
Thursday, 14 February 2013

ProxyCommand

Imagine: your work is done on a local network heavily protected by firewalls and proxies the size of an industrial washing machine. Only a few connections, the most typical ones, get out of the LAN onto the Internet and, of course, anything leaving for or arriving on port 22 is routinely dropped, which stops you from connecting to your home server.

If we let the mind wander a little further, there is a simple and easy way to get through the proxy and outside. But, like all good things, it has conditions. One of them, I suppose thanks to the firewall, is that it is highly recommended that the ssh port your home server listens on be 443 or 8080. That is, a port the proxy recognises and, more importantly, lets through without complaint: most HTTP proxies only accept the CONNECT method towards 443 (and sometimes 8080), so the sshd at home must be configured to listen on one of those ports.

On the computer inside the local network, install a package that lets us create the proxy tunnels:

sudo aptitude install connect-proxy

Then, on that same computer, edit the file ~/.ssh/config and add these lines:

# Connections out of the local network
Host server.n1mh.org
ProxyCommand connect -H user@proxy:8080 %h 8080

# Connections within the local network (not using the proxy)
Host *
ProxyCommand connect %h %p

Of course, you can add as many entries of the first kind as you need; keep them above the Host * block, because ssh uses the first value it finds for each option. This configuration says that for connections to server.n1mh.org, ssh should run the ProxyCommand and establish a tunnel with these parameters:

-H specifies the proxy to use, as user, host and port respectively;
%h is the server you want to connect to, as defined in the Host line, followed by the port it listens on, which in this case is 8080 (alternatively, put Port 8080 in the Host block and write %p instead of the literal port).

After this minimal configuration, we just start the connection as we always have:

diego@workaholic $ ssh diego@server.n1mh.org

And we'll be at home ... because there is no place like home.
-------------------------------------------------------------------------
If you work in an office where the only way to "go online" is through an HTTP proxy, you can use SSH with ProxyCommand (and by extension SFTP) to connect to a remote host anyway.

In ~/.ssh/config add:

Host *
ProxyCommand connect -H proxy:PUERTO_PROXY %h %p

replacing, obviously, proxy and PUERTO_PROXY with the host and port of your proxy. With Host * every ssh connection goes through the proxy; use a more specific Host pattern if only some should.

With a little port forwarding you can also get around the port restrictions the firewall imposes. You could even leave the connection open and get into your office PC from outside, and have a laugh at the sysadmin who won't give you a VPN. Leaving the connection open means a reverse tunnel (ssh -R) whose other end is a listening port on the remote host: anyone who can reach that port reaches your office PC, so keep it bound to localhost (the default unless GatewayPorts is set) and have the sshd on the PC accept keys only.
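Both sections above depend on the connect-proxy binary without showing what it does on the wire. The following is an added example, not code from either post or from connect-proxy: a minimal HTTP CONNECT ProxyCommand in Python that does the same job as `connect -H user@proxy:8080 %h %p`, so you can see the exchange the proxy sees (one CONNECT request, a 200 reply, then raw SSH bytes) and run an offline demonstration against a constructed fake proxy on localhost. The `user:pass@proxy:port` spec format, the script name and the host names are assumptions made for the example.

```python
"""Minimal HTTP CONNECT ProxyCommand in Python (added example, not the connect-proxy
package the post installs).  Like `connect -H user@proxy:8080 %h %p`: one CONNECT request,
check for a 200 reply, then relay raw SSH bytes between our stdin/stdout and the proxy."""
import base64
import os
import select
import socket
import sys
import threading
from urllib.parse import urlsplit

def parse_proxy_spec(spec):
    """'user:pass@proxy:8080' -> ('proxy', 8080, 'user:pass'); port defaults to 8080."""
    u = urlsplit("http://" + spec)
    auth = None if u.username is None else f"{u.username}:{u.password or ''}"
    return u.hostname, u.port or 8080, auth

def build_connect_request(host, port, proxy_auth=None):
    """Bytes the proxy sees.  Basic auth is only base64: the proxy password crosses the LAN in clear."""
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    if proxy_auth:
        lines.append("Proxy-Authorization: Basic " + base64.b64encode(proxy_auth.encode()).decode())
    return ("\r\n".join(lines) + "\r\n\r\n").encode()

def read_response_head(sock):
    """Read the proxy's reply headers -> (status, leftover); leftover bytes are already SSH data."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk or len(buf) > 65536:
            raise ConnectionError("proxy closed early or sent oversized headers")
        buf += chunk
    head, leftover = buf.split(b"\r\n\r\n", 1)
    parts = head.split(b"\r\n", 1)[0].decode("latin-1").split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ConnectionError(f"malformed proxy status line: {parts}")
    return int(parts[1]), leftover

def open_tunnel(proxy_host, proxy_port, target_host, target_port, proxy_auth=None):
    """Connect to the proxy and issue CONNECT; returns (socket, leftover)."""
    sock = socket.create_connection((proxy_host, proxy_port))
    sock.sendall(build_connect_request(target_host, target_port, proxy_auth))
    status, leftover = read_response_head(sock)
    if status != 200:
        sock.close()
        raise ConnectionError(f"proxy refused CONNECT {target_host}:{target_port}: HTTP {status}")
    return sock, leftover

def relay(sock, leftover, in_fd=0, out_fd=1):
    """Pump bytes between ssh (our stdin/stdout) and the tunnel until either side closes."""
    os.write(out_fd, leftover)
    readers = [sock, in_fd]
    while True:
        ready, _, _ = select.select(readers, [], [])
        if sock in ready:
            data = sock.recv(65536)
            if not data:
                return
            os.write(out_fd, data)
        if in_fd in ready:
            data = os.read(in_fd, 65536)
            if data:
                sock.sendall(data)
            else:  # ssh closed its end: stop sending, but drain what the server still has
                sock.shutdown(socket.SHUT_WR)
                readers = [sock]

def fake_proxy_roundtrip(reply_status=200):
    """Offline demo: a one-shot fake proxy on localhost answers CONNECT with reply_status
    and, on 200, sends a constructed SSH banner right behind its headers (the leftover case)."""
    seen, lsock = {}, socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(1)

    def serve():
        conn, _ = lsock.accept()
        with conn:
            req = conn.recv(4096)  # the CONNECT request fits one segment on loopback
            seen["request_line"] = req.split(b"\r\n", 1)[0].decode()
            banner = b"SSH-2.0-FakeServer\r\n" if reply_status == 200 else b""
            conn.sendall(f"HTTP/1.1 {reply_status} Fake\r\n\r\n".encode() + banner)

    t = threading.Thread(target=serve)
    t.start()
    try:
        sock, banner = open_tunnel("127.0.0.1", lsock.getsockname()[1], "server.n1mh.org", 443, "user:pass")
        if not banner:  # headers and banner arrived as separate segments
            banner = sock.recv(4096)
        seen["banner"] = banner.decode()
        sock.close()
    except ConnectionError as e:
        seen["error"] = str(e)
    t.join()
    lsock.close()
    return seen

if __name__ == "__main__":  # ProxyCommand python3 http_connect.py -H [user:pass@]proxy[:port] %h %p
    phost, pport, auth = parse_proxy_spec(sys.argv[2])
    relay(*open_tunnel(phost, pport, sys.argv[3], int(sys.argv[4]), auth))
```

Two points the script makes explicit that the one-line config hides: whatever the proxy sends after its blank line is already the server's SSH banner and must be passed on, not discarded; and the only thing protecting the proxy password is the LAN, since Proxy-Authorization is plain base64. The proxy also sees the destination host and port in clear, which is exactly why it can be told to allow 443 and 8080 and refuse 22.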

-----------------------------------------------------------------------------------
proxycommand to the rescue

I discussed today with a web developer who needed to reach a machine through ssh that was not directly accessible from the wild Internet. In fact, she told me that she takes a shell on each hop with ssh agent forwarding and from that shell launches another ssh session. Well, of course that works, but my question was "Why don't you just simply use a ProxyCommand in your ~/.ssh/config for that host?". I have discussed this with quite a few people in the last months who did not know about that ProxyCommand feature in OpenSSH, so once again it was time to at least blog about it.
From `man ssh_config`:
ProxyCommand
Specifies the command to use to connect to the server ...
The man page has an example, but what I do is use ssh itself as the ProxyCommand. Just an example: suppose you need to reach HostB (not reachable from where you are) but you can reach HostA (and HostA can reach HostB). You can configure your ~/.ssh/config like this:
Host HostB
Hostname the.known.fqdn.as.resolvable.by.HostA
User arrfab
# Not needed for the hop itself (your own client authenticates to HostB end to end);
# keep it only if you want your keys usable from a shell on HostB.
ForwardAgent yes
Port 22
# nc must exist on HostA; `ssh -W %h:%p remoteuser@HostA.with.ssh.access`
# (OpenSSH 5.4 and later) does the same without it.
ProxyCommand ssh remoteuser@HostA.with.ssh.access nc %h %p


And what if you need to reach HostC, which itself is only reachable from HostB? Let's just define a new Host section in ~/.ssh/config with another ProxyCommand!
Host HostC
Hostname the.known.fqdn.as.resolvable.by.HostB
User arrfab
ForwardAgent yes
Port 22
ProxyCommand ssh remoteuser@HostB nc %h %p

You can now directly use `ssh HostC` from your laptop/workstation and have a direct shell on HostC, even though it has to open a connection to HostA and from there to HostB to finish on HostC. That also works for scp/sftp, so you can directly copy/retrieve files to/from HostC instead of copying from one host to the next hop. More information about those features and the correct syntax in `man ssh_config`.
Hope that you can find that useful if you didn't know that already.

from http://www.arrfab.net/blog/?p=246
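The post writes the two-hop chain by hand. As an added example (not arrfab's code or OpenSSH's), here is the same pattern generalised to any number of hops, written in Python so the stanzas are generated and checked rather than typed: each stanza's ProxyCommand runs ssh to the previous alias, which makes ssh apply that alias's own stanza recursively. The hop aliases, hostnames and user names are constructed for the demonstration; `ssh -W` needs OpenSSH 5.4 or later and `ssh -G` 6.8 or later.

```python
"""Chained ProxyCommand stanzas for any number of hops (added example; the post
hand-writes the two-hop case).  Each stanza says "ssh to the previous alias and open
a connection from there to %h:%p", so `ssh HostC` makes your own client talk end to
end to HostC and authenticate to every hop from your workstation.  Hop names and
hostnames below are hypothetical."""
import os
import re
import shutil
import subprocess
import tempfile

# After %h/%p expansion the ProxyCommand string is handed to your login shell, so an
# alias or hostname carrying shell metacharacters (or a leading '-') reaches that shell.
SAFE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def is_safe(value):
    return bool(SAFE.match(value))


def chain_config(hops, stdio_forward=True):
    """hops: ordered (alias, hostname, user) tuples, first hop reachable directly.
    stdio_forward=True emits `ssh -W %h:%p` (nothing needed on the hop); False emits
    the post's `nc %h %p` form, which needs nc installed on the hop."""
    stanzas = []
    for i, (alias, hostname, user) in enumerate(hops):
        for value in (alias, hostname, user):
            if not is_safe(value):
                raise ValueError(f"refusing unsafe ssh_config value: {value!r}")
        lines = [f"Host {alias}", f"Hostname {hostname}", f"User {user}"]
        if i > 0:  # the first hop has no ProxyCommand: it is reached directly
            prev = hops[i - 1][0]
            cmd = f"ssh -W %h:%p {prev}" if stdio_forward else f"ssh {prev} nc %h %p"
            lines.append(f"ProxyCommand {cmd}")
        stanzas.append("\n".join(lines))
    return "\n\n".join(stanzas) + "\n"


def path_to(hops, alias):
    """Aliases the connection is opened through, in order, to reach `alias`."""
    names = [h[0] for h in hops]
    return names[: names.index(alias) + 1]


def effective_proxycommand(config_text, alias):
    """Ask the real client what it would run: `ssh -G` prints the effective options
    without connecting.  Returns None when ssh is not installed."""
    if shutil.which("ssh") is None:
        return None
    with tempfile.NamedTemporaryFile("w", suffix=".sshconfig", delete=False) as f:
        f.write(config_text)
    try:
        out = subprocess.run(["ssh", "-G", "-F", f.name, alias], capture_output=True, text=True).stdout
    finally:
        os.unlink(f.name)
    for line in out.splitlines():
        if line.startswith("proxycommand "):
            return line[len("proxycommand "):]
    return None


HOPS = [  # constructed chain: workstation -> HostA -> HostB -> HostC
    ("HostA", "hosta.example.net", "remoteuser"),
    ("HostB", "hostb.internal.example", "remoteuser"),
    ("HostC", "hostc.internal.example", "arrfab"),
]

if __name__ == "__main__":
    text = chain_config(HOPS)
    print(text)
    print("path to HostC:", " -> ".join(path_to(HOPS, "HostC")))
    print("ssh -G proxycommand for HostC:", effective_proxycommand(text, "HostC"))
```

Nothing in the generated chain needs ForwardAgent: with ProxyCommand your own ssh client authenticates to HostA, then HostB, then HostC through the nested tunnels, so private keys and the agent never leave the workstation; set ForwardAgent only for a hop on which you actually need the agent in the remote shell. On OpenSSH 7.3 and later the same chain can be written as a single `ProxyJump HostA,HostB` line in HostC's stanza (or `ssh -J HostA,HostB HostC`), which OpenSSH implements by generating an `ssh -W` ProxyCommand of exactly this shape.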