To ssh from one network to some servers, I have to use a hop in between,
i.e. two concatenated ssh sessions are necessary. Is there a way to use
the sshd in the middle as something like a "proxy" so I can just ssh to
the destination machine? "ssh -N -D <port> localhost" would need an
additional port opened in the firewall ...
TIA
fw

I'm not sure why you'd "ssh -D <port> localhost" at any step, or need to
open a firewall port.
Let's call your three machines C (client), S1 (intermediate server), S2
(final server); S2 is not directly reachable from C.
On C, I'd do: "ssh -D <port> S1", creating a SOCKS proxy listening on
localhost:<port> on C.
(Optionally with -N or similar.)
Then, again on C, I'd run something like:
ssh -o ProxyCommand='connect -S localhost:<port> %h %p' S2
(I'm a bit vague about the details here, as I usually use PuTTY for this
sort of trick, which has built-in proxy support. "connect" is a common
SOCKS client that's separate from SSH -- it's packaged as
"connect-proxy" in Debian-derived Linux distributions, for instance --
and I've probably got the invocation wrong.)
Since the SOCKS proxy and SOCKS client will both be running on C, on the
loopback interface, there shouldn't be any need to mess around with
firewalls.
Alternatively, you might be able to use 'ssh' as the ProxyCommand
directly, something like
ssh -o ProxyCommand="ssh S1 nc %h %p" S2
although I'm not sure what happens if the "ssh S1" instance needs to
prompt for a password or similar.

>I'm not sure why you'd "ssh -D<port> localhost" at any step or need to
>open a firewall port.
That was because I hadn't really understood the "-D" option yet ...
>Let's call your three machines C (client), S1 (intermediate server), S2
>(final server); S2 is not directly reachable from C.
>
>On C, I'd do: "ssh -D<port> S1", creating a SOCKS proxy listening on
>localhost:<port> on C.
>
>(Optionally with -N or similar.)
>
>Then, again on C, I'd run something like:
> ssh -o ProxyCommand='connect -S localhost:<port> %h %p' S2
Ok, now I see how this proxy thing is supposed to work ... thanks!
>(I'm a bit vague about the details here, as I usually use PuTTY for this
>sort of trick, which has built-in proxy support. "connect" is a common
>SOCKS client that's separate from SSH -- it's packaged as
>"connect-proxy" in Debian-derived Linux distributions, for instance --
>and I've probably got the invocation wrong.)
I know it; I've used it many times in the past.
>Since the SOCKS proxy and SOCKS client will both be running on C, on the
>loopback interface, there shouldn't be any need to mess around with
>firewalls.
see above
>Alternatively, you might be able to use 'ssh' as the ProxyCommand
>directly, something like
> ssh -o ProxyCommand="ssh S1 nc %h %p" S2
That was also one of my ideas but I didn't think of "nc" to connect the
two ssh streams. The problem is that S1 doesn't have "nc" installed and
I have no control over S1.
>although I'm not sure what happens if the "ssh S1" instance needs to
>prompt for a password or similar.
I think this works.
Another idea was port forwarding but that's unusable for many S2s ...
The current approach is "ssh -t S1 'ssh S2'", which is not perfect but
works so far ...
Regards
fw
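Added example, not from the thread: an ssh_config on C that reaches S2 through S1 using ssh's own -W forwarding instead of nc, so nothing has to be installed on S1; the host names and user name are placeholders, and it assumes S1's sshd permits TCP forwarding.

```sshconfig
# ~/.ssh/config on C.  Added example; s1.example.com, s2.example.com and the
# user name are placeholders, not values from the thread.
Host S1
    HostName s1.example.com
    User fw
    # Authenticate to S1 with a key held on C.  Keep the agent on C:
    # a compromised S1 must not be able to use C's keys.
    ForwardAgent no

Host S2
    HostName s2.example.com
    User fw
    # "ssh -W host:port S1" asks S1's sshd for a direct TCP forward to S2
    # (needs AllowTcpForwarding on S1), replacing "ssh S1 nc %h %p" so nc
    # need not exist on S1.
    ProxyCommand ssh -W %h:%p S1
    # OpenSSH 7.3 and later can express the same hop in one line:
    #   ProxyJump S1
```

Unlike "ssh -t S1 'ssh S2'", the session to S2 is authenticated and encrypted end to end from C, so S1 only relays ciphertext and never sees the password or keystrokes for S2. Host-key checking for S2 also happens on C, so S2's key lands in C's known_hosts rather than S1's.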