SSH – Fix Bad Stdio Forwarding Specification ‘%h:%p’ on macOS

macmacosssh

I am on macOS Sierra, and my SSH version is :
OpenSSH_7.5p1, OpenSSL 1.0.2l 25 May 2017

I have this content in my .ssh/config :

Host db
  User user
  HostName 192.168.1.111
  ProxyCommand ssh user@db -W %h:%p

Host website
  User user
  HostName 192.168.1.100
  ProxyCommand ssh user@Website -W %h:%p

I also have a server with a public IP, that has direct connection with these two servers, I want to forward my SSH connection through this public server to my private servers (db and website).

When I use this command:

ssh user@db -W %h:%p

I get this error:

Bad stdio forwarding specification '%h:%p'

Now, what should I do to solve this problem and connect my macOS host to my private servers?

Best Answer

Your config file as well as the command are wrong.

The ProxyCommand line should contain the JumpHost's user/hostname but not the final destination.

Config file:

Host db
  User dbuser
  HostName 192.168.1.111 #db host name/IP
  ProxyCommand ssh user_public_server@public_server -W %h:%p

Host website
  User websiteuser
  HostName 192.168.1.100 #website host name/IP
  ProxyCommand ssh user_public_server@public_server -W %h:%p

The command is then simply ssh db or ssh website because the user friendly Host's name (e.g. db) as defined in the config file is expanded to the HostName/IP (e.g. 192.168.1.111).

Heading

MacOS – Can’t use machine name to login using SSH anymore on Yosemite, how to fix

In your local network setup all services heavily rely on a properly working Bonjour service (dns-sd), because you have no local domain name service.

To detect propagated dns-sd services of a host use the following command (please replace "ip-address" below by the ip-address of your Mac named user-mbp; use ifconfig -a on that Mac to get it):

dig _services._dns-sd._udp.local ptr @ip-address -p 5353

The dig output of a well working Bonjour service of a host looks like this :

; <<>> DiG 9.8.5-P1 <<>> _services._dns-sd._udp.local ptr @192.168.177.9 -p 5353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37167
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;_services._dns-sd._udp.local.  IN  PTR

;; ANSWER SECTION:
_services._dns-sd._udp.local. 10 IN PTR _ssh._tcp.local.
_services._dns-sd._udp.local. 10 IN PTR _sftp-ssh._tcp.local.

;; Query time: 4 msec
;; SERVER: 192.168.177.9#5353(192.168.177.9)
;; WHEN: Wed Jul 29 02:00:16 CEST 2015
;; MSG SIZE  rcvd: 94

As you can see I have only one service enabled: ssh (+ sftp-ssh)

To detect and get the names of all local hosts providing a special service (in my example ssh, check for more services here) use:

dns-sd -B _ssh._tcp local

If you want to skip detection after a while just enter ctrlC.

My output:

Browsing for _ssh._tcp.local
Timestamp     A/R Flags if Domain     Service Type              Instance Name
2:51:05.778  Add     2  4 local.      _ssh._tcp.                MyMac

If you don't get a similar results, your dns-sd is broken and all other tools like ping, nslookup (and consequently all tools relying on that like ssh) will not work in your namespace since you don't have a local DNS-server as alternative. The DNS-server in your router (usually a DNS caching only server) as well as the DNS-servers of your ISP and the superior root servers know nothing about your local network and namespace.

To temporarily fix this (check man dns-sd) the following - executed on user-mbp - should work:

dns-sd -R user-mbp _ssh._tcp. local 22

You may even propagate a user and a password (I didn't test that and i don't know how that should work or how secure it is):

dns-sd -R user-mbp _ssh._tcp. local 22 u=<username> p=<password>

To permanently fix this, first update to 10.10.4 with the Combo Updater, check the search domain settings of your router's DHCP-server, delete all caches (e.g. with Onyx or Yosemite Cache Cleaner), use a *.local name (e.g. user-mbp.local instead of user-mbp) where appropriate (e.g. Sharing Prefs, shell), don't use "local" as search domain in your network prefs and then repair your Bonjour service with several answers provided here at stackexchange or if nothing helps alternatively set-up dnsmasq.

P.S. You should always use the full Bonjour-name (e.g. user-mbp.local) to address a local host/device using dns-sd. The reason to do so is the following:

A lot of routers provide a search domain for easier configuration if on-board DHCP is enabled or propagate an ISP connection specific domain name. Examples: The default search domain of my Fritz!Box is "fritz.box", the default search domain for some DLink routers seems to be "local".

If your Mac uses DHCP to assign an IP, the default search domain will be applied also. In my case pinging "myothermac" automatically appends ".fritz.box" and the host myothermac.fritz.box will be probed. If you don't have a DNS-server in your local network with a primary zone "fritz.box." containing a host with the name "myothermac", the command ping myothermac will fail. Unlike to ping myothermac.local, which should work if Bonjour is set-up properly.

Since most routers aren't Bonjour-aware, change any default search domain settings containing "*.local" or "local" or apparently some DLink routers with an empty search domain to something else like "happy.home" to avoid any conflicts with the Bonjour service.

Best Answer

Related Solutions

MacOS – Mac OS X Server Mail services and Push Notifications to iOS devices

Heading

MacOS – Can’t use machine name to login using SSH anymore on Yosemite, how to fix

Related Question