[Cialug] SSH Trickery

Aaron Porter atporter at gmail.com
Mon Nov 21 17:27:23 CST 2005


A friend recently pointed this method out to me, and it's too handy not to
pass on.

I've got two networks (work and home) that severely limit inbound connections
(nat at home, restrictive firewall/IDS/etc at work). On both ends, there are
"bastion" hosts that allow inbound ssh. From that host, I can connect on to
anywhere on the network. Works fine, but can be a PITA when I want to say
rsync a copy of the x-org debs from the mirror at work to the fileserver at
home. I used to have a nasty ad-hoc port-forwarding mess. Nasty. That and
ssh listening on odd ports on my nat box to reach inside hosts... hard to
maintain, didn't always work nice with scp/rsync/X/etc. Enter the OpenSSH
ProxyCommand option.... I put the stanzas below into ~/.ssh and life is
good. It assumes you've got netcat installed on your bastion host, and I
think the -q option to nc might be a debian-ism, but oh so nice.


Host *.work.gov
    ProxyCommand ssh -a -x ip.of.bastion.host nc -q 1 %h %p
    Protocol 2
    Cipher blowfish-cbc
    Compression yes
    Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
    EscapeChar ~

Host *.home.org
    ProxyCommand ssh -a -x ip.of.home.gateway nc -q 1 %h %p
    Protocol 2
    Cipher blowfish-cbc
    Compression yes
    Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
    EscapeChar ~
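As an added example (not the stanzas from the post above): the same two-hop layout written for a newer OpenSSH, where `ProxyCommand ssh -W %h:%p` (OpenSSH 5.4 and later) or `ProxyJump` (7.3 and later) replaces the netcat relay, so nothing has to be installed on the bastion and the `-q` portability question goes away. The host aliases, addresses and user name are placeholders.

```sshconfig
# Added example; not the original post's configuration.
# The bastion hops themselves. The post's "ssh -a -x" becomes
# ForwardAgent no / ForwardX11 no, so the relay hop carries nothing extra.
Host work-bastion
    HostName ip.of.bastion.host    # placeholder
    User someuser                  # placeholder
    ForwardAgent no
    ForwardX11 no

Host home-gateway
    HostName ip.of.home.gateway    # placeholder
    ForwardAgent no
    ForwardX11 no

# Inside hosts at work: OpenSSH 7.3+ can jump through the bastion directly.
Host *.work.gov
    ProxyJump work-bastion
    Compression yes

# Same thing for OpenSSH 5.4 to 7.2: "ssh -W" asks the bastion's sshd to
# open the TCP connection to %h:%p, so netcat is not needed on the bastion.
Host *.home.org
    ProxyCommand ssh -W %h:%p home-gateway
    Compression yes
```

In both forms the bastion only relays TCP; the inner SSH session is negotiated end to end, so the client still verifies the inside host's key itself, and scp/rsync/X work unchanged because they just call `ssh host`.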