Attempting to use ZSSH, after successfully using SSH and NF Console

Hi All,

I have used my Teams Edition to build a network and connect to an EC2 instance using stock ssh. All is working fine.

Here’s what I did:

  1. Registered for Teams
  2. Built my first network
  3. Created an AWS EC2 Instance in my VPC (my target machine)
  4. Created a NetFoundry Edge Router in my VPC, installed from the AWS marketplace.
  5. Created two endpoints (1 AWS Edge Router, 1 My MacBook)
  6. Created SSH Service
  7. Created APP WAN

Using the SSH command below all works fine.
ssh -i “AWS East Key Pair.pem” ec2-user@myserver.ziti

Key Pair is a pem file “AWS East Key Pair.pem”

I then wanted to use ZSSH instead of SSH.

  1. Downloaded ZSSH and ZITI latest releases for Apple MacBook M1 Pro Chip, macOS Monterey 12.4

Note the downloads say “macOS Darwin AMD64” but all seems to work.

  2. Using NF console created a new endpoint “zsshclient” and downloaded the identity zsshclient.jwt

  3. Using NF console added “zsshclient” endpoint to AppWan (See AppWan image)

  4. Using Ziti created a json config with the following command:

% ./ziti edge enroll zsshclient.jwt
INFO generating 4096 bit RSA key
INFO enrolled successfully. identity file written to: zsshclient.json

Seemed to be successful

  5. Attempted to use zssh instead of ssh with the following command.

% ./zssh -i ./AWS\ East\ Key\ Pair.pem -c ./zsshclient.json -s “SSH AppWorkLoad” ec2-user@“AWS East Edge Router” -d

also tried “myserver.ziti” hostname from service definition

% ./zssh -i ./AWS\ East\ Key\ Pair.pem -c ./zsshclient.json -s “SSH AppWorkLoad” ec2-user@myserver.ziti -d

Both fail to connect and with the debug flag set, the execution and error appears as follows:

./zssh -i ./AWS\ East\ Key\ Pair.pem -c ./zsshclient.json -s “SSH AppWorkLoad” ec2-user@“AWS East Edge Router” -d

INFO username set to: ec2-user
INFO targetIdentity set to: AWS East Edge Router
INFO connection to edge router using api session token 734dc89f-d4d1-4dc7-82c8-75ca417dce18
FATAL error when dialing service name SSH AppWorkLoad. unable to dial service ‘SSH AppWorkLoad’: dial failed: service ygNIuQjWCf has no terminators for identity AWS East Edge Router

service ygNIuQjWCf is clearly odd.

Any clues?
JerseyMike


Hi @jersey.mike

I am validating your network configurations in the console and will get back to you shortly.

Regards,
Sheik Ahamed

Thanks for the detailed report @jersey.mike! I learned from @dovholuknf that there’s a necessary host config property for this that can only be set in the power user service creator in the console.

You don’t normally see the host config when you create a simple service in the console, but you’ll need to do this one a bit more manually.

First, let’s enable power user features in your personal settings so you can start looking at the configs sub-tab that will then appear with your services view.


Ok I did that, but I’m not sure what I’m looking for, this is what I see.

ygNIuQjWCf is apparently the ziti ID for my Service “SSH AppWorkLoad”

The cause of the no terminators error message is that the service is lacking a necessary property. You need to create a new service with this property because it’s not possible to edit the existing service in this particular way.

Create a new “advanced configuration” service, which is a type that becomes available after you enable power user features, named “zssh service”.

Let the new service be hosted by the same endpoint identity and same service role attributes as the existing service “SSH AppWorkLoad”.

Delete any extra configs on the right hand side. Keep just one config of type host.v1 with this value.

{
  "protocol": "tcp",
  "address": "localhost",
  "port": 22,
  "listenOptions": {
    "bindUsingEdgeIdentity": true
  }
}

Now change your zssh command to have zssh -s “zssh service” instead of -s “SSH AppWorkLoad”.

Hi JerseyMike,

On the NetFoundry YouTube channel, we have a video showing how to configure zssh service.

Thanks,

James

Ken,

Following the directions seems to be fine, but it is still erroring out. I think the identity is still hosed.

./zssh -s “zssh service”
2022/06/27 12:39:42 failed to load ziti configuration file: config file (/Users/mkochanik/.ziti/zssh.json) is not found
mkochanik@Michaels-MBP zssh %

MikeK

zssh is trying to find your identity JSON file in the default path ~/.ziti/zssh.json. You may install your identity JSON file in that location or you may override the default with the zssh --ZConfig /path/to/identity.json option.

Ken, the JSON that is there is the file I created prior to creating the zssh service with the advanced configuration options as instructed above. I’m guessing that after I created the new service “zssh service” with the advanced configuration provided, the JSON in question needs to be updated. Am I off base here?

Using this command line
./zssh -s “zssh service” -c zssh.json -d

The debug output is …

INFO username set to: mkochanik
INFO targetIdentity set to: service”
FATAL service not found: “zssh

It seems to be hating on the fact that my service “zssh service” has a space

MikeK

You are correct. Should be an easy fix inside zssh command. Let me take a quick look.

Yes, you won’t need to change the identity.

Working on this in “service name with whitespace is not parsed correctly” (Issue #21, openziti-test-kitchen/zssh on GitHub)

@jersey.mike Do you get the same result if you enclose the double-quoted string in single quotes like this (single quotes outside the doublequotes)?

./zssh -s '“zssh service”' -c zssh.json -d

Why wrap the “smart quotes” with apostrophes at all? I would expect this to be

./zssh -s "zssh service" -c zssh.json -d
or
./zssh -s 'zssh service' -c zssh.json -d

?

Now I think it’s more likely that @jersey.mike pasted text with smart quotes instead of dumb double-quotes. The quotes are directional, not vertical like ".

@jersey.mike Please try your command with literal double-quotes by pasting the command from your notes, then erasing the " and re-adding them in the terminal.

Reference for using quotes with MacOS Terminal.app: On Smart Quotes and Terminal – Scripting OS X
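
Added example, not part of the original thread and not zssh code: a small Python check showing why a command pasted with typographic quotes produces the `service not found: “zssh` and `targetIdentity set to: service”` debug lines above. It assumes Python's `shlex` as a stand-in for POSIX shell word splitting; the function names are illustrative.

```python
import shlex
import unicodedata

# Typographic quotes that editors and chat tools substitute for ASCII " and '.
SMART_QUOTES = {
    "\u201c": '"',  # left double quotation mark
    "\u201d": '"',  # right double quotation mark
    "\u2018": "'",  # left single quotation mark
    "\u2019": "'",  # right single quotation mark
}


def find_smart_quotes(command):
    """Return (index, Unicode name) for each typographic quote in command."""
    return [(i, unicodedata.name(ch)) for i, ch in enumerate(command)
            if ch in SMART_QUOTES]


def normalize_quotes(command):
    """Replace typographic quotes with the ASCII quotes a shell understands."""
    return command.translate(str.maketrans(SMART_QUOTES))


def option_value(command, flag):
    """Tokenize like a POSIX shell and return the word following flag."""
    argv = shlex.split(command)
    return argv[argv.index(flag) + 1]


# Constructed sample: the command from the thread as pasted with smart quotes.
PASTED = "./zssh -s \u201czssh service\u201d -c zssh.json -d"

if __name__ == "__main__":
    # Smart quotes are ordinary characters to the shell, so the service name
    # is split at the space and the quote characters stay inside the words.
    print(shlex.split(PASTED))
    for pos, name in find_smart_quotes(PASTED):
        print(f"column {pos}: {name}")
    # With ASCII quotes the name arrives as a single argument.
    print(shlex.split(normalize_quotes(PASTED)))
```
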

Hi @jersey.mike

Refer to our support guide on ZERO TRUST SSH for more details.

Please let us know if this helps.

Regards,
Sheik Ahamed
