SSH tunneling explained

Here is an AWS webinar which explains how Jupyter Notebooks can be run on DL-AMIs. Specifically, it talks about the tunneling idea which @yinterian introduced today.

15 Likes

SSH tunnels are extremely useful when working with servers (computers) over a network.
Here’s a great visual guide to understanding various ‘configurations’ of SSH tunnels in use. https://solitum.net/an-illustrated-guide-to-ssh-tunnels/

9 Likes

EDIT: OK, I self-answered this one: if the machine is disconnected in Paperspace it is not there to listen (as could be expected), so yes, it has to be on. (Once the machine is on, keys copied without problem.)

Maybe someone can confirm this: in Paperspace, is it necessary that the machine is running (opened previously, via web) before copying SSH keys and accessing it? (I get a "resource temporary unavailable" when trying to copy the keys.)

So the question is, specifically in Paperspace, will SSH always require activation of the machine first? (Sorry if the answer is obvious to those familiar with SSH, first time SSH-ing…) :slight_smile:

I don’t have a lot of experience with SSH, but from what I’ve observed after using it with AWS is that even for AWS instances, SSH requires for the instance to be running before you can copy keys and/or SSH into the instance and do something.

I tried the same thing with Paperspace yesterday, with the machine running, SSH was successful. With the machine off, SSH gave me an error saying “resource temporarily unavailable”. So, yes, you need the machine to be running or “activated” before SSH-ing into it.

I’m afraid I don’t know the technicalities associated with SSH but I hope this answers your question. :slight_smile:

2 Likes

Yes, thank you @Ankit, I think you are 100% right.

My experience before was with dedicated servers, never cloud, so I am quite new to this concept that the machine "doesn't exist" if you don't activate it / create an instance.

Anyway… everything is fine now with the machine activated and SSH in Paperspace, works nicely.

1 Like

You can think of it much the same way as dedicated servers: when a cloud server is shut down, you can’t copy an ssh key to it, because it’s not running (just like a dedicated server). Deleting/terminating a cloud server is the same as throwing away a dedicated server - it’s gone for good!

5 Likes

It seems like you’ve already answered your question. However, I'm posting this quick explanation as it might help others as well.

The way SSH connections work (simplifying things a bit) is that there’s a daemon (background process) listening on a port for SSH connections. (Usually it’s port 22, and the daemon is called SSHD.) The SSH daemon has multiple ways of establishing secure authenticated connections. Connecting using SSH keys is one of them. A server you want to connect to most likely has an SSH daemon running and listening on a port that you can reach (over some network).

The SSH daemon reads a file (for SSH key based connections) specified in a certain directory. (Usually, it’s $HOME/.ssh/authorized_keys.) If there’s an entry for an SSH public key in this file that corresponds to your SSH private key, hopefully present on the computer that you’re initiating the connection from (let’s call this the SSH client), the SSH daemon (on the server) will proceed further with authenticating, else you’ll see public key related permission denied errors.

Come to think about it. :thinking:
a) There’s no way your server can listen to your SSH connection requests (on port 22) if it’s not running. (It’s as if you’re trying to call a telephone that’s turned off.)
b) If you cannot connect to your server initially with a password etc., you won’t be able to copy the necessary public key in the right location for the SSH daemon to make use of.

Hopefully, that clarifies a bit on why the server needs to be up and running to be able to a) connect, and b) copy keys. :wink:

Of course, there are other ways to bootstrap/preload your server with required keys, but that’s for another day. :key:

6 Likes
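
The key lookup described in the reply above, as an added Python example that is not part of the original thread: it parses authorized_keys-style lines (including entries prefixed with options), computes the SHA256 fingerprint in the format `ssh-keygen -lf` prints, and reports whether a client public key is listed. The key bytes, comments and function names are constructed for illustration.

```python
import base64
import hashlib
import struct

def make_blob(key_type, key_bytes):
    """Build a public key blob in SSH wire format (two length-prefixed strings)."""
    t = key_type.encode()
    return struct.pack(">I", len(t)) + t + struct.pack(">I", len(key_bytes)) + key_bytes

def fingerprint(blob):
    """SHA256 fingerprint of a key blob: unpadded base64 of the digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_key(line):
    """Return (key_type, blob) from a .pub or authorized_keys line, else None.

    Entries may start with options (command="...",no-pty), so scan for the
    first token pair whose base64 blob names the same key type as the token.
    """
    tokens = line.split()
    if not tokens or tokens[0].startswith("#"):
        return None
    for key_type, b64 in zip(tokens, tokens[1:]):
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:  # not base64: an option or a comment token
            continue
        if len(blob) >= 4:
            (n,) = struct.unpack(">I", blob[:4])
            if blob[4:4 + n] == key_type.encode():
                return key_type, blob
    return None

def is_authorized(client_pub_line, authorized_keys_text):
    """True if the client's public key is listed in the server-side file."""
    client = parse_key(client_pub_line)
    if client is None:
        raise ValueError("not a public key line")
    wanted = fingerprint(client[1])
    for line in authorized_keys_text.splitlines():
        entry = parse_key(line)
        if entry and fingerprint(entry[1]) == wanted:
            return True
    return False

# Constructed sample data: filler bytes, not real key material.
CLIENT_PUB = "ssh-ed25519 %s me@laptop" % base64.b64encode(make_blob("ssh-ed25519", bytes(range(32)))).decode()
OTHER_PUB = "ssh-ed25519 %s other@host" % base64.b64encode(make_blob("ssh-ed25519", bytes(32))).decode()
AUTHORIZED_KEYS = "\n".join(["# constructed file", OTHER_PUB, 'command="echo hi",no-pty ' + CLIENT_PUB])
```

When the fingerprint is not listed, key authentication cannot succeed no matter how the client is configured, which is the "permission denied (publickey)" case the reply mentions.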

I am getting the error message "Resource Temporarily unavailable". The paperspace is up and running. Please

I also did verify the IP address of Paperspace machine

. Any help appreciated.

That’s the internal IP you’re connecting to. You need to enable public IP, and connect to that.

Thanks Jeremy. I will try to modify the machine setting in paperspace.

It’s working now. In case any of you have the same issue, here is what I did.
In Paperspace, click on the Public IP and a static IP will be assigned to your machine @ $3 per month. See below screen shot for more info.

1 Like

I got this error while SSHing
sumanths-MacBook-Pro:~ sumanthnandamuri$ ssh -i .ssh/fastai.pem.txt ubuntu@54.237.97.183
ssh: connect to host 54.237.97.183 port 22: Connection refused

I think that is because of the proxy for my internet connection. Someone please help me resolve this issue, i.e. how to make ssh work with an internet connection with a proxy?

When you see “connection refused” it means that the target instance is reachable, but it rejects the incoming connection on a port (compare to “connection timeout”). A possible scenario could be when you just started the instance, but it is still booting up: it rejects connections until sshd starts.
If that’s the case in your situation, it should resolve within a few minutes when the instance finishes starting all daemons.

Hard to tell without having access to console.

Try running ssh with verbose settings, and you might be able to pinpoint the issue.
(ssh -v …, you can increase the verbosity levels with more vs, eg. ssh -vv …, ssh -vvv … )

I’m assuming one of the following things.
a) The security groups (firewall) settings haven’t been configured to allow requests on port 22.
b) The host is not ready to accept connections.
c) The host/ip is unreachable from your network, rather unlikely unless you are inside a locked-down/filtered network.
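
The distinction drawn in the two replies above ("connection refused" versus no answer at all) can be checked before reaching for `ssh -v`. This is an added Python example, not from the original thread; the function name `probe_ssh` and its status labels are illustrative assumptions.

```python
import errno
import socket

def probe_ssh(host, port=22, timeout=5.0):
    """Classify one TCP connection attempt to an SSH port.

    Returns (status, detail) where status is one of:
      "open"        - connected and the peer sent an SSH banner (detail)
      "not-ssh"     - connected, but no SSH banner (e.g. an intercepting proxy)
      "refused"     - host reachable, nothing listening yet (sshd not started)
      "timeout"     - no reply: packets dropped by a firewall/security group
      "unreachable" - no route from this network to the host
      "error"       - anything else (DNS failure, ...)
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused", "host reachable, but nothing accepts on this port"
    except socket.timeout:
        return "timeout", "no reply; check firewall / security group / proxy"
    except OSError as exc:
        if exc.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
            return "unreachable", str(exc)
        return "error", str(exc)
    with sock:
        try:
            # An SSH server sends its identification string first.
            banner = sock.recv(255).decode("ascii", "replace").strip()
        except OSError:
            banner = ""
    if banner.startswith("SSH-"):
        return "open", banner
    return "not-ssh", "TCP connected, but the peer did not send an SSH banner"

if __name__ == "__main__":
    # Loopback is used here so the example runs offline.
    print(probe_ssh("127.0.0.1", 22, timeout=2.0))
```

"refused" matches case b) in the list above, "timeout" points at a) or c), and "not-ssh" is what a filtering proxy that accepts the connection itself would produce.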

It might be due to the proxy attached to my internet connection.

Got this output on running ssh -v command.

Sorry for not being clear. I meant adding the -v flag to your ssh command that you use to connect to the instance.

Based on the example you pasted above

ssh -v -i .ssh/fastai.pem.txt ubuntu@54.237.97.183
OR
ssh -vv -i .ssh/fastai.pem.txt ubuntu@54.237.97.183
OR
ssh -vvv -i .ssh/fastai.pem.txt ubuntu@54.237.97.183

I created a new key pair “aws-key”, launched a t2.micro instance and then, after the instance launched properly, I did the following things in terminal.

When I am connected to another network which doesn’t require a proxy, I think it worked.


But I want to use ssh with a network that has proxy.

I see. So, you want to access the instance from a locked down network. That’s unfortunate.

With some work, you should be able to tunnel out of the proxied network, as long as your (current proxied) network allows you to connect to a machine outside the network (most likely your home etc.) that
a) can connect to the regular internet, and hence your EC2 instance
b) you have control over to set up an SSH tunnel.

I won’t go into details of how to make that happen, as there’s tons of blogposts on the internet about this. (Search for SSH over proxy) Here’s one such link for you to follow along. https://daniel.haxx.se/docs/sshproxy.html

1 Like

I had trouble setting this up so posting this because I found an article that helped me: http://fizzylogic.nl/2017/11/06/edit-jupyter-notebooks-over-ssh/

In short, set up jupyter notebook with the following flags:

jupyter notebook --no-browser --port=8080

Then, on your laptop, connect to the remote server running the jupyter notebook with:

ssh -N -L 8080:localhost:8080 <remote_user>@<remote_host>

Then go to localhost:8080 in your laptop browser to get to work!

4 Likes