Home / server / Questions / 843243
Accepted
zefciu
Asked: 2017-04-08 04:05:53 +0800 CST

SSH jumping with aliases and "-F"

  • 772

I have a server in a private subnet to which I want to connect via a machine that faces the Internet. There are some tutorials for this. I used this one: https://heipei.github.io/2015/02/26/SSH-Agent-Forwarding-considered-harmful/

The problem with it is that it assumes I can edit the ~/.ssh/config file. If I am however running code on CI, I would rather use the config file shipped in my repository and use -F switch. In this case the above strategy stops working as the ssh command used as ProxyCommand doesn't load the the same configuration file and doesn't know the aliases. What I did was:

Host ansible                                                                    
  User ubuntu                                                                   
  Hostname xxx.compute.amazonaws.com                  

Host app                                                                        
  User ubuntu                                                                   
  Hostname 10.0.2.40                                                            
  ProxyCommand ssh -F test-ssh.cfg -W %h:%p ansible

This works but is a little dirty, as I need to put the name of the file into the file itself and it would break if someone changes the filename. So my question is: is there a cleaner way to create a configuration file with aliases and ProxyCommand that could be used with -F?

ssh

3 Answers

  1. Best Answer

    According to this SuperUser entry, from version 7.3p1, there is an Include directive, so you can create a config file which includes your "regular" config, but has all the ProxyCommand entries. This way, if you specify that file, the proxying connections will work, if you omit the -F switch, the default config will be read, like this:

    ~/.ssh/config:

    Host ansible
  User ubuntu
  Hostname xxx.compute.amazonaws.com

    ~/.ssh/proxyconfig:

    Include config

Host app
  User ubuntu
  Hostname 10.0.2.40
  ProxyCommand ssh -W %h:%p ansible

    If you have configs like above, you can use

    ssh -F proxyconfig app

    to reach the "app" server.

    If you can't install the aformentioned version to your client computer, you can specify the ProxyCommand in the command line, without needing a separate config file, like this:

    ssh -o ProxyCommand='ssh -W %h:%p ansible' app

    Since it is a bit uncomfortable to write the whole command every time, you might want to make an alias to the command, or - if you want to access more computers by proxy - a function, like this:

    function proxyssh {
    # The first argument is the 'stepping stone',
    # the second is the target to ssh into
    ssh -o proxyCommand="ssh -W %h:%p $1" $2
}

    and use it like

    proxyssh ansible app
    • 6

  2. For proxy hosts you don't need ProxyCommand anymore. There is a new option ProxyJump, which does the same without the need of another ssh with configuration. It will internally issue the same command, but it will also pass the -F argument if provided:

    Host ansible                                                                    
  User ubuntu                                                                   
  Hostname xxx.compute.amazonaws.com                  

Host app                                                                        
  User ubuntu                                                                   
  Hostname 10.0.2.40                                                            
  ProxyJump ansible

    This feature is available since OpenSSH 7.3.

    • 6

  3. You could do this without editing ~/.ssh/config by using ProxyCommand as a parameter.

    From OpenSSH 5.4 (2010-03-08) there has been "netcat mode":

    • Added a 'netcat mode' to ssh(1): ssh -W host:port ... This connects stdio on the client to a single port forward on the server. This allows, for example, using ssh as a ProxyCommand to route connections via intermediate servers. bz#1618

    So it is possible to:

    ssh -o ProxyCommand="ssh -W %h:%p firewall" [email protected]

    For historical versions, you can use external nc (from a SSH ProxyCommand article by Vivek Gite):

    ssh -o ProxyCommand='ssh user@firewall nc 10.0.2.40 22' [email protected]

    Where

    • firewall is the server facing the Internet.
    • 10.0.2.40 is the server on the local network.
    • netcat (nc) is used to set and establish a TCP pipe between the servers on your local network.
    • 2