this post was submitted on 06 Feb 2025

9 points (90.9% liked)

Linux

49653 readers

1500 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
No misinformation
No NSFW content
No hate speech, bigotry, etc

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago

MODERATORS

[email protected]

Use AWS Windows instance as an SSH proxy? (lemmy.ml)

submitted 20 hours ago* (last edited 19 hours ago) by [email protected] to c/[email protected]

17 comments fedilink hide all child comments

My work has given me a remote windows desktop to use, that I access using AWS.

Through this windows desktop (accessed via a chrome web-browser), I can SSH into a compute node to do work.

I dont actually need this virtual desktop, I'd rather just SSH from my local machine directly to the compute node, using the remote desktop's network without having to spawn the desktop itself.

Ive been reading up about SSM agents[0] as a solution, but am unsure if I have the priveledges to do this myself.

https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-getting-started-enable-ssh-connections.html#ssh-connections-enable

Is this something I can easily do using the AWS credentials that I have?

top 17 comments

sorted by: hot top controversial new old

[–] carl_dungeon 5 points 16 hours ago

If they require you to use the bastion, then trying to avoid it is probably a bad idea.

If the bastion is running an ssh server, you can jump through it with ssh pass through (using -J).

SSM provides session manager which allows you to skip having a bastion altogether- it basically lets you start an “ssh” session to a private instance without opening ports or networking using aws creds. This requires that you have access permissions to do this and that ssm is enabled.

But… if the reason you are using the bastion is so that they can inspect the traffic, then they’re not gonna let you bypass it via ssm because that also bypasses the managed networking.

[–] [email protected] 7 points 19 hours ago (1 children)

From having played with the remote desktop offering from AWS, it's a Windows Server running a terminal session. It's likely heavily locked down and on its own network with likely no inbound network connectivity.

Similarly, the compute nodes are likely to be locked down to only accept connections from the remote desktop network.

It all depends on what the brief was to whomever set it up.

You might be able to do some shenanigans with the web browser on the remote desktop, but for my money, I'd just open your browser, set it to full screen and forget about how your keystrokes are travelling.

Ultimately, unless you're a shareholder, it's their money.

And for the record, it might be that the IT department doesn't want you to run your own SSH session for a bunch of very good reasons.

[–] [email protected] 0 points 16 hours ago (1 children)

Yeah the browser seems to be what I'm resigned to. In terms of security, there isn't really much stopping me from spawning an reverse SSH proxy to a public server from within the desktop, and then connecting to that....

If I wanted to wreac havok, my user would still need to be in the right access groups to do anything. I feel that cutting out the middleman and letting me connect directly to the bastion would be easier for everyone...

[–] [email protected] 2 points 16 hours ago (1 children)

Except that the idea is that you cannot get data in or out of the corporate network. Depending on how it's implemented will determine how successful that is.

Regardless, you're likely to lose your job if it's detected without written permission and even then it's likely to turn into a security pissing match.

[–] [email protected] 1 points 14 hours ago* (last edited 14 hours ago)

In the scenario I have, the browser clipboard literally lets me drag-and-drop files to my laptop. I do hear your wider point though

[–] [email protected] 5 points 20 hours ago (1 children)

Maybe ask your work before you get fired?

[–] [email protected] 0 points 19 hours ago* (last edited 19 hours ago) (1 children)

I have, but the IT dept either willfully misinterprets my request, or does not actually know. No judgement from my side, as I am also uncertain.

My plan is to find a solution that complies with their security standards (i.e. through AWS's authentication spec), but allows me a VPN/SSH style passthrough.

[–] [email protected] 2 points 18 hours ago* (last edited 18 hours ago) (1 children)

Maybe ask them to provide you with a Linux cli only bastion? Then you've got a lot of options, it costs almost nothing, and it's even better security wise.

My plan is to find a solution that complies with their security standards (i.e. through AWS's authentication spec)

I think SSO is your best bet, if you use identity center.

[–] lordnikon 2 points 14 hours ago (1 children)

Most likely using workspaces and the reason for it is to stop the very thing they are trying to do to keep data from directly leaking out of their network. If they had a Linux desktop workspace if they opened the ssh port on the workspace Eni you could do that but that would send up all kinds of security alerts.

[–] [email protected] 1 points 14 hours ago (1 children)

I'm not sure what you use by workspaces, I haven't touched windows in a while.

Wouldn't a bastion with SSO do the same thing? In both cases OP needs to pass AWS based security checks in order to ssh from the bastion instance. And both options can be locked down by enterprise standards.

[–] lordnikon 2 points 13 hours ago

Workspaces is an AWS service that creates desktops that can be used via a workspace client or through the web browser like guacamole project. It's main feature is the data stays in AWS not on local hardware.

[–] [email protected] 4 points 20 hours ago (1 children)

It depends on how the network is setup, I suppose. I don't know how AWS does things, but I would imagine that the Windows Desktop is set to be on the same network/subnet as the compute node you ssh into. Else the node would be accessible by anyone on the internet for brute forcing.

[–] [email protected] 1 points 19 hours ago* (last edited 19 hours ago) (1 children)

The way I reason it, the Windows Desktop that AWS spawns in done on a Linux-based VM in the cloud. AWS then creates a VPN to the workplace to make it seem like it shares the same subnet as the compute nodes. I think that's how this works.

If so, I'm wondering if I can just SSH either into that VM without spawning the desktop and access the VPN that way, or if AWS itself offers some kind of service that extends the VPN directly to me.

I should stress that I'm not asking for creative solutions, I'm only wondering if this is a common use-case that easily catered for and I just need to RTFM better

[–] [email protected] 2 points 19 hours ago

They could also just be spawning Windows VMs directly in AWS, no point doing nested virtualization for something like this. Pretty sure they have a service for doing exactly what you described. No need for a VPN, it can spawn your VM on the right network already (they call it VPC). They can even put real GPUs for AutoCAD and stuff on those things.

[–] Deckweiss 2 points 19 hours ago

https://github.com/cea-hpc/sshproxy

Maybe? I saw a presentation from the dev, not sure if it will run on windows though

[–] [email protected] 1 points 19 hours ago (1 children)

It's going to depend on how the access is set up. It could be set up such that the only way into that network is via that browser thing.

You can always connect to yourself from the Windows machine and tunnel SSH over that, but it's likely you'll hit a firewall or possibly even a TLS MitM box.

Virtual desktops like that are usually used for security, it would be way cheaper and easier to just VPN your workstation in. Everything about this feels like a regulated or certified secure environment like payment processing/bank/government stuff.

[–] [email protected] 1 points 14 hours ago

You can always connect to yourself from the Windows machine and tunnel SSH over that, but it’s likely you’ll hit a firewall or possibly even a TLS MitM box.

I don't want to undermine their security. I could do a reverse proxy of course, I was just wondering if AWS itself had a solution here