Michael Still | 10 Jun 2012 07:16

[clug] Cool ssh hack

I saw this recently, and it's super cool. Perhaps other people would find
it useful. I have many machines at home, and a single ssh jumphost which
has external DNS and a routable IP. Here's how I can ssh to an internal
machine called zii.home.stillhq.com or another machine named
cat.home.stillhq.com by magic wherever I may be...

$ cat ~/.ssh/config
Host cat.home zii.home
  ProxyCommand ssh jumphost.stillhq.com nc -q0 %h %p

So, when I ssh to zii.home.stillhq.com, ssh actually connects to
jumphost.stillhq.com. It then runs netcat, and pushes ssh traffic to it.
So, there are two ssh authentications, but because I use key based
authentication I don't even notice.

I figured maybe this might be useful to others?

Mikal
--

-- 
linux mailing list
linux@...
https://lists.samba.org/mailman/listinfo/linux

Martin Schwenke | 10 Jun 2012 22:56

Re: [clug] Cool ssh hack

On Sun, 10 Jun 2012 15:16:04 +1000, Michael Still <mikal@...>
wrote:

> I saw this recently, and it's super cool. Perhaps other people would find
> it useful. I have many machines at home, and a single ssh jumphost which
> has external DNS and a routable IP. Here's how I can ssh to an internal
> machine called zii.home.stillhq.com or another machine named
> cat.home.stillhq.com by magic wherever I may be...
> 
> $ cat ~/.ssh/config
> Host cat.home zii.home
>   ProxyCommand ssh jumphost.stillhq.com nc -q0 %h %p
> 
> So, when I ssh to zii.home.stillhq.com, ssh actually connects to
> jumphost.stillhq.com. It then runs netcat, and pushes ssh traffic to it.
> So, there are two ssh authentications, but because I use key based
> authentication I don't even notice.

If you want a bit more transparency, can identify your network by its
IP range, and are happy to put up with the overhead of an extra netcat
process when at home, then you can do this:

Host    cat zii *.home
        ProxyCommand            ssh_proxy_home %h %p

The script ssh_proxy_home looks like this:

$ cat bin/ssh_proxy_home
#!/bin/sh


Nathan Rickerby | 14 Jun 2012 00:49

Re: [clug] Cool ssh hack

On Sun, Jun 10, 2012 at 03:16:04PM +1000, Michael Still wrote:
> I saw this recently, and it's super cool. Perhaps other people would find
> it useful. I have many machines at home, and a single ssh jumphost which
> has external DNS and a routable IP. Here's how I can ssh to an internal
> machine called zii.home.stillhq.com or another machine named
> cat.home.stillhq.com by magic wherever I may be...
> 
> $ cat ~/.ssh/config
> Host cat.home zii.home
>   ProxyCommand ssh jumphost.stillhq.com nc -q0 %h %p
> 
> So, when I ssh to zii.home.stillhq.com, ssh actually connects to
> jumphost.stillhq.com. It then runs netcat, and pushes ssh traffic to it.
> So, there are two ssh authentications, but because I use key based
> authentication I don't even notice.
> 
> I figured maybe this might be useful to others?
> 
> Mikal

OpenSSH 5.4 and later have the following option:

  -W host:port
          Requests that standard input and output on the
          client be forwarded to host on port over the secure
          channel. ...

Which can be used in place of 'ssh host nc ...'. The previous example
becomes:

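The two ideas in the replies above (choosing the route from the client's IP range, and OpenSSH's -W in place of 'ssh host nc'), combined as an added example; it is not the ssh_proxy_home script or the configuration from either message, both of which are cut off on this page. The script name, the 192.168.1.0/24 home range and the use of `ip` from iproute2 are assumptions.

```shell
#!/bin/sh
# Added example: hypothetical ProxyCommand helper, not the thread's script.
# ~/.ssh/config usage (name is an assumption):
#   ProxyCommand ssh_proxy_example %h %p
HOME_NET="192.168.1.0/24"        # assumption: home LAN range
JUMPHOST="jumphost.stillhq.com"  # jumphost named in the thread

# Convert a dotted-quad IPv4 address to an integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# Succeed if address $1 lies inside CIDR block $2.
in_cidr() {
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "${2%/*}") & mask )) ]
}

# Reject a host or port that ssh or nc could read as an option or
# that contains anything other than hostname characters and digits.
valid_target() {
    case $1 in ''|-*|*[!A-Za-z0-9.-]*) return 1 ;; esac
    case $2 in ''|*[!0-9]*) return 1 ;; esac
}

# Print the relay command for target $1:$2 given client address $3.
proxy_command() {
    if in_cidr "$3" "$HOME_NET"; then
        echo "nc $1 $2"                 # at home: direct netcat relay
    else
        echo "ssh -W $1:$2 $JUMPHOST"   # away: stdio forwarded via jumphost
    fi
}

# Act as a ProxyCommand only when called with host and port.
if [ "$#" -eq 2 ]; then
    valid_target "$1" "$2" || { echo "refusing target $1:$2" >&2; exit 1; }
    # Assumption: Linux with iproute2; take the first global IPv4 address.
    my_ip=$(ip -o -4 addr show scope global | awk '{print $4; exit}' | cut -d/ -f1)
    exec $(proxy_command "$1" "$2" "${my_ip:-0.0.0.0}")
fi
```

Matching on an address range is only a hint: any network that uses the same private range looks like home, so the target's SSH host key check remains the real verification of which machine answered.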

