostname bastion.example.com
    IdentityFile ~/.ssh/bastion-prod.key
    LogLevel Quiet

then you can route SSH traffic through the bastion server using ProxyCommand:

Host *.compute.internal
    User ubuntu
    IdentityFile ~/.ssh/aws-prod.key
    ProxyCommand ssh bastion-prod -W %h:%p
    StrictHostKeyChecking no

and that’s sufficient for commands like:

$ ssh ip-10-5-8-179.eu-west-1.compute.internal

to work.

Note, disabling StrictHostKeyChecking suppresses the confirmation prompt when connecting to a new host for the first time. I’m ignorant of whether this is a dreadful security misstep.

Some vaguely related articles:

----

Tagged with: aws
Filed in: tips
Revision history

Previous: commandlinefu.com is in new hands
Next: Copying Postgres output into a spreadsheet

Copyright © 2005-2017 David Winterbottom
Content licensed under CC BY-NC-SA 4.0.