
Examples of ProxyCommand?


ghand

Apr 26, 2012, 9:47:41 PM

As a test to find some examples of using ProxyCommand, I tried

ProxyCommand nc %h %p

That seemed to make no change I could see.

I have 3 computers with ssh servers on them and I'm trying to do some example
ProxyCommand lines so I can see what they do.

The only one I've got to work is ProxyCommand nc %h %p and I can't see
it doing anything.

And others I've tried aren't working.

One site said

ProxyCommand ssh user@intermediatehost nc %h %p

and to ssh to internalhost and it'd go through that.

But when I tried it just hung.

I did Ctrl-C and it said

ssh_exchange_identification: Connection closed by remote host







Wolfgang Meiners

Apr 27, 2012, 10:31:30 AM
On 27.04.12 03:47, ghand wrote:
> As a test to find some examples of using ProxyCommand, I tried
>
> ProxyCommand nc %h %p
>
> that seemed to make no change I could see..
>

Why do you think you need ProxyCommand? Usually this is needed if you
have to connect to a host which is not directly reachable.

So let's assume you have a client computer C, with ssh installed.

Let's assume there is a second computer H, the host running sshd, which
is standing behind a firewall and cannot be reached directly by C.

Connecting from C to H is possible if there is an intermediate host IH
with an sshd, to which you can connect from C, and which can connect to
H. The simplest way would be something like

ssh IHUser@IH

and then, from IH:

ssh HUser@H

where IHUser is a valid user at the intermediate Host IH and HUser is a
valid user at host H.

You could also reach this by the one command

ssh -At IHUser@IH ssh HUser@H

when PubkeyAuthentication is set up correctly on host IH and H and you
use the same public key on host IH and H. But how do you set up a tunnel
from C to H? There is a third possibility (and there are further
possibilities, too):

ssh -oProxyCommand="ssh IHUser@IH nc %h %p" HUser@H

This gives you a connection from C to H, and you can set up a tunnel:

ssh -L 8080:localhost:80 -oProxyCommand="ssh IHUser@IH nc %h %p" HUser@H

assuming there is a http-server listening at port 80 on host H.

Of course, there has to be nc at the intermediate host IH for this to
work. To understand how this works, you should read
man 5 ssh_config (look for ProxyCommand)
and
man ssh (look for -o)

If everything works as expected, you can put the correct ProxyCommand
into ~/.ssh/config

(But if you just need a tunnel from C to H, you could simply run

ssh -L 8080:H:80 IHUser@IH

so I am not sure you really need ProxyCommand at all)

Wolfgang

ghand

Apr 28, 2012, 2:26:45 AM
I'm just trying to learn how ProxyCommand works..so just getting it working..

so am looking at trying some examples

I looked at man ssh_config
it mentioned
ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p

I am on cygwin and the nc in the package there doesn't have -X and -x

So, I tried

ProxyCommand nc 192.168.1.7:808 %h %p

and I can do
$ curl --proxy 192.168.1.7:808 http://ifconfig.me/ip
(so the http proxy is up)

but when I did
ssh destcomp
it said
$ ssh destcompuser@destcomp
192.168.1.7:808: forward host lookup failed: : Operation not permitted
ssh_exchange_identification: Connection closed by remote host

Still looking into ProxyCommand,
On to your example..
I've got a web server on the destcomp

$ ssh -L 456:localhost:80 -oProxyCommand="ssh IHuser@IH nc %h %p"

from another window-
>curl 127.0.0.1:456
curl: (56) Recv failure: Connection was reset

then in the window where I did the $ssh -L...
it says

$ channel 2: open failed: connect failed: Operation not permitted
channel 2: open failed: connect failed: Operation not permitted
channel 2: open failed: connect failed: Operation not permitted









ghand

Apr 28, 2012, 2:41:47 AM

"ghand" <gha...@hotmail.com> wrote:
>
.
>curl: (56) Recv failure: Connection was reset
>
typo, curl said (80) not (56). (80 is web server port).


Wolfgang Meiners

Apr 28, 2012, 8:17:37 AM
On 28.04.12 08:26, ghand wrote:
>
> I'm just trying to learn how ProxyCommand works..so just getting it working..
>
> so am looking at trying some examples
>
> I looked at man ssh_config
> it mentioned
> ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p
>

It seems we are talking about different things. The command

ssh -L 456:localhost:80 -oProxyCommand="ssh IHuser@IH nc %h %p" HUser@H

means there is an intermediate host IH running an ssh-server and you
connect via this ssh-server to host H. What you try to do is something
quite different. The command

ssh -L 456:localhost:80 \
-oProxyCommand="/usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p" \
HUser@H

is useful if you have a firewall on the client side, that does not allow
ssh connections from your client, so

ssh -L 456:localhost:80 HUser@H

would not work from your client. In this case, you try to connect via
proxy and the proxy is a https-proxy which is located at 192.0.2.0:8080.

For this to work, there must be a proxy at 192.0.2.0, port 8080 and this
proxy must allow ssh-connections. If you don't have nc with appropriate
options (-X, -x), then you should replace nc by a command that can be used.

So, you could try

ssh -L 456:localhost:80 \
-oProxyCommand="curl --proxytunnel --proxy 192.0.2.0:8080 %h %p" \
HUser@H

Of course, you must replace 192.0.2.0:8080 with address:port of your
proxyserver and HUser@H with your ssh-server and a valid user at this
server. Since I don't have a proxyserver here, I cannot test whether it
does work or not. But there are proxyservers which do not allow
connections to an ssh-server.

Wolfgang
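
Added example, not part of the thread and not OpenSSH code: a ProxyCommand helper for the case discussed above where the local nc has no -X/-x options. It sends an HTTP CONNECT for %h:%p to the proxy and then relays ssh's stdin/stdout over that connection; the script name connect_proxy.py and the function names are assumptions, and 192.0.2.0:8080 is the placeholder proxy address quoted from the man page.

```python
# connect_proxy.py (hypothetical name): added example, not code from the thread.
# ssh speaks SSH over the ProxyCommand's stdin/stdout; this helper gets the byte
# stream to %h:%p from an HTTP proxy with CONNECT, like `nc -X connect -x ...`.
# ssh_config:  ProxyCommand python3 connect_proxy.py 192.0.2.0:8080 %h %p
import os
import selectors
import socket
import sys

def open_tunnel(proxy_host, proxy_port, host, port, timeout=10):
    """Ask the proxy for a tunnel to host:port; return (socket, early_bytes)."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    sock.sendall(f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode())
    buf = b""
    while b"\r\n\r\n" not in buf and (chunk := sock.recv(4096)):
        buf += chunk                           # collect the proxy's response headers
    head, sep, early = buf.partition(b"\r\n\r\n")
    status = head.split(b"\r\n", 1)[0].decode("latin-1").split()
    if not sep or len(status) < 2 or not status[1].startswith("2"):
        sock.close()                           # e.g. 403: proxy does not allow this target
        raise ConnectionError("proxy refused CONNECT: " + " ".join(status))
    sock.settimeout(None)
    return sock, early                         # early: bytes that followed the headers

def write_all(fd, data):
    while data:                                # os.write may write only part of data
        data = data[os.write(fd, data):]

def relay(sock, early=b"", fd_in=0, fd_out=1):
    """Copy fd_in -> sock and sock -> fd_out until either side closes."""
    write_all(fd_out, early)
    with selectors.DefaultSelector() as sel:
        sel.register(sock, selectors.EVENT_READ, (sock.recv, lambda d: write_all(fd_out, d)))
        sel.register(fd_in, selectors.EVENT_READ, (lambda n: os.read(fd_in, n), sock.sendall))
        while True:
            for key, _ in sel.select():
                read, write = key.data
                data = read(65536)
                if not data:
                    return
                write(data)

if __name__ == "__main__":                     # argv: PROXY_HOST:PROXY_PORT %h %p
    try:
        p_host, _, p_port = sys.argv[1].rpartition(":")
        relay(*open_tunnel(p_host, int(p_port), sys.argv[2], int(sys.argv[3])))
    except (OSError, ValueError, IndexError) as exc:
        sys.exit(f"connect_proxy: {exc}")      # message goes to stderr, exit status 1
```

When the proxy answers with anything other than a 2xx status, the helper exits and ssh reports the closed connection, while the proxy's status line appears on stderr.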