[clug] Cool ssh hack

Nathan Rickerby rickerby at gmail.com
Wed Jun 13 16:49:49 MDT 2012

On Sun, Jun 10, 2012 at 03:16:04PM +1000, Michael Still wrote:
> I saw this recently, and it's super cool. Perhaps other people would find
> it useful. I have many machines at home, and a single ssh jumphost which
> has external DNS and a routable IP. Here's how I can ssh to an internal
> machine called zii.home.stillhq.com or another machine named
> cat.home.stillhq.com by magic wherever I may be...
> $ cat ~/.ssh/config
> Host cat.home zii.home
>   ProxyCommand ssh jumphost.stillhq.com nc -q0 %h %p
> So, when I ssh to zii.home.stillhq.com, ssh actually connects to
> jumphost.stillhq.com. It then runs netcat, and pushes ssh traffic to it.
> So, there are two ssh authentications, but because I use key based
> authentication I don't even notice.
> I figured maybe this might be useful to others?
> Mikal

OpenSSH 5.4 and later have the following option:

  -W host:port
          Requests that standard input and output on the
          client be forwarded to host on port over the secure
          channel. ...

This can be used in place of 'ssh host nc ...'. The previous example

  $ cat ~/.ssh/config
  Host cat.home zii.home
    ProxyCommand ssh -W %h:%p jumphost.stillhq.com

It can also be useful to chain ProxyCommands together. Suppose zii was
only accessible from cat and jumphost.stillhq.com was only accessible
from trusted.example.com. With the following configuration, a
connection to zii would automatically connect via the three other

  $ cat ~/.ssh/config
  Host jumphost.stillhq.com
    ProxyCommand ssh -W %h:%p trusted.example.com

  Host cat.home
    ProxyCommand ssh -W %h:%p jumphost.stillhq.com

  Host zii.home
    ProxyCommand ssh -W %h:%p cat.home

With chained connections it can take a few seconds to get to the
final host. To improve this for following connections you might
consider enabling connection reuse by setting ControlMaster and
ControlPath. Now new connections to other hosts within 'home' will
reuse an existing connection to jumphost.
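
A worked example added here, not part of either message in the thread: a
POSIX sh script that takes the chained configuration above, adds the
ControlMaster/ControlPath/ControlPersist settings the last paragraph
recommends, and works out the hop chain a given Host name would produce by
parsing the config file rather than opening any connection. The config file
is constructed for the example; ControlPersist is assumed to be available
(OpenSSH 5.6 and later).

```shell
# Added example (not from the original post): resolve the chain of hops that chained
# "ProxyCommand ssh -W %h:%p NEXT" entries produce, without opening any connection.
# Config constructed from the thread plus the connection-reuse settings recommended above.
set -f                     # keep '*' in Host lines literal (no pathname expansion)
CFG=$(mktemp); trap 'rm -f "$CFG"' EXIT
cat >"$CFG" <<'EOF'
Host jumphost.stillhq.com
  ProxyCommand ssh -W %h:%p trusted.example.com
Host cat.home
  ProxyCommand ssh -W %h:%p jumphost.stillhq.com
Host zii.home
  ProxyCommand ssh -W %h:%p cat.home
Host *
  ControlMaster auto
  # socket under ~/.ssh (mode 700): whoever can open it gets sessions on the master
  ControlPath ~/.ssh/cm-%r@%h:%p
  ControlPersist 10m
EOF

# option_for HOST KEYWORD: prints KEYWORD's value for HOST. As in ssh, the first
# matching Host block that sets it wins; patterns are shell globs ('!' negation not handled).
option_for() {
  host=$1 kw=$2 match=0 found=
  while read -r key rest; do
    case $key in
      Host) match=0
            for pat in $rest; do
              case $host in $pat) match=1 ;; esac
            done ;;
      "$kw") if [ $match -eq 1 ] && [ -z "$found" ]; then found=$rest; fi ;;
    esac
  done <"$CFG"
  printf '%s\n' "$found"
}

# resolve_chain HOST: HOST followed by every hop ssh would open, ending at the host the
# client reaches directly. A ProxyCommand that is not 'ssh -W %h:%p NEXT' is printed as-is.
resolve_chain() {
  chain=$1 hop=$1 n=0
  while [ $n -lt 8 ] && pc=$(option_for "$hop" ProxyCommand) && [ -n "$pc" ]; do
    n=$((n + 1))
    case $pc in
      "ssh -W %h:%p "*) hop=${pc#"ssh -W %h:%p "}; chain="$chain $hop" ;;
      *) chain="$chain [$pc]"; break ;;
    esac
  done
  printf '%s\n' "$chain"
}
resolve_chain zii.home            # zii.home cat.home jumphost.stillhq.com trusted.example.com
option_for zii.home ControlPath   # ~/.ssh/cm-%r@%h:%p
```

Because the `Host *` block applies to every hop, each intermediate ssh started by a ProxyCommand also multiplexes over its own control socket, which is what lets a second connection into 'home' reuse the existing session to jumphost.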
