
I'm trying to tunnel to a server via a bridge server. So far, I've been able to get it working from the command shell properly using the following command:

ssh -A -t [email protected] ssh -A [email protected]

But I've been trying to wrap this into my ~/.ssh/config file and I have troubles. I've tried:

Host axp
  User          remote_userid
  HostName      remoteserver.com
  IdentityFile  ~/.ssh/id_rsa.eric
  ProxyCommand ssh -A -t bridge_userid@bridge_userid.com ssh -A remote_userid@%h

But when I do, I get the following error message from remoteserver.com and I'm not sure what is causing it:

ksh: SSH-2.0-OpenSSH_6.8^M: not found

I know that when I log into remoteserver.com , my shell is /usr/bin/ksh.

I've tried to add path arguments to the ssh commands in the config file, but it made no difference.

Any ideas what it can be?

Eric B. (edited by GabLeRoux)
  • That's just not how `ProxyCommand` is meant to be used. Typically it is used with netcat where ssh is piping its output through it and netcat is acting as the tunnel to the _remoteserver_ SSH port. You need a ProxyCommand something like `ssh -W %h:%p [email protected]` if you want to use that feature. – DanSut Oct 09 '15 at 01:17
  • Unfortunately my bridge server does not have netcat installed on it, so I'm trying to get this to work some other way. I figured if it could work from the command line, there should be a way to put the info in a config file. – Eric B. Oct 09 '15 at 01:25
  • In your command line usage that works you are giving `ssh -A [email protected]` as a command to run on the bridge machine, config does not give you a way of supplying default commands. What you attempt to do `works` in itself but then ssh tries to use your `ProxyCommand` as a tunnel and starts firing SSH protocol down it where there is a shell waiting at the other end rather than an sshd listening for SSH protocol. – DanSut Oct 09 '15 at 12:10
  • @dansut worked great. Thx! – Eric B. Oct 09 '15 at 13:14

2 Answers

Jakuje's answer is right, but since OpenSSH 7.3 you can now use -J / ProxyJump, which is easier. See my notes:

OpenSSH 7.3 or above

Use ProxyJump. As explained in the manual:

-J [user@]host[:port]
Connect to the target host by first making an ssh connection to the jump host and then establishing a TCP forwarding to the ultimate destination from there. Multiple jump hops may be specified separated by comma characters. This is a shortcut to specify a ProxyJump configuration directive.

ProxyJump ~/.ssh/config example

~/.ssh/config

Host server1
  Hostname server1.example.com
  IdentityFile ~/.ssh/id_rsa

Host server2_behind_server1
  Hostname server2.example.com
  IdentityFile ~/.ssh/id_rsa
  ProxyJump server1

Connect with

ssh server2_behind_server1 -v

Add -v for verbose output

ProxyJump -J Command line example

~/.ssh/config

Host server1
  Hostname server1.example.com
  IdentityFile ~/.ssh/id_rsa

Host server2
  Hostname server2.example.com
  IdentityFile ~/.ssh/id_rsa

Connect with

ssh server2 -J server1 -v

Or use -o

ssh server2 -o 'ProxyJump server1' -v

OpenSSH 5.4 or above

Use ProxyCommand with -W

~/.ssh/config

Host server1
  Hostname server1.example.com
  IdentityFile ~/.ssh/id_rsa

Host server2
  Hostname server2.example.com
  IdentityFile ~/.ssh/id_rsa
  ProxyCommand ssh server1 -W %h:%p

Connect with

ssh server2 -v

Or use -o

ssh server2 -o 'ProxyCommand ssh server1 -W %h:%p' -v

OpenSSH below 5.4

~/.ssh/config

Host server1
  Hostname server1.example.com
  IdentityFile ~/.ssh/id_rsa

Host server2
  Hostname server2.example.com
  IdentityFile ~/.ssh/id_rsa
  ProxyCommand ssh server1 nc %h %p 2> /dev/null

Connect with:

ssh server2 -v

Or use -o

ssh server2 -o 'ProxyCommand ssh server1 nc %h %p 2> /dev/null' -v

Sources

-J added in OpenSSH 7.3

  • ssh(1): Add a ProxyJump option and corresponding -J command-line flag to allow simplified indirection through a one or more SSH bastions or "jump hosts".

-W added in OpenSSH 5.4

  • Added a 'netcat mode' to ssh(1): "ssh -W host:port ..." This connects stdio on the client to a single port forward on the server. This allows, for example, using ssh as a ProxyCommand to route connections via intermediate servers. bz#1618
kenorb (edited by GabLeRoux)

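The three variants above differ only in the proxy directive of the target's stanza. As an added example, not part of kenorb's answer, the following POSIX shell script reads the client's `ssh -V` banner, picks the directive the installed client supports (ProxyJump from 7.3, ProxyCommand with -W from 5.4, an nc relay before that, per the release notes quoted above) and emits the two Host stanzas. The function names are mine; server1/server2 are the answer's placeholders.

```shell
#!/bin/sh
# Added example, not part of kenorb's answer: choose the jump-host directive
# that the installed OpenSSH client supports, following the thresholds above
# (ProxyJump from 7.3, ProxyCommand -W from 5.4, nc relay before that), and
# emit the two Host stanzas. Function names and the server1/server2 placeholders
# are mine; the thresholds are from the release notes quoted in the answer.

# Extract "major.minor" from an `ssh -V` banner, e.g.
# "OpenSSH_6.8p1, OpenSSL 1.0.1k 8 Jan 2015" -> "6.8".
ssh_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Succeed when "major.minor" $1 is at least "major.minor" $2 (numeric
# comparison, so 7.10 would compare above 7.3).
version_ge() {
    a_major=${1%%.*}; a_minor=${1#*.}
    b_major=${2%%.*}; b_minor=${2#*.}
    [ "$a_major" -gt "$b_major" ] ||
        { [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -ge "$b_minor" ]; }
}

# Print the directive for the target's Host stanza, given the client version
# ($1) and the jump host alias ($2). %h and %p are expanded by ssh, not here.
proxy_directive() {
    if version_ge "$1" 7.3; then
        printf 'ProxyJump %s\n' "$2"
    elif version_ge "$1" 5.4; then
        printf 'ProxyCommand ssh %s -W %%h:%%p\n' "$2"
    else
        printf 'ProxyCommand ssh %s nc %%h %%p 2> /dev/null\n' "$2"
    fi
}

# Print both stanzas: $1 client version, $2/$3 jump alias and hostname,
# $4/$5 target alias and hostname.
config_stanzas() {
    printf 'Host %s\n  Hostname %s\n  IdentityFile ~/.ssh/id_rsa\n\n' "$2" "$3"
    printf 'Host %s\n  Hostname %s\n  IdentityFile ~/.ssh/id_rsa\n  %s\n' \
        "$4" "$5" "$(proxy_directive "$1" "$2")"
}

# Stand-alone use: `sh jump_config.sh --run` reads the real client version
# (ssh -V prints its banner on stderr). An unknown banner falls back to nc.
if [ "${1:-}" = "--run" ]; then
    version=$(ssh_version_from_banner "$(ssh -V 2>&1)")
    config_stanzas "${version:-0.0}" server1 server1.example.com server2 server2.example.com
fi
```

Paste the printed stanzas into ~/.ssh/config and connect with `ssh server2 -v` exactly as in the answer; the version check only decides which of the three directives is written.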

You don't need netcat on your bridge. As DanSut proposed in the comments, you can use the ssh -W command-line option instead; this configuration should work for you:

Host axp
  User          remote_userid
  HostName      remoteserver.com
  IdentityFile  ~/.ssh/id_rsa.eric
  ProxyCommand ssh -AW %h:%p bridge_userid@bridge_userid.com
Jakuje (edited by GabLeRoux)
  • It worked. Thanks. Not sure why, but am sure I had tried it once already in failure, but I tried again with success. Thanks. – Eric B. Oct 09 '15 at 13:13
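The -A in the ProxyCommand above forwards the agent to the bridge, which the -W tunnel does not need: with -W the bridge only relays bytes, and the client authenticates to remoteserver.com end to end with its local agent, so the bridge never has to see it. As an added example, not part of Jakuje's answer, this script lints a config file for the two ProxyCommand pitfalls in this thread: a ProxyCommand that runs a remote ssh command instead of a stdio tunnel (the cause of the ksh error in the question) and a ProxyCommand that forwards the agent into the bridge. The sample config is constructed from the stanzas in this thread; the function names and messages are mine.

```shell
#!/bin/sh
# Added example, not part of Jakuje's answer: lint ssh_config stanzas for two
# ProxyCommand pitfalls from this thread (function and message names are mine):
#   1. the ProxyCommand runs a remote command ("ssh bridge ssh target") rather
#      than a stdio tunnel (-W or nc); ssh then writes its protocol banner into
#      a shell on the bridge, producing "ksh: SSH-2.0-...: not found";
#   2. the ProxyCommand forwards the agent into the bridge (-A), which -W does
#      not need and which exposes the local agent to whoever controls the bridge.
# Reads the config from the file named in $1, or from stdin when no argument
# is given. Prints one line per finding and exits 1 if there were any.
# Only the "Keyword value" spelling is handled, not "Keyword=value".
lint_ssh_config() {
    awk '
    tolower($1) == "host" { host = $2 }
    tolower($1) == "proxycommand" {
        cmd = $0
        sub(/^[ \t]*[Pp][Rr][Oo][Xx][Yy][Cc][Oo][Mm][Mm][Aa][Nn][Dd][ \t]+/, "", cmd)
        # A stdio tunnel is either an ssh -W flag (possibly bundled, e.g. -AW)
        # or a netcat-style relay appearing as a separate word.
        if (cmd !~ /(^|[ \t])-[A-Za-z]*W([ \t]|$)/ &&
            cmd !~ /(^|[ \t])(nc|netcat|ncat|socat)([ \t]|$)/) {
            print host ": ProxyCommand is not a stdio tunnel (use ssh -W %h:%p or nc): " cmd
            bad = 1
        }
        # -A anywhere in a short-option cluster forwards the agent to the bridge.
        if (cmd ~ /(^|[ \t])-[A-Za-z]*A[A-Za-z]*([ \t]|$)/) {
            print host ": ProxyCommand forwards the agent to the bridge (-A); -W does not need it"
            bad = 1
        }
    }
    END { exit (bad ? 1 : 0) }
    ' ${1:+"$1"}
}

# Constructed sample config: the stanza from the question, the -AW fix from
# the answer, the same fix without -A, and the nc fallback.
sample_config() {
    cat <<'EOF'
Host axp
  User remote_userid
  HostName remoteserver.com
  ProxyCommand ssh -A -t bridge_userid@bridge_userid.com ssh -A remote_userid@%h

Host axp-jakuje
  HostName remoteserver.com
  ProxyCommand ssh -AW %h:%p bridge_userid@bridge_userid.com

Host axp-fixed
  HostName remoteserver.com
  ProxyCommand ssh -W %h:%p bridge_userid@bridge_userid.com

Host server2
  Hostname server2.example.com
  ProxyCommand ssh server1 nc %h %p 2> /dev/null
EOF
}

# Stand-alone use: `sh lint_ssh_config.sh --run` lints the sample; pass a real
# path to lint_ssh_config to check your own ~/.ssh/config.
if [ "${1:-}" = "--run" ]; then
    sample_config | lint_ssh_config
fi
```

Run against the sample, the linter reports axp twice (no stdio tunnel, and -A) and axp-jakuje once (-A only); axp-fixed and server2 pass, because -W and nc both make the ProxyCommand a byte relay rather than a remote shell.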