What is the difference between ssh proxycommand -W, nc, exec nc
Here's how I understand it:
ProxyCommand ssh proxyserver -W [%h]:%p
The
-W
option is built into new(er) versions of OpenSSH, so this will only work on machines that have the minimum version (5.4, unless your distro back-ported any features; e.g., RHEL6 OpenSSH 5.3p1 includes this feature). Per the release notes: http://www.openssh.com/txt/release-5.4Added a 'netcat mode' to ssh(1): "ssh -W host:port ..." This connects stdio on the client to a single port forward on the server. This allows, for example, using ssh as a ProxyCommand to route connections via intermediate servers.
ProxyCommand ssh proxyserver nc -q0 %h %p 2> /dev/null
- Before the
-W
option was available, we used thenc
(or netcat) utility.nc
allows you to forward TCP & UDP packets to specified (alternate) locations and essentially behaves the same asssh -W
(asssh -W
was modeled afternc
). In order for this variation to work the intermediate host(s) require(s) thatnc
be installed and the optionAllowTcpForwarding
must be enabled in the host's sshd_config (default: yes). The option-q0
tonc
is (supposed to be) for quieting errors, but I can't find which version this was introduced. (Note:2> /dev/null
is probably to quitessh
errors, but one can usessh -q
instead.)
- Before the
ProxyCommand ssh proxyserver exec nc -q0 %h %p 2> /dev/null
This is very much the same as the second variation, except you're calling the shell's built-in function
exec
. I'm not sure, but I believe there is no difference between including or excludingexec
from theProxyCommand
; this variation should function everywhere the variation above does. For example, the Bash manual says something like this:exec [-cl] [-a name] [command [arguments]]
If command is specified, it replaces the shell. No new process is created. The arguments
become the arguments to command. If the -l option is supplied, the shell places a dash at the
beginning of the zeroth argument passed to command. This is what login(1) does. The -c
option causes command to be executed with an empty environment. If -a is supplied, the shell
passes name as the zeroth argument to the executed command. If command cannot be executed for
some reason, a non-interactive shell exits, unless the shell option execfail is enabled, in
which case it returns failure. An interactive shell returns failure if the file cannot be
executed. If command is not specified, any redirections take effect in the current shell, and
the return status is 0. If there is a redirection error, the return status is 1.
Problems with SSH ProxyCommand
The problem seems to be, that the proxy tries to login with my local rsa_key and not with the key stored on the proxy.
Yes. It does. It is by design. You don't want to copy private keys over to the proxies. Proxy command will always authenticate from your local host.
There are twa ways out:
Copy the key to your local host and configure it to be used.
Don't use
ProxyCommand
and do the simplessh
:ssh -t proxy ssh host
it will use the authentication from the second host
ssh -F configfile and ProxyCommand
Half of an answer:
Rather than using the config file recursively, try not relying on the config at all for the proxy command.
host *.server
proxycommand ssh -W %h:%p bastion.mydomain.com -p 23
This allows it to be portable, but doesn't solve your other issue of having to do this on every line, and makes changing the bastion host address a difficult process.
How to auto connect jumper or proxy and server with one command ssh
You can use something like this:
Host jump
User [username]
HostName [ip address]
Host [server ip address] [server alias]
HostName [server ip address]
User [username]
Port [port]
ProxyCommand ssh -q -W %h:%p jump 2>/dev/null
Host Jump is a proxy server.
The command that will help you take a leap on the proxy server then continue to the server is ProxyCommand.
- %h: is using your username
- %p: is using your password from id_rsa.pub.
Reference: https://www.ssh.com/ssh/config/
Is it possible to create a proxy in Remote-SSH Visual Studio Code?
Thanks to a partner, I have found a solution and it consists in changing a little bit the config file from ssh
As I am using VS Code in Windows and I wanted not to use netcat I've implemented the next command to create a proxy:
Host <target-machine-name>
HostName <target-machine-ip>
User <user>
ProxyCommand C:\Windows\System32\OpenSSH\ssh.exe -q -x <proxy-machine-name> -W %h:22
Hope it can help someone else with the same issue.
Related Topics
How to Enable or Configure Ftrace Module
Yocto: How to Install Header Files Along with Kernel Module in Sdk
The Behavior When a Gnu Make Phony Target Happens to Be The Same as a Directory Name
Compiling Kernel Error: Stdio.H: No Such File or Directory
Can't Increment a 0-Padded Number Past 8 in Busybox Sh
Format and Filter File to CSV Table
"Sudo" Fails with "Sudo Requires a Tty" When Executed from Putty Command Line
Syscall Hooking on Kali Linux (Kernel Version 5)
How to Create a Folder with a Folder Name Containing Spaces in Linux
Why Do My Keystrokes Turn into Crazy Characters After I Dump a Bunch of Binary Data into My Terminal
Insecure $Env{Path} While Running with - T Switch
How to Print Multiple Variables Using Printf
How to Join Columns of Two Files in Unix System
In Shellscript Assign Variable Based on Curl Output
How to Make a Cross Compiler Using Gcc