Create a config file for ssh command - ssh

I have a ssh command as below:
ssh -o ProxyCommand="ssh ubuntu#ip_addr -W %h:%p" ubuntu#ip_addr2 -L port:ip_addr3:port
I want to create a config file for this command, but I don't know what is the option of -L, here is my config file so far:
Host cassandra-khatkesh
User ubuntu
Hostname ip_addr2
ProxyCommand ssh ubuntu#ip_addr -W %h:%p
Anyone knows how can I add -L to config file?

-L corresponds to the LocalForward keyword.
Host cassandra-khatkesh
User ubuntu
Hostname ip_addr2
ProxyCommand ssh ubuntu#ip_addr -W %h:%p
LocalForward port ip_addr3:port
Note that the local and remote endpoints are specified separately, not as single :-delimited string.

Related

How to: scp over Jumphost, each with privatekeys

I want to have an scp command over a Jumphost to the targetserver. Both, the Jumphost and the targetserver, require an key for the login.
If there would be no key required, I think this command would work:
scp -o ProxyJump=usernameJumpserver#ipJumpserver filename usernameTargetserver#ipTargetserver:/path/filename
So, including a key, I get to this command:
scp -i /pathOnMyClient/key -o ProxyJump=usernameJumpserver#ipJumpserver filename usernameTargetserver#ipTargetserver:/path/filename
Then I get the error "usernameTargetServer#ipTargetserver: Permission denied (publickey)."
I can't add the (probably?) required -i /pathJumpserver/key to it. How does it work?
as you cannot enter the password of your ssh key at the jumphost I suggest to load your key into your local ssh-agent and then use one of:
> scp -o ProxyJump=user#jump.host localfile user#target.host:
> scp -o ProxyJump=user#jump.host user#target.host:file localdir
this works for me!
HTH
Stefan K.
So we have:
LocalHost
JumpHost
DestinationHost
On LocalHost, in ~/.ssh/config add:
Host JumpHost
User JumpHostUser
IdentityFile ~/.ssh/id_rsa
# other optional settings:
# Port 2222
# HostName 192.168.0.1
Host DestinationHost
User DestinationHostUser
IdentityFile ~/.ssh/id_rsa_jumphost
And you can use what #StefanKaerst suggested:
scp -o ProxyJump=JumpHost DestinationHost:/file /LocalFile
scp -o ProxyJump=JumpHost /Localile DestinationHost:/File
I have it aliased as
scpj='scp -o ProxyJump=JumpHost'
So I only type:
scpj DestinationHost:/file /LocalFile
You need to have all the keys in place though, both from local to jump, from jump to destination and from local to destination.
I could not get this working with ProxyJump, so I fell back to the more verbose ProxyCommand instead. This works for me for copying from A to C through B:
scp -i <path on A to key for C> \
-oProxyCommand="ssh -i <path on A to key for B> -W %h:%p <user>#B" \
/path/to/my/file <user>#C:~/
That worked for me:
scp -o ProxyJump=USER_NAME#35.1.2.3 local-File.txt 10.1.2.3:~/
Advanced ssh from windows, not much fun at all.
I've found this working.
Create a C:\Users\u.username\.ssh\config file like:
Host jumphost.server
HostName jumphost.server
User u.username
ForwardAgent yes
IdentityFile C:\Users\u.username\.ssh\id_rsa
Host * !jumphost.server
ProxyCommand ssh.exe u.username#jumphost.server -W %h:%p
IdentityFile C:\Users\u.username\.ssh\id_rsa
(replace your data for jumphost.server, as well as your username and path to ssh private key)
Then scp from final target.server is working that way (from powershell):
scp -F .\.ssh\config u.username#target.server:/path/to/file C:\Users\u.username\
or from local windows to target linux:
scp -F .\.ssh\config C:\Users\u.username\file u.username#target.server:/path/to/file
The flag -F is loading predefined config.

How to remotely capture traffic across multiple SSH hops?

