Cloud computing and immutable infrastructure deployments have changed the way I use SSH. I miss the days when I could run:
to jump onto a machine and investigate an issue. This would work as, back in the
days of yore, your web servers didn’t change IP address several times a week so
I could create a helpful alias in
Host app1-prod User example_user HostName 220.127.116.11
This circumvented the labour-intensive act of typing in the remote username and IP address when SSHing around town.
I can no longer do this as:
- Immutable infrastructure deployments mean EC2 instances are replaced for every
update so the IP addresses keep changing. Life is too short to keep updating
~/.ssh/configwith their details.
- Plus, aside from your load balancers, servers should be unreachable from the outside world. Now all access is via a bastion machine: the only machine in the VPC that exposes its SSH port to the network your laptop is using.
These are both good things.
Aren’t you supposed to stop using SSH with AWS?
Yeah, that’s been recommended before and seems a good idea.
I’m not there yet though. There’s still occasions where I want to SSH onto a machine and run diagnostics. For instance, as part of a canary release I often SSH onto one of the new machines and check for smoke before replacing the entire auto-scale group with the new AMI. (I’m happy to accept this is an regrettable practice and I need to raise my automation game.)
In such circumstances, I want to be able to run:
jumping straight onto an AWS EC2 instance using only its internal DNS name,
plucked from the AWS console or a
ProxyCommand and a wildcard SSH alias
Add an alias to
~/.ssh/config for your bastion server. Something like:
Host bastion-prod User example_user Hostname bastion.example.com IdentityFile ~/.ssh/bastion-prod.key LogLevel Quiet
then you can route SSH traffic through the bastion server using
Host *.compute.internal User ubuntu IdentityFile ~/.ssh/aws-prod.key ProxyCommand ssh bastion-prod -W %h:%p StrictHostKeyChecking no
and that’s sufficient for commands like:
StrictHostKeyChecking suppresses the confirmation prompt when
connecting to a new host for the first time. I’m ignorant of whether this is a
dreadful security misstep.
Some vaguely related articles:
- Using a ProxyCommand to Leap Frog Your Bastions
- A Github repo for
- Easily SSH into Amazon EC2 instances using the Name tag