The problem connecting via ssh

metanovii · February 8, 2024, 10:38am

Hi. My terraform code:

variable "servers_ssh_ru_zone" {
  type = map(object({
    name        = string
    description = string
    address     = string
    port        = string
    target_type = string
  }))
  default = {
    schrodinger_1 = {
      name        = "sch..."
      description = "db-api-..."
      address     = "94...."
      port        = "22"
      target_type = "tcp"
    }
  ...
  }
}
resource "boundary_target" "servers_ssh_ru_zone" {
  for_each = var.servers_ssh_ru_zone

  name                     = each.value.name
  description              = each.value.description
  type                     = each.value.target_type
  default_port             = each.value.port
  session_connection_limit = -1
  scope_id                 = boundary_scope.infra_prod_ssh.id
  egress_worker_filter     = "\"ru\" in \"/tags/region\""
  address                  = each.value.address
}

My ssh config

Host *
    ForwardAgent yes

Host ttcp_*
  ProxyCommand boundary connect -target-id %n -exec nc -- {{boundary.ip}} {{boundary.port}}
  User s.mikhaltsov
  IdentityFile /home/metanovii/.ssh/id_rsa

❯ ssh ttcp_w8GIZqve5c
kex_exchange_identification: Connection closed by remote host
Connection closed by UNKNOWN port 65535

❯ boundary connect ssh -target-id ttcp_w8GIZqve5c
ssh: connect to host 127.0.0.1 port 44955: Connection refused

from the side of boundary workers, there is nothing interesting in the logs. I don’t see any ssh connection attempts in the logs on the target server

What I doing wrong?

metanovii · February 8, 2024, 3:35pm

After downgrade client to version 0.14.3 connection was established and I was able to log in via ssh

0.15.0:

❯ boundary connect -target-id=ttcp_EuN7nVm9Jy

Proxy listening information:
  Address:             127.0.0.1
  Connection Limit:    0
  Expiration:          Fri, 09 Feb 2024 02:36:05 MSK
  Port:                34751
  Protocol:            tcp
  Session ID:          s_UM1qEcD533

Connection limit 0? Why? With client 0.14.3 i has limit -1

jeff · February 13, 2024, 2:33am

Hello,

There is a bug in the 0.15.0 release where connection limited sessions will terminate after one less connection than they should. I think this is what you’re hitting; this bug will be resolved in 0.15.1, which I believe will be released within the next week or so.

metanovii · March 20, 2024, 3:31pm

Version 0.15.2 has already been released, but the problem is still relevant. Do you have any information when the fix will be?

jeff · March 21, 2024, 1:23pm

The bug mentioned was fixed in fix: Proxy closing listener with 0 connections left by elimt · Pull Request #4389 · hashicorp/boundary · GitHub which went into 0.15.1. If you are still seeing an issue, it’s a different issue.

Please be aware that this bug affects the boundary CLI only. If you’ve upgraded your controller and/or workers but your CLI is still 0.15.0 you will still hit this bug. The CLI needs to be 0.15.1 for the fix.

metanovii · March 21, 2024, 1:52pm

I have updated only the CLI, the controller and the worker are still 0.14.3.

jeff · March 21, 2024, 2:06pm

I’m not sure how things would behave in that scenario. We are backwards-compatible, not forwards-compatible – we support older clients to the greatest extent possible but make no guarantees about newer clients.