How to add socks proxy to ssh config file? - ssh

I know how to forward a SOCKS proxy on the command line like below:
ssh -D port_number user@host
This works well, but I want to be able to put that forwarding into my SSH config file. But I am not able to locate any useful information or tutorial about it.
I have a bunch of normal SSH profiles in the config, so I prefer to have the forwardings attached to the SSH profiles.

Use the config setting "DynamicForward". Here is a quick example of what it should look like:
Host example.com
User username
DynamicForward 8080
If the DynamicForward option is only given a port number, then it will bind to localhost:port.
You can add a specific IP to get it to bind to an address other than the localhost. Using "*:8080" will bind the proxy to all IP addresses on the box.
To use an IPv6 address enclose the address in square brackets:
[2001:0db8:85a3:0000:0000:8a2e:0370:7334]:8080
For details, please see the ssh_config man page (type man ssh_config).
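The bind-address rules in the answer above decide whether the SOCKS listener is reachable only from the local machine or from anything that can route to it. The following is an added example, not code from the original answer: a small audit that reads ssh_config text and reports every DynamicForward or LocalForward whose listener is not loopback-only. The function names are hypothetical, the sample config is constructed, and it assumes GatewayPorts is set in the same Host block as the forward (Match, Include and cross-block inheritance are not handled).

```python
import ipaddress

def bind_address(spec):
    """Return bind_address from '[bind_address:]port', or None if port only."""
    if spec.startswith("["):                  # [ipv6]:port
        return spec[1:].partition("]:")[0]
    if ":" in spec:                           # addr:port, *:port or :port
        return spec.rpartition(":")[0]
    return None

def is_loopback(addr, gateway_ports):
    if addr is None:                          # port only: follows GatewayPorts
        return not gateway_ports
    if addr.lower() == "localhost":
        return True
    try:                                      # '', '*' and hostnames do not parse
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False

def audit(config_text):
    """List (host, keyword, listen_spec) for forwards not bound to loopback."""
    blocks = [{"host": "(global)", "gw": False, "fwd": []}]
    for raw in config_text.splitlines():
        parts = raw.strip().replace("=", " ", 1).split()
        if not parts or parts[0].startswith("#"):
            continue
        key, args = parts[0].lower(), parts[1:]
        if key == "host":
            blocks.append({"host": " ".join(args), "gw": False, "fwd": []})
        elif key == "gatewayports" and args:
            blocks[-1]["gw"] = args[0].lower() == "yes"
        elif key in ("dynamicforward", "localforward") and args:
            blocks[-1]["fwd"].append((parts[0], args[0]))
    return [(b["host"], kw, spec) for b in blocks for kw, spec in b["fwd"]
            if not is_loopback(bind_address(spec), b["gw"])]

# Constructed sample config (host names are made up for this example).
SAMPLE = """
Host example.com
    DynamicForward 8080
Host shared-proxy
    DynamicForward *:8080
Host v6-proxy
    DynamicForward [2001:0db8:85a3:0000:0000:8a2e:0370:7334]:8080
Host server-fwd
    GatewayPorts yes
    LocalForward 8443 localhost:443
"""
print(audit(SAMPLE))
```

A hostname other than localhost used as a bind address is reported rather than resolved, so the audit never performs DNS lookups.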

I do not recommend using socat because it only supports socks4.
But you can use ncat:
Install ncat.
Add this to your ssh config file: ProxyCommand ncat --proxy-type socks5 --proxy 127.0.0.1:1080 %h %p
You may need to check the ncat options if it does not work.

This is how it is done:
Host server-fwd
Hostname a.b.c.d
User username
Port 22
LocalForward localhost:AAAA localhost:DD
LocalForward localhost:BBBB localhost:EEE
LocalForward localhost:CCCC localhost:FFFF
Change the "server-fwd" to whatever name you like, change "a.b.c.d" to the IP you're connecting to, change "username" to whatever your account is, maybe change the port number if necessary.
The LocalForward lines are the ones you have been looking for. The middle column (i.e. AAAA, BBBB and CCCC) are the ports on the system you are running the ssh command from. The right column (i.e. DD, EEE and FFFF) are the ports on the server you're connecting to. It's localhost in both cases because in the first case it's when the ssh command is run locally and in the second case it is relative to the server you just logged into.
Yes, I use this a lot. ;)

Related

SSH Config ProxyJump - Port forwarding from proxy

I have a question regarding port forwarding in combination with proxy jump in my ssh config:
Is it possible to make use of DynamicForward from the host used as proxy? Here's my config:
Host proxy
HostName proxy.private.com
User user
IdentityFile ~/path/to/file
DynamicForward 3000
Host target
HostName target.somewhere.com
User user
IdentityFile ~/path/to/file
ProxyJump proxy
It does not work with this config, but this would be exactly what I need.
Any tips on how to get it to work?
If there is nothing preventing you from using ProxyCommand you can most likely use this approach:
In your ~/.ssh/config file:
Host target
HostName target.somewhere.com
User target-user
IdentityFile ~/path/to/target-user-file
ProxyCommand ssh -A <proxy-user>@<proxy-host> -i <proxy-user-key> -W %h:%p
DynamicForward 3000
You can then run this command on your local machine:
ssh target -D 3000
I was able to test this by running this command locally and retrieving the public IP of the target host:
curl -x socks5h://localhost:3000 https://ifconfig.me/
Useful links I read:
More details on these use cases can be found here
Detail on this very approach can be found on this site (sadly not in english nor HTTPS)
You can probably define another Host on top to avoid having to mess with ssh parameters each time. This would be done by using CanonicalizeHostname, but I couldn't manage to do it. An alias might be more interesting at that point?

Setting up PyCharm Pro for remote ssh

I have PyCharm Pro and I need to set up a remote repo on it via ssh. There are instructions available for doing this, but my requirements are slightly different from what I have seen available. My organisation has ssh set up via Cloudflare and all those configs are already put in .ssh/config. It includes hostname, IdentityFile, username, and so on. If I need to access my remote machine, I just do ssh <HOST-NAME> from the terminal. My config looks like this -
Host <HOST-NAME>
HostName <HOST-NAME>.<ORGANISATION>.net
ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h
IdentityFile ~/.ssh/id_rsa
User <USER-NAME>
The way to set up PyCharm usually includes instructions like specifying host, port, username etc. so that PyCharm can essentially run ssh username@host_ip_address. However, I just need it to run ssh <HOST-NAME> so that it can access everything else using the config file that is already set up.
Is there a way to make this happen?
I use PyCharm Pro with my own .ssh/config and Jump Proxy pseudo hostname and certificates, so slightly different. I "ssh pseudo-hostname", so no user as well.
In PyCharm I set a valid username and port (default 22) because in my case it will get passed on.
Your setup ignores username and port, no? If so, you can use BS values?

How to configure Ansible to use my local SSH configuration?

I'm testing out Ansible and am already stuck on a fairly simple thing. I configured my /etc/ansible/hosts to contain the IP of my server:
[web]
1.2.3.4
Now, connecting to it with ansible all -vvvv -m ping fails since my ~/.ssh/config for the specified server uses a custom port, a key file not in the default location, etc. How do I tell Ansible to reuse my SSH configuration for the connection?
It's a little esoteric, so it's understandable you missed it. This is from the Ansible Inventory page:
If you have hosts that run on non-standard SSH ports you can put the port number after the hostname with a colon. Ports listed in your SSH config file won’t be used with the paramiko connection but will be used with the openssh connection.
To make things explicit, it is suggested that you set them if things are not running on the default port
So, in your case:
[web]
1.2.3.4:9000
(Using 9000 as your alt port, of course)
Ansible uses paramiko on systems with a dated version of ssh, such as CentOS/RHEL.
What tedder42 said plus there are other slightly more advanced ways of defining your ssh config on a per host basis.
[web]
1.2.3.4 ansible_ssh_port=9000
This only makes sense if you're also using the other ansible_ssh special variables like ansible_ssh_user and ansible_ssh_host.
ansible_ssh_host is helpful if you want to be able to refer to a server by a name of your choosing instead of its IP.
[web]
apache ansible_ssh_host=1.2.3.4 ansible_ssh_port=9000
If you end up with multiple hosts with the same alternative ssh port, you can make use of Ansible's group variable function.
[web]
1.2.3.4
5.6.7.8
9.10.11.12
[web:vars]
ansible_ssh_port=9000
Now Ansible will use port 9000 on all three of the hosts in the web group.
Understanding how to organize your inventory data goes a long way to your success with Ansible.

multiple LocalForward in ssh_config

How do I do multiple port forwarding in a .ssh/config file? On the command line, I can do:
ssh 10.0.0.10 -L 8080:127.0.0.1:8080 -L 8443:127.0.0.1:443
but when I do:
LocalForward 8080 127.0.0.1:8080
LocalForward 8443 127.0.0.1:443
in .ssh/config, it doesn't work.
The ssh_config man page says:
Multiple forwardings may be specified, and additional forwardings can be
given on the command line. Only the superuser can forward privileged ports.
Perhaps the problem is with the permissions, are you using the same user for both commands?
In my case, Host was wrongly mentioned instead of Hostname.

A way to specify a different host in an SSH tunnel from the host in use

I am trying to setup an SSH tunnel to access Beanstalk (to bypass an annoying proxy server).
I can get this to work, but with one caveat: I have to map my Beanstalk host URL (username.svn.beanstalkapp.com) in my hosts file to 127.0.0.1 (and use the ip in place of the domain when setting up the tunnel).
The reason (I think) is that I am creating the tunnel using the local SSH instance (on Snow Leopard) and if I use localhost or 127.0.0.1 when talking to Beanstalk, it rejects the authorisation credentials. I believe this is because Beanstalk use the hostname specified in a request to determine which account the username / password combination should be checked against. If localhost is used, I think this information is missing (in some manner which Beanstalk requires) from the requests.
At the moment I dig the IP for username.svn.beanstalkapp.com, map username.svn.beanstalkapp.com to 127.0.0.1 in my hosts file, then for the tunnel I use the command:
ssh -L 8080:ip:443 -p 22 -l tom -N 127.0.0.1
I can tell Subversion that the repo. is located at:
https://username.svn.beanstalkapp.com:8080/repo-name
This uses my tunnel and the username and password are accepted.
So, my question is if there is an option when setting up the SSH tunnel which would mean I wouldn't have to use my hosts file workaround?
I would add an entry to your hosts file that maps 127.0.0.1 to the hostname you need and then use the hostname to connect to your tunnel.
Update
The hosts file is IMO your best option.