Problem:
- ssh agent forwarding (ssh -A) through hop hosts: root on any hop can use the forwarded agent socket
- ssh chaining/nesting (ssh h1 'ssh h2 "ssh h3"')
- traffic is decrypted temporarily on h1 and h2 (cleartext on every hop)
- no scp through nested ssh (ssh -t galileo ssh tina)

Solution: ssh stacking (ssh -o ProxyCommand)

SSH option ProxyCommand: instead of opening a TCP connection itself, ssh talks to the proxy program through the proxy's standard input and output streams. Here the proxy is an ssh session to the gateway (wall) that runs nc towards the destination, so the inner ssh session to dest is encrypted end-to-end and the gateway only relays ciphertext.

# minimal:
cat >> .ssh/config << EOF
Host dest
    ProxyCommand ssh userx@wall.example.com nc -w 1 %h %p
EOF
# since ssh-v5.3 nc can be replaced by option: -W %h:%p (untested, please give feedback),
#   i.e. ProxyCommand ssh -W %h:%p userx@wall.example.com
# -w 1: nc timeout in seconds; some nc versions also close the connection after
#   that many idle seconds, which kills the session (see "Broken pipe" under Errors below)
# %h = hostname as ssh resolves it (HostName if set, otherwise the Host alias, here "dest"),
#   looked up on the gateway; %p = port (22)

# comfortable:
cat >> .ssh/config << EOF
Host *.example.com wall dest
    User userx
    Port 22
    IdentityFile ~/.ssh/id_firma
    ServerAliveInterval 240

Host dest
    HostName dest.example.com
    #ProxyCommand ssh wall socket -q %h %p
    ProxyCommand ssh wall nc %h %p
    ## additional forward localhost:33306 to dest:3306
    # LocalForward 33306 localhost:3306

Host wall
    HostName wall.example.com
EOF
# note: ssh keeps the first value it finds for each option, so the wildcard block
# above also applies to dest and wall and cannot be overridden by the later blocks

ssh -v dest     # output captured with the socket variant active
debug1: Reading configuration data /home/userx/.ssh/config
debug1: Applying options for dest
debug1: Applying options for *
debug1: Executing proxy command: exec ssh wall socket -q dest.example.com 22

localpc --- (ssh wall nc ...) --- wall --- (nc dest.example.com 22) --- dest:22
   \                                                                     /
    -------- (ssh dest, carried over stdin/stdout of "ssh wall nc") -----

Useful for:
- scp dest:file .   # where dest is behind a firewall
- CVSROOT=dest && CVS_RSH=ssh
- further nesting
- ssh -X dest
- ssh -L3128:proxy.example.com:3128 dest

Advantage:
- more secure than chaining: the inner session is encrypted end-to-end, no cleartext and no agent socket on the hops

Disadvantage:
- n-fold encryption load on the client (one full SSH layer per hop, no scaling with the number of hops)

Winscp:
- Fill in the hostname and user name of the final destination host.
- Check the "Advanced options" box in the login dialog.
- Select the Connection - Tunnel page.
- Check the "Connect through SSH tunnel" box.
- Fill in the host name and user name of the intermediate host.
- The first password prompt is for the intermediate host.

Securing:
- use SSH public keys/identities; on the intermediate host restrict the key with the 'command=' option in authorized_keys so that it can only run the relay (nc) and nothing else

Errors:
debug1: Next authentication method: password
dest's password:
debug2: we sent a password packet, wait for reply
Write failed: Broken pipe
# seen when using option -w 5 with /usr/bin/nc (25864 bytes) of CentOS 5.4:
# this nc exits after 5 idle seconds and takes the session with it; leave out -w

Solution: ssh stacking (ssh port forwarding):
$ ssh -f wall -L 9999:dest:22 sleep +1d
$ ssh -o HostKeyAlias=dest localhost -p 9999
# HostKeyAlias=dest: verify and store dest's host key under the name "dest" instead
# of "localhost", so the check still works and known_hosts is not confused

Disadvantage:
- two (more complex) commands instead of one
- a further local port (9999) is needed for every additional connection

Other solutions (when netcat is not installed on the gateway; needs bash on the gateway, {gw} and {host} are placeholders):
- ProxyCommand ssh {gw} 'exec 3<>/dev/tcp/{host}/22; (cat <&3 & ); cat >&3'
- ProxyCommand ssh {gw} 'exec 3<>/dev/tcp/{host}/22; cat <&3 & cat >&3; kill $!'
  (also close the descriptor?: exec 3>&-;)

Sources:
[1] netcat (nc) 0.7.1, Jan 2004, GPL, 088def25efe04dcdd1f8369d8926ab34 netcat-0.7.1.tar.gz
[2] Bulbous - Multihop SSH
[3] ssh_config manpage
[4] http://www.rschulz.eu/2008/09/ssh-proxycommand-without-netcat.html

Please give feedback if you want changes on this website.
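The notes above are unsure what %h expands to and which Host block wins; the following added example (not part of the original notes) is a small ssh_config resolver that reproduces the rules involved: Host pattern matching, "first obtained value wins" per keyword, %h falling back to the alias when HostName is unset, and %h/%p expansion in ProxyCommand. The sample config and the Host "bare" are constructed; Match and Include blocks and other tokens are assumed absent.

```shell
# Added example, not from the original notes: show what ssh will really run for
# a Host alias, using the OpenSSH rules that matter here (Host patterns * ? !,
# first value wins per keyword, %h = HostName or alias, %h/%p expansion).
# Assumed limits: no Match or Include blocks, no other tokens.
# Constructed sample config, modelled on the "comfortable" stanza in the notes.
SAMPLE_CFG='Host *.example.com wall dest
    Port 22
Host dest
    HostName dest.example.com
    # the next line is ignored: Port was already set by the wildcard block above
    Port 2222
    ProxyCommand ssh wall nc %h %p
Host wall
    HostName wall.example.com
Host bare
    ProxyCommand ssh wall nc %h %p'

# usage: printf "%s\n" "$cfg" | ssh_resolve ALIAS KEY   (KEY: hostname|port|proxycommand)
ssh_resolve() {
  awk -v alias="$1" -v want="$2" '
    function glob(p, s,   c) {          # does s match ssh_config pattern p (* and ?)
      if (p == "") return s == ""
      c = substr(p, 1, 1)
      if (c == "*") return glob(substr(p, 2), s) || (s != "" && glob(p, substr(s, 2)))
      if (s == "") return 0
      if (c == "?" || c == substr(s, 1, 1)) return glob(substr(p, 2), substr(s, 2))
      return 0
    }
    /^[ \t]*(#|$)/ { next }             # skip blank lines and comments
    tolower($1) == "host" {             # new block: does any pattern match the alias?
      pos = neg = 0
      for (i = 2; i <= NF; i++) {
        if (substr($i, 1, 1) == "!") { if (glob(substr($i, 2), alias)) neg = 1; continue }
        if (glob($i, alias)) pos = 1
      }
      active = pos && !neg
      next
    }
    active {                            # keep only the FIRST value seen per keyword
      k = tolower($1); $1 = ""; sub(/^ +/, "")
      if (!(k in opt)) opt[k] = $0
    }
    END {
      h = ("hostname" in opt) ? opt["hostname"] : alias   # %h falls back to the alias
      p = ("port" in opt) ? opt["port"] : 22
      pc = ("proxycommand" in opt) ? opt["proxycommand"] : "none"
      gsub(/%h/, h, pc); gsub(/%p/, p, pc)
      out = (want == "hostname") ? h : (want == "port") ? p : pc
      print out
    }'
}
```

For a real config, OpenSSH 6.8 and later print the same resolved values with `ssh -G dest`.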