ssh ProxyCommand fails: "forbidden char/command over SSH" - ssh

I am trying to ssh over my university's proxy server, to one of our lab's servers. The goal is to automate it with paramiko, but I am trying to first understand what's happening at the terminal level.
I tried
ssh -o ProxyCommand='ssh eran@proxy_server nc inner_server 22' eran@inner_server
And got
*** forbidden char/command over SSH: "nc inner_server 22"
This incident has been reported.
ssh_exchange_identification: Connection closed by remote host
Which I guess means the server does not allow the ProxyCommand.
Any way to achieve this in a different way?
Just to be clear, ssh to proxy_server, and then to inner_server, works fine, but doesn't produce a paramiko SSHClient instance, which is what I'm aiming for.

Do not use netcat. It is probably not allowed on the proxy server. Use the -W switch:
ssh -o ProxyCommand='ssh -W %h:%p eran@proxy_server' eran@inner_server

Related

Is it possible to combine two ssh connections into one using PuTTY client for Windows? [duplicate]

I'm just trying to use PuTTY to get an SSH connection to my servers.
These servers allow incoming SSH connection only from another specific server ("MySshProxyingServer" in example below).
Using Linux this is no problem with the ssh -W command.
In PuTTY I can't find the options to create such a connection.
Example under Linux (~/.ssh/config):
Host MyHostToConnectTo
    Hostname xx.xx.xx.xx
    User root
    Identityfile ~/.ssh/id_rsa
    ProxyCommand ssh MySshProxyServer -W %h:%p
Anyone knows how to use such a config in PuTTY?
If you want to "jump a host", then using "local proxy command" is overkill. Recent versions of PuTTY have this built in. Go to Connection > Proxy, and in "Proxy type", select "SSH to proxy and use port forwarding". Then specify the details of the intermediate server below (like Hostname, Port, Username, Password [or load your private key to Pageant]).
(It's actually an overkill for OpenSSH too, as it has more user friendly options for this purpose too, see Does OpenSSH support multihop login?)
To answer your literal question: The equivalent in PuTTY is "local proxy command". You can use the plink.exe with the -nc switch instead of the ssh with the -W switch:
The "local proxy command" is:
plink.exe %user@%proxyhost -P %proxyport -nc %host:%port
An alternative is to open a tunnel via the "MySshProxyServer" first using another instance of PuTTY (or Plink).
See for example:
How to create SSH tunnel using PuTTY in Windows?
My guide for tunneling SFTP/SCP session. It's for WinSCP, but just use PuTTY instead of WinSCP in section Connecting through the tunnel.
Just in case you still use a password for your jump host, here is the option for that, with an example.
plink.exe %user@%proxyhost -pw %pass -P %proxyport -nc %host:%port
When you want to start putty.exe from commandline it works this way:
putty.exe -proxycmd "plink.exe user@jumphost -P 22 -nc targethost:targetport" user@foo
According to the docs it uses stdin/stdout of the proxycmd, so "foo" is ok as the target hostname here.
Suppose we want to ssh to 172.16.0.21 via 8.8.8.8.
The login name on both hosts is john.
The path to the private key is C:\users\john\.ssh\private.ppk
plink.exe -v -ssh %user@%proxyhost -P %proxyport -nc %host:%port -i "c:\Users\john\.ssh\private.ppk"
P.S.
If your private key is password protected, then you must additionally launch Pageant and load your private key there.
P.S.
If you want to use the command line only, then:
putty.exe -proxycmd "plink.exe john@8.8.8.8 -P 22 -nc 172.16.0.21:22 -i c:\Users\john\.ssh\private.ppk " john@172.16.0.21 -i c:\Users\john\.ssh\private.ppk

Why SSH disconnect in seconds if I use proxy?

On macOS 10.12.6.
When I ssh to a server using the following command:
ssh -i ~/key.pem ubuntu@123.111.222.101
the connection stays up until I disconnect it manually or the computer falls asleep.
However, when I ssh to the server behind a proxy:
ssh -i ~/key.pem -o ProxyCommand='/usr/bin/nc -x 127.0.0.1:1080 %h %p' ubuntu@123.111.222.101
the connection will disconnect after 30 seconds if I don't type anything in the terminal.
Why does this happen and how can I keep the connection?
P.S.: the protocol of my proxy is socks5
Add this option. This should keep the connection open
-o ServerAliveInterval=15

Connecting to a remote server from local machine via ssh-tunnel

I am running Ansible on my machine, and my machine does not have ssh access to the remote machine. Port 22 connections originating from the local machine are blocked by the institute firewall. But I have access to a machine (ssh-tunnel) through which I can log in to the remote machine. Is there a way we can run an Ansible playbook from the local machine on remote hosts?
In a way, is it possible to make Ansible/ssh connect to the remote machine via ssh-tunnel, without exactly logging in to ssh-tunnel? The connection would pass through the tunnel.
The other way is to install Ansible on ssh-tunnel and run plays from there, but that would not be a desired solution.
Please let me know if this is possible.
There are two ways to achieve this without installing Ansible on the ssh-tunnel machine.
Solution#1:
Use these variables in your inventory:
[remote_machine]
remote ansible_ssh_host=127.0.0.1 ansible_ssh_port=2222 ansible_ssh_user='username' ansible_ssh_private_key_file='/home/user/private_key'
I hope you understand the above parameters; if you need help, please ask in the comments.
Solution#2:
Create a ~/.ssh/config file and add the following parameters:
####### Access to the Private Server through ssh-tunnel/bastion ########
Host ssh-tunnel-server
    HostName x.x.x.x
    StrictHostKeyChecking no
    User username
    ForwardAgent yes
Host private-server
    HostName y.y.y.y
    StrictHostKeyChecking no
    User username
    ProxyCommand ssh -q ssh-tunnel-server nc -q0 %h %p
Hope that helps you. If you need any help, feel free to ask.
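An added example, not part of any answer on this page: a small audit of an ssh_config that flags the hop settings seen above, namely an nc-based ProxyCommand (which the first answer replaces with -W), StrictHostKeyChecking no and ForwardAgent yes. The function names and finding codes are hypothetical, the sample is constructed from the config above, and the parser assumes plain Host blocks (no Match, Include or wildcard resolution).

```python
import re
import shlex

# Constructed sample: the bastion config from the answer above (placeholder addresses).
SAMPLE_CONFIG = """\
Host ssh-tunnel-server
    HostName x.x.x.x
    StrictHostKeyChecking no
    User username
    ForwardAgent yes
Host private-server
    HostName y.y.y.y
    StrictHostKeyChecking no
    User username
    ProxyCommand ssh -q ssh-tunnel-server nc -q0 %h %p
"""

def parse_hosts(text):
    """Map each Host pattern to {lowercased keyword: value}."""
    hosts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = (re.split(r"[\s=]+", line, maxsplit=1) + [""])[:2]
        if key.lower() == "host":
            current = hosts.setdefault(value, {})
        elif current is not None:
            current.setdefault(key.lower(), value)  # ssh keeps the first value it sees
    return hosts

def audit(text):
    """Return (host, code, detail) findings for the hop settings seen on this page."""
    findings = []
    for host, opts in parse_hosts(text).items():
        if opts.get("stricthostkeychecking", "").lower() in ("no", "off"):
            findings.append((host, "no-hostkey-check",
                             "unknown keys are trusted and changed keys do not stop the connection"))
        if opts.get("forwardagent", "").lower() == "yes":
            findings.append((host, "agent-forward",
                             "root on this host can use the forwarded agent"))
        argv = shlex.split(opts.get("proxycommand", ""))
        nc_at = [i for i, tok in enumerate(argv) if tok in ("nc", "netcat")]
        if argv[:1] == ["ssh"] and nc_at and nc_at[0] >= 2:
            # The token before nc is the jump host; with -W no remote command is run there.
            findings.append((host, "nc-proxy", f"ProxyCommand ssh -W %h:%p {argv[nc_at[0] - 1]}"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(*finding, sep=" | ")
```

The detail field of an nc-proxy finding is the replacement line in the -W form, so it can be pasted back into the Host block.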
There is no requirement to install Ansible on the jump and remote servers; Ansible is an SSH-only tool :-)
First make sure you can work it directly with an SSH tunnel.
On the local machine (Local_A), you can log in to the remote machine (Remote_B) via the jump box (Jump_C).
Log in to server Local_A:
ssh -f user@remote_B -L 2000:Jump_C:22 -N
The other options are:
-f tells ssh to background itself after it authenticates, so you don't have to sit around running something on the remote server for the tunnel to remain alive.
-N says that you want an SSH connection, but you don't actually want to run any remote commands. If all you're creating is a tunnel, then including this option saves resources.
-L [bind_address:]port:host:hostport
Specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side.
There will be a password challenge unless you have set up DSA or RSA keys for a passwordless login.
There are lots of documents teaching you how to do the ssh tunnel.
Then try below ansible command from Local_A:
ansible -vvvv remote_B -m shell -a 'hostname -f' --ssh-extra-args="-L 2000:Jump_C:22"
You should see the remote_B hostname. Let me know the result.
Let's say you can ssh into x.x.x.x from your local machine, and ssh into y.y.y.y from x.x.x.x, while y.y.y.y is the target of your ansible playbook.
inventory:
[target]
y.y.y.y
playbook.yml
---
- hosts: target
  tasks: ...
Run:
ansible-playbook --ssh-common-args="-o ProxyCommand='ssh -W %h:%p root@x.x.x.x'" -i inventory playbook.yml

SSH "Failed to add the host to the list of known hosts" Openshift

I tried to use ssh command to connect to another remote host.
ssh -p 21098 -i $OPENSHIFT_DATA_DIR/.ssh/host_key user@domain.com
The authenticity of host '[domain.com]:21098 ([124.219.148.93]:21098)' can't be established.
RSA key fingerprint is 12:15:79:55:c6:2a:66:1e:82:94:da:19:e1:ca:21:3d.
Are you sure you want to continue connecting (yes/no)?yes
Failed to add the host to the list of known hosts (/var/lib/openshift/541b685c5973cae7bbf006f4/.ssh/known_hosts).
Connection closed by 124.219.148.93
I suppose we do not have access to home/.ssh. So how to solve this problem?
One can pass options to SSH on command line, like this:
ssh -o UserKnownHostsFile=/tmp/known_host_file -p 21098 -i $OPENSHIFT_DATA_DIR/.ssh/host_key user@domain.com
Here is a related answer: ssh use known_hosts other than $HOME/.ssh/known_hosts

How to bypass firewall for RSYNC with SSH tunneling and corkscrew Proxy

I'm trying to use rsync to connect to an Rsync server. However, our company firewall blocks the 873 port used by rsync.
Using the following proxy configuration with corkscrew in the ~/.ssh/config file, I can bypass the firewall and connect to remote servers with SSH:
ProxyCommand /usr/local/bin/corkscrew our-http-proxy.domain.name 8080 %h %p
Thus, with the above configuration, I use ssh the following way, which lets me connect to a remote machine with no problem:
ssh -L 8080:localhost:80 username@remote.machine.name -p 443
My question is, can I use rsync to utilize such ssh tunnel, and connect to the Rsync server?
I so far tried a few ways to have rsync utilize the same ssh proxy configuration. One of them is as follows, which always results in ssh_exchange_identification: Connection closed by remote host:
rsync -CaLvz -e "ssh -L 873:remote.rsync-server.name:443" remote.rsync-server.name::remote-source-directory /local/target/directory/
Any ideas?