
How to SSH into a Private Instance via a Bastion Host Using a Single Command


Introduction


SSH access to private instances in AWS often requires routing through a bastion host for security. This guide outlines how to configure and execute a single-command SSH connection to a private instance via a bastion host, enhancing both security and usability.


Problem Statement


The client requires secure SSH access to their private EC2 instance through a bastion host, but with the ability to execute this connection in a single command. This simplifies workflows while ensuring adherence to security protocols.


Solution Overview


To achieve a single-command SSH setup:


  1. Verify access to both the bastion host and private instance.


  2. Configure SSH keys to ensure secure communication.


  3. Utilize SSH's ProxyCommand feature to route traffic through the bastion host seamlessly.


Step-by-Step Instructions


1. Verify Access


Ensure the following prerequisites:


  • Security Groups:


    • The bastion host allows inbound SSH (port 22) from your IP.

    • The private instance allows inbound SSH from the bastion host's private IP.


  • PEM Files: Have the private keys (PEM files) for both the bastion host and the private instance.


2. Prepare the Key


  1. Copy the Bastion Host's PEM File: Save the private key (bastion_host.pem) to your local machine's SSH directory:

    cp /path/to/bastion_host.pem ~/.ssh/bastion_host.pem
    chmod 400 ~/.ssh/bastion_host.pem


  2. SSH into the Bastion Host: Connect to the bastion host:

    ssh -i ~/.ssh/bastion_host.pem ubuntu@<public-ip-of-bastion-host>


  3. Extract the Public Key: Generate the public key from the bastion host's PEM file:

    ssh-keygen -y -f ~/.ssh/bastion_host.pem > bastion_host.pub


3. Configure Authorized Keys on the Private Instance


  1. Copy the Public Key to the Private Instance: Append the bastion host’s public key to the private instance’s authorized_keys file:

    cat bastion_host.pub | ssh -i ~/.ssh/bastion_host.pem ubuntu@<private-ip-of-instance> 'cat >> ~/.ssh/authorized_keys'


  2. Verify Access: Confirm you can SSH from the bastion host to the private instance:

    ssh ubuntu@<private-ip-of-instance>


4. Connect via Single Command

Use the following command to SSH into the private instance via the bastion host:

ssh -o ProxyCommand="ssh -i ~/.ssh/bastion_host.pem -W %h:%p ubuntu@<public-ip-of-bastion-host>" -i ~/.ssh/bastion_host.pem ubuntu@<private-ip-of-instance>
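
A preflight wrapper for the command above, as an added example that is not part of the original guide: it checks the key mode that OpenSSH enforces and rejects values that are unsafe to place in ProxyCommand, which ssh runs through the user's shell. The function names, the SSH_BIN override and the sample addresses are assumptions for illustration.

```shell
#!/bin/sh
# Added example: preflight checks before the single-command bastion hop.
# Function names, SSH_BIN and the sample addresses are assumptions.

# OpenSSH refuses a private key whose group/other permission bits are set,
# so require that all six of those bits are clear (e.g. mode 400 or 600).
key_mode_ok() {
  [ -f "$1" ] || { echo "missing key: $1" >&2; return 1; }
  km_bits=$(ls -ldL "$1" | cut -c5-10)
  [ "$km_bits" = "------" ] || { echo "key too permissive: $1 (run chmod 400)" >&2; return 1; }
}

# ProxyCommand is run through the user's shell, so every value placed in it
# must be free of whitespace and shell metacharacters. A leading '-' is also
# rejected so a value can never be read as an ssh option.
safe_token() {
  case $1 in
    ''|-*|*[!A-Za-z0-9._/-]*) return 1 ;;
  esac
}

# Usage: bastion_ssh KEY BASTION_ADDR PRIVATE_ADDR [USER]
bastion_ssh() {
  bs_key=$1 bs_bastion=$2 bs_target=$3 bs_user=${4:-ubuntu}
  for bs_v in "$bs_key" "$bs_bastion" "$bs_target" "$bs_user"; do
    safe_token "$bs_v" || { echo "unsafe value: $bs_v" >&2; return 1; }
  done
  key_mode_ok "$bs_key" || return 1
  # Same command as step 4, passed as separate arguments (no eval, no re-quoting).
  "${SSH_BIN:-ssh}" \
    -o "ProxyCommand=ssh -i $bs_key -W %h:%p $bs_user@$bs_bastion" \
    -i "$bs_key" "$bs_user@$bs_target"
}

# Example call with constructed documentation addresses:
#   bastion_ssh "$HOME/.ssh/bastion_host.pem" 203.0.113.10 10.0.1.25
```

Pass the key as an absolute path (for example "$HOME/.ssh/bastion_host.pem"), since a literal ~ is rejected by the character check.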


Notes


  1. Key Permissions: Ensure the PEM files have the correct permissions to avoid errors:

    chmod 400 ~/.ssh/bastion_host.pem


  2. ProxyCommand in SSH Config: Simplify repeated access by adding the configuration to ~/.ssh/config:

    Host bastion
        HostName <public-ip-of-bastion-host>
        User ubuntu
        IdentityFile ~/.ssh/bastion_host.pem

    Host private-instance
        HostName <private-ip-of-instance>
        User ubuntu
        ProxyCommand ssh -W %h:%p bastion
        IdentityFile ~/.ssh/bastion_host.pem

    Then connect using:

    ssh private-instance


Conclusion


This solution provides a secure and efficient method to SSH into a private instance via a bastion host using a single command. By configuring SSH keys and leveraging ProxyCommand, users can simplify access while adhering to best security practices. For frequent connections, the SSH configuration file offers additional convenience.

 
 
 
