Use ProxyCommand for all SSH Connections
Solution 1
The example above will make it recursive, that every connection will use a proxy command, which is again ssh with another proxy command. Good way to DOS your proxy.
You should exclude the proxy from the list, use -F /dev/null
to ignore the configuration for the proxy command or just ignore the proxy command for the proxy ssh:
ProxyCommand ssh -oProxyCommand=none my_user@proxy_ssh.example.com netcat -w 120 %h %p
Solution 2
Add an entry to the config for the jump host that overrides the proxy command:
Host proxy_ssh.example.com
ProxyCommand none
Otherwise it will try to use the proxy command to get to the jump host itself.
Related videos on Youtube
latz
Started as a child with QBasic quickly got to known Turbo Pascal and jumped quite quickly after that to Java. At quite an early age I got introduce to the world of Linux. Starting with Slackware 3.6 and quickly migrating to Red Hat at the time I had a lot new ground to cover, and new experiences to gather such as Bash, perl and php. Later in my life I adopted to languages such as python and go with the later being some sort of a hobby at the moment. Currently I am working in Luxembourg as a Backend Developer/Sysadmin working mostly with python and Linux.
Updated on September 18, 2022Comments
-
latz over 1 year
I was playing around with the idea of having a SSH Proxy Server or otherwise called Jump Host, which I would use to connect to all of my "hidden" Servers. So basically I have the following setup. Please note I intentionally use IP addresses here instead of hostname.
<client> ---> <proxy_ssh> ---> <192.168.0.*>
My intention is that it should be as transparent for the users as possible. So ideally the users should only have to execute the following command
# ssh [email protected]
To get this working I've created the following
.ssh/config
.Host * ServerAliveInterval 240 Compression yes ForwardAgent yes ForwardX11 yes Host 192.168.0.* ProxyCommand ssh my_user@proxy_ssh.example.com netcat -w 120 %h %p
This works fine. But it is kind of tedious if I would have more networks to work with behind my
proxy_ssh
server. So I've tried simply adding theProxyCommand
to theHost *
section which did not work.I've wanted to make this more transparent for the end user, and changed the ssh config to the following, simply leaving out the specific Host definition.
Host * ServerAliveInterval 240 Compression yes ForwardAgent yes ForwardX11 yes ProxyCommand ssh my_user@proxy_ssh.example.com netcat -w 120 %h %p
This had the impact that I was not able to connect any longer to the endhost. The connection simply timed out!
So hence my question is there any way of having this more transparent in such a way that all of my SSH connection would use the
proxy_ssh
host?-
Jakuje over 7 yearswhich did not work. ... what errors you get? How the configuration looked like?
-
latz over 7 yearsAdded the example I've actually tried
-
Jakuje over 7 yearsThe example above will make it recursive, that every connection will use a proxy command, which is ssh with just another proxy commmand. Good way to DOS your proxy. You should exclude the proxy from the list or use
-F /dev/null
to ignore the configuration for the proxy command. -
latz over 7 yearsBy specifying
-F /dev/null
I will overwrite the config all together If I understand the man page correctly. That's not what I want. -
Jakuje over 7 yearsOnly in the
ProxyCommand
ssh. The other possibility is to overwrite only theProxyCommand
using-oProxyCommand=none
. -
latz over 7 yearsOk Perfect that works like a charm. So I've edited the line ProxyCommand
.ssh/config
to the followingProxyCommand ssh -oProxyCommand=none my_user@proxy_ssh.example.com netcat -w 120 %h %p
. So in fact you can post exactly that as answer :) -
Anthony over 6 yearsMore importantly, if you have these sort of wildcard configurations, have them appear later in your
.config
, after the more specific entries. According to man.openbsd.org/OpenBSD-current/man5/ssh_config.5 the first encountered value for a specific value is the one used, so a later "override" will be ignored.
-