HCP Boundary cli vs Desktop - connecting to an ubuntu target in ec2

I am new to Boundary and set up cluster on HCP. I am following the training section Connect to your first target . The Boundary cli installed on my Linux machine is 0.14.2.

The initial setup of the target to connect to my public AWS Ubuntu instance is completed. I can successfully use the Boundary CLI to connect to my instance with the command $boundary connect ssh -target-id=ttcp_123456789 -- -l user_name -i user_key.pem

The ssh logs have these:

sshd[38104]: Accepted publickey for user_name from 35.168.53.57 port 30371 ssh2: RSA SHA256:GPz+K5jGpaix5FK8KIsQuxAO2N2144sJPXMsOey0umw
sshd[38104]: pam_unix(sshd:session): session opened for user user_name (uid=1000) by (uid=0)
systemd-logind[3057]: New session 314 of user user_name.

When trying to replicate the setup with Boundary Desktop, I can see the target listed and clicking connect is also successful. The status turns to pending and the session is ready. When choosing shell, it shows:

ssh 127.0.0.1 -p 34567, and it fails with the error user@127.0.0.1: Permission denied (publickey).

ssh logs for this session:

Connection closed by authenticating user user_name 44.194.155.74 port 6803 [preauth]

Questions:

  1. Why does Boundary Desktop fail when ssh from the terminal or the Boundary CLI works?
  2. When I use another machine (Windows, for example) and use Boundary Desktop, will any changes need to be made to establish a session (private key, brokering any credentials, etc.)?

Update: tested the CLI and Boundary Desktop:

  1. Using the CLI:

$boundary connect ssh -target-id=ttcp_123456789 -- -l user_name -i user_key.pem

  2. Using Boundary Desktop: After successfully creating a session with the target, copy the session's ssh port forwarding details. Once inside the inbuilt shell, use the command and ensure you have the private key in the path to connect successfully.

ssh user_name@127.0.0.1 -p 50360 -i user_key.pem

So, answering my questions:

  1. Why does Boundary Desktop fail when ssh from the terminal or the Boundary CLI works: tested and works now.
  2. When I use another machine (Windows, for example) and use Boundary Desktop, will any changes need to be made to establish a session (private key, brokering any credentials, etc.): yes, I will have to provide the necessary keys to complete the ssh session.

If there is a better way, I am happy to learn.

Hey @ict-singapore, thanks for trying out Boundary! Apologies for the delayed response.

First, before we dive into your question, let me provide a breakdown of Target Types within Boundary. A target is a resource that represents a networked service with an associated set of permissions a user can connect to and interact with through Boundary by way of a session.

There are currently two types of Targets within Boundary: TCP and SSH Targets.

TCP Targets are generic: they can represent any TCP service on a machine. This could include RDP, Postgres, MySQL, SFTP, SSH, etc. Boundary has no knowledge of the underlying service you're connecting to, and is simply proxying your request if you're authenticated and authorized to make the connection.

In this case, as an administrator you may set up a TCP Target, and have to enter the credentials as you did in this example:

boundary connect ssh -target-id=ttcp_4q0113bvik -- -l ubuntu -i ~/Downloads/sandbox.pem

With the SSH Target type, however, we are essentially telling Boundary that the service you're connecting to is using SSH. Boundary is able to do SSH protocol decoding, which allows us to inject authentication credentials on behalf of users. This requires the creation and association of credentials in a Boundary Credential Store (either the native Static Credential Store, or Vault) to your SSH Target.

In this case, the user essentially gets a passwordless experience, only needing to be authorized to establish a session to the target:

boundary connect ssh -target-id=ttcp_4q0113bvik

You can have a TCP Target that is used to connect to a machine over SSH, but there is no credential injection support, only brokering of credentials.

So, going back to your initial question here, to SSH to your TCP Target, you needed to provide the username and credential to SSH as you later did:

ssh user_name@127.0.0.1 -p 50360 -i user_key.pem

But given you're using HCP Boundary, I'd highly recommend checking out this tutorial, which walks through the creation of an SSH Target, so that you can securely offload the management of credentials to Boundary.

For a further breakdown of Features between versions of Boundary, there is a feature matrix here: What is Boundary? | Boundary | HashiCorp Developer

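As an added example (not code from this thread or from HashiCorp), here is the sequence of boundary CLI commands that turns the manual -l/-i TCP-target workflow above into an SSH target with an injected static private-key credential, so that the user only needs to be authorized for the session. It assumes an authenticated boundary CLI (BOUNDARY_ADDR/BOUNDARY_TOKEN set) with jq available; the project id, host address, key path, the BOUNDARY_DRY_RUN switch and the helper names are assumptions for illustration.

```shell
#!/bin/sh
# Added example: build an SSH target with an injected credential.
# Placeholders: project id, host address, SSH user and key file are
# passed in by the caller; nothing here is taken from the thread.
set -eu

# Run a boundary command that creates a resource and return its id.
# With BOUNDARY_DRY_RUN=1 the command is only printed (to stderr) and a
# labelled fake id is returned, so the plan can be reviewed first.
bnd_id() {
  if [ "${BOUNDARY_DRY_RUN:-0}" = "1" ]; then
    printf 'boundary %s -format json\n' "$*" >&2
    printf 'dryrun_%s' "$1"
  else
    boundary "$@" -format json | jq -r '.item.id'
  fi
}

# Run a boundary command whose output we do not need.
bnd() {
  if [ "${BOUNDARY_DRY_RUN:-0}" = "1" ]; then
    printf 'boundary %s\n' "$*" >&2
  else
    boundary "$@" >/dev/null
  fi
}

# Creates store -> credential -> SSH target -> injected credential source.
# Prints the new target id; connect with: boundary connect ssh -target-id <id>
setup_ssh_target() {
  project_id="$1"; host_addr="$2"; ssh_user="$3"; key_file="$4"

  store_id=$(bnd_id credential-stores create static \
    -scope-id "$project_id" -name "ec2-ssh-keys")

  # The private key stays in the store; Boundary injects it into the session,
  # so users never receive it (unlike a brokered credential on a TCP target).
  cred_id=$(bnd_id credentials create ssh-private-key \
    -credential-store-id "$store_id" -username "$ssh_user" \
    -private-key "file://$key_file")

  # An SSH target (id prefix tssh_) rather than a generic TCP target (ttcp_).
  target_id=$(bnd_id targets create ssh -scope-id "$project_id" \
    -name "ubuntu-ec2" -default-port 22 -address "$host_addr")

  # Attach as an *injected* source; -brokered-credential-source would instead
  # hand the key to the user, which is the TCP-target behaviour.
  bnd targets add-credential-sources -id "$target_id" \
    -injected-application-credential-source "$cred_id"

  printf '%s\n' "$target_id"
}
```

After this, `boundary connect ssh -target-id <returned id>` needs no -l or -i, and Boundary Desktop sessions against the same target get the injected credential too.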

Thanks @bouhmad for the detailed answer. I shall definitely work on the SSH credential injection this weekend and explore different types of policies.

One of the pressing questions is in terms of trying to access my internal EC2 hosts in AWS compared to public hosts. Do I need to enable any ingress/egress checks? (Sorry, I can't find much detail on this topic outside.)