
I need to set up locally a tool that connects to the EC2 instance through SSH to perform profiling on the remote machine. The problem is the following: EC2 requires the use of a PEM certificate to connect, but the tool does not support certificates. Is there a way to do some port forwarding so that the tool can connect to something like localhost:2222 without a password (or at least without a certificate) and then the traffic gets redirected to the EC2?

I don't know exactly what ports are used by the tool, but for sure it can tunnel all traffic through SSH.

If you need more info, the tool is the Nvidia Nsight Compute.

I tried ssh -L 2222:localhost:22 -i mycertificate.pem <username_ec2>@<ip_ec2> but then ssh <username_ec2>@localhost:2222 returns ssh: Could not resolve hostname localhost:2222: nodename nor servname provided, or not known.

einpoklum
user1315621
  • I mean, it might be a dumb question. But you have the right CA and user/pass credentials, right? You just don't know how to supply them through the tool you are using. Right? – GensaGames Feb 01 '21 at 22:29
  • Exactly. Because the tool can't take the certificate as input – user1315621 Feb 02 '21 at 00:00
  • I'm doing port forwarding with a Python app and might have sample code. If that's something you can work with, I can share. But the process is simple: you just need to create port forwarding to your localhost port, and then connect your tool. – GensaGames Feb 02 '21 at 07:08

2 Answers


Fix your command to:

ssh -p 2222 <username_ec2>@localhost

but a certificate is still needed if you did the port forwarding like so:

ssh -L 2222:localhost:22 -i mycertificate.pem <username_ec2>@<ip_ec2>

I would try the following:

Run another ssh server which listens only on localhost and doesn't require a certificate, on another port, e.g. 2222. See instructions

and then I would port forward to it like so:

ssh -L 2222:localhost:2222 -i mycertificate.pem <username_ec2>@<ip_ec2>

and ssh to it the same way:

ssh -p 2222 <username_ec2>@localhost
ofirule
  • Might work better using this: https://stackoverflow.com/questions/4739196/simple-socket-server-in-bash – ofirule Feb 02 '21 at 19:21
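The second-sshd approach from the answer above, as an added example that is not part of the answer: a config for a loopback-only sshd on port 2222 with password authentication, a check that the config really binds only to loopback (so the password-only daemon is reachable solely through the tunnel), and the matching local-forward command. The config path, user name, host and key file name are assumptions.

```shell
#!/bin/sh
# Added example, not code from the answer. Paths, port, user and host are illustrative.

# Write the config for the second sshd instance to the file given as $1.
write_local_sshd_config() {
    cat > "$1" <<'EOF'
# Second sshd instance: reachable only on the loopback interface, i.e. through the tunnel
Port 2222
ListenAddress 127.0.0.1
PasswordAuthentication yes
PubkeyAuthentication no
PermitRootLogin no
PidFile /run/sshd-local.pid
EOF
}

# Return 0 only if the config in $1 has at least one ListenAddress and every one of
# them is a loopback address; anything else would expose password auth on the instance.
sshd_config_is_loopback_only() {
    cfg="$1"
    listen=$(grep -Ei '^[[:space:]]*ListenAddress[[:space:]]' "$cfg" | awk '{print $2}' || true)
    [ -n "$listen" ] || return 1
    for addr in $listen; do
        case "$addr" in
            127.0.0.1|::1|127.0.0.1:*|"[::1]":*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Print the local-forward command: localhost:2222 on the workstation maps to the
# loopback-only sshd on the instance. $1 = user, $2 = host, $3 = key file (placeholders).
tunnel_command() {
    printf 'ssh -N -L 127.0.0.1:2222:127.0.0.1:2222 -i %s %s@%s\n' "$3" "$1" "$2"
}
```

On the instance, start the second daemon as root with `/usr/sbin/sshd -f <that config file>`; on the workstation, run the printed tunnel command and point the tool at localhost:2222.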

You can do this with a TCP reverse proxy. A reverse proxy is useful for other high-level protocols as well, and can be shared and used by multiple servers/services. I make use of one personally as it helped me to consolidate my DMZ a bit. I've used HAProxy and NGINX for this sort of thing in the past. Since you're not using HTTP here, you'll want to make sure the proxy is running in TCP mode for the specific frontend and backend that will be used for this connection. The proxy can forward traffic and apply or strip a certificate as you see fit.

TheFunk