AWS SSM / Session Manager support in WinSCP

mattisdada
Guest

I'm trying to hook up WinSCP and AWS SSM / Session Manager. But I cannot get it to work with current tooling... :(

My attempt was to use Advanced > Proxy. Specify proxy as local and use the following proxy command:
aws ssm start-session --target %host --document-name AWS-StartSSHSession --parameters 'portNumber=%port' --profile getnext --region us-east-1

But it appears as if WinSCP doesn't even get to that stage, as it first looks for the host (which is an AWS instance ID, not normally a valid host, i.e. i-02633e980a031c37f).

AWS SSM would normally recommend to use .ssh/config with the following config:
host i-* mi-*
    ProxyCommand C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters portNumber=%p"

Any help would be appreciated or if native support for this feature was added in, that'd be great :)

Attachment (Annotation 2020-04-29 093658.png): What current config looks like


martin
Site Admin

Re: AWS SSM / Session Manager support in WinSCP

You probably have to turn on "Do DNS name lookup at proxy end".
Also if they recommend starting the aws via powershell.exe (though I have no idea why), then you should do the same in WinSCP.
If none of this helps, please post a session log file.

mattisdada
Donor

Thanks for that Martin, don't know how I missed that option!

The only other thing I had to change to get it to work was changing ' to " in the parameter list. For whatever reason it doesn't like it.

Do you think it's worthwhile creating a small guide for this particular authentication option?
aws ssm start-session --target %host --document-name AWS-StartSSHSession --parameters "portNumber=%port" --profile <aws profile> --region <region>
Was my final proxy string

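An added illustration (not part of the original posts and not WinSCP or AWS code) of why the single-quoted `--parameters` value can fail on Windows: assuming the local proxy command is started as a native Windows process with no POSIX shell in between, the Microsoft C runtime's argument splitting treats only double quotes as delimiters. The splitter below is a simplified reimplementation of those rules (the `""` escape inside a quoted string is omitted); the instance ID and port 22 are constructed sample values.

```python
def split_windows_cmdline(cmdline):
    """Split a command line roughly the way the Microsoft C runtime builds argv."""
    args, cur = [], []
    in_quotes = has_arg = False
    i, n = 0, len(cmdline)
    while i < n:
        ch = cmdline[i]
        if ch == "\\":
            # A run of backslashes is special only when a double quote follows it.
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            run = j - i
            if j < n and cmdline[j] == '"':
                cur.append("\\" * (run // 2))
                if run % 2:
                    cur.append('"')            # odd run: the quote is literal
                else:
                    in_quotes = not in_quotes  # even run: the quote is a delimiter
                i = j + 1
            else:
                cur.append("\\" * run)
                i = j
            has_arg = True
        elif ch == '"':
            in_quotes = not in_quotes          # only " opens or closes a quoted span
            has_arg = True
            i += 1
        elif ch in " \t" and not in_quotes:
            if has_arg:
                args.append("".join(cur))
                cur, has_arg = [], False
            i += 1
        else:
            cur.append(ch)                     # a single quote is an ordinary character
            has_arg = True
            i += 1
    if has_arg:
        args.append("".join(cur))
    return args

def parameters_value(proxy_command):
    """Return the argument the aws CLI would receive after --parameters."""
    argv = split_windows_cmdline(proxy_command)
    return argv[argv.index("--parameters") + 1]

# Constructed sample commands (instance ID and port are placeholders).
BASE = ("aws ssm start-session --target i-0123456789abcdef0 "
        "--document-name AWS-StartSSHSession --parameters ")
SINGLE = BASE + "'portNumber=22'"
DOUBLE = BASE + '"portNumber=22"'
```

With the single-quoted form the quote characters arrive as part of the value, so the CLI is handed `'portNumber=22'` rather than `portNumber=22`.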

Invigor
Guest

Hi guys,

I'm also trying to get this working but the only way to get a successful connection is to pass a username and the associated PPK file via the SSH > Authentication setting.

This sort of defeats the purpose of using AWS SSM if we need to maintain user accounts and keys to set up an SFTP connection.

I assumed that my AWS credentials would be sufficient or am I missing something?

Thanks,
Michael

mattisdada
Donor

@martin: It would suit on that page yes :) . Short explanation on what SSM is: it's basically just a way of SSHing into a server without the need of network access. It's also possible to use it without requiring keys or passwords, and it uses AWS's IAM authentication system instead. Pretty cool stuff honestly.

@Invigor: For my situation it was okay for the keys, but no, I couldn't get it to work without providing keys. I tried skipping authentication. SSM should allow it to work without keys, but... didn't really work for me. Got SSH errors instead. Let me know if you find a workaround.
