Problem:
- agent forwarding (ssh -A) through hop hosts: root on any hop can use the forwarded agent socket
- ssh chaining/nesting (ssh h1 'ssh h2 "ssh h3"')
- chaining decrypts and re-encrypts the session on h1 and h2 (cleartext on every hop)
- scp cannot use a nested ssh (ssh -t galileo ssh tina) as its transport
Solution ssh stacking (ssh -o ProxyCommand):
- SSH option ProxyCommand:
Instead of creating a TCP connection, SSH will communicate using the
proxy program's standard input and output streams.
# minimal:
cat >> .ssh/config << EOF
Host dest
ProxyCommand ssh userx@wall.example.com nc -w 1 %h %p
EOF
# the ProxyCommand logs in to the gateway (wall) and runs nc there, which connects on to %h:%p
# since ssh-v5.3 nc can be replaced by the ssh option -W %h:%p (untested, please give feedback)
# -w 1 = nc timeout in seconds; GNU netcat 0.7.1 (source [1]) applies it to connects and the final
#   net read only, the OpenBSD-style nc of CentOS also drops an idle session after it (see Errors below)
# %h = hostname as ssh resolves it (HostName if set, else the Host alias "dest"), %p = port (22)
# comfortable:
cat >> .ssh/config << EOF
Host *.example.com wall dest
User userx
Port 22
IdentityFile ~/.ssh/id_firma
ServerAliveInterval 240
Host dest
HostName dest.example.com
#ProxyCommand ssh wall socket -q %h %p
ProxyCommand ssh wall nc %h %p
## additional forward localhost:33306 to dest:3306
# LocalForward 33306 localhost:3306
Host wall
HostName wall.example.com
EOF
ssh -v dest
debug1: Reading configuration data /home/userx/.ssh/config
debug1: Applying options for dest
debug1: Applying options for *
debug1: Executing proxy command: exec ssh wall socket -q dest.example.com 22
localpc --- (ssh wall nc dest.example.com 22) --- wall --- (nc dest.example.com 22) --- dest:22
   \                                                                                     /
    ----------- (ssh dest, tunnelled through stdin/stdout of "ssh wall nc ...") -----------
Useful for:
- scp dest:file . # where dest is behind a firewall
- CVSROOT=dest && CVS_RSH=ssh
- further nesting
- ssh -X dest
- ssh -L3128:proxy.example.com:3128 dest
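The "further nesting" case above, as an added example that is not part of the original page: a small POSIX sh generator (hypothetical function name gen_chain_config) that prints ssh_config stanzas for a chain of hops, so that "ssh <last hop>" is tunnelled through every earlier hop with ProxyCommand. It uses the ssh -W netcat mode on the hops instead of nc (the page notes -W as untested; it is assumed available here); the host names in the usage line are constructed.

```shell
#!/bin/sh
# Added example, not from the original page: print ssh_config stanzas for a
# chain of hops. Each hop after the first is reached through the previous one
# via "ProxyCommand ssh -W %h:%p <previous hop>" (-W assumed available).
gen_chain_config() {
    # usage: gen_chain_config USER HOP1 HOP2 ... HOPN  (HOP1 is reachable directly)
    user=$1; shift
    prev=""
    for hop in "$@"; do
        printf 'Host %s\n' "$hop"
        printf '    HostName %s\n' "$hop"
        printf '    User %s\n' "$user"
        if [ -n "$prev" ]; then
            # reach this hop through the previous one: sshd on $prev forwards the
            # ssh client's stdin/stdout to %h:%p (the HostName and Port of this stanza)
            printf '    ProxyCommand ssh -W %%h:%%p %s\n' "$prev"
        fi
        printf '\n'
        prev=$hop
    done
}

# number of ProxyCommand lines in a generated config (= number of hops - 1)
count_proxy_lines() {
    gen_chain_config "$@" | grep -c '^    ProxyCommand '
}

# usage with constructed host names (two hops, as in the page's wall/dest setup):
gen_chain_config userx wall.example.com dest.example.com
```

Each stanza only names the hop directly before it, so adding a hop is one more stanza; the local ssh still does all the encryption layers, which is the n-fold load noted under Disadvantage.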
Advantage:
- more secure than chaining: one end-to-end encrypted session, no agent forwarding and no cleartext on the hop
Disadvantage:
- the local endpoint encrypts once per hop (n-fold load), so it does not scale with the number of hops
Winscp:
- Fill in the hostname and user name for the final destination host.
- Check the "Advanced options" box in the login dialog.
- Select the Connection - Tunnel page.
- Check the "Connect through SSH tunnel" box.
- Fill in the Host name and user name of the intermediate host.
- the first password prompt belongs to the intermediate host
securing:
- use SSH public keys/identities; on the intermediate hosts restrict the key in
  authorized_keys with the 'command=' option so it can only run the relay (nc ...)
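One way to apply the 'command=' restriction on the intermediate host, as an added example that is not the page's own code: a forced-command script (hypothetical path /usr/local/bin/relay-only, function name relay_allowed) that sshd runs instead of whatever the ProxyCommand asked for. It accepts only the relay the client config sends (nc, optionally with -w N, to one fixed host:port) and refuses everything else. The host, port and key material are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original page: forced command for the
# intermediate host (wall). The authorized_keys entry there pins the
# ProxyCommand key to this script (key material is a placeholder):
#
#   command="/usr/local/bin/relay-only",no-pty,no-agent-forwarding,no-X11-forwarding,no-port-forwarding ssh-ed25519 AAAA...PLACEHOLDER userx@localpc
#
# sshd ignores the command the client requested, runs this script instead and
# puts the requested command line into SSH_ORIGINAL_COMMAND. The script only
# relays to the one host:port below (constructed values) and refuses the rest.

ALLOWED_HOST=dest.example.com
ALLOWED_PORT=22

# relay_allowed "requested command": returns 0 only for
#   nc [-w N] $ALLOWED_HOST $ALLOWED_PORT
# The request is split into words and compared word by word; it is never
# eval'd, and the relay below execs nc with fixed arguments, not the client's string.
relay_allowed() {
    set -f                     # no globbing while splitting the request
    set -- $1
    set +f
    case $# in
        3) [ "$1" = nc ] && [ "$2" = "$ALLOWED_HOST" ] && [ "$3" = "$ALLOWED_PORT" ] ;;
        5) [ "$1" = nc ] && [ "$2" = -w ] && [ "$3" -gt 0 ] 2>/dev/null \
           && [ "$4" = "$ALLOWED_HOST" ] && [ "$5" = "$ALLOWED_PORT" ] ;;
        *) return 1 ;;
    esac
}

# Only acts when started by sshd as a forced command (SSH_ORIGINAL_COMMAND set).
if [ "${SSH_ORIGINAL_COMMAND+set}" ]; then
    if relay_allowed "$SSH_ORIGINAL_COMMAND"; then
        exec nc "$ALLOWED_HOST" "$ALLOWED_PORT"
    fi
    logger -p auth.warning "relay-only: refused '$SSH_ORIGINAL_COMMAND' from ${SSH_CLIENT:-unknown}"
    exit 1
fi
```

Refusals are logged to the auth facility, so a key that starts asking for anything other than the relay shows up in the gateway's logs. If the client config uses the -W variant instead of nc, there is no command to check: drop no-port-forwarding and restrict the key with permitopen="dest.example.com:22" instead.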
Errors:
- debug1: Next authentication method: password
dest's password:
debug2: we sent a password packet, wait for reply
Write failed: Broken pipe
# seen with option -w 5 for /usr/bin/nc (25864B) of CentOS 5.4: that nc closes the idle connection after the timeout while ssh is still waiting for the password
Solution ssh stacking (ssh port forwarding):
$ ssh -f wall -L 9999:dest:22 sleep +1d
$ ssh -o HostKeyAlias=dest localhost -p 9999
# HostKeyAlias=dest: check the host key against the known_hosts entry of dest, not of localhost
Disadvantage:
- need two (more complex) commands instead of one
- further ports (9999) needed for further connections
Other solutions:
- ProxyCommand ssh {gw} 'exec 3<>/dev/tcp/{host}/22;(cat <&3 & );cat >&3' --
  ({gw} = gateway host, {host} = destination; bash on the gateway opens the TCP connection itself via /dev/tcp)
- when netcat is not installed on the gateway:
ProxyCommand ssh {gw} 'exec 3<>/dev/tcp/{host}/22; cat <&3 & cat >&3;kill $!'
(+close?: exec 3>&-;)
Sources:
[1] netcat (nc) 0.7.1 Jan2004 GPL
088def25efe04dcdd1f8369d8926ab34 netcat-0.7.1.tar.gz
[2] Bulbous - Multihop SSH
[3] ssh_config manpage
[4] http://www.rschulz.eu/2008/09/ssh-proxycommand-without-netcat.html
Please give feedback if you want changes on this website.