Ssh – Determine the target of an SSH connection at runtime

ssh

I want to determine the target address of an SSH connection with a function call that generate the address to connect to. All of the examples using ProxyCommand that I can find online use the -W flag to hop to a second machine. I tried that with localhost for the second machine, and that worked but required SSH authentication twice which I didn't like.

I am trying to call ssh inside of the ProxyCommand without forwarding to second hop. Right now, I have in my .ssh/config file:

Host test
    ProxyCommand ssh user@address

When I do ssh test, it seems to connect okay but after connecting there is a blank prompt that does not respond to input, so it seems stdin/stdout must not be directed properly.

Related questions:

Use a dynamically obtained hostname with an ssh config entry

How to get HostName from executable script in SSH config file?

Dynamically generate SSH Host entries in ~/.ssh/config

Best Answer

Since you don't pass a command to ssh, it runs a shell, which expects commands on its standard input. But you aren't passing it shell commands, you're passing it SSH traffic. Hilarity ensues.

Tunnelling is the whole point of ProxyCommand. This example tunnels an SSH connection inside an SSH connection. If you don't want to tunnel, ProxyCommand is not what you're looking for.

Since OpenSSH 6.4, you can use a Match directive with the exec keyword to include blocks conditionally based on a run-time directive. A typical use case is to have different actual host names or proxy commands depending on where your laptop is. Each Match block replaces a Host block, and you can't use the output of the command to determine the host name, only the fact that it exited with status 0.

# Connection inside ACME network
Match host foo exec on-acme-network
HostName foo.acme.local

# Connection from outside ACME
Host foo
HostName foo.example.com

Proxying is another option. To make a connection to a host name and port that are determined at connection time, you can use netcat to set up the TCP connection.

Host foo
ProxyCommand nc $(determine-target-host-name) 22

If you want a fully dynamic .ssh/config, you can make it a named pipe and ensure that a process is always writing to it. Or put it on scriptfs.

1 - general case

Suppose you have two server in a company network.

From local server "L1" you have access to a remote server "R1" via ssh on port 22.

The server R1 host a web service, but firewall/NAT/whatever block direct access to port 80.
"R1" can't access "L1" directly due to NAT issue.

from L1 you connect using (same user on both host)

ssh -L 10080:localhost:80 -R 10022:localhost:22 R1

now,

-L 10080:localhost:80 local browsing on 10080 will be forward to distant host (R1), localhost (e.g. distant 127.0.0.1) on port 80, thus you could browse distant host (R1), while blocked by firewall/NAT.
-R 10022:localhost:22 remote use of port 10022 will be forwarded to localhost (L1) port 22, you can initiate scp/ssh from remote to localhost. (using scp -P 10022 file localhost: (note upper -P ) )

This is actually a command line I use from an Ubuntu (14.04) laptop to go to production server (I can firefox to localhost:10080 and use scp from server to localhost:10022 to bring back file )

now your IP are

192.168.1.1 L1
172.17.17.1 R1

you use

ssh -L 10080:172.17.17.3:80 -R 10022:192.168.1.5:22 \
     -L 192.168.1.9:8888:172.17.17.9:9999 R1

now

distant access to port 10022 (any IP) will be forwarded to local 192.168.1.5 ssh/scp.
local access to port 10080 (any IP) will be forwarded to distant host 172.17.17.3 port 80.
local access to port 8888 from 192.168.1.9 will be forwarded to port 9999 on 172.17.17.9 (192.168.1.9 is a local address in L1, using alias mecanism, this is not a firewall rule).

those setting can be used on putty/bitwise client

Ask Ubuntu question

what about

 -R 8000:localhost:80

this read as

-R remote
8000 port 8000 (remote port 8000 ... )
localhost (remote port 8000 goest to localhost .. )
80 ( remote port 8000 goes to localhost port 80 )

Ssh – iptables unable to block local ssh connection

Most probably, localhost resolves to an IPv6 address (::1) which is not filtered by iptables (use ip6tables).

The output of:

strace -e connect ssh localhost

will tell you what IP address and what protocol are used.

Best Answer

Related Solutions

Ssh – What does port forwarding mean in “SSH port forwarding”

1 - general case

Ask Ubuntu question

Ssh – iptables unable to block local ssh connection

Related Question