I talked today with a web developer who needed to reach a machine through SSH that is not directly accessible from the wild Internet. She told me that she opens a shell on each hop with ssh agent forwarding and then launches another ssh session from that shell. Of course that works, but my question was "Why don't you just use a ProxyCommand in your ~/.ssh/config for that host?". I have talked with quite a few people in the last months who did not know about the ProxyCommand feature in OpenSSH, so once again it was time to at least blog about it.

From man ssh_config:

ProxyCommand
Specifies the command to use to connect to the server ...

The man page has an example, but what I do is use ssh itself as the ProxyCommand. Just an example: suppose you need to reach HostB (not reachable from where you are) but you can reach HostA (and HostA can reach HostB). You can configure your ~/.ssh/config like this:

Host HostB  
  Hostname the.known.fqdn.as.resolvable.by.HostA  
  User arrfab  
  ForwardAgent yes  
  Port 22  
  ProxyCommand ssh remoteuser@HostA.with.ssh.access nc %h %p

And what if you need to reach HostC, which itself is only reachable from HostB? Let's just define a new Host section in ~/.ssh/config with another ProxyCommand!

Host HostC  
  Hostname the.known.fqdn.as.resolvable.by.HostB  
  User arrfab  
  ForwardAgent yes  
  Port 22  
  ProxyCommand ssh remoteuser@HostB nc %h %p

You can now directly run ssh HostC from your laptop/workstation and get a direct shell on HostC, even though it has to open a connection to HostA, from there to HostB, and finally to HostC. That also works for scp/sftp, so you can directly copy/retrieve files to/from HostC instead of copying from one hop to the next. More information about those features and the correct syntax is in man ssh_config.
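As an added example (not from the original post), here is a small Python checker that parses a ~/.ssh/config written in the style above and walks the ProxyCommand chain, so you can see exactly which hops `ssh HostC` will traverse and which of them would also receive your forwarded agent. The sample config is constructed for the example, and the list of ssh options taking an argument is an assumption covering the common forms (`nc %h %p` and `-W %h:%p`).

```python
# Constructed sample ~/.ssh/config, modelled on the HostB/HostC blocks above.
SAMPLE_CONFIG = """
Host HostB
  ForwardAgent yes
  ProxyCommand ssh remoteuser@HostA.with.ssh.access nc %h %p
Host HostC
  ProxyCommand ssh -W %h:%p remoteuser@HostB
"""
_OPT_WITH_ARG = {"-W", "-p", "-i", "-o", "-F", "-l", "-J", "-b"}  # ssh options taking an argument

def parse_ssh_config(text):
    """Return {host_alias: {keyword_lowercase: value}} for each Host block."""
    hosts, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "host":
            current = hosts.setdefault(value.strip(), {})
        elif current is not None:
            current[key.lower()] = value.strip()
    return hosts

def proxy_hop(proxy_command):
    """Extract the intermediate host from an 'ssh [opts] [user@]hop ...' command."""
    tokens = proxy_command.split()
    if not tokens or tokens[0].rsplit("/", 1)[-1] != "ssh":
        return None  # not an ssh-based ProxyCommand (e.g. plain nc through a proxy)
    skip = False  # True while the previous token was an option taking an argument
    for tok in tokens[1:]:
        if skip or tok in _OPT_WITH_ARG:
            skip = tok in _OPT_WITH_ARG
        elif not tok.startswith("-"):
            return tok.rsplit("@", 1)[-1]
    return None

def resolve_chain(hosts, target):
    """Sessions opened by `ssh target`: target first, then each ProxyCommand hop outward."""
    chain, current = [], target
    while current is not None:
        if current in chain:  # a hop proxying through itself would recurse forever
            raise ValueError("ProxyCommand loop at " + current)
        chain.append(current)
        current = proxy_hop(hosts.get(current, {}).get("proxycommand", ""))
    return chain

def agent_forwarding_hops(hosts, target):
    # The ProxyCommand session is end-to-end, so intermediate hops rarely need ForwardAgent.
    return [h for h in resolve_chain(hosts, target)
            if hosts.get(h, {}).get("forwardagent", "no").lower() == "yes"]
```

Because the connection to the final host is tunnelled end-to-end through the hops, ForwardAgent on the intermediate Host sections is usually unnecessary; the last function simply lists where it is still switched on.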

Hope that you find this useful if you didn't know it already.