SSH Connection with private key file not working


I have the following setup:

Client → HCP Boundary → Ingress worker (in AWS) → Egress worker (in Azure in private subnet) → Private server

After setting up the target (Private server) I try to connect to it but fails.

$ boundary connect ssh -target-id=tssh_l7NG5VuZB2 -- -l azureuser -i ~/Downloads/server_key.pem
Unable to authorize connection
kex_exchange_identification: read: Connection reset by peer
Connection reset by port 61485

The private key file is there and permissions have been set.

$ ls -l ~/Downloads/server_key.pem
-rw-------@ 1 chris  staff  2494 May  8 11:08 /Users/chris/Downloads/server_key.pem

But when I create a (static) credentials store with the azureuser and private key file contents and then inject this into the target, then it somehow does work.

$ boundary connect ssh -target-id=tssh_l7NG5VuZB2
Welcome to Ubuntu 22.04.2 LTS (GNU/Linux 5.15.0-1037-azure x86_64)
Last login: Mon May  8 09:34:00 2023 from

The journal logs of the ingress worker do show these logs talking about empty credentials.

May 08 10:43:09 ingress boundary-worker[2114]: {"id":"Xpj7lxnLE0","source":"","specversion":"1.0","type":"system","data":{"version":"v0.1","op":"worker.(Worker).handleProxy","data":{"msg":"session successfully activated","session_id":"s_ULXIQJSb92"}},"datacontentype":"application/cloudevents","time":"2023-05-08T10:43:09.790617434Z"}
May 08 10:43:09 ingress boundary-worker[2114]: {"id":"964SSDCyqK","source":"","specversion":"1.0","type":"error","data":{"error":"error authorizing connection: rpc error: code = Unknown desc = handlers.entProtocolContext: handlers.GetEncryptedCredentials: empty credentials: parameter violation: error #100","error_fields":{},"id":"e_reoFVtNeyn","version":"v0.1","op":"worker.(Worker).handleProxy","info":{"msg":"unable to authorize connection"}},"datacontentype":"application/cloudevents","time":"2023-05-08T10:43:09.921966032Z"}
$ boundary version

Version information:
  Build Date:          2023-04-04T15:39:15Z
  Git Revision:        482cc6879118f94ce32e28740cf0b4da2507d0aa
  Version Number:      0.12.2

What am I doing wrong here?

When using an SSH target type, Boundary must be the one providing the credential to the end host; since Boundary is decoding the session, it cannot simply pass through a given credential from the client. That’s why it’s working when you give the credential to the credential store but not when you specify it on the command line.

If you want to specify a credential on the command line, use the TCP target type which will leave the underlying network connection alone, so the SSH session is between your client and the end host.


Thanks, that makes sense.

@jeff already gave the correct hint, when creating an SSH target, Boundary has to provide the credentials.