Ssh - Help Understanding Proxy Command

What is the difference between ssh proxycommand -W, nc, exec nc

Here's how I understand it:

  1. ProxyCommand ssh proxyserver -W [%h]:%p

    • The -W option is built into new(er) versions of OpenSSH, so this will only work on machines that have the minimum version (5.4, unless your distro back-ported any features; e.g., RHEL6 OpenSSH 5.3p1 includes this feature). Per the release notes: http://www.openssh.com/txt/release-5.4

      Added a 'netcat mode' to ssh(1): "ssh -W host:port ..." This connects stdio on the client to a single port forward on the server. This allows, for example, using ssh as a ProxyCommand to route connections via intermediate servers.

  2. ProxyCommand ssh proxyserver nc -q0 %h %p 2> /dev/null

    • Before the -W option was available, we used the nc (or netcat) utility. nc allows you to forward TCP & UDP packets to specified (alternate) locations and essentially behaves the same as ssh -W (as ssh -W was modeled after nc). In order for this variation to work the intermediate host(s) require(s) that nc be installed and the option AllowTcpForwarding must be enabled in the host's sshd_config (default: yes). The option -q0 to nc is (supposed to be) for quieting errors, but I can't find which version this was introduced. (Note: 2> /dev/null is probably to quite ssh errors, but one can use ssh -q instead.)

  3. ProxyCommand ssh proxyserver exec nc -q0 %h %p 2> /dev/null

    • This is very much the same as the second variation, except you're calling the shell's built-in function exec. I'm not sure, but I believe there is no difference between including or excluding exec from the ProxyCommand; this variation should function everywhere the variation above does. For example, the Bash manual says something like this:

      exec [-cl] [-a name] [command [arguments]]

      If command is specified, it replaces the shell. No new process is created. The arguments
      become the arguments to command. If the -l option is supplied, the shell places a dash at the
      beginning of the zeroth argument passed to command. This is what login(1) does. The -c
      option causes command to be executed with an empty environment. If -a is supplied, the shell
      passes name as the zeroth argument to the executed command. If command cannot be executed for
      some reason, a non-interactive shell exits, unless the shell option execfail is enabled, in
      which case it returns failure. An interactive shell returns failure if the file cannot be
      executed. If command is not specified, any redirections take effect in the current shell, and
      the return status is 0. If there is a redirection error, the return status is 1.

Problems with SSH ProxyCommand

The problem seems to be, that the proxy tries to login with my local rsa_key and not with the key stored on the proxy.

Yes. It does. It is by design. You don't want to copy private keys over to the proxies. Proxy command will always authenticate from your local host.

There are twa ways out:

  • Copy the key to your local host and configure it to be used.

  • Don't use ProxyCommand and do the simple ssh:

    ssh -t proxy ssh host

    it will use the authentication from the second host

ssh -F configfile and ProxyCommand

Half of an answer:
Rather than using the config file recursively, try not relying on the config at all for the proxy command.

host *.server
proxycommand ssh -W %h:%p bastion.mydomain.com -p 23

This allows it to be portable, but doesn't solve your other issue of having to do this on every line, and makes changing the bastion host address a difficult process.

How to auto connect jumper or proxy and server with one command ssh

You can use something like this:

Host jump
        User [username]
        HostName [ip address]

Host [server ip address] [server alias]
        HostName [server ip address]
        User [username]
        Port [port]
        ProxyCommand ssh -q -W %h:%p jump 2>/dev/null

Host Jump is a proxy server.

The command that will help you take a leap on the proxy server then continue to the server is ProxyCommand.

  • %h: is using your username
  • %p: is using your password from id_rsa.pub.

Reference: https://www.ssh.com/ssh/config/

Is it possible to create a proxy in Remote-SSH Visual Studio Code?

Thanks to a partner, I have found a solution and it consists in changing a little bit the config file from ssh

As I am using VS Code in Windows and I wanted not to use netcat I've implemented the next command to create a proxy:

Host <target-machine-name>
HostName <target-machine-ip>
User <user>
ProxyCommand C:\Windows\System32\OpenSSH\ssh.exe -q -x <proxy-machine-name> -W %h:22

Hope it can help someone else with the same issue.


Related Topics

How to Enable or Configure Ftrace Module

Yocto: How to Install Header Files Along with Kernel Module in Sdk

The Behavior When a Gnu Make Phony Target Happens to Be The Same as a Directory Name

Compiling Kernel Error: Stdio.H: No Such File or Directory

Dpkg Remove to Stop Processes

Can't Increment a 0-Padded Number Past 8 in Busybox Sh

Format and Filter File to CSV Table

"Sudo" Fails with "Sudo Requires a Tty" When Executed from Putty Command Line

Syscall Hooking on Kali Linux (Kernel Version 5)

How to Create a Folder with a Folder Name Containing Spaces in Linux

Why Do My Keystrokes Turn into Crazy Characters After I Dump a Bunch of Binary Data into My Terminal

Insecure $Env{Path} While Running with - T Switch

How to Print Multiple Variables Using Printf

How to Join Columns of Two Files in Unix System

In Shellscript Assign Variable Based on Curl Output

How to Make a Cross Compiler Using Gcc

How to Stop Page Cache for Disk I/O in My Linux System

Mongodb Service Fails After Reboot


Leave a reply



Submit