ssh hack: connect directly to machine via a firewall box
UPDATED 23/03/2009: added “-q0” option to clean up netcat after session terminates, and left another useful ssh tip in the comments.
It’s common to have to ssh to a firewall / gateway machine, then ssh from there to the machine you actually want to work on within a server network.
Typically you’d do this from your local machine:
$ ssh firewall.example.com
Password:
$ ssh my-private-host
I finally got bored of doing this, and created the following file, /usr/bin/sssh
#!/bin/bash
# Pass every argument straight through to ssh; the ProxyCommand makes the
# firewall box run netcat to relay the connection to the real target (%h %p).
ssh -oproxycommand="ssh -q firewall.example.com nc -q0 %h %p" $*
Now I can use the sssh command to connect to hosts using the firewall machine as a proxy. Like most good hacks, this uses netcat.
Eg:
$ sssh 10.1.2.3
Will connect me directly to a machine on the server network, via the firewall box. Seeing as it passes all parameters to ssh (the $* bit), you can do port forwards and X-forwarding as usual too:
$ sssh -L 5432:localhost:5432 my-vm
This lets me tunnel the port of the PostgreSQL instance running on my development vm (my-vm) in a single command. I have all my keys installed, so no passwords needed - I estimate this will save me about 60 seconds every day.
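The same routing can live in ~/.ssh/config instead of a wrapper script, so ssh, scp and sftp all pick it up. The block below is an added example, not part of the original post: it shows the post’s netcat form beside the two built-in alternatives that later OpenSSH releases offer (`-W` from 5.4, `ProxyJump` from 7.3), which need no netcat binary on the gateway. Host names and the user name are placeholders.

```sshconfig
# ~/.ssh/config  (added example; host names and user are placeholders)

# The gateway must be reached directly. ssh uses the first value it finds
# for each option, so this block has to come before any wildcard below that
# would also match the gateway, or ssh would try to proxy to the gateway
# through itself.
Host firewall.example.com
    ProxyCommand none
    User myuser

# 1. The post's approach: run netcat on the gateway and hand ssh the socket.
#    -q0 makes (Debian/GNU) netcat exit as soon as stdin closes, so no stray
#    nc processes are left behind on the gateway when the session ends.
Host 10.1.2.* my-private-host
    ProxyCommand ssh -q firewall.example.com nc -q0 %h %p

# 2. Same effect with ssh's own stdio forwarding (OpenSSH 5.4+): nothing
#    extra needs to be installed on the gateway and there is nothing to
#    clean up afterwards.
Host my-vm
    ProxyCommand ssh -q -W %h:%p firewall.example.com

# 3. Shortest form on OpenSSH 7.3+; the command-line equivalent is
#    `ssh -J firewall.example.com host`.
Host *.example.com
    ProxyJump firewall.example.com
```

With any of the three, `ssh -L 5432:localhost:5432 my-vm` or `scp my-vm:file .` works unchanged, since the proxying happens inside ssh rather than in a wrapper.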
A simpler version, http://vafer.org/blog/20061004103219, is enough for most things.
Torsten, thanks, that is indeed simpler if you just need a shell.
The -oproxycommand method will transparently deal with port forwards etc for you though, which is nice. I can still pass any of the -X, -L, -R options and it just works.
scp will work in the same way, so you can create another file “/usr/bin/sscp” and be able to copy files from remote hosts direct to your desktop via a firewall machine.
The only time I don’t have a VPN is on a Windows machine. I wish putty did this…
Nice, will be trying this out as well!
thanks for the tip
John
See also the ProxyCommand ssh config option. Saves the need for the script and the little mental step of deciding to use a different ssh/scp/sftp call :)
$ cat ~/.ssh/config
Host gateway.company.com
    ProxyCommand none
Host *.company.com my-private-host
    ProxyCommand ssh myuser@gateway.company.com nc -q0 %h %p
$
(by which I mean, it’s kinda cute to have that option in your config file - I appreciate it’s functionally the same as what you have)
Another useful trick is “ssh -tt” which forces tty allocation, so instead of the above you can do the following:
ssh -tt firewall.example.com ssh -tt my-vm
This opens an ssh terminal to the remote machine. You can also pass commands, so to reattach to a remote screen session you can do:
ssh -tt firewall.example.com ssh -tt my-vm screen -x