Mosh via two-level ssh (FreeBSD, jails) - ssh

I am fond of mosh but I have a problem connecting via two-level ssh. Consider this scenario:
a host machine running FreeBSD which has all ports closed from the outside
a first jail, with ssh port 2222 open to the outside, on a public IP, let's say door.example.com
a second jail with a private IP address, named DEV.example.com, that can be ssh-ed from door.example.com on port 2222 as well
a redirection is set up to forward UDP port 60000 from door.example.com to DEV.example.com
There is generally some problem with ttys and jails, but I am able to connect this way:
ssh -t -t -p2222 door.example.com -- ssh -p2222 DEV.example.com
being asked for both passwords, first to door.example.com and then to DEV.example.com.
I have tried this mosh command (also tried all variations with and without -t -t params):
mosh --port 60000 \
--ssh "ssh -t -t -p2222" \
--server "ssh -t -t -p2222 DEV.example.com mosh-server" \
door.example.com
but it always hangs on password authentication to the second jail, with no password prompt.
Funny thing is that from the Android Mosh-flavored Irssi ConnectBot this works when I set the mosh port to 60000 and as mosh server I fill in ssh -t -t -p2222 DEV.example.com mosh-server
I know there are ways to set up an ssh proxy but I don't want to have things like netcat on the door jail. This should work somehow, especially because it already works from my phone.

Is there a reason the mosh-server needs to be at the end point (dev) rather than at the entry (door)?
I use something like this for my setup at home:
mosh --port 60000 \
--ssh "ssh -t -t -p2222" \
-- door.example.com ssh -t -t -p2222 dev.example.com
FWIW, I use something like this for irssi:
mosh --ssh="ssh -p2222" \
-- user@dmz.example.com ssh -q -t user@irssi.example.com \
screen -c /home/user/.screen.irc -UxaA irc
Both my servers are FreeBSD and the clients are either a MacBook Air or a laptop running Ubuntu. I had gone with a DMZ host with a host-based firewall, to overcome the limited forwards available on my current router.

Related

csshX using a jumphost/bastion

I am currently using the following command to log in to an EC2 instance using a jumphost:
ssh -J jumphost:2222 some_ip
I have installed csshX as I need to login to multiple instances simultaneously. I am not sure how to specify a jumphost in csshX.
Regards,
Aditya
You can use an ssh config file (the default location is ~/.ssh/config) with a configuration like the following; the ssh client honours it:
Host 192.168.*.*
ProxyCommand ssh jumphost -W %h:%p
and when you do csshX 192.168.0.10, it will go through the jumphost. (Tested and working from a mac.)

How to remotely capture traffic across multiple SSH hops?

I want to debug another machine on my network but have to pass through one or more SSH tunnels to get there.
Currently:
# SSH into one machine
ssh -p 22 me@some_ip -i ~/.ssh/00_id_rsa
# From there, SSH into the target machine
# Note that this private key lives on this machine
ssh -p 1234 root@another_ip -i ~/.ssh/01_id_rsa
# Capture debug traffic on the target machine
tcpdump -n -i eth0 -vvv -s 0 -XX -w tcpdump.pcap
But then it's a pain to successively copy that .pcap out. Is there a way to write the pcap directly to my local machine, where I have wireshark installed?
You should use ProxyCommand to chain the ssh hosts and pipe the output of tcpdump directly into wireshark. To do that, create the following ssh config file:
Host some_ip
IdentityFile ~/.ssh/00_id_rsa
Host another_ip
Port 1234
ProxyCommand ssh -o 'ForwardAgent yes' some_ip 'ssh-add ~/.ssh/01_id_rsa && nc %h %p'
I tested this with full paths, so be careful with ~
To see the live capture you should use something like
ssh another_ip "tcpdump -s0 -U -n -w - -i eth0 'not port 1234'" | wireshark -k -i -
If you want to just dump the pcap locally, you can redirect stdout to a filename of your choice.
ssh another_ip "tcpdump -n -i eth0 -vvv -s 0 -XX -w -" > tcpdump.pcap
See also:
https://serverfault.com/questions/337274/ssh-from-a-through-b-to-c-using-private-key-on-b
https://serverfault.com/questions/503162/locally-examine-network-traffic-of-remote-machine/503380#503380
How can I have tcpdump write to file and standard output the appropriate data?

ssh ProxyCommand fails: "forbidden char/command over SSH"

I am trying to ssh over my university's proxy server, to one of our lab's servers. The goal is to automate it with paramiko, but I am trying to first understand what's happening in the terminal level.
I tried
ssh -o ProxyCommand='ssh eran@proxy_server nc inner_server 22' eran@inner_server
And got
*** forbidden char/command over SSH: "nc inner_server 22"
This incident has been reported.
ssh_exchange_identification: Connection closed by remote host
Which I guess means the server does not allow the ProxyCommand.
Any way to achieve this in a different way?
Just to be clear, ssh to proxy_server, and then to inner_server, works fine, but doesn't produce a paramiko SSHClient instance, which is what I'm aiming for.
Do not use netcat. It is probably not allowed on the proxy server. Use -W switch:
ssh -o ProxyCommand='ssh -W %h:%p eran@proxy_server' eran@inner_server

Scp through ssh tunnel opened

I want to send files from machineA which has opened a reverse tunnel with a server. The reverse tunnel connects port 22 on machineA with port 2222 on the server:
autossh -M 0 -q -f -N -o "ServerAliveInterval 120" -o "ServerAliveCountMax 1" -R 2222:localhost:22 userserver@server.com
If I do:
scp file userserver@server.com:.
then SCP sends the file with a new login over SSH, in my case using public/private key.
But if I do:
scp -P 2222 file userserver@localhost:.
I get a "connection refused" message. The same happens if I replace 2222 above with the port found with:
netstat | grep ssh | grep ESTABLISHED
How can I send files without opening a new ssh connection (without a handshake)?
You can use the ControlMaster option in your ssh_config (~/.ssh/config), which creates a persistent connection for further ssh/scp/sftp sessions. It is easy as pie:
Host yourhost
Hostname fqdn.tld
# Port is only needed if required, but probably yes, if you do port-forwarding
# (ssh_config does not allow a trailing comment on the same line as an option)
Port port_number
ControlMaster auto
ControlPath ~/.ssh/master-%r@%h
ControlPersist 5m

How to pass ssh arguments into a ProxyCommand

I have been struggling with setting up a ProxyCommand to ssh through multiple hops. The issue I am having is integrating arguments in my normal ssh statement into the config file. I want to connect to IP2 via IP1. My username is greg and I am connecting using rsa. This is the one liner that will connect me:
ssh -A -t -p 22 -i ~/.ssh/private_key greg@IP1 ssh -A -t greg@IP2
I have tried a bunch of different config set ups and currently I am using:
Host ezConnect
ProxyCommand ssh %h nc IP2 22
HostKeyAlias IP2
HostName IP1
User greg
I know the issue is that it does not include the arguments I need, but wherever I try to put them it seems to break.
The reason I'm doing this is because I need to use a db GUI (navicat) to connect through a gateway server and the UI doesn't support a straight-up ssh command.
Any help would be appreciated.
I figured it out so here is the correct config file:
Host ezCon
Hostname IP2
User greg
ProxyCommand ssh -l greg -p 22 -i ~/.ssh/private_key IP1 -W %h:%p
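The answers above converge on the same two ideas: chain hosts with a `ProxyCommand` that uses `ssh -W` instead of netcat (the tcpdump-across-hops, "forbidden char/command" and pass-arguments-into-ProxyCommand questions), and keep one authenticated connection open with `ControlMaster` (the scp-through-tunnel answer). The script below is an added example, not code from any post on this page. It generates an ssh_config fragment that chains `door` to `dev` with the host names, ports, user and key path from the questions, audits a config file for ProxyCommand lines that still depend on `nc`/`netcat`/`ncat` on the jump host, and resolves the effective options with `ssh -G` when an OpenSSH client is installed. The `door`/`dev` aliases, the `cm-%r@%h:%p` control socket name and the temporary file location are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the posts above): generate, audit and resolve an
# ssh_config fragment that chains door -> dev with "ssh -W" and multiplexes
# later sessions with ControlMaster. Aliases and paths are constructed values.
set -eu

# gen_ssh_config JUMP_HOST JUMP_PORT INNER_HOST INNER_PORT USER KEY
# Prints the fragment on stdout; append it to ~/.ssh/config or use it with ssh -F.
gen_ssh_config() {
    jump=$1; jport=$2; inner=$3; iport=$4; user=$5; key=$6
    cat <<EOF
# Entry host, reachable from the outside.
Host door
    HostName $jump
    Port $jport
    User $user
    IdentityFile $key
    # Reuse one authenticated TCP connection for later ssh/scp/sftp sessions
    # instead of a fresh handshake (and password prompt) each time.
    ControlMaster auto
    ControlPath ~/.ssh/cm-%r@%h:%p
    ControlPersist 5m

# Inner host, reachable only through door. "ssh -W" asks door's sshd to
# forward the stream itself, so no nc/netcat binary is needed on door and
# filters that reject "nc" as a remote command never see one. Because the
# ProxyCommand is an ssh to "door", it rides on the control master above.
Host dev
    HostName $inner
    Port $iport
    User $user
    ProxyCommand ssh -W %h:%p door
EOF
}

# audit_proxycommands FILE
# Returns 0 when no ProxyCommand in FILE relies on nc/netcat/ncat on the jump
# host, 1 otherwise; offending lines go to stderr.
audit_proxycommands() {
    if grep -Ei '^[[:space:]]*ProxyCommand[[:space:]].*[[:space:]](nc|netcat|ncat)[[:space:]]' "$1" >&2; then
        return 1
    fi
    return 0
}

# show_effective FILE HOST
# Prints the options ssh would actually use for HOST (ssh -G, OpenSSH 6.8+),
# the quickest way to confirm that a ProxyCommand chain resolved as intended.
show_effective() {
    if ! command -v ssh >/dev/null 2>&1; then
        echo "ssh client not installed; skipping -G check" >&2
        return 0
    fi
    ssh -G -F "$1" "$2" 2>/dev/null \
        | grep -Ei '^(hostname|port|user|identityfile|proxycommand|controlpath) ' \
        || echo "ssh -G not supported by this client" >&2
}

# Demonstration with the values from the questions above; the config is
# written to a temporary file so nothing in ~/.ssh is touched.
cfg=$(mktemp)
gen_ssh_config door.example.com 2222 DEV.example.com 2222 greg '~/.ssh/private_key' > "$cfg"
audit_proxycommands "$cfg"
show_effective "$cfg" dev
rm -f "$cfg"
```

With the fragment in `~/.ssh/config`, `ssh dev`, `scp file dev:.`, `ssh dev "tcpdump -U -n -w - -i eth0" > dev.pcap` and `mosh dev` all go through `door` without the local command needing to know about the hop, and both password prompts come from ssh processes running on the local machine, which is what the nested `--server "ssh ... mosh-server"` form in the first question lacked. One caveat: `-W` depends on the jump host's sshd permitting TCP forwarding (`AllowTcpForwarding`); if an administrator has disabled that, `-W` fails just as `nc` did, and there is no client-side workaround.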