I want to debug another machine on my network but have to pass through one or more SSH tunnels to get there.
Currently:
# SSH into one machine
ssh -p 22 me#some_ip -i ~/.ssh/00_id_rsa
# From there, SSH into the target machine
# Note that this private key lives on this machine
ssh -p 1234 root#another_ip -i ~/.ssh/01_id_rsa
# Capture debug traffic on the target machine
tcpdump -n -i eth0 -vvv -s 0 -XX -w tcpdump.pcap
But then it's a pain to successively copy that .pcap out. Is there a way to write the pcap directly to my local machine, where I have wireshark installed?
You should use ProxyCommand to chain ssh hosts and to pipe output of tcpdump directly into wireshark. To achieve that you should create the following ssh config file:
Host some_ip
IdentityFile ~/.ssh/00_id_rsa
Host another_ip
Port 1234
ProxyCommand ssh -o 'ForwardAgent yes' some_ip 'ssh-add ~/.ssh/01_id_rsa && nc %h %p'
I tested this with full paths, so be carefull with ~
To see the live capture you should use something like
ssh another_ip "tcpdump -s0 -U -n -w - -i eth0 'not port 1234'" | wireshark -k -i -
If you want to just dump pcap localy, you can redirect stdout to filename of your choice.
ssh another_ip "tcpdump -n -i eth0 -vvv -s 0 -XX -w -" > tcpdump.pcap
See also:
https://serverfault.com/questions/337274/ssh-from-a-through-b-to-c-using-private-key-on-b
https://serverfault.com/questions/503162/locally-examine-network-traffic-of-remote-machine/503380#503380
How can I have tcpdump write to file and standard output the appropriate data?

SSH to jump host, to final host, then tmux

In my ssh config, I have
Host jumpHostNick
HostName jumphost.com
User username
Host finalHostNick
User username
ProxyCommand ssh jumpHostNick nc finalHostURL 22
I would like to supplement this by having it run tmux attach -d when it gets to the final host. Is that possible?
Use -W rather then the netcat:
Host jumpHostNick
HostName jumphost.com
User username
Host finalHostNick
User username
ProxyCommand ssh -W finalHostURL:22 jumpHostNick
If you want to run tmux attach -d, you should also add to the finalHostNick:
RequestTTY yes
and then connect using ssh finalHostNick -t tmux attach -d, or just setup bash alias:
alias ssh-final='ssh finalHostNick -t tmux attach -d'
in your ~/.bashrc

ssh -F configfile and ProxyCommand

I would like to use a ssh_config file instead of the traditional ~/.ssh/config. I have a simple configuration for accessing hosts through a bastion host (on port 23 for example).
ssh_config :
host bastion
hostname bastion.mydomain.com
port 23
host *.server
proxycommand ssh -W %h:%p bastion
ssh -F ssh_config test.server is not working and throw me "ssh: Could not resolve hostname bastion: Name or service not known".
But, if put this config in ~/.ssh/config, then ssh test.server works.
As I understand it, the proxycommand is unable to use the config file given in the command line.
If I want my command line config file to work, I need to put
proxycommand ssh -W %h:%p bastion.mydomain.com -p 23
but this seems to violate a simple DRY principle (the port and the domain are repeated). The config file I'm willing to build is much much longer and complex.
Is there a good way to achieve what I want, i.e. a simple, non-repeating, config file usable in command line for which proxycommand works ?
Half of an answer:
Rather than using the config file recursively, try not relying on the config at all for the proxy command.
host *.server
proxycommand ssh -W %h:%p bastion.mydomain.com -p 23
This allows it to be portable, but doesn't solve your other issue of having to do this on every line, and makes changing the bastion host address a difficult process.
you need to pass proxycommand ssh -W %h:%p bastion -F [your custom ssh config]

