We are experimenting with replacing bastion hosts with AWS SSM. This is working as expected for SSH sessions, but we cannot identify a tutorial for setting up an FTP client such as WinSCP.

According to the documentation in the AWS SSM user guide, we have set up our EC2 instance (Amazon Linux 2) and our Win10 client PowerShell.
- We have enabled "run as user", so we run as ec2-user.
- We start an interactive terminal session with
  `aws ssm start-session --target i-0d40e9d405exxxxxx`
  `sh-4.2$ whoami` = ec2-user
- We have enabled port forwarding and validated it with
  `aws ssm start-session --target i-0d40e9d405exxxxxx --document-name AWS-StartPortForwardingSession --parameters {"portNumber":["nnnn"],"localPortNumber":["nnnn"]}`
To set up an FTP connection we used
- `aws ssm start-session --target i-0d40e9d405exxxxxx --document-name AWS-StartPortForwardingSession --parameters {"portNumber":["22"],"localPortNumber":["40000"]}`

In WinSCP settings:
host name: localhost, port number: 40000, user name: ec2-user
1st combination
- file protocol: SFTP or SCP
- authentication -> bypass authentication entirely

returns

    Server sent disconnect message
    type 2 (protocol error)
    bad service request ssh-connection
    Authentication failed
2nd combination
- file protocol: SFTP or SCP
- authentication -> allow agent forwarding
- private key (ec2-user.pem) previously used to ssh/sftp into the instance
- attempt GSSAPI authentication

returns

    Authentication log (see session log for details):
    Using username "ec2-user".
    Server refused our key.
So it seems SSM replaces the existing user keys, so the previously working .pem files are no longer valid.
Q1. How can we configure the FTP client to use the `ssm` tunnel?
Q2. Is it possible to have the FTP client connect to multiple instances using SSM concurrently?
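One way to script the tunnel-then-connect procedure described in the post, as an added example that is not from the original post or from AWS/WinSCP: it opens the port-forwarding session in the background, waits for the local port to actually accept connections before launching the client, and tears the session down afterwards. The instance id placeholder, the key file location and the WinSCP install path are assumptions; WinSCP expects a PuTTY-format (.ppk) key, and the CLI's shorthand `--parameters` syntax is used so PowerShell cannot rewrite the quotes of the JSON form.

```powershell
# Added example, not from the original post. Assumed values: the instance id
# placeholder, the key file location and the WinSCP install path.
param(
    [string]$InstanceId = 'i-0d40e9d405exxxxxx',
    [string]$KeyPath    = "$HOME\ec2-user.ppk",   # WinSCP wants PuTTY .ppk format
    [int]$LocalPort     = 40000,
    [int]$RemotePort    = 22,
    [string]$WinScpExe  = 'C:\Program Files (x86)\WinSCP\WinSCP.exe'
)

# 1. Open the SSM port-forwarding session in the background. The CLI's shorthand
#    parameter syntax avoids PowerShell rewriting the quotes of the JSON form.
$tunnel = Start-Process -FilePath 'aws' -PassThru -NoNewWindow -ArgumentList @(
    'ssm', 'start-session', '--target', $InstanceId,
    '--document-name', 'AWS-StartPortForwardingSession',
    '--parameters', "portNumber=$RemotePort,localPortNumber=$LocalPort"
)

# 2. Block until the local end of the tunnel accepts a TCP connection, or give up.
$deadline = (Get-Date).AddSeconds(30)
$up = $false
while (-not $up -and -not $tunnel.HasExited -and (Get-Date) -lt $deadline) {
    Start-Sleep -Milliseconds 500
    $probe = New-Object System.Net.Sockets.TcpClient
    try { $probe.Connect('127.0.0.1', $LocalPort); $up = $true } catch {} finally { $probe.Dispose() }
}
if (-not $up) {
    # /T kills the aws process together with its session-manager-plugin child.
    if (-not $tunnel.HasExited) { taskkill.exe /PID $tunnel.Id /T /F | Out-Null }
    throw "Tunnel to $InstanceId did not come up on localhost:$LocalPort"
}

# 3. Connect through the tunnel with the same key used for direct SSH; the tunnel
#    only relays TCP, so the instance still authenticates the key itself. Use the
#    WinSCP GUI if installed, otherwise the OpenSSH sftp client bundled with Win10.
try {
    if (Test-Path $WinScpExe) {
        Start-Process -FilePath $WinScpExe -Wait -ArgumentList @(
            "sftp://ec2-user@localhost:$LocalPort/", "/privatekey=`"$KeyPath`""
        )
    } else {
        sftp -P $LocalPort -i $KeyPath ec2-user@localhost
    }
} finally {
    # 4. Tear the session down (aws and its plugin child) when the client exits.
    if (-not $tunnel.HasExited) { taskkill.exe /PID $tunnel.Id /T /F | Out-Null }
}
```

For several instances at once, run the script once per instance with a different -LocalPort for each, since every forwarding session needs its own local port.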