re: Linux Bastion Hosts on the AWS Cloud

1. Do we need to provide the private key to SSH to an EC2 host in a private subnet once logged into the Bastion host?

If no, what is the sample ssh command?


1 Answer

I think I have found the answer …

SSH Proxy

The simplest method is like this:

    ssh -o ProxyCommand='ssh -W %h:%p user@bastion' user@target

To make this easier (and to make it also work for other tools like scp or rsync), you can edit your ~/.ssh/config file to define the proxy command and other params. For example:

    Host bastion
        Hostname my-bastion-host.example.com

    Host my_server
        ProxyCommand ssh bastion -W %h:%p

then you can use:

$ ssh my_server

There are lots of ways you can combine options to suit nearly any workflow. Combining hosts, using different keys, whatever. Check out the cookbook for really good examples.
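As an added example (not from the original answer), a small POSIX shell helper that writes the ~/.ssh/config stanza described above, using ProxyJump (the modern form of ProxyCommand with -W) so the private key stays on the workstation and is never copied to the bastion; it also checks that agent forwarding is off for the second hop. Host names, IPs, the user name and paths are constructed placeholders.

```shell
#!/bin/sh
# Emit a ~/.ssh/config fragment for reaching a private-subnet instance via a bastion.
# The bastion only relays the TCP connection; authentication to the target is done
# from the local key, so no key material needs to live on the bastion.
# All host names, IPs, user names and paths here are constructed placeholders.

render_ssh_config() {
  bastion_dns=$1    # public DNS name or IP of the bastion
  private_ip=$2     # private IP of the target instance
  key_file=$3       # local private key used for BOTH hops
  cat <<EOF
Host bastion
    HostName ${bastion_dns}
    User ec2-user
    IdentityFile ${key_file}
    IdentitiesOnly yes

Host private-db
    HostName ${private_ip}
    User ec2-user
    IdentityFile ${key_file}
    IdentitiesOnly yes
    ProxyJump bastion
    ForwardAgent no
EOF
}

# Sanity-check a generated fragment: the second hop must go through the bastion,
# and the agent must not be forwarded, so a compromised bastion cannot reuse local keys.
check_ssh_config() {
  cfg=$1
  printf '%s\n' "$cfg" | grep -q '^    ProxyJump bastion$' || return 1
  printf '%s\n' "$cfg" | grep -q 'ForwardAgent yes' && return 1
  return 0
}

# Usage: append the fragment to ~/.ssh/config, then `ssh private-db` connects
# through the bastion with the key read only from the local workstation:
# render_ssh_config bastion.example.com 10.0.2.15 ~/.ssh/my-key.pem >> ~/.ssh/config
```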


Adding to the above answer, Ryan has a video (CSAA) on his VPC series that shows him SSHing into his Web Server (public IP) and from there using the private key SSHing into his DB server in the private subnet. I tested several times and it works like a charm.