Connect with SSH through a proxy

I have no real idea what I'm doing here so please bear that in mind if you can help me!
I am trying to connect to my virtual server through a proxy but I can't connect, it just hangs. I'm assuming this is because it's not getting through our proxy.
I have tried exactly the same thing at home and it works perfectly. I'm on OSX using Terminal to connect.
Can anyone advise me how I can get through the proxy with SSH?
Here's how to do Richard Christensen's answer as a one-liner, no file editing required (replace capitalized with your own settings, PROXYPORT is frequently 80):
ssh USER#FINAL_DEST -o "ProxyCommand=nc -X connect -x PROXYHOST:PROXYPORT %h %p"
You can use the same -o ... option for scp as well, see my superuser answer.
If you get this in OS X:
nc: invalid option -- X
Try `nc --help' for more information.
it may be that you're accidentally using the homebrew version of netcat (you can see by doing a which -a nc command--/usr/bin/nc should be listed first). If there are two then one workaround is to specify the full path to the nc you want, like ProxyCommand=/usr/bin/nc ...
For CentOS nc has the same problem of invalid option --X. connect-proxy is an alternative, easy to install using yum and works --
ssh -o ProxyCommand="connect-proxy -S PROXYHOST:PROXYPORT %h %p" USER#FINAL_DEST
If your SSH proxy connection is going to be used often, you don't have to pass them as parameters each time. you can add the following lines to ~/.ssh/config
Host foobar.example.com
ProxyCommand nc -X connect -x proxyhost:proxyport %h %p
ServerAliveInterval 10
then to connect use
ssh foobar.example.com
Source here
I use -o "ProxyCommand=nc -X 5 -x proxyhost:proxyport %h %p" ssh option to connect through socks5 proxy on OSX.
Just a remark to #rogerdpack's answer: for windows platform it is really hard to find a nc.exe with -X(http_proxy), however, I have found nc can be replaced by ncat, full example as follows:
Host github.com
HostName github.com
#ProxyCommand nc -X connect -x 127.0.0.1:1080 %h %p
ProxyCommand ncat --proxy 127.0.0.1:1080 %h %p
User git
Port 22
IdentityFile D:\Users\Administrator\.ssh\github_key
and ncat with --proxy can work perfectly.
For windows, #shoaly parameters didn't completely work for me. I was getting this error:
NCAT DEBUG: Proxy returned status code 501.
Ncat: Proxy returned status code 501.
ssh_exchange_identification: Connection closed by remote host
I wanted to ssh to a REMOTESERVER and the SSH port had been closed in my network. I found two solutions but the second is better.
To solve the problem using Ncat:
I downloaded Tor Browser, run and wait to connect.
I got Ncat from Nmap distribution and extracted ncat.exe into the current directory.
SSH using Ncat as ProxyCommand in Git Bash with addition --proxy-type socks4 parameter:
ssh -o "ProxyCommand=./ncat --proxy-type socks4 --proxy 127.0.0.1:9150 %h %p" USERNAME#REMOTESERVER
Note that this implementation of Ncat does not support socks5.
THE BETTER SOLUTION:
Do the previous step 1.
SSH using connect.c as ProxyCommand in Git Bash:
ssh -o "ProxyCommand=connect -a none -S 127.0.0.1:9150 %h %p"
Note that connect.c supports socks version 4/4a/5.
To use the proxy in git commands using ssh (for example while using GitHub) -- assuming you installed Git Bash in C:\Program Files\Git\ -- open ~/.ssh/config and add this entry:
host github.com
user git
hostname github.com
port 22
proxycommand "/c/Program Files/Git/mingw64/bin/connect.exe" -a none -S 127.0.0.1:9150 %h %p
$ which nc
/bin/nc
$ rpm -qf /bin/nc
nmap-ncat-7.40-7.fc26.x86_64
$ ssh -o "ProxyCommand nc --proxy <addr[:port]> %h %p" USER#HOST
$ ssh -o "ProxyCommand nc --proxy <addr[:port]> --proxy-type <type> --proxy-auth <auth> %h %p" USER#HOST
ProxyCommand nc -proxy xxx.com:8080 %h %p
remove -X connect and use -proxy instead.
Worked for me.
This is how I solved it, hoping to help others later.
