AWS SSM / Session Manager support in WinSCP

mattisdada
Guest

AWS SSM / Session Manager support in WinSCP

I'm trying to hook up WinSCP and AWS SSM / Session Manager. But I cannot get it to work with current tooling... :(

My attempt was to use Advanced > Proxy. Specify proxy as local and use the following proxy command:
```
aws ssm start-session --target %host --document-name AWS-StartSSHSession --parameters 'portNumber=%port' --profile getnext --region us-east-1
```

But it appears as if WinSCP doesn't even get to that stage, as it first looks for the host (which is an AWS instance ID, not a valid host normally, i.e. `i-02633e980a031c37f`).

AWS SSM would normally recommend to use .ssh/config with the following config:
```
host i-* mi-*
    ProxyCommand C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters portNumber=%p"
```

Any help would be appreciated or if native support for this feature was added in, that'd be great :)

Attachment (screenshot, Annotation 2020-04-29 093658.png): What current config looks like


martin
Site Admin

Re: AWS SSM / Session Manager support in WinSCP

You probably have to turn on "Do DNS name lookup at proxy end".
Also if they recommend starting the aws via powershell.exe (though I have no idea why), then you should do the same in WinSCP.
If none of this helps, please post a session log file.


mattisdada
Donor
Thanks for that Martin, don't know how I missed that option!

The only other thing I had to change to get it to work was changing `'` to `"` in the parameter list. For whatever reason it doesn't like it.

Do you think it's worthwhile creating a small guide for this particular authentication option?

```
aws ssm start-session --target %host --document-name AWS-StartSSHSession --parameters "portNumber=%port" --profile <aws profile> --region <region>
```

Was my final proxy string
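
Added example, not part of the original posts: a short Python sketch of why the quote change described above matters, assuming WinSCP starts the proxy command directly rather than through a POSIX-style shell. Under Windows argument-splitting rules only double quotes group text, so single quotes reach `aws` as literal characters. The splitter is simplified (no backslash escapes) and the instance ID is constructed.

```python
# Proxy command patterns from the thread (profile/region options left out).
SINGLE = ("aws ssm start-session --target %host --document-name "
          "AWS-StartSSHSession --parameters 'portNumber=%port'")
DOUBLE = ("aws ssm start-session --target %host --document-name "
          "AWS-StartSSHSession --parameters \"portNumber=%port\"")
HOST = "i-0123456789abcdef0"  # constructed instance ID, not a real one


def expand(pattern, host, port):
    """Substitute the %host and %port placeholders of the proxy command."""
    return pattern.replace("%host", host).replace("%port", str(port))


def split_windows(cmdline):
    """Simplified Windows-style argv splitting: whitespace separates
    arguments, double quotes group text and are removed, single quotes
    are ordinary characters. Backslash escapes are not handled."""
    args, cur, in_quotes, started = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
            started = True
        elif ch in " \t" and not in_quotes:
            if started:
                args.append("".join(cur))
            cur, started = [], False
        else:
            cur.append(ch)
            started = True
    if started:
        args.append("".join(cur))
    return args


def parameters_value(pattern, host, port):
    """Return the value the aws process would see after --parameters."""
    argv = split_windows(expand(pattern, host, port))
    return argv[argv.index("--parameters") + 1]


if __name__ == "__main__":
    for name, pattern in (("single quotes", SINGLE), ("double quotes", DOUBLE)):
        print(f"{name}: {parameters_value(pattern, HOST, 22)!r}")
```
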


martin
Site Admin

mattisdada wrote:

Do you think it's worthwhile creating a small guide for this particular authentication option?
I'm not familiar with AWS SSM / Session Manager. Would that fit as a subsection to the following article (along with "Connecting to EC2 instance in VPC" section)?
https://winscp.net/eng/docs/guide_amazon_ec2


Invigor
Guest

Hi guys,

I'm also trying to get this working but the only way to get a successful connection is to pass a username and the associated PPK file via the SSH > Authentication setting.

This sort of defeats the purpose of using AWS SSM if we need to maintain user accounts and keys to set up an SFTP connection.

I assumed that my AWS credentials would be sufficient or am I missing something?

Thanks,
Michael


mattisdada
Donor

martin wrote:

mattisdada wrote:

Do you think it's worthwhile creating a small guide for this particular authentication option?
I'm not familiar with AWS SSM / Session Manager. Would that fit as a subsection to the following article (along with "Connecting to EC2 instance in VPC" section)?
https://winscp.net/eng/docs/guide_amazon_ec2
It would suit that page, yes :). Short explanation of what SSM is: it's basically just a way of SSHing into a server without the need of network access; it's also possible to use it without requiring keys or passwords, and it uses AWS's IAM authentication system instead. Pretty cool stuff honestly.

I'm also trying to get this working but the only way to get a successful connection is to pass a username and the associated PPK file via the SSH > Authentication setting.

This sort of defeats the purpose of using AWS SSM if we need to maintain user accounts and keys to set up an SFTP connection.

I assumed that my AWS credentials would be sufficient or am I missing something?

For my situation it was okay for the keys, but no, I couldn't get it to work without providing keys. I tried skipping authentication. SSM should allow it to work without keys, but.... didn't really work for me. Got SSH errors instead. Let me know if you find a workaround.


martin
Site Admin

mattisdada wrote:

It would suit that page, yes :). Short explanation of what SSM is: it's basically just a way of SSHing into a server without the need of network access; it's also possible to use it without requiring keys or passwords, and it uses AWS's IAM authentication system instead. Pretty cool stuff honestly.
Thanks.
I've put the part I've understood to:
https://winscp.net/eng/docs/guide_amazon_ec2#ssm
Feel free to improve it :)
