SSH tunneling explained

You can think of it much the same way as dedicated servers: when a cloud server is shut down, you can’t copy an ssh key to it, because it’s not running (just like a dedicated server). Deleting/terminating a cloud server is the same as throwing away a dedicated server - it’s gone for good!

5 Likes

It seems like you’ve already answered your question. However, posting this quick explanation as it might help other as well.

The way SSH connections works, (simplifying things a bit) is that there’s a daemon(background process) listening on a port for SSH connections. (Usually it’s port 22, and the daemon is called SSHD). The SSH daemon has multiple ways of establishing secure authenticated connections. Connecting using SSH keys is one of them. A server you want to connect to most likely has as SSH daemon running and listening on a port that you can reach (over some network).

The SSH daemon reads a file (for SSH key based connections) specified in a certain directory. (Usually, its $HOME/.ssh/authorized_keys). If there’s an entry for a SSH public key in this file that corresponds to your SSH private key, hopefully present on the computer that you’re initiating the connection from (let’s call this the SSH client), the SSH daemon (on the server) will proceed further with authenticating, else you’ll see public key related permission denied errors.

Come to think about it. :thinking:
a) There’s no way your server can listen to your SSH connection requests (on port 22) if it’s not running. (It’s as if you’re trying to call a telephone that’s turned off.)
b) If you cannot connect to your server initially with a password etc., you won’t be able to copy the necessary public key in the right location for the SSH daemon to make use of.

Hopefully, that clarifies a bit on why the server needs to be up and running to be able to a) connect, and b) copy keys. :wink:

Of course, there are other ways to bootstrap/preload your server with required keys, but that’s for another day. :key:

6 Likes

I am getting the error message "Resource Temporarily unavailable. The paperspace is up and running. Please

I also did verify the IP address of papersource machine

. Any help appreciated.

That’s the internal IP you’re connecting to. You need to enable public IP, and connect to that.

Thanks Jeremy. I will try to modify the machine setting in paperspace.

It’s working now. In case if any of you have same issue here what I did.
In paperspace click on the Public IP and a static IP will be assigned to your machine @ $3 per month. See below screen shot for more info. ssh issue

1 Like

I got this error while SSHing
sumanths-MacBook-Pro:~ sumanthnandamuri$ ssh -i .ssh/fastai.pem.txt ubuntu@54.237.97.183
ssh: connect to host 54.237.97.183 port 22: Connection refused

I think that is because of proxy for my internet connection, someone please help me resolve this issue i.e how to make ssh work with an internet connection with proxy ??

when you see “connection refused” it means that target instance is reachable, but it rejects incoming connection on a port (compare to “connection timeout”) - possible scenario could be when you just started instance, but it is still booting up - it rejects connection until sshd starts.
if that’s the case in your situation - it should resolve within a few minutes when instance finishes starting all daemons.

Hard to tell without having access to console.

Try running ssh with verbose settings, and you might be able to pinpoint the issue.
(ssh -v …, you can increase the verbosity levels with more vs, eg. ssh -vv …, ssh -vvv … )

I’m assuming one of the following things.
a) The security groups (firewall) settings hasn’t been configured to allow requests on port 22.
b) The host is not ready to accept connections.
c) The host/ip is unreachable from your network, rather unlikely unless you are inside a locked-down/filtered network.

it might be due to proxy attached to my internet connection.

Got this output on running ssh -v command.

Sorry for not being clear. I meant adding the -v flag to your ssh command that you use to connect to the instance.

Based on the example you pasted above

ssh -v -i .ssh/fastai.pem.txt ubuntu@54.237.97.183
OR
ssh -vv -i .ssh/fastai.pem.txt ubuntu@54.237.97.183
OR
ssh -vvv -i .ssh/fastai.pem.txt ubuntu@54.237.97.183

I created new key pair “aws-key”, launched a t2.micro instance and then after the instance launched properly I did following things in terminal
.

When I am connected to another network which don’t require proxy, I think it worked.


But I want to use ssh with a network that has proxy.

I see. So, you want to access the instance from a locked down network. That’s unfortunate.

With some work, you should be able to tunnel out of the proxied networked, as long as your (current proxied) network allows you to connect to a machine outside the network (most likely your home etc.) that
a) can correct to the regular internet, and hence your EC2 instance
b) you have control over to setup a SSH tunnel.

I won’t go into details of how to make that happen, as there’s tons of blogposts on the internet about this. (Search for SSH over proxy) Here’s one such link for you to follow along. https://daniel.haxx.se/docs/sshproxy.html

1 Like

I had trouble setting this up so posting this because I found an article that helped me: http://fizzylogic.nl/2017/11/06/edit-jupyter-notebooks-over-ssh/

In short, set up jupyter notebook with the following flags:

jupyter notebook --no-browser --port=8080

Then, on your laptop, connect to the remote server running the jupyter notebook with:

ssh -N -L 8080:localhost:8080 <remote_user>@<remote_host>

Then go to localhost:8080 in your laptop browser to get to work!

3 Likes

I had trouble for the longest time trying to do it - even after ekami’s amazing tutorial - thank you very much!

1 Like

For anyone who’s already able to ssh into an aws instance: here’s a quality of life script to save typing:

#!/bin/bash

IP = $1
SSHKEYPATH=$HOME/.ssh/your_key.pem

if [ -z "$2" ]
    then
        PORT=5913
else
    PORT=$2
fi

if [ -z "$1" ]
    then
        echo Error: IP Address Required.
        exit 1
fi

ssh -i $SSHKEYPATH ubuntu@$IP -L$PORT:localhost:$PORT

Make sure to replace your_key.pem with the actual ssh key you’ll use. Also don’t forget to set the script to executable via chmod +x sshaws.sh in terminal (make sure you use whatever name you save the script as).

Usage: place this script wherever you want and run it via
>>> ./sshaws.sh IPADDRESS PORT.
Port number is optional (default 5913 is from using a vnc screen sharer - set to whatever you like), but ip address is required. I added a condition so it won’t fail silently if you forget to pass it in.

You can then run an ssh jupyter notebook via jupyter notebook --no-browser --port=PORTNUM on the remote machine as you usually do.

1 Like

I am able to ssh the Paperspace on my mac, however the returned URL to open a jupyter notebook with my browser doesn’t work.

Copy/paste this URL into your browser when you connect for the first time,
to login with a token:
http://psxxxxxxx:8888/?token=fc29523d4fc45ae621bbf4ded86c1c7e2c003e0960be8202&token=fc29523d4fc45ae621bbf4ded86c1c7e2c003e0960be8202

Any working solution?

1 Like

this was very helpful with my paperspace

start the jupyter in the paperspace using options --allow-root and --ip=0.0.0.0

and on my laptop i used the ssh tunnel like this (copy into a shell script and chmod +x for it)

LOCAL_PORT=“9000”
REMOTE_SERVER=“paperspace ip”
REMOTE_PORT=“8888”
TUNNEL_USER=“paperspace”
TUNNEL_HOST=“paperspace ip”

ssh -L $LOCAL_PORT:$REMOTE_SERVER:$REMOTE_PORT $TUNNEL_USER@$TUNNEL_HOST -N

run the above script, it will ask for the password, type that in, and it will keep running, close it after you are done with the exercise, else it will keep the port open, also dont forget to close out paperspace instance

and when i open browser to localhost:9000 it will open the notebook running on paperspace
this is so easy

1 Like

The link to this article changed to An Illustrated Guide to SSH Tunnels (solitum.net)