i have a question regarding port forwarding in combination with proxy jump in my ssh config:
Is it possible to make use of DynamicForward from the host used as proxy? Here's my config:
Host proxy
HostName proxy.private.com
User user
IdentityFile ~/path/to/file
DynamicForward 3000
Host target
HostName target.somewhere.com
User user
IdentityFile ~/path/to/file
ProxyJump proxy
It does not work with this config, but this would be exactly what i need.
Any tips on how to get it to work?
If there is nothing preventing you from using ProxyCommand you can most likely use this approach:
In your ~/.ssh/config file:
Host target
HostName target.somewhere.com
User target-user
IdentityFile ~/path/to/target-user-file
ProxyCommand ssh -A <proxy-user>#<proxy-host> -i <proxy-user-key> -W %h:%p
DynamicForward 3000
You can then run this command on your local machine:
ssh target -D 3000
I was able to test this by running this command locally and retreiving public IP of the target host:
curl -x socks5h://localhost:3000 https://ifconfig.me/
Usefull links I read:
More details on these use cases can be found here
Detail on this very approach can be found on this site (sadly not in english nor HTTPS)
You can probably define another Host on top to avoid having to mess with ssh parameter each time. This would be done by using CanonicalizeHostname, but I couldn't manage to it. An alias might be more interesting at that point ?
Related
I have a dd-wrt router where I setup a ssh port-forwarding rule to redirect each WAN request towards a host in the private LAN that at the moment is unavailable. Is it possible to avoid the firewall redirection with a ssh parameter and connect directly to the router via ssh ? Note: At the moment I haven't direct access to the router.
One effective solution is to setup a single SSH port forward to one host on the network, and then use SSH forwarding via that host to the others.
This can be added easily to the client ssh config:
host AnyNameYouLike
Hostname remoteHostnameOrIp
Proxycommand ssh -q proxyuser#proxyhostname.remotely.accessible nc -q0 %h %p
User remoteHostnameOrIpUser
IdentityFile ~/.ssh/remoteHostnameOrIp_id_rsa
You can omit the IdentityFile line if you prefer alternative authentication. If you set up an entry for proxyuser#proxyhostname.remotely.accessible too you can have completely passwordless and transparent proxying.
Further, you can use wildcards, and have ssh automatically ssh via the proxy for any matching host, eg:
host 10.10.10.*
proxycommand ssh -q proxyuser#proxyhostname.remotely.accessible nc -q0 %h %p
I've looked [to faq][1] , but there is no answer for my task.
How can I access to bastion (jump box) host using password with Ansible? We do not consider using SSH keys. How will SSH config (or Ansible config) be look like for this situation?
For instance using SSH keys, the configuration looks like this:
ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q user#gateway.example.com"'
How to achieve the same result by using password?
You can use the ProxyJump ssh option which does not require netcat/nc to be installed on the jump host.
So in the ~/.ssh/config file of the user you are using to run the Ansible commands, add something like this
Host jumphost
HostName 1.1.1.1 # use actual ip address or fqdn
Host *
ProxyJump jumphost
In my ~/.ssh/config file, I have configured the bastion host like this:
##### Private hosts access through bastion host #####
Host bastion-host
HostName 52.13.2.54
ForwardAgent yes
Host 10.10.*
ProxyCommand ssh -q bastion-host nc -q0 %h %p
Then I can directly run the Ansible over the hosts in private subnet. Hope that might help you
I have some problems with the ssh proxycommand. The authentication on the proxy works fine, but when i want to login to the remote-host it fails. The problem seems to be, that the proxy tries to login with my local rsa_key and not with the key stored on the proxy. Is there a way to fix this?
This is what I want:
Local -- local rsa --> Proxy -- proxy rsa --> host
The Config-file I use:
Host 192.168.178.32
HostName 192.168.178.32
User user
Port 22
IdentityFile ~/.ssh/id_rsa.pub
Host 192.168.178.30
HostName 192.168.178.30
User user
Port 22
IdentityFile home/user/.ssh/id_rsa.pub
ProxyCommand ssh -W %h:%p -F ssh_config -p 22 192.168.178
The problem seems to be, that the proxy tries to login with my local rsa_key and not with the key stored on the proxy.
Yes. It does. It is by design. You don't want to copy private keys over to the proxies. Proxy command will always authenticate from your local host.
There are twa ways out:
Copy the key to your local host and configure it to be used.
Don't use ProxyCommand and do the simple ssh:
ssh -t proxy ssh host
it will use the authentication from the second host
I would like to use a ssh_config file instead of the traditional ~/.ssh/config. I have a simple configuration for accessing hosts through a bastion host (on port 23 for example).
ssh_config :
host bastion
hostname bastion.mydomain.com
port 23
host *.server
proxycommand ssh -W %h:%p bastion
ssh -F ssh_config test.server is not working and throw me "ssh: Could not resolve hostname bastion: Name or service not known".
But, if put this config in ~/.ssh/config, then ssh test.server works.
As I understand it, the proxycommand is unable to use the config file given in the command line.
If I want my command line config file to work, I need to put
proxycommand ssh -W %h:%p bastion.mydomain.com -p 23
but this seems to violate a simple DRY principle (the port and the domain are repeated). The config file I'm willing to build is much much longer and complex.
Is there a good way to achieve what I want, i.e. a simple, non-repeating, config file usable in command line for which proxycommand works ?
Half of an answer:
Rather than using the config file recursively, try not relying on the config at all for the proxy command.
host *.server
proxycommand ssh -W %h:%p bastion.mydomain.com -p 23
This allows it to be portable, but doesn't solve your other issue of having to do this on every line, and makes changing the bastion host address a difficult process.
you need to pass proxycommand ssh -W %h:%p bastion -F [your custom ssh config]
I know how to forward SOCKS proxy on the command like below
ssh -D port_number user#host
This works well but I want to be able to put that forwarding into my SSH config file. But I am not able to locate any useful information or tutorial about.
I have bunch of normal SSH profiles in the config so I prefer to have the forwardings attached to the SSH profiles.
Use the config setting "DynamicForward" Here is a quick example of what it should look like:
Host example.com
User username
DynamicForward 8080
If the DynamicForward option is only given a port number, then it will bind to localhost:port.
You can add a specific IP to get it to bind to an address other than the localhost. Using "*:8080" will bind the proxy to all IP addresses on the box.
To use an IPv6 address enclose the address in square brackets:
[2001:0db8:85a3:0000:0000:8a2e:0370:7334]:8080
For details, please see the ssh_config man page (type man ssh_config).
I do not recommend use socat because it only support socks4
But you can use ncat
install ncat
add this in your ssh config file ProxyCommand ncat --proxy-type socks5 --proxy 127.0.0.1:1080 %h %p
You may need to check ncat options if it does not work.
This is how it is done:
Host server-fwd
Hostname a.b.c.d
User username
Port 22
LocalForward localhost:AAAA localhost:DD
LocalForward localhost:BBBB localhost:EEE
LocalForward localhost:CCCC localhost:FFFF
Change the "server-fwd" to whatever name you like, change "a.b.c.d" to the IP you're connecting to, change "username" to whatever your account is, maybe change the port number if necessary.
The LocalForward lines are the ones you have been looking for. The middle column (i.e. AAAA, BBBB and CCCC) are the ports on the system you are running the ssh command from. The right column (i.e. DD, EEE and FFFF) are the ports on the server you're connecting to. It's localhost in both cases because in the first case it's when the ssh command is run locally and in the second case it is relative to the server you just logged into.
Yes, I use this a lot. ;)