MisterTea / EternalTerminal

Re-Connectable secure remote shell
https://mistertea.github.io/EternalTerminal/
Apache License 2.0

Using et through a jumphost #532

Closed rayjlinden closed 9 months ago

rayjlinden commented 2 years ago

I've been using et for a while over a VPN - works great!

However, we are moving to use a jumphost instead. I cannot seem to get et to work through the jump host.

I can jump through the jumphost just fine with ssh. I do it like this:

ssh -A -J rayj@backdoor.dev.tilia-inc.com rayj@int.bullseye31.dev.tilia-inc.com

With et though things just hang for me. Here is what I'm running:

et --jumphost backdoor.dev.tilia-inc.com  -c "tmux -CC -S /tmp/shareds attach -t shared || tmux -CC -S /tmp/shareds new -s shared" rayj@int.bullseye31.dev.tilia-inc.com

I'm probably doing something wrong. So any help would be appreciated. Or at least some guidance on how to debug this better?

MisterTea commented 2 years ago

Is the et server running on the jumphost?

rayjlinden commented 2 years ago

Yes. And the target server of course. I can et to the jumphost directly and that works fine.

It just hangs when trying the jump….

On Wed, Aug 24, 2022 at 9:39 PM Jason Gauci @.***> wrote:

> Is the et server running on the jumphost?


--

Ray Johnson | CTO


jshort commented 1 year ago

@rayjlinden Can you provide logs from your client (/tmp/etclient-) and your server(s) (/tmp/etserver- and /tmp/etterminal--*).

Also I'd recommend removing your complex -c arg and trying to simply get to a shell on your target host to debug the issue.

yurenchen000 commented 1 year ago

Heavily inspired by ET, and in order to interoperate with ssh, I made an ssh ProxyCommand tool to achieve that goal: ssh-keep

ddebin commented 9 months ago

Same bug here, can't ProxyJump. I found the bug lies in the parsing of the hostname string when you specify a user.

et user0@server.com --jumphost bastion.server.com works, though it connects to bastion.server.com with the local user.

But et user0@server.com --jumphost user1@bastion.server.com doesn't work as it parses the hostname to connect to as user1@bastion.server.com.

It's visible in the error message Could not reach the ET server: user1@bastion.server.com:2022 (we should read Could not reach the ET server: bastion.server.com:2022).

(MacOS, Apple Silicon M1)
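
The user/host split that the comment above describes, as an added example (not EternalTerminal's code and not part of the thread). It goes beyond the one case shown by accepting ssh's full `-J` form `[user@]host[:port]`; `JumpSpec`, `parseJumpSpec` and `etEndpoint` are hypothetical names, and 2022 is the ET port seen in the error message.

```cpp
#include <string>
// Hypothetical names for illustration; not EternalTerminal's own code.
struct JumpSpec {
  std::string user;  // empty: ssh picks the user (config or local login name)
  std::string host;  // the only field that may be used as a network endpoint
  int sshPort = -1;  // -1: no port given in the spec
};

// Parse ssh's -J form "[user@]host[:port]"; IPv6 literals must be bracketed.
bool parseJumpSpec(const std::string& spec, JumpSpec& out) {
  out = JumpSpec();
  std::string rest = spec;
  size_t at = rest.rfind('@');  // split on the last '@'
  if (at != std::string::npos) {
    if (at == 0) return false;  // "@host": empty user
    out.user = rest.substr(0, at);
    rest = rest.substr(at + 1);
  }
  if (!rest.empty() && rest[0] == '[') {  // bracketed IPv6 literal
    size_t close = rest.find(']');
    if (close == std::string::npos) return false;
    out.host = rest.substr(1, close - 1);
    rest = rest.substr(close + 1);
    if (!rest.empty() && rest[0] != ':') return false;
  } else {
    size_t colon = rest.find(':');
    out.host = rest.substr(0, colon);
    rest = colon == std::string::npos ? std::string() : rest.substr(colon);
  }
  if (!rest.empty()) {  // rest is now "" or ":port"
    std::string p = rest.substr(1);
    if (p.empty() || p.size() > 5 ||
        p.find_first_not_of("0123456789") != std::string::npos)
      return false;
    out.sshPort = std::stoi(p);
    if (out.sshPort < 1 || out.sshPort > 65535) return false;
  }
  // Reject an empty host and a leading '-', which ssh would read as an option.
  if (out.host.empty() || out.host[0] == '-') return false;
  if (!out.user.empty() && out.user[0] == '-') return false;
  return true;
}

// Endpoint for the ET (not ssh) connection: host plus ET port, never the user.
std::string etEndpoint(const JumpSpec& j, int etPort = 2022) {
  std::string h = j.host;
  if (h.find(':') != std::string::npos) h = "[" + h + "]";
  return h + ":" + std::to_string(etPort);
}
```

With the spec from the comment, `user1@bastion.server.com`, the user goes only to ssh and the ET endpoint becomes `bastion.server.com:2022`.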

AGI-chandler commented 7 months ago

At first we could not connect to the destination from the jump host due to SSH Agent error.  That appears resolved with et's -f option and now we've been able to connect to our destination by first connecting to the jump host.

However, still unable to connect to our destination through the jump host with a single command.  Is it due to this issue which was fixed in #614 but does not exist in our version of et yet?  We just upgraded to version 6.2.8-trixie2 from https://mistertea.github.io/debian-et/debian-source trixie/main amd64 Packages.

Can you help us establish this connection?

~/.ssh/config:

Host myJumphost
    HostName JumpHost.Arizona.EDU
    IdentityFile ~/.ssh/me.myJumphost
Host dest
    User dest-user
    Hostname Dest.arizona.edu
    IdentityFile ~/.ssh/dest-user.dest
    ProxyJump myJumphost

SSH works as expected:

$ ssh dest
Last login:  earlier  from  myJumphost
[dest-user@dest ~]$ 

Issues with et:

$ et dest
Could not reach the ET server: myJumphost:2022

etclient.log:

[INFO today earlier client-main ParseConfigFile.hpp:1400] unsupported config line: foo yes, ignored
[...20-30 more unsupported config lines found, ignored...]
[INFO today earlier+,001 client-main TerminalClientMain.cpp:244] Parsed ssh config file, connecting to Dest.arizona.edu
[INFO today earlier+,001 client-main TerminalClientMain.cpp:270] ProxyJump found for dst in ssh config: myJumphost
[INFO today earlier+,001 client-main TerminalClientMain.cpp:277] Setting port to jumphost port

etclient-stderr.log:

Setting up and starting sentry
Shutting down sentry

Issue 1 [believed resolved]:

Attempted fix & Issue 2 [unresolved]:

$ et -f dest
Could not reach the ET server: myJumphost:2022

etclient.log and etclient-stderr.log contain the same messages as without -f option.

Have tried different combinations of options like putting the full hostname of myJumphost in the ~/.ssh/config, or removing myJumphost entry from the config and specifying jump options with the command, and so on, but always "could not reach the ET server".

AGI-chandler commented 6 months ago

Hi @MisterTea, any feedback regarding above connection issue and how we might get connected to our server via the jump host?  Thanks

MisterTea commented 6 months ago

Does it work if you make two et connections (one to the jumphost and then another et connection from within the jumphost to the destination)?

AGI-chandler commented 6 months ago

Yes sir, it does, but only if -f is used with first connection to myJumphost (otherwise SSH_AUTH_SOCK error):

$ et -f myJumphost

[me@myJumphost ~]$ 
[me@myJumphost ~]$ et dest

[dest-user@dest ~]$ 

MisterTea commented 6 months ago

Can you try using the -J command directly instead of relying on the ssh config and see if that works?

AGI-chandler commented 6 months ago

> Can you try using the -J command directly instead of relying on the ssh config and see if that works?

Idk what you mean.  There is no -J option for et and I don't see a way to use ssh's -J option with et.  There is only --ssh-option arg Options to pass down to 'ssh -o'.  The man page for -J says:

This is a shortcut to specify a ProxyJump configuration directive.  Note that configuration directives supplied on the command-line generally apply to the destination host and not any specified jump hosts.  Use ~/.ssh/config to specify configuration for jump hosts.

Since myJumphost has a different login user and different key file, ~/.ssh/config must be used.  Thus I renamed my ~/.ssh/config to ~/.ssh/config.disabled and used an ~/.ssh/config with only:

Host myJumphost
    HostName JumpHost.Arizona.EDU
    IdentityFile ~/.ssh/me.myJumphost

and tried: et --ssh-option ProxyJump=myJumphost --ssh-option User=dest-user --ssh-option IdentityFile=~/.ssh/dest-user.dest dest.arizona.edu

Result: Could not reach the ET server: dest.arizona.edu:2022

I added -v 1 to the et command and checked the log file, it started with this: [INFO date time client-main ParseConfigFile.hpp:1400] unsupported config line: IdentityFile ~/.ssh/me.myJumphost, ignored

Tried using /home/me instead of ~ but still being ignored.  That took a couple hours already, any further suggestions or ideas?

MisterTea commented 6 months ago

There should be a -J option in et. The longform is --jumphost

rayjlinden commented 6 months ago

Oddly -J does not show up in et --help. But it does work. The flag --jumphost is documented in et --help though. (This is on et version 6.2.8)

Ray

On Sat, Apr 27, 2024 at 6:35 AM Jason Gauci @.***> wrote:

> There should be a -J option in et. The longform is --jumphost
