One of the cool features of OpenSSH is ProxyCommand. ProxyCommand lets you jump through a chain of intermediate hosts you have ssh access to in order to reach a final host (inside a firewall or otherwise not directly reachable), in a way that still gives your local ssh client an end-to-end connection to that final target machine.
The standard way people do this is by ssh'ing from one host to the next to the next, possibly with wrapper scripts to make it a little easier. This method sucks: it prevents you from using password or keyboard-interactive auth, it requires you to trust each host along the way with your authentication info for all the other hosts, it makes it unwieldy to use other programs that rely on ssh for transport (scp, rsync, cvs, etc.), it means that in order to forward your agent or X11 every sshd along the way must support forwarding, and, as with auth, you must trust every host along the way with your agent and X11 forwardings. In short, it sucks.
Some slightly more savvy people use simple port forwardings to overcome some of these difficulties. This is conceptually okay, but it prevents you from doing normal key management (every host looks like localhost to the client) and it's a pain in the ass.
ProxyCommand solves all these problems. What follows is a gale chat about these issues and how to actually use ProxyCommand:
-------------------------------------------------------------------------------
To: dfmm.comp.openssh
proxycommand:
Host luca
    Hostname luca.pas.lab
    ProxyCommand ssh -a -x umberto.idealab.com "nc luca.pas.lab 22"
-- jason (jason) at 11-10 14:21:26 --
client=gsend/0.99egg
instance=dfmm.org/walter.dfmm.org/jason/ttyqd/4146
-------------------------------------------------------------------------------
To: dfmm.comp.openssh
so you add that to your .ssh/config, and then you can ssh/scp/rsync to/from
luca just as if it were directly accessible like umberto is. you don't
have to trust umberto with your luca credentials, as the umberto connection
is used strictly as transport. You don't have to worry about not having a
tty available on umberto (eg, in the case of rsync) to type your password,
as all the tty interactions will happen locally. you can use your agent
without forwarding it - this is why you always want the -a -x - you _can_
forward your agent/x11 connections between yourself and luca without having
umberto ever see them.
-- jason (jason) at 11-10 14:26:16 --
client=gsend/0.99egg
instance=dfmm.org/walter.dfmm.org/jason/ttyqd/4346
-------------------------------------------------------------------------------
To: dfmm.comp.openssh
you can chain multiple hops, of course (though quoting gets hairy) and still
have every connection be end-to-end between you and each target. The only
downsides are that you rely on netcat being ubiquitous, and you end up doing
all the client-side crypto on your local box, rather than splaying it out
over each hop. These are both pretty much non-issues with modern machines
and distributions.
-- jason (jason) at 11-10 14:31:55 --
client=gsend/0.99egg
instance=dfmm.org/walter.dfmm.org/jason/ttyqd/4508
-------------------------------------------------------------------------------
To: dfmm.comp.openssh
out of curiosity, why is it better to use netcat than another ssh in there?
-- rc (r) at 11-10 14:35:29 --
client=gsend/0.99egg
instance=dfmm.org/walter.dfmm.org/rc//4894
-------------------------------------------------------------------------------
To: dfmm.comp.openssh
you have to use netcat (or similar - telnet _might_ work if you can give it
commandline options to kill the escape character and all translations) - the
way proxycommand works is that, rather than connect over a tcp socket, it
runs that proxycommand, and expects that command's stdin/stdout to be connected
to an sshd somewhere.
if you ran an ssh inside the proxy command, it would try to speak the ssh
protocol itself, so the local ssh client wouldn't be able to.
-- jason (jason) at 11-10 14:38:23 --
client=gsend/0.99egg
instance=dfmm.org/walter.dfmm.org/jason/ttyqd/4967
-------------------------------------------------------------------------------
To: dfmm.comp.openssh
proxycommand is cool because it essentially allows you to speak ssh over
any kind of medium - imagine, eg, encrypted serial lines for a modem - it
basically removes the dependence on tcp and lets you just speak the protocol
over whatever. so when you do it this way, where you still need to speak
tcp, you use netcat to speak it for you.
-- jason (jason) at 11-10 14:41:01 --
client=gsend/0.99egg
instance=dfmm.org/walter.dfmm.org/jason/ttyqd/5051
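An added example, not part of the chat above and not from OpenSSH itself, for the multi-hop chaining jason mentions where "quoting gets hairy". The POSIX shell function below builds the nested ProxyCommand string for an arbitrary list of hops, using the same `-a -x` flags and `nc` as the chat's one-hop config line, and escapes each inner layer so that every hop's `/bin/sh -c` strips exactly one level of quoting on the way in. A second function, `peel`, simulates that one-hop parse so you can check the escaping round-trips. All hostnames other than umberto.idealab.com and luca.pas.lab are made up for the demo.

```shell
#!/bin/sh
# Added example: generate a nested ProxyCommand for a chain of ssh hops.
# Not from the chat above; hostnames other than umberto/luca are constructed.
#
# Usage: proxy_chain TARGET PORT HOP1 [HOP2 ...]
#   HOP1 is the host you can reach directly; the last hop runs nc to TARGET.
#   Each outer hop wraps the inner command in double quotes, so the inner
#   command's own quotes and backslashes get escaped one more level: the
#   shell that sshd starts on each hop (sh -c) removes exactly one layer.
proxy_chain() {
    target=$1; port=$2; hop=$3; shift 3
    if [ $# -eq 0 ]; then
        # innermost hop: nc hands the raw TCP stream to the target's sshd
        inner="nc $target $port"
    else
        # recurse inside $(...) so this frame's $hop survives the inner call
        inner=$(proxy_chain "$target" "$port" "$@")
    fi
    # escape backslashes and double quotes before wrapping in another "..."
    escaped=$(printf '%s' "$inner" | sed 's/[\\"]/\\&/g')
    # -a -x: never forward agent or X11 to an intermediate hop
    printf '%s\n' "ssh -a -x $hop \"$escaped\""
}

# peel CHAIN: what the outermost hop's shell would receive as the command
# to run, i.e. argv[5] of 'ssh -a -x HOP "..."' after sh -c parsing.
# This is only for checking the escaping; eval is safe here because the
# input is a string we generated ourselves, never untrusted data.
peel() {
    eval "set -- $1"
    shift 4
    printf '%s\n' "$*"
}

# Demo with constructed hostnames; the one-hop case reproduces the
# chat's config line exactly.
proxy_chain luca.pas.lab 22 umberto.idealab.com
proxy_chain target.pas.lab 22 umberto.idealab.com luca.pas.lab
```

On the command line the generated string goes in as `ssh -o "ProxyCommand=$(proxy_chain target.pas.lab 22 umberto.idealab.com luca.pas.lab)" target.pas.lab`; ssh passes it to your local shell with `-c`, which strips the outer quoting layer, and each hop's shell strips the next. In practice the less painful way to chain is to give every hop its own Host stanza in ~/.ssh/config and have each stanza's ProxyCommand ssh to the previous stanza's alias: ssh resolves the alias through the config recursively, so no nested quoting is ever written by hand. Newer OpenSSH also provides `ssh -W host:port` (a built-in stdio forward that replaces nc on the hop, removing the "netcat must be everywhere" dependency) and ProxyJump / `-J`, which does this chaining for you.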