Port forward only account

Hello!

Could Core Tunnel support the -N option, to use port-forward-only accounts? I can't figure out how to configure that option in the app.

Thanks,

Elison

It's not possible in the current version; I will try to implement it in version 3.5, which is now in beta stage.

Yang

Hi Elison,

Core Tunnel 3.5 Beta 2 added an option to enable -N explicitly:

Could you please give it a try? And please let me know if you find it not functioning as expected.

Yang

The "Equivalent Command" now includes the -N option! I copied and pasted it into my terminal and it works, but the app can't connect yet... the log (I'm obfuscating the parameters):

Equivalent Command: ssh -N -L localhost:8081:my-precious-server.amazonaws.com:8081 -o PermitLocalCommand=yes ec2-user@i-123456
20:40:38 Connecting…
20:40:38 Using Core Helper 6.1 (r3332)
20:40:38 kex_exchange_identification: Connection closed by remote host
20:40:38 Connection closed by UNKNOWN port 65535
20:40:39 Jumping…
20:40:39 Abnormal Disconnect
20:40:39 Connection failed, retry after 3s…

You may need to run Core Tunnel (Beta) from Applications folder.

Core Tunnel 3.5.1 has been released; -N is now supported officially. Please upgrade to the public release instead of using the Beta app.

Thank you for the suggestion.

Kindly Regards,

Yang

Still not connecting... if I copy the equivalent command and run it in the terminal, it works.

Equivalent Command: ssh -N -L localhost:8081:my-precious-server.amazonaws.com:8081 -o ec2-user@i-123456
14:05:17 Connecting…
14:05:17 Using Core Helper 6.2 (r3342)
14:05:17 Jumping…
14:05:17 kex_exchange_identification: Connection closed by remote host
14:05:17 Connection closed by UNKNOWN port 65535
14:05:17 Abnormal Disconnect
14:05:17 Connection failed, retry after 3s…

What does it print if you run the ssh command directly in a local terminal?

ssh -N -L localhost:8081:my-precious-server.amazonaws.com:8081 -o ec2-user@i-123456

Could you please set debug level to DEBUG3 and send me a desensitized connection log?

Yang

Debug3 level log:

Equivalent Command: ssh -N -vvv -L localhost:8081:host.amazonaws.com:8081 ec2-user@i-12345
20:25:24 Connecting…
20:25:24 Using Core Helper 6.2 (r3342)
20:25:24 OpenSSH_8.4p1, OpenSSL 1.1.1h  22 Sep 2020
20:25:24 debug1: Reading configuration data /Users/elison.rissatto/.ssh/config
20:25:24 debug1: /Users/elison.rissatto/.ssh/config line 1: Applying options for i-*
20:25:24 debug1: Reading configuration data /etc/ssh/ssh_config
20:25:24 debug1: /etc/ssh/ssh_config line 47: Applying options for *
20:25:24 debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/Users/elison.rissatto/.ssh/known_hosts'
20:25:24 debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/Users/elison.rissatto/.ssh/known_hosts2'
20:25:24 debug1: Executing proxy command: exec sh -c "aws ssm start-session --target i-12345 --document-name AWS-StartSSHSession --parameter 'portNumber=22'"
20:25:24 debug1: identity file /Users/elison.rissatto/.ssh/id_rsa type -1
20:25:24 debug1: identity file /Users/elison.rissatto/.ssh/id_rsa-cert type -1
20:25:24 debug1: identity file /Users/elison.rissatto/.ssh/id_dsa type -1
20:25:24 debug1: identity file /Users/elison.rissatto/.ssh/id_dsa-cert type -1
20:25:24 debug1: identity file /Users/elison.rissatto/.ssh/id_ecdsa type -1
20:25:24 debug1: identity file /Users/elison.rissatto/.ssh/id_ecdsa-cert type -1
20:25:24 debug1: identity file /Users/elison.rissatto/.ssh/id_ecdsa_sk type -1
20:25:24 debug1: identity file /Users/elison.rissatto/.ssh/id_ecdsa_sk-cert type -1
20:25:24 debug1: identity file /Users/elison.rissatto/.ssh/id_ed25519 type -1
20:25:24 debug1: identity file /Users/elison.rissatto/.ssh/id_ed25519-cert type -1
20:25:24 debug1: identity file /Users/elison.rissatto/.ssh/id_ed25519_sk type -1
20:25:24 debug1: identity file /Users/elison.rissatto/.ssh/id_ed25519_sk-cert type -1
20:25:24 debug1: identity file /Users/elison.rissatto/.ssh/id_xmss type -1
20:25:24 debug1: identity file /Users/elison.rissatto/.ssh/id_xmss-cert type -1
20:25:24 debug1: Local version string SSH-2.0-OpenSSH_8.4
20:25:24 Jumping…
20:25:24 kex_exchange_identification: Connection closed by remote host
20:25:24 Connection closed by UNKNOWN port 65535
20:25:24 Abnormal Disconnect
20:25:24 Connection failed, retry after 3s…
20:25:27 Disconnected

When I run it in the terminal, the debug3-level log is:

ssh -N -vvv -L localhost:8081:host:8081 ec2-user@i-123456
OpenSSH_8.1p1, LibreSSL 2.7.3
debug1: Reading configuration data /Users/elison.rissatto/.ssh/config
debug1: /Users/elison.rissatto/.ssh/config line 1: Applying options for i-*
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 47: Applying options for *
debug1: Executing proxy command: exec sh -c "aws ssm start-session --target i-123456 --document-name AWS-StartSSHSession --parameter 'portNumber=22'"
debug1: identity file /Users/elison.rissatto/.ssh/id_rsa type -1
debug1: identity file /Users/elison.rissatto/.ssh/id_rsa-cert type -1
debug1: identity file /Users/elison.rissatto/.ssh/id_dsa type -1
debug1: identity file /Users/elison.rissatto/.ssh/id_dsa-cert type -1
debug1: identity file /Users/elison.rissatto/.ssh/id_ecdsa type -1
debug1: identity file /Users/elison.rissatto/.ssh/id_ecdsa-cert type -1
debug1: identity file /Users/elison.rissatto/.ssh/id_ed25519 type -1
debug1: identity file /Users/elison.rissatto/.ssh/id_ed25519-cert type -1
debug1: identity file /Users/elison.rissatto/.ssh/id_xmss type -1
debug1: identity file /Users/elison.rissatto/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.1
debug1: kex_exchange_identification: banner line 0: 
debug1: kex_exchange_identification: banner line 1: Starting session with SessionId: elison.rissatto-123456
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: match: OpenSSH_7.4 pat OpenSSH_7.0*,OpenSSH_7.1*,OpenSSH_7.2*,OpenSSH_7.3*,OpenSSH_7.4*,OpenSSH_7.5*,OpenSSH_7.6*,OpenSSH_7.7* compat 0x04000002
debug2: fd 5 setting O_NONBLOCK
debug2: fd 4 setting O_NONBLOCK
debug1: Authenticating to i-123456:22 as 'ec2-user'
debug3: hostkeys_foreach: reading file "/Users/elison.rissatto/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /Users/elison.rissatto/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from i-123456
debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:SOnWdJGZ/Dh4wL/g0WjMyqPNnuWzCudnofvC3zy/cu8
debug3: hostkeys_foreach: reading file "/Users/elison.rissatto/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /Users/elison.rissatto/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from i-123456
debug1: Host 'i-123456' is known and matches the ECDSA host key.
debug1: Found key in /Users/elison.rissatto/.ssh/known_hosts:1
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /Users/elison.rissatto/.ssh/id_rsa 
debug1: Will attempt key: /Users/elison.rissatto/.ssh/id_dsa 
debug1: Will attempt key: /Users/elison.rissatto/.ssh/id_ecdsa 
debug1: Will attempt key: /Users/elison.rissatto/.ssh/id_ed25519 
debug1: Will attempt key: /Users/elison.rissatto/.ssh/id_xmss 
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /Users/elison.rissatto/.ssh/id_rsa
debug3: sign_and_send_pubkey: RSA SHA256:SHA
debug3: sign_and_send_pubkey: signing using rsa-sha2-512
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 52
debug1: Authentication succeeded (publickey).
Authenticated to i-123456 (via proxy).
debug1: Local connections to localhost:8081 forwarded to remote address host:8081
debug3: channel_setup_fwd_listener_tcpip: type 2 wildcard 0 addr NULL
debug3: sock_set_v6only: set socket 6 IPV6_V6ONLY
debug1: Local forwarding listening on ::1 port 8081.
debug2: fd 6 setting O_NONBLOCK
debug3: fd 6 is O_NONBLOCK
debug1: channel 0: new [port listener]
debug1: Local forwarding listening on 127.0.0.1 port 8081.
debug2: fd 7 setting O_NONBLOCK
debug3: fd 7 is O_NONBLOCK
debug1: channel 1: new [port listener]
debug1: Requesting no-more-sessions@openssh.com
debug3: send packet: type 80
debug1: Entering interactive session.
debug1: pledge: proc
debug3: receive packet: type 80
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug3: receive packet: type 4
debug1: Remote: Forced command.
debug3: receive packet: type 4
debug1: Remote: X11 forwarding disabled.
debug3: receive packet: type 4
debug1: Remote: Agent forwarding disabled.
debug3: receive packet: type 4
debug1: Remote: PTY allocation disabled.
debug1: Connection to port 8081 forwarding to host port 8081 requested.
debug2: fd 8 setting TCP_NODELAY
debug3: fd 8 is O_NONBLOCK
debug3: fd 8 is O_NONBLOCK
debug1: channel 2: new [direct-tcpip]
debug3: send packet: type 90
debug1: Connection to port 8081 forwarding to host port 8081 requested.
debug2: fd 9 setting TCP_NODELAY
debug3: fd 9 is O_NONBLOCK
debug3: fd 9 is O_NONBLOCK
debug1: channel 3: new [direct-tcpip]
debug3: send packet: type 90
debug3: receive packet: type 91
debug2: channel 2: open confirm rwindow 2097152 rmax 32768
debug3: receive packet: type 91
debug2: channel 3: open confirm rwindow 2097152 rmax 32768
debug1: Connection to port 8081 forwarding to host port 8081 requested.
debug2: fd 10 setting TCP_NODELAY
debug3: fd 10 is O_NONBLOCK
debug3: fd 10 is O_NONBLOCK
debug1: channel 4: new [direct-tcpip]
debug3: send packet: type 90
debug1: Connection to port 8081 forwarding to host port 8081 requested.
debug2: fd 11 setting TCP_NODELAY
debug3: fd 11 is O_NONBLOCK
debug3: fd 11 is O_NONBLOCK
debug1: channel 5: new [direct-tcpip]
debug3: send packet: type 90
debug1: Connection to port 8081 forwarding to host port 8081 requested.
debug2: fd 12 setting TCP_NODELAY
debug3: fd 12 is O_NONBLOCK
debug3: fd 12 is O_NONBLOCK
debug1: channel 6: new [direct-tcpip]
debug3: send packet: type 90
debug1: Connection to port 8081 forwarding to host port 8081 requested.
debug2: fd 13 setting TCP_NODELAY
debug3: fd 13 is O_NONBLOCK
debug3: fd 13 is O_NONBLOCK
debug1: channel 7: new [direct-tcpip]
debug3: send packet: type 90
debug3: receive packet: type 91

Thanks a lot for the connection logs. Could you please try Core Tunnel with the -N option disabled?

I managed to reproduce this issue by creating an EC2 instance with AWS SSM feature enabled.

Will make a hot fix release soon.

Thank you very much,

Yang

@Rissatto Could you please download and install Core Helper 6.3? This issue should be fixed after Core Helper upgrade from 6.2 to 6.3.

Same error :frowning:

Elison, I managed to reproduce the issue. In my case, the aws command not being found caused the same failure messages:

kex_exchange_identification: Connection closed by remote host
Connection closed by UNKNOWN port 65535

Where are your aws cli tools installed? Could you please download and install Core Shell, copy the profile and paste it into Core Shell, then open a remote terminal for it?

Core Shell may print a more detailed log that indicates the cause.

Yang

The log with Core Shell is the same... I installed aws cli with brew. How did you fix your aws command not found problem?

OK, I see. I thought that your aws cli was installed to the folder /usr/local/bin, as recommended by Amazon's official documentation. The problem is very likely caused by Core Shell/Tunnel not being able to find the aws command installed by Homebrew.

Please get the path of your aws-cli from command:

which aws

Then print the value of the PATH environment variable in a local terminal:

echo $PATH

In my case, the value of PATH is:

/opt/homebrew/bin:/opt/homebrew/sbin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/opt/X11/bin:/Library/Apple/usr/bin

The output may be different on your Mac. Make sure the aws command is in one of the above folders.

Go to Core Tunnel/Shell Preferences… > Advanced > Environment Variables, add a new item, set Name to PATH, and set Value to what was printed previously.

Then close the Preferences and connect the tunnel or open shell session again.

Yang
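A small diagnostic that models the PATH problem described in this post, added here as an example (it is not Core Tunnel's code and not from the thread): it resolves the first word of the SSM ProxyCommand seen in the logs above under a launched-app style PATH and again under that PATH with the Homebrew directory prepended. The /opt/homebrew/bin location and the fake aws binary are constructed for the demo.

```shell
# Added example (not Core Tunnel's code): check whether the program an ssh
# ProxyCommand launches resolves under a given PATH. A macOS app started from
# Finder does not inherit the login shell's PATH, so a Homebrew "aws" that works
# in Terminal can be unreachable from the app; ssh then reports
# "kex_exchange_identification: Connection closed by remote host".

# resolve_in_path CMD PATHSTRING: print the first executable match, return 1 if none.
resolve_in_path() {
  _cmd=$1
  _save_ifs=$IFS
  IFS=:
  set -- $2                          # split PATHSTRING on ':'
  IFS=$_save_ifs
  for _dir in "$@"; do
    [ -n "$_dir" ] || _dir=.         # an empty PATH entry means the current directory
    if [ -f "$_dir/$_cmd" ] && [ -x "$_dir/$_cmd" ]; then
      printf '%s\n' "$_dir/$_cmd"
      return 0
    fi
  done
  return 1
}

# check_proxy_command 'PROXYCOMMAND' PATHSTRING: resolve the word ssh would exec
# (the first word, after an optional leading "exec"), as for the SSM ProxyCommand.
check_proxy_command() {
  _pc=$1
  _word=${_pc%% *}
  [ "$_word" = exec ] && { _pc=${_pc#exec }; _word=${_pc%% *}; }
  if _found=$(resolve_in_path "$_word" "$2"); then
    printf "OK: '%s' -> %s\n" "$_word" "$_found"
    return 0
  fi
  printf "MISSING: '%s' not found in PATH=%s (the ProxyCommand would fail)\n" "$_word" "$2"
  return 1
}

# Demo: a fake Homebrew prefix holding an executable "aws" (constructed for the example).
demo=$(mktemp -d)
mkdir -p "$demo/opt/homebrew/bin"
printf '#!/bin/sh\nexit 0\n' > "$demo/opt/homebrew/bin/aws"
chmod +x "$demo/opt/homebrew/bin/aws"
proxy='aws ssm start-session --target i-12345 --document-name AWS-StartSSHSession --parameter portNumber=22'
app_path=/usr/bin:/bin:/usr/sbin:/sbin                 # typical PATH of a launched app
fixed_path="$demo/opt/homebrew/bin:$app_path"          # value to enter under Preferences > Environment Variables
check_proxy_command "$proxy" "$app_path" || true       # MISSING
check_proxy_command "$proxy" "$fixed_path"             # OK
rm -rf "$demo"
```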

OMG! That's it! It worked! Thanks man!!!
