Use ProxyCommand for all SSH Connections


Solution 1

The example above will make it recursive, so that every connection will use a proxy command, which is again ssh with another proxy command. Good way to DOS your proxy.

You should exclude the proxy from the list, use -F /dev/null to ignore the configuration for the proxy command or just ignore the proxy command for the proxy ssh:

ProxyCommand ssh -oProxyCommand=none my_user@proxy_ssh.example.com netcat -w 120 %h %p

Solution 2

Add an entry to the config for the jump host that overrides the proxy command:

Host proxy_ssh.example.com
  ProxyCommand none

Otherwise it will try to use the proxy command to get to the jump host itself.


Author: latz

Started as a child with QBasic, quickly got to know Turbo Pascal and jumped quite quickly after that to Java. At quite an early age I got introduced to the world of Linux. Starting with Slackware 3.6 and quickly migrating to Red Hat at the time, I had a lot of new ground to cover and new experiences to gather, such as Bash, Perl and PHP. Later in my life I adopted languages such as Python and Go, with the latter being some sort of a hobby at the moment. Currently I am working in Luxembourg as a Backend Developer/Sysadmin, working mostly with Python and Linux.

Updated on September 18, 2022

Comments

  • latz
    latz over 1 year

    I was playing around with the idea of having an SSH Proxy Server, otherwise called a Jump Host, which I would use to connect to all of my "hidden" Servers. So basically I have the following setup. Please note I intentionally use IP addresses here instead of hostnames.

    <client> ---> <proxy_ssh> ---> <192.168.0.*>

    My intention is that it should be as transparent for the users as possible. So ideally the users should only have to execute the following command:

    # ssh [email protected]

    To get this working I've created the following .ssh/config.

    Host *
        ServerAliveInterval 240
        Compression yes
        ForwardAgent yes
        ForwardX11 yes

    Host 192.168.0.*
        ProxyCommand ssh my_user@proxy_ssh.example.com netcat -w 120 %h %p

    This works fine. But it is kind of tedious if I had more networks to work with behind my proxy_ssh server. So I've tried simply adding the ProxyCommand to the Host * section, which did not work.

    I wanted to make this more transparent for the end user, and changed the ssh config to the following, simply leaving out the specific Host definition.

    Host *
        ServerAliveInterval 240
        Compression yes
        ForwardAgent yes
        ForwardX11 yes
        ProxyCommand ssh my_user@proxy_ssh.example.com netcat -w 120 %h %p

    This had the impact that I was not able to connect to the end host any longer. The connection simply timed out!

    So hence my question: is there any way of having this more transparent, in such a way that all of my SSH connections would use the proxy_ssh host?

    • Jakuje
      Jakuje over 7 years
      "which did not work" ... what errors do you get? What did the configuration look like?
    • latz
      latz over 7 years
      Added the example I've actually tried
    • Jakuje
      Jakuje over 7 years
      The example above will make it recursive, so that every connection will use a proxy command, which is ssh with just another proxy command. Good way to DOS your proxy. You should exclude the proxy from the list or use -F /dev/null to ignore the configuration for the proxy command.
    • latz
      latz over 7 years
      By specifying -F /dev/null I will overwrite the config altogether, if I understand the man page correctly. That's not what I want.
    • Jakuje
      Jakuje over 7 years
      Only in the ProxyCommand ssh. The other possibility is to overwrite only the ProxyCommand using -oProxyCommand=none.
    • latz
      latz over 7 years
      Ok, perfect, that works like a charm. So I've edited the ProxyCommand line in .ssh/config to the following: ProxyCommand ssh -oProxyCommand=none my_user@proxy_ssh.example.com netcat -w 120 %h %p . So in fact you can post exactly that as an answer :)
    • Anthony
      Anthony over 6 years
      More importantly, if you have this sort of wildcard configuration, have it appear later in your .config, after the more specific entries. According to man.openbsd.org/OpenBSD-current/man5/ssh_config.5 the first encountered value for a specific option is the one used, so a later "override" will be ignored.
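The following is an added example, not code from the original thread: a small Python model of OpenSSH's first-match-wins config resolution, with a check for the ProxyCommand recursion described in Solution 1, Solution 2 and the ordering comment above. The config texts BROKEN and FIXED are constructed here; the resolver only handles Host patterns and plain `Keyword value` lines.

```python
import fnmatch
import shlex

# Constructed configs (not from the post): BROKEN is the question's "Host *" config; FIXED puts Solution 2's override first.
BROKEN = """Host *
    ProxyCommand ssh my_user@proxy_ssh.example.com netcat -w 120 %h %p
"""
FIXED = "Host proxy_ssh.example.com\n    ProxyCommand none\n" + BROKEN

def parse_ssh_config(text):
    """Split ssh_config text into (host_patterns, {keyword: value}) blocks in file order."""
    blocks, patterns, opts = [], ["*"], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "host":
            if opts:
                blocks.append((patterns, opts))
            patterns, opts = value.split(), {}
        else:
            opts[key.lower()] = value.strip()
    if opts:
        blocks.append((patterns, opts))
    return blocks

def resolve(blocks, host, keyword):
    """OpenSSH rule: the first matching Host block that sets the keyword wins ('!' patterns not modelled)."""
    for patterns, opts in blocks:
        if keyword in opts and any(fnmatch.fnmatchcase(host, p) for p in patterns):
            return opts[keyword]
    return None

def proxy_loop(blocks, host):
    """True when host's ProxyCommand is an inner ssh whose jump host would itself be
    given a ProxyCommand again: the recursion that DoSes the proxy."""
    cmd = resolve(blocks, host, "proxycommand")
    if not cmd or cmd.lower() == "none":
        return False
    argv = shlex.split(cmd)
    if argv[:1] != ["ssh"] or any(a.startswith("-F") for a in argv) or "proxycommand=none" in cmd.lower():
        return False  # not ssh, config ignored via -F, or ProxyCommand explicitly overridden
    i, takes_arg = 1, {"-o", "-i", "-p", "-l", "-J", "-W"}
    while i < len(argv) and argv[i].startswith("-"):  # skip the inner ssh's own options
        i += 2 if argv[i] in takes_arg else 1
    jump = argv[i].rsplit("@", 1)[-1] if i < len(argv) else ""  # user@jumphost -> jumphost
    inner = resolve(blocks, jump, "proxycommand")
    return bool(inner) and inner.lower() != "none"
```

On a real system the equivalent check is `ssh -G -F ~/.ssh/config <host> | grep -i proxycommand`, which prints the configuration OpenSSH actually resolves for that host.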