
I have an EC2 instance with a dynamic IP and I would like to connect to it directly without having to modify the .ssh/config every time it changes.

I can query the ip with

aws ec2 describe-instances --filters 'Name=tag:Name,Values=MYTAG' --query 'Reservations[0].Instances[0].NetworkInterfaces[0].Association.PublicIp' --output text

Now, I want to add this command to the ProxyCommand section in my .ssh/config file but I'm getting some errors.

This is the section for that host

Host ec2-instance
    User ubuntu
    IdentityFile my/pem/file.pem
    ProxyCommand bash -c "host=$(aws ec2 describe-instances --filters 'Name=tag:Name,Values=MYTAG' --query 'Reservations[0].Instances[0].NetworkInterfaces[0].Association.PublicIp' --output text); ssh ${host}"

I honestly don't know how the ProxyCommand option works, and neither man ssh nor man ssh_config seems to do a good job explaining it.

Can this be achieved?

  • Yes, I deleted my comment because I read it too fast :)
    – Sathyajith Bhat
    Commented Mar 15, 2021 at 9:34

1 Answer


ProxyCommand acts as an alternative for the raw TCP connection. It doesn't replace the whole SSH connection – although you often see it used to invoke ssh -W, that's still just using another SSH system to provide a raw TCP tunnel.

So in your situation, the ProxyCommand should run some simple "TCP pipe" app such as nc or socat or ncat – anything which attaches stdin/stdout to a TCP connection will do:

Host ...
    ProxyCommand bash -c "host=...; nc $host %p"

Host ...
    ProxyCommand bash -c "host=...; socat STDIO TCP:$host:%p"

I would really recommend moving all the complex stuff out of your ~/.ssh/config into a separate script, so that your configuration could just look like this:

Host ...
    ProxyCommand ~/bin/ec2-connect %h %p
  • Because the command is executed using the user's shell exec directive, at some point it's exec bash -c "… $host …" in some shell. Therefore $host will be expanded at this stage (i.e. prematurely). Additional or different quoting/escaping can prevent it. Moving the code to a separate script is a very good way to avoid such pitfalls, so +1 for the answer anyway.
    Commented Mar 15, 2021 at 10:11
  • I ended up doing the "separate file + nc connection" way. Thanks, it's working.
    Commented Mar 15, 2021 at 10:15
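A worked version of the separate script the answer recommends, added here as an example (it is not the answerer's code): it takes the %h %p arguments ssh passes, resolves the instance's public IP with the aws query from the question, refuses to continue when the lookup returns None or anything that is not an IPv4 address, and only then execs nc as the TCP pipe. It assumes the Host alias in ~/.ssh/config is the same string as the instance's Name tag, so %h can be used directly as the tag.

```shell
#!/bin/sh
# ~/bin/ec2-connect: ProxyCommand helper, invoked by ssh as "ec2-connect %h %p".
# Assumption: the Host alias in ~/.ssh/config equals the instance's Name tag.

# Return 0 only for a dotted quad whose four octets are all in 0-255.
# "aws ... --output text" prints "None" when the instance has no public
# address (stopped, or no Association on the interface); this check is
# what keeps nc from being handed that string as a hostname.
valid_ipv4() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Look the instance up by Name tag with the same query as in the question.
ec2_public_ip() {
    aws ec2 describe-instances \
        --filters "Name=tag:Name,Values=$1" \
        --query 'Reservations[0].Instances[0].NetworkInterfaces[0].Association.PublicIp' \
        --output text
}

ec2_connect() {
    tag=$1
    port=$2
    ip=$(ec2_public_ip "$tag") || { echo "ec2-connect: aws lookup failed for $tag" >&2; exit 1; }
    if ! valid_ipv4 "$ip"; then
        echo "ec2-connect: no usable public IP for $tag (got '$ip')" >&2
        exit 1
    fi
    # Attach stdin/stdout to the TCP connection; ssh runs its protocol over this pipe.
    exec nc "$ip" "$port"
}

# Only act when ssh supplies both %h and %p; sourcing the file does nothing.
if [ $# -eq 2 ]; then
    ec2_connect "$@"
fi
```

Save it as ~/bin/ec2-connect, make it executable, and point `ProxyCommand ~/bin/ec2-connect %h %p` at it; errors from the lookup go to stderr, so ssh shows them instead of hanging on a bad address.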
