Ssh – query Redshift over multiple SSH hops

sockssshssh-tunnel

I'd like to query an AWS Redshift cluster from an IDE running on my laptop (IntelliJ). This cluster is only directly accessible from an EC2 instance in our VPC.

That EC2 instance isn't directly accessible from my laptop: it's necessary to ssh to another server in our datacenter, and then ssh to an EC2 instance in our VPC in order to run queries on the Reshift cluster via the psql client. Other users and cron'd shell scripts also execute commands on this cluster from the same EC2 instance.

I'd like to setup an SSH tunnel from my laptop, through the intermediate server in our datacenter, to the EC2 instance, and ultimately to the Redshift cluster without impacting other users/scripts.

I tried this:

ssh -fNL 5439:localhost:22 host_in_datacenter ssh -fNL 22:localhost:22 ec2_instance ssh -fNL 22:localhost:5439 reshift_host

Which returned:

[08P01] Protocol error.  Session setup failed.

… when I try to connect via a client.

Most of the SSH chaining examples to access remote databases I've seen have just one hop to the host running the database, and the final hop ends up on the database host itself.

Is it possible to create an SSH tunnel, without impacting other users, from my laptop to the Redshift cluster? If so, can you see what I'm doing wrong?

Best Answer

It seems as if you may not understand the SSH forwarding syntax. Please don't take this personally, but this is a prime example of why copy/paste software development and systems administration is so dangerous. People find examples online of how to do things, without bothering to do a bit of research into what actually is happening.

Let's break down a part of your command:

ssh -fNL 5439:localhost:22 host_in_datacenter

This means take traffic on localhost:5439 and forward it to port 22 on the server you're ssh'ing to. This doesn't make any sense, and won't ever work, as it's an SSH server listening on port 22, which won't know what to do with non-SSH traffic.

What you want to do is pick another random high port and use that for passing traffic through your chain. Something like this:

ssh -fNL 5439:localhost:12345 host_in_datacenter ssh -fNL 12345:redshift_host:12345 ec2_instance

Honestly, though, this is pretty kludgy. If I were you, I'd either collapse your network so you only need to go through a single host to get to Redshift or set up a VPN in AWS so you can connect directly from your workstation.

Related Solutions

SSH – Bad Owner or Permissions on ~/.ssh/config

I needed to have rw for user only permissions on config. This fixed it.

chmod 600 ~/.ssh/config

As others have noted below, it could be the file owner. (upvote them!)

chown $USER ~/.ssh/config

If your whole folder has invalid permissions here's a table of possible permissions:

Path	Permission
.ssh directory (code)	0700 (drwx------)
private keys (ex: `id_rsa`) (code)	0600 (-rw-------)
`config`	0600 (-rw-------)
public keys (*.pub ex: `id_rsa.pub`)	0644 (-rw-r--r--)
`authorized_keys` (code)	0644 (-rw-r--r--)
`known_hosts`	0644 (-rw-r--r--)

Sources:

openssh check-perm.c
openssh readconf.c
openssh ssh_user_config fix_authorized_keys_perms

Ssh tunnel refusing connections with “channel 2: open failed”

Problem solved:

$ ssh -L 7000:127.0.0.1:7000 user@host -N -v -v

...apparently, 'localhost' was not liked by the remote host. Yet, remote /etc/hosts contains:

::1                     localhost localhost.
127.0.0.1               localhost localhost.

while the local network interface is

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33184
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x2

Sigh. so much for the bounty of 100rp I put on :)

Best Answer

Related Solutions

SSH – Bad Owner or Permissions on ~/.ssh/config

Ssh tunnel refusing connections with “channel 2: open failed”

Related Topic