
Assume Machine A is the target machine I ultimately want to SSH into, while Machine B is a bridge machine (bastion host). Both machines are accessible using the same PEM file.

The security group of Machine A allows SSH connections only from Machine B. So if I want to connect to Machine A, I need to connect through Machine B.

How can this be accomplished without placing the PEM file on the bastion host?

jarmod
Wasim Thabraze

2 Answers


You can use ProxyCommand. I prefer defining the following in your ~/.ssh/config file.

host MachineB
 HostName <MachineB-IP>
 IdentityFile <Full Path of .pem file>
 User username

host MachineA
 HostName <MachineA-IP>
 ProxyCommand ssh MachineB nc -w 120 %h %p
 IdentityFile <Full Path of .pem file>
 User username

Then access MachineA like:

$ ssh MachineA
helloV
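As an added example (not part of the answer above), the same hop expressed with ProxyJump, which OpenSSH 7.3 and later support natively, plus the older "ssh -W" ProxyCommand form that needs no netcat on the bastion. Either way the PEM file is read only by the local client. The host names, addresses, user name and key path are placeholders; the second function checks the key's file mode, since ssh refuses a key that is readable by others.

```shell
#!/bin/sh
# Added example, not code from the original answer. Writes an ssh_config
# fragment that reaches MachineA through MachineB without copying the key
# to the bastion. Addresses, user and key path are placeholders.

# make_jump_config OUTFILE KEYFILE BASTION_IP TARGET_IP
make_jump_config() {
  out=$1; key=$2; bastion_ip=$3; target_ip=$4
  cat > "$out" <<EOF
Host MachineB
    HostName $bastion_ip
    User ec2-user
    IdentityFile $key
    IdentitiesOnly yes

Host MachineA
    HostName $target_ip
    User ec2-user
    IdentityFile $key
    IdentitiesOnly yes
    # The local client opens a second ssh session to MachineB and tunnels the
    # MachineA connection through it; the key never leaves this machine.
    ProxyJump MachineB
    # Equivalent for clients older than OpenSSH 7.3. ProxyJump and ProxyCommand
    # are mutually exclusive, so use one or the other:
    # ProxyCommand ssh -W %h:%p MachineB
EOF
}

# check_key_perms KEYFILE: returns 0 when the key is mode 600 or 400,
# which is what ssh requires before it will use a private key file.
check_key_perms() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  case "$mode" in
    600|400) return 0 ;;
    *) echo "key $1 has mode $mode; run: chmod 600 $1" >&2; return 1 ;;
  esac
}

# Usage with real hosts (commented out so the file runs offline):
#   make_jump_config ~/.ssh/config ~/.ssh/my-key.pem 203.0.113.10 10.0.1.20
#   check_key_perms ~/.ssh/my-key.pem && ssh MachineA
```

With this config `ssh MachineA` works directly, and `ssh -G MachineA` shows the resolved options if you want to confirm which proxy form is in effect.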

To reach an EC2 instance in a private subnet via a bastion host in a public subnet, without placing your SSH private key on the bastion, you need to use SSH agent forwarding.

Specific instructions are provided here.

jarmod
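As an added example (not from the answer above or the linked AWS instructions), the agent-forwarding workflow as a shell session, followed by a small audit of an ssh_config file. The PEM file is loaded into a local ssh-agent; the bastion only sees the forwarded agent socket, so `ls ~/.ssh` there shows no key while `ssh-add -l` lists it. The caveat a defender wants: while the socket is forwarded, root on the bastion can use the agent to sign, so ForwardAgent should be enabled for the bastion's Host entry only, not under `Host *`. User name, host arguments and key path are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original answer. Host names, user and
# key path are placeholders.

# agent_forward_session KEYFILE BASTION_HOST TARGET_HOST
# Needs real hosts; wrapped in a function so the file loads offline.
agent_forward_session() {
  key=$1; bastion=$2; target=$3
  eval "$(ssh-agent -s)" >/dev/null   # start a local agent
  ssh-add "$key"                      # key goes into the agent, file stays local
  # -A forwards the agent for this hop only. The inner ssh runs on the bastion
  # and authenticates to the target through the forwarded socket.
  ssh -A "ec2-user@$bastion" "ssh ec2-user@$target hostname"
  ssh-agent -k >/dev/null             # drop the agent when the session is over
}

# audit_forward_agent CONFIG: returns 1 if "ForwardAgent yes" applies
# globally (before any Host line or under "Host *"), 0 otherwise.
# Match blocks are not evaluated; this checks the common Host layout.
audit_forward_agent() {
  awk '
    BEGIN { global = 1; bad = 0 }
    tolower($1) == "host" { global = ($2 == "*") }
    tolower($1) == "forwardagent" && tolower($2) == "yes" && global { bad = 1 }
    END { exit bad ? 1 : 0 }
  ' "$1"
}

# Usage with real hosts (commented out):
#   audit_forward_agent ~/.ssh/config && \
#     agent_forward_session ~/.ssh/my-key.pem 203.0.113.10 10.0.1.20
```

A config that passes the audit puts `ForwardAgent yes` under `Host MachineB` and, if it has a `Host *` section at all, leaves forwarding off there.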