
Can't get SSH connections through AWS Session Manager working


I have an EC2 instance in a private subnet in which I want to copy files.

Instead of an S3 bucket I want to use Secure File Copy through Session Manager as documented here and announced here.

A running EC2 instance is attached with an instance profile containing the policy AmazonEC2RoleforSSM. On my local machine (macOS 10.14.5) the AWS CLI (aws-cli/1.16.195) and the Session Manager Plugin (1.1.26.0) are installed and .ssh/config is configured accordingly.

  • I can log into the instance with Session Manager on the web AWS Console.

  • I can log into the instance using the CLI with aws ssm start-session --target i-XXX.

  • I can't log into the instance using SSH. I've tried 2 different OpenSSH client versions:

OpenSSH_7.9p1:

When I run ssh ec2-user@i-XXX it hangs indefinitely. However, I can see a connected session in the Session Manager. When I SIGTERM the process I get the following output and the session is terminated:

Command '['session-manager-plugin', '{"SessionId": "XXX", "TokenValue": "XXX", "StreamUrl": "wss://ssmmessages.eu-central-1.amazonaws.com/v1/data-channel/XXX?role=publish_subscribe", "ResponseMetadata": {"RetryAttempts": 0, "HTTPStatusCode": 200, "RequestId": "XXX", "HTTPHeaders": {"x-amzn-requestid": "XXX", "date": "Wed, 07 Aug 2019 08:47:23 GMT", "content-length": "579", "content-type": "application/x-amz-json-1.1"}}}', 'eu-central-1', 'StartSession', u'cc', '{"DocumentName": "AWS-StartSSHSession", "Target": "i-XXX", "Parameters": {"portNumber": ["22"]}}', u'https://ssm.eu-central-1.amazonaws.com']' returned non-zero exit status -13

OpenSSH_8.0p1:

When I run ssh ec2-user@i-XXX I get the following error and need to manually terminate the session in the Session Manager:

kex_exchange_identification: banner line contains invalid characters

Solution

  • I just got an answer from AWS Support and it is working for me now. There was a bug in one of the following components.

    Ensure at least the following versions and it should work then.

    local

    • aws cli: aws-cli/1.16.213 Python/3.7.2 Darwin/18.7.0 botocore/1.12.203
      • aws --version
    • session-manager-plugin: 1.1.26.0
      • session-manager-plugin --version

    target ec2 instance

    • amazon-ssm-agent: 2.3.687.0
      • for Amazon Linux: yum info amazon-ssm-agent | grep "^Version"

    I've also created a neat SSH ProxyCommand script that temporarily adds your public SSH key to the target instance during connection to the target instance.
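
The version checks listed in the answer, gathered into one script. This is an added example, not part of the original answer or of any AWS tooling; the function names are hypothetical and the sample strings are constructed from the versions quoted on this page.

```sh
#!/bin/sh
# Minimum versions quoted in the answer above.
MIN_AWS_CLI=1.16.213
MIN_PLUGIN=1.1.26.0
MIN_AGENT=2.3.687.0

# is_version S: true when S is a dotted run of digits ("" fails, e.g. tool missing).
is_version() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
}

# version_ge A B: 0 if A >= B, 1 if A < B, 2 if either is not a version (numeric per field).
version_ge() {
    is_version "$1" && is_version "$2" || return 2
    va=$1 vb=$2
    while [ -n "$va" ] || [ -n "$vb" ]; do
        fa=${va%%.*} fb=${vb%%.*}
        [ "${fa:-0}" -gt "${fb:-0}" ] && return 0
        [ "${fa:-0}" -lt "${fb:-0}" ] && return 1
        case "$va" in *.*) va=${va#*.} ;; *) va= ;; esac
        case "$vb" in *.*) vb=${vb#*.} ;; *) vb= ;; esac
    done
    return 0
}

# Extract the version from `aws --version` output ("aws-cli/X.Y.Z Python/...").
aws_cli_version() {
    v=${1#aws-cli/}
    [ "$v" != "$1" ] || return 1
    printf '%s\n' "${v%% *}"
}

# Extract the version from `yum info amazon-ssm-agent` output ("Version : X.Y.Z").
agent_version() {
    printf '%s\n' "$1" | sed -n 's/^Version *: *//p' | sed -n 1p
}

# check NAME FOUND MINIMUM: print a verdict; return 0 only when FOUND >= MINIMUM.
check() {
    if version_ge "$2" "$3"; then
        echo "OK    $1 $2 (>= $3)"
    else
        echo "FAIL  $1 '${2:-not found}' (need >= $3)"; return 1
    fi
}

# Constructed sample input: the client versions given in the question.
check aws-cli "$(aws_cli_version 'aws-cli/1.16.195 Python/3.7.2 Darwin/18.7.0')" "$MIN_AWS_CLI" || true
check session-manager-plugin 1.1.26.0 "$MIN_PLUGIN"
```

On a workstation, pass `$(aws --version 2>&1)` to `aws_cli_version` and `$(session-manager-plugin --version)` straight to `check`; on the instance, pass the `yum info amazon-ssm-agent` output to `agent_version` and compare against `MIN_AGENT`.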