Tunnelling from one GCP instance to another with SSH or SCP

Keywords: WordPress - Google Cloud Platform - Technical issue - Connectivity (SSH/FTP)
Description:
So, I’m reluctant to ask for support on this because I should be able to solve it myself, but I’ve read through both the Bitnami guide and Google’s (https://cloud.google.com/compute/docs/troubleshooting/troubleshooting-ssh) and nothing resonates with my problem.

I am trying to use WP-CLI to move a couple of websites between two Google Cloud VM instances - both under the same GCP project, both using the same SSH keys with the keys stored as metadata (at both project and VM level) under the same user, ‘bitnami’.

My SSH connections to both VMs work flawlessly: I can access each VM via the Google Web Console, I can access both via PuTTY, and with the tunnel open I can access phpMyAdmin for both. So, my direct access via SSH works perfectly.

I have checked that the public key stored in /home/bitnami/.ssh/authorized_keys matches the SSH key stored in the Google Cloud console (for both my instance and project metadata). I have checked that OS Login is NOT enabled within the console and have even run the following command-line check: curl "http://metadata.google.internal/computeMetadata/v1/instance/attributes/enable-oslogin" -H "Metadata-Flavor: Google", which produces a 404 error.

But when I run either of the following (scp or ssh) instructions within bash:

ssh bitnami@OTHER-SERVER-IP "cd /opt/bitnami/apps/MyApp > /dev/null&&wp --allow-root db export /tmp/the-old-wp-database.sql"

scp bitnami@OTHER-SERVER-IP:/opt/bitnami/apps/MyApp/htdocs/oldfile.txt /tmp/oldfile.txt

it produces:

bitnami@OTHER-SERVER-IP: Permission denied (publickey).

Can you see any reason why this is failing? Is there anything about the Bitnami stack that would preclude this working?

I made some progress by running the following command using gcloud compute:

gcloud compute scp INSTANCE-NAME:/opt/bitnami/apps/MyApp/htdocs/oldfile.txt /tmp/oldfile.txt

But this produced the following error:

ERROR: (gcloud.compute.scp) Could not fetch resource: - Request had insufficient authentication scopes.

So I stopped the VM instance and edited the 'API access scopes' section to select "Allow full access to all Cloud APIs". Then saved and started the instance.

Success. I can now scp between my old and new instances.

So far I haven’t found a way of running WP-CLI from within the gcloud compute argument, so I would still welcome any suggestions on fixing my original problem to SSH between the two Bitnami-GCP installations.

Hi @steve12,

Thanks for your message. I understand you can SSH connect to both instances from your local computer, but not to server2 from server1. If my understanding is wrong, please let me know.

If my understanding is correct, then the issue is likely to be caused by the SSH agent in server1 not having your private key loaded to access server2. You can propagate the SSH keys in your local computer to the server1 session only for the time that the SSH connection to server1 is alive, using the -A option of SSH.

ssh -A bitnami@server1-IP-address

Now, from the server1 command line, you can check the SSH keys loaded in the agent with

ssh-add -l

You can also run the command above on your local computer to check the SSH keys loaded in the agent. In case none of them is shown, you can add an SSH key by running

ssh-add -K /path/to/ssh/private/key

If the output shows an ID with your SSH private key name, try to SSH to server2

ssh bitnami@server2-ip-address

From SSH man page:

-A Enables forwarding of the authentication agent connection. This can also be specified on a per-host basis in a configuration file.

Agent forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the agent’s UNIX-domain socket) can access the local agent through the forwarded connection. An attacker cannot obtain key material from the agent, however they can perform operations on the keys that enable them to authenticate using the identities loaded into the agent.

Thanks @gongomgra, I will try those suggestions and update this thread with the outcome.

Yes, you are correct in your understanding - I can SSH connect to both instances from my local computer but not to server2 from server1 (or vice versa).

I’m not sure if there’s much performance difference, but now that I can use gcloud compute for scp at least I can migrate files between the server instances as I’d planned.

I can get around the SSH problem by logging in to server1, performing the WP-CLI commands as a legitimate user and then logging in to server2 and using SCP to transfer the output (zip files or SQL dumps) across. Not as elegant a workflow, but at least it works.

But I would still like to apply your suggestions and at least know why my original approach didn’t work.

Thanks for your help,

Hi @steve12,

Thanks for your message. Let me try to give you an explanation on why you can’t connect from one server to another.

When you try to connect to a server, you use a specific SSH key, usually with the ssh -i /path/to/ssh/key command. Alternatively, you can use a helper tool called ssh-agent that keeps track of your identities and uses them automatically when connecting to a server. However, it lives on your local computer, not in the remote server, but you can temporarily (while your SSH session is alive) “move” your SSH identities to the new server using the -A option I shared in my previous post.

Hope it helps!
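The agent checks described in both replies above (is an agent socket present in the server1 session, and does it hold an identity that can open server2), wrapped into a small helper that refuses to attempt the hop until they pass. This is an added example, not code from the thread or from Bitnami; the server address, application directory and dump path are placeholders.

```shell
#!/bin/sh
# Added example: verify that a forwarded (or local) SSH agent with loaded
# identities is reachable before running WP-CLI on the other instance.

# Map the exit status of `ssh-add -l` to a readable state.
# ssh-add -l exits 0 when identities are listed, 1 when the agent holds
# none, and 2 when no agent could be contacted at all.
classify_agent_status() {
    case "$1" in
        0) echo "identities-loaded" ;;
        1) echo "agent-empty" ;;
        2) echo "agent-unreachable" ;;
        *) echo "unknown" ;;
    esac
}

# Report the agent state for the current shell session.
agent_state() {
    if [ -z "${SSH_AUTH_SOCK:-}" ]; then
        # No agent socket: the session was opened without `ssh -A`, or
        # the remote sshd does not permit agent forwarding.
        echo "no-agent-socket"
        return 0
    fi
    ssh-add -l >/dev/null 2>&1
    classify_agent_status "$?"
}

# Export the WordPress database on the other instance and copy the dump
# back, failing early with the agent state when authentication cannot work.
# Arguments: remote address, application directory, dump path (placeholders).
export_remote_db() {
    server="$1"; app_dir="$2"; dump="$3"
    state="$(agent_state)"
    if [ "$state" != "identities-loaded" ]; then
        echo "cannot reach $server: agent state is $state" >&2
        return 1
    fi
    ssh "bitnami@$server" "cd '$app_dir' && wp db export '$dump'" \
        && scp "bitnami@$server:$dump" "$dump"
}
```

Run `agent_state` right after `ssh -A bitnami@server1-IP-address`; anything other than `identities-loaded` explains the `Permission denied (publickey)` before any ssh or scp attempt is made.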