Support for AWS Session Manager

[stevekm]

For usage of CyberDuck with AWS EC2 instances, the standard method is to configure SFTP access to the instance using the standard ssh access keys enabled for the EC2 instance.

However this does not work if the AWS instance requires the use of AWS Session Manager to access the instance;

https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html

Is there some way to utilize the AWS Session Manager with CyberDuck? If not can this feature be added? Thanks.

To be clear, the support for AWS S3 does not work here. Because the AWS instances often have local storage volumes such as FSX storage which need to be accessed. It currently works fine using the ssh + SFTP method.

I saw that there was some mention of enabling ssh over AWS Session Manager here

https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-getting-started-enable-ssh-connections.html

However this is subject to the administrators of the AWS Account (who are not the same as the CyberDuck users) allowing this specific IAM policy. The AWS Session Manager can already be used to access the EC2 without this policy, so it would be great if there was some way to get Cyberduck to support standard AWS Session Manager usage.

[stevekm]

as a follow up, following the docs here

https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-getting-started-enable-ssh-connections.html

https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-sessions-start.html#sessions-start-ssh

I have found that even if you configure your local ~/.ssh/config with the required settings to enable SSH over SSM

# SSH over Session Manager
host i-* mi-*
    ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"

and enable an ssh key such that you are able to log in to the remote server via a command like

# i-0123456789 is the Instance ID of the EC2 to log in to 

ssh -i ~/.ssh/my-ec2-ssh-key i-0123456789

Cyberduck still does not work, it gives a error that "DNS Lookup for i-0123456789 failed".

So it seems that even "SSH over SSM" does not work with CyberDuck at the moment

Perhaps there's some way to get it to not attempt a DNS lookup for the server address and instead match it only against the ~/.ssh/config?

[stevekm]

It seems like the reason that Cyberduck SFTP does not work with SSH over SSM is that its not detecting the ProxyCommand part of the ssh config, whereas both ssh itself and sftp on the command line do and use it properly. From the Cyberduck debug log, I see this;

2024-03-29 14:18:49,269 [Thread-381] INFO  ch.cyberduck.core.proxy.SystemConfigurationProxy - No proxy configuration found for target ftp://my-aws-ssm-server:22

despite using a working ssh config like this

host my-aws-ssm-server
    HostName 1.2.3.4
    # using a hard-coded ec2 instance id here
    ProxyCommand sh -c "aws ssm start-session --target i-1234567890 --region us-east-1 --profile my-aws-profile --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"
    User my-aws-username
    IdentityFile ~/.ssh/ssh-key-that-i-copied-to-ec2

perhaps if ProxyCommand worked with SFTP in Cyberduck, this method might work? I do not see any mention of it in the docs here https://docs.cyberduck.io/protocols/sftp/ there is only ProxyJump which does not work in this case

[dkocher]

I can confirm there is currently no support for ProxyCommand directive in OpenSSH configuration ¹ and as documented ² ProxyJump is supported only.

Footnotes

1. Support for ProxyCommand in SSH config #8688 ↩

2. https://docs.cyberduck.io/protocols/sftp/#connect-via-ssh-tunnel-through-bastion-server ↩

[stevekm]

Is it possible to get either support for ProxyCommand or direct support for access via AWS Session Manager?