My system is debian 10, and minimal installation.
I also have the same problem like this.
git clone git#github.com:nothing/nothing.git
Cloning into 'nothing'...
nc: invalid option -- 'x'
nc -h for help
ssh_exchange_identification: Connection closed by remote host
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
Or
git clone git#github.com:nothing/nothing.git
Cloning into 'nothing'...
/usr/bin/nc: invalid option -- 'X'
nc -h for help
ssh_exchange_identification: Connection closed by remote host
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
So, I know the nc has different versions like openbsd-netcat and GNU-netcat, you can change the nc in debian to the openbsd version, but I choose to change the software like corkscrew, because the names of the two versions of nc in system are same, and many people don’t understand it well. My approach is as follows.
sudo apt install corkscrew
Then.
vim ~/.ssh/config
Change this file like this.
Host github.com
User git
ProxyCommand corkscrew 192.168.1.22 8118 %h %p
192.168.1.22 and 8118 is my proxy server's address and port, you should change it according to your server address.
It's work fine.
Thanks #han.
I use proxychains ssh user#host; from proxychains-ng.
By default it uses a socks4 proxy at 127.0.0.1:9050 but it can be changed in the conf file /etc/proxychains.conf or you can specify another conf file like this: proxychains -f custom.conf
The easiest way to do this after OpenSSH 7.3 is with ProxyJump:
ssh USERNAME#HOSTNAME -J PROXYHOSTNAME
which is short hand for the ProxyCommand below (which works on older clients):
ssh USERNAME#HOSTNAME -o "ProxyCommand=ssh PROXYHOSTNAME -W %h:%p"
Or in your ssh config file ($HOME/.ssh/config):
Host HOSTNAME
User USERNAME
ProxyCommand ssh PROXYHOSTNAME -W %h:%p
The oldest clients require the use of netcat. YMMV depending on the version of netcat and options supported (see other answers).
I was using the following lines in my .ssh/config (which can be replaced by suitable command line parameters) under Ubuntu
Host remhost
HostName my.host.com
User myuser
ProxyCommand nc -v -X 5 -x proxy-ip:1080 %h %p 2> ssh-err.log
ServerAliveInterval 30
ForwardX11 yes
When using it with Msys2, after installing gnu-netcat, file ssh-err.log showed that option -X does not exist. nc --help confirmed that, and seemed to show that there is no alternative option to handle proxies.
So I installed openbsd-netcat (pacman removed gnu-netcat after asking, since it conflicted with openbsd-netcat). On a first view, and checking the respective man pages, openbsd-netcat and Ubuntu netcat seem to very similar, in particular regarding options -X and -x.
With this, I connected with no problems.
to connect to SOCKS5 proxy, simply run
ssh user#destination -o "ProxyCommand=nc -X 5 -x proxyhost:proxyport %h %p"
OR add proxy settings to .ssh/config
Host destinaion_host
HostName destinaion_host
User ali
ProxyCommand nc -X 5 -x proxyhost:proxyport %h %p
ServerAliveInterval 60
ServerAliveCountMax 10
then you can simply run ssh destinaion_host
with special thanks to #maxim-k
In my case since I had a jump host or Bastion host on the way, and because the signatures on these bastion nodes had changed since they were imported into known_hosts file, I just needed to delete those entries/lines from the following file:
/Users/a.abdi-kelishami/.ssh/known_hosts
From above file, delete those lines referring to the bastion hosts.
Try -o "ProxyCommand=nc --proxy HOST:PORT %h %p" for command in question. It worked on OEL6 but need to modify as mentioned for OEL7.
If anybody on CentOS / RHEL get
nc: invalid option -- 'X'
use this ProxyCommand
ProxyCommand nc --proxy HOST:PORT --proxy-type http %h %p
edit config file in:
.ssh/config
Host github.com
HostName github.com
User git
Port 22
ProxyCommand nc -X 5 -x 192.168.49.1:8000 %h %p
and test:
ssh -T git#github.com
Hi [username]! You've successfully authenticated, but GitHub does not provide shell access.