are you zssh opc@ssh.client.ziti
? seems that way based on the “for identity ssh.client.ziti”
here is the command
zssh opc@ssh.client.ziti -d -s ssh_server -c zssh.json -i abc.key
not sure how else to debug…
I tried ssh ssh.client.ziti but the host did not resolve
This is from the logs from the tunneller
[ 540.283] INFO ziti-edge-tunnel:ziti-edge-tunnel.c:315 send_events_message() Events Message => {"Op":"controller","Action":"connected","Identifier":"./ssh_server.json"}
[ 1010.582] ERROR ziti-sdk:connect.c:442 connect_get_net_session_cb() conn[0.0] failed to get session for service[ssh_server]: NOT_FOUND(The resource requested was not found or is no longer available)
[ 1010.582] WARN ziti-sdk:connect.c:1117 rebind_cb() conn[0.0] failed to re-bind [-17/Service not available]
[ 1010.582] ERROR tunnel-cbs:ziti_hosting.c:534 on_hosted_client_connect() incoming connection to service[ssh_server] failed: Service not available
[ 1010.842] INFO tunnel-cbs:ziti_tunnel_cbs.c:547 ziti_sdk_c_on_service() service unavailable: ssh_server
i might ask you to just use the zssh cheat sheet now... I am positive that works. Generally speaking when I get into this situation - it's always some little thing my brain just won't let me 'see' until I eventually find what I messed up...
This is good - makes me think that things are really close!
I'm not sure what "service not available" means. Can you show me the config? Is it pointing to "tcp:localhost:22"?
Also would be good to run ziti edge policy-advisor services
and show me that output too.
I tried changing the role attributes.. which created another error
FATAL service not found: ssh_server
this makes sense.. so I changed it back.. for a different fatal error
FATAL error when dialing service name ssh_server. unable to dial service 'ssh_server': dial failed: service QOFOXnUf8h has no terminators for identity ssh.client.ziti
so.. it found it.. but the dialing did not.. would that be about right?
Maybe I need to create that dialing config manually..?
ziti edge list terminators
id: VR7y
service: ssh_server
router: instance-20220317-1005-edge-router
binding: edge
address: hosted:b032ee03-20a5-4052-92c5-46e969209bdb
identity: cost: 0 precedence: default dynamic-cost: 0
OKAY : ssh_client (1) → ssh_server (1) Common Routers: (1/1) Dial: Y Bind: N
OKAY : ssh_server (1) → ssh_server (1) Common Routers: (1/1) Dial: N Bind: Y
I will delete the services and configs… and try manually using the cheat sheet… will revert shortly
got it.
zssh opc@ssh_server -d -s ssh-server -c .json -i .key
INFO username set to: opc
INFO targetIdentity set to: ssh_server
INFO connection to edge router using api session token 9bacfc42-265e-4917-baf8-111bad122c1f
connected.
Activate the web console with: systemctl enable --now cockpit.socket
Last login: Wed Apr 13 13:09:11 2022 from 111.220.140.199
adding /home/opc/.ziti/quickstart/instance-20220317-1005/ziti-bin/ziti-v0.25.4 to the path
I think I made the server identity and the name of the service the same… so it was getting confused… or something like that
These were all of the commands.
ziti edge create config ssh-server-host.v1 host.v1 '{"protocol":"tcp", "address":"localhost","port":22, "listenOptions": {"bindUsingEdgeIdentity":true}}'
ziti edge create config ssh-server-client-config intercept.v1 '{"protocols":["tcp"],"addresses":["ssh.server.ziti"], "portRanges":[{"low":20, "high":20}]}'
ziti edge create service ssh-server --configs ssh-server-client-config,ssh-server-host.v1
ziti edge create service-policy ssh-server-binding Bind --service-roles '@ssh-server' --identity-roles '@ssh_server'
ziti edge create service-policy ssh-server-dialing Dial --service-roles '@ssh-server' --identity-roles '@ssh_client'
My understanding is this one is actually not required.. is that correct?
this is because.. when you use the zssh.. it uses the identity "ssh_server" and the service "ssh-server" in the example below
zssh opc@ssh_server -d -s ssh-server
btw.. this is a bad naming convention.. which probably caused most of my issues.
do you have any guides... I have noticed that sometimes there is an underscore.. sometimes a period ...
What have you found the best approach?
Right - when using zssh you don't need that whatsoever. Looking at it - it's also wrong since it doesn't have the necessary ListenOptions - i should delete that....
Best approach for naming conventions - lol I WISH! I keep refining my OWN! If you look at the sort of stuff I do now, I will CLEARLY mark a service with ".svc" and I sometimes will make identities with ".id"... Since it's "any string you want" - I fall into similar traps myself. I try really hard not to reuse the exact same string anywhere because it's just so dang easy to screw up (for me). So when I add an attribute to an identity, it'll be something obvious, and plural like "sshable endpoints". Or "ssh servers" ...
I don't have any great advice other than "use what works for you"