aws-samples / aws-iot-securetunneling-localproxy

AWS IoT Secure Tunneling local proxy reference C++ implementation
https://docs.aws.amazon.com/iot/latest/developerguide/what-is-secure-tunneling.html
Apache License 2.0

ssh_exchange_identification: Connection closed by remote host #7

Closed mehtaparitosh closed 4 years ago

mehtaparitosh commented 4 years ago

I followed the documentation as mentioned and was able to run "$ ./localproxytest" on both my IoT Device(EC2 Instance) as well as my Local Machine(EC2 Instance) with the following results: All tests passed (32 assertions in 2 test cases)

So I'm guessing the setup went well. Then I run the below CLI command to create a tunnel:

```
$ aws iotsecuretunneling open-tunnel --destination-config thingName=RemoteDevice,services=ssh
```

I get the Source Token as well as Destination Token. I run the below command on my IoT Device:

```
$ ./localproxy -r us-east-1 -d localhost:3389 -t DEST TOKEN
...
..
[2020-01-09T15:03:33.912596]{25546}[info] Successfully established websocket connection with proxy server: wss://data.tunneling.iot.us-east-1.amazonaws.com:443
```

Then, I run the below command on my Local Machine:

```
$ ./localproxy -r us-east-1 -s 3389 -t SRC TOKEN
...
..
[2020-01-09T15:04:34.269046]{1542}[info] Listening for new connection on port 3389
```

Now, I assume that both devices are working fine. So, I run the below command on my Local Machine (different terminal):

```
$ ssh ec2-user@localhost -p 3389
ssh_exchange_identification: Connection closed by remote host
```

But I get the above error. On my Local Machine (where I ran the localproxy) I get:

```
[2020-01-09T15:07:07.427609]{1542}[info] Accepted tcp connection on port 3389 from 127.0.0.1:59418
[2020-01-09T15:07:12.518770]{1542}[info] Disconnected from: 127.0.0.1:59418
[2020-01-09T15:07:12.519004]{1542}[info] Listening for new connection on port 3389
```

On my IoT Device, I get:

```
[2020-01-09T15:10:00.485260]{25555}[info] Attempting to establish tcp socket connection to: localhost:3389
[2020-01-09T15:10:00.485535]{25555}[error] Could not connect to destination localhost:3389 -- Connection refused
```

Please help as to what I might be doing wrong.

DavidOgunsAWS commented 4 years ago

On your IoT destination device, it appears that you are attempting to connect to an SSH daemon, but have configured the local proxy to connect to port 3389 instead of the likely(standard) port 22. If you believe you are running an SSH server on port 3389, check that it's addressable using 'localhost' as the hostname (instead of 127.0.0.1 or ::1) and port 3389 via a tool like netcat.

mehtaparitosh commented 4 years ago

Okay, understood. Since I was already SSHing into my EC2 instances, I could not use port 22, so I followed this blog: https://www.simplified.guide/ssh/run-multiple-ports to add Port 2022 for SSH along with Port 22

Now, after running "$./localproxy -r us-east-1 -d localhost:2022 -t DEST_TOKEN" on my IoT Device, and running "$./localproxy -r us-east-1 -s 2022 -t SOURCE_TOKEN" on my Local Machine, when I try doing the following I still get an error:

```
$ ssh ec2-user@localhost -p 2022
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
```

Any thoughts as to why?

P.S. I was also subscribed to the topic: $aws/things/RemoteDevice/tunnels/notify on the IoT Device

mehtaparitosh commented 4 years ago

As mentioned in the below blog, I changed the file /etc/ssh/sshd_config https://www.digitalocean.com/community/questions/ssh-failed-permission-denied-publickey-gssapi-keyex-gssapi-with-mic

```
$ sudo vi /etc/ssh/sshd_config
..
..
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication no
..
..
```

On both my IoT Device and my Local Machine. Everything works fine.
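Two sshd_config details in this thread are easy to get wrong when an sshd is exposed through a tunnel destination: extra `Port` lines accumulate (every one becomes a listener), while for most other keywords sshd uses the first occurrence it reads, so a later `PasswordAuthentication no` does not undo an earlier `PasswordAuthentication yes`. The following is an added example, not code from this repository or from the people in the thread; it parses a constructed config modelled on the one posted above and reports the effective values (`sshd -T` on the host is the authoritative check).

```python
"""Compute effective sshd_config values the way sshd resolves them:
first occurrence wins for ordinary keywords, while Port (and ListenAddress)
accumulate. Whitespace-separated 'Keyword value' form only."""

# Keywords whose values accumulate instead of first-wins (subset relevant here).
ACCUMULATING = {"port", "listenaddress"}

# Constructed sample config (not the issue author's actual file).
SAMPLE_SSHD_CONFIG = """\
# Port 22 kept for normal admin access, 2022 added for the tunnel
Port 22
Port 2022
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication no
"""


def effective_settings(config_text):
    """Return {keyword(lowercase): value}; accumulating keywords map to a list.

    Blank lines and '#' comments are skipped. A 'Match' block starts the
    conditional section, which needs connection context, so parsing stops there.
    """
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        if key in ACCUMULATING:
            settings.setdefault(key, []).append(value)
        elif key not in settings:  # first occurrence wins, later lines ignored
            settings[key] = value
    return settings


def tunnel_exposure_findings(settings):
    """Flag settings worth knowing before an sshd is reachable via a tunnel.
    Defaults follow upstream OpenSSH (PasswordAuthentication yes) when unset."""
    findings = []
    if settings.get("passwordauthentication", "yes").lower() == "yes":
        findings.append("password authentication is effectively enabled "
                        "(first PasswordAuthentication line wins)")
    if settings.get("permitemptypasswords", "no").lower() == "yes":
        findings.append("empty passwords permitted")
    return findings
```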