The ssh connection shows pending when doing boundary ssh

Boundary
1

the boundary ssh is showing as pending . its not getting connected.
![Screenshot 2024-11-13 at 1.35.06 PM|690x499](upload://jknCbY3WS8ts7f6ap3XzEmY6wNY.png
i am using below architecture the connection from worker to backend host on native ssh working fine. but via boundary its not working.

1 Like
2

Boundary-arch-azure
Boundary-arch-azure2208×1218 228 KB

3

Screenshot 2024-11-13 at 1.35.06 PM
Screenshot 2024-11-13 at 1.35.06 PM945×684 67.2 KB

boundary hosts read -id hst_OlJeA24zQt

Host information:
Created Time: Tue, 12 Nov 2024 18:42:30 IST
Description: Backend server #172.18.4.4
Host Catalog ID: hcst_v2z59y3F76
ID: hst_OlJeA24zQt
Name: backend_server_172.18.4.4
Type: static
Updated Time: Tue, 12 Nov 2024 18:42:30 IST
Version: 1

Scope:
ID: p_0LDZvv00Mo
Name: Landing Zone
Parent Scope ID: o_rqFFRE1zne
Type: project

Authorized Actions:
no-op
read
update
delete

Host Set IDs:
hsst_k6ZykclxXP

Attributes:
address: 172.18.4.4
boundary targets read -id ttcp_yYXWEDnGMX

Target information:
Created Time: Tue, 12 Nov 2024 18:42:35 IST
Description: Backend SSH target
Egress Worker Filter: “egress” in “/tags/type”
ID: ttcp_yYXWEDnGMX
Name: backend_servers_ssh
Session Connection Limit: -1
Session Max Seconds: 28800
Type: tcp
Updated Time: Tue, 12 Nov 2024 19:54:32 IST
Version: 6

Scope:
ID: p_0LDZvv00Mo
Name: Landing Zone
Parent Scope ID: o_rqFFRE1zne
Type: project

Authorized Actions:
remove-credential-sources
read
authorize-session
add-host-sources
add-credential-sources
set-credential-sources
set-host-sources
remove-host-sources
update
delete
no-op

Host Sources:
Host Catalog ID: hcst_v2z59y3F76
ID: hsst_k6ZykclxXP

Brokered Credential Sources:
Credential Store ID: csst_LFm0JtDRVB
ID: credup_RYRQrkXvFy

Attributes:
Default Port: 22

4

my configs look like : azureuser@controller-0:~$ cat /etc/boundary/boundary-controller.hcl
disable_mlock = true

telemetry {
prometheus_retention_time = “24h”
disable_hostname = true
}

controller {
name = “controller-controller-0”
description = “Landing Zone Boundary Controller”

database {
url = “postgresql://sqladmin:@.postgres.database.azure.com:5432/boundary?sslmode=require”
}
}

listener “tcp” {
address = “172.18.2.4:9200”
purpose = “api”
tls_disable = true
tls_cert_file = “/etc/pki/tls/boundary/cert.crt”
tls_key_file = “/etc/pki/tls/boundary/cert.key”

proxy_protocol_behavior = “allow_authorized”

proxy_protocol_authorized_addrs = “127.0.0.1”

cors_enabled = true
cors_allowed_origins = [“*”]
}

listener “tcp” {
address = “172.18.2.4:9201”
purpose = “cluster”
tls_disable = true
tls_cert_file = “/etc/pki/tls/boundary/cert.crt”
tls_key_file = “/etc/pki/tls/boundary/cert.key”

proxy_protocol_behavior = “allow_authorized”

proxy_protocol_authorized_addrs = “127.0.0.1”

}

kms “azurekeyvault” {
purpose = “root”
tenant_id = “xxxxxxxxx”
vault_name = “boundary-vault-lz-sK8k”
key_name = “root”
}

kms “azurekeyvault” {
purpose = “worker-auth”
tenant_id = “xxxxxx”
vault_name = “boundary-vault-lz-sK8k”
key_name = “worker”
}

kms “azurekeyvault” {
purpose = “recovery”
tenant_id = “xxxxxxxx”
vault_name = “boundary-vault-lz-sK8k”
key_name = “recovery”
}
azureuser@controller-0:~$

azureuser@controller-0:~ telnet 172.18.3.4 9202 Trying 172.18.3.4... Connected to 172.18.3.4. Escape character is '^]'. ^CConnection closed by foreign host. azureuser@controller-0:~

azureuser@worker-0:~$ cat /etc/boundary/boundary-worker.hcl

listener “tcp” {
address = “172.18.3.4:9202”
purpose = “proxy”
tls_disable = true
tls_cert_file = “/etc/pki/tls/boundary/cert.crt”
tls_key_file = “/etc/pki/tls/boundary/cert.key”
# proxy_protocol_behavior = “allow_authorized”
# proxy_protocol_authorized_addrs = “127.0.0.1”
}

worker {
# Name attr must be unique
# public_addr = “x.x.x.x”
name = “worker-worker-0”
description = “Landing Zone Boundary Worker”
tags {
type = [“worker”, “egress”]
}
initial_upstreams = [
“172.18.2.4”,
]
}

kms “azurekeyvault” {
purpose = “worker-auth”
tenant_id = “xxxxxxxxxx”
vault_name = “boundary-vault-lz-sK8k”
key_name = “worker”
}

azureuser@worker-0:~$ telnet 172.18.4.4 22
Trying 172.18.4.4…
Connected to 172.18.4.4.
Escape character is ‘^]’.
SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.10
^C
Connection closed by foreign host.

Screenshot 2024-11-13 at 2.00.44 PM
Screenshot 2024-11-13 at 2.00.44 PM1918×390 30.3 KB

5

@kishore-behera When running the connect command Boundary creates a localhost proxy to connect to which will then proxy your traffic to the worker and finally the target.

The command you show is the first step boundary connect which creates the localhost proxy, you then need to ssh into this localhost proxy. Alternatively you can use the connect helpers to automatically ssh Connect helpers | Boundary | HashiCorp Developer