I discussed today with a web developer who needed to reach a machine through ssh that was not directly accessible from the wild Internet. In fact, she told me that she takes a shell on each hop with ssh agent forwarding and from that shell launches another ssh session. Well, of course that works, but my question was "Why don't you just simply use a ProxyCommand in your ~/.ssh/config for that host?". I have talked with quite a few people in the last months who did not know about the ProxyCommand feature in OpenSSH, so once again it was time to at least blog about it.
man ssh_config:
Specifies the command to use to connect to the server ...
The man page has an example, but what I do is use ssh itself as the ProxyCommand. Just an example: suppose you need to reach HostB (not reachable from where you are) but you can reach HostA (and HostA can reach HostB). You can configure your ~/.ssh/config like this:
    Host HostB
        Hostname the.known.fqdn.as.resolvable.by.HostA
        User arrfab
        ForwardAgent yes
        Port 22
        ProxyCommand ssh remoteuser@HostA.with.ssh.access nc %h %p
And what if you need to reach HostC, which itself is only reachable from HostB? Let's just define a new Host section in ~/.ssh/config with another ProxyCommand:
    Host HostC
        Hostname the.known.fqdn.as.resolvable.by.HostB
        User arrfab
        ForwardAgent yes
        Port 22
        ProxyCommand ssh remoteuser@HostB nc %h %p
You can now directly run ssh HostC from your laptop/workstation and get a shell on HostC, even though ssh has to open a connection to HostA, from there to HostB, and finally to HostC. That also works for scp/sftp, so you can directly copy/retrieve files to/from HostC instead of copying from one host to the next hop. More information about those features and the correct syntax in
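As an added example (not from the original post), the shell function below generates chained Host stanzas of the kind shown above for an ordered list of hops, each one tunnelled through the hop before it with the same ssh + nc ProxyCommand. It deliberately leaves out ForwardAgent: with ProxyCommand the intermediate hosts only relay TCP, and authentication to every hop happens from your own workstation, so the agent never needs to be exposed to them. The hostnames and user in the test are constructed placeholders.

```shell
#!/bin/sh
# Added example: print ~/.ssh/config stanzas that chain hops with
# ProxyCommand. First hop is reached directly; every later hop is
# reached through the previous one. Hostnames are placeholders.

# ssh_chain_config USER HOP1 HOP2 ... -> one Host block per hop on stdout
ssh_chain_config() {
    user=$1; shift
    prev=""
    for hop in "$@"; do
        alias=${hop%%.*}      # short alias = first DNS label of the FQDN
        printf 'Host %s\n' "$alias"
        printf '    Hostname %s\n' "$hop"
        printf '    User %s\n' "$user"
        printf '    Port 22\n'
        if [ -n "$prev" ]; then
            # tunnel through the previous hop; %%h/%%p print literal %h/%p,
            # which ssh expands to this stanza's Hostname and Port.
            # No ForwardAgent here: the relay host never needs the agent.
            printf '    ProxyCommand ssh %s nc %%h %%p\n' "$prev"
        fi
        printf '\n'
        prev=$alias
    done
}

# Number of stanzas that carry a ProxyCommand (all hops except the first).
count_proxy() {
    ssh_chain_config "$@" | grep -c '^    ProxyCommand'
}
```

Append the output to ~/.ssh/config and run ssh -G HostC to see the options ssh actually resolves for the final hop before connecting.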
Hope you find that useful if you didn't know it already.