scp -S, sftp -S

Darren Tucker dtucker at zip.com.au
Fri Aug 5 01:59:45 EST 2005


Frederik Eaton wrote:
[...]
> (b) Ports can be specified in the host name (with "=" or ":"), and a
> string of hosts can be specified by joining them with "+". This is
> quite useful for logging onto hosts which live behind a firewall.
> (Below, the ofb.net admins didn't want to make the forwarded port
> externally accessible)

If you have "connect" or "nc" on the intermediate host(s), this can also 
be accomplished via ssh_config.

For example, imagine you have host "internalhost" behind host 
"firewall".  You can construct ~/.ssh/config like so:

Host internalhost
	ProxyCommand ssh firewall connect %h %p

These are "stackable".  If you were to have another host 
"reallyinternal" that was only reachable from "internalhost" then you 
could simply add:

Host reallyinternal
	ProxyCommand ssh internalhost connect %h %p

The proxycommand can also be a shell script that behaves differently 
under different conditions.  (I have one that knows which proxies to use 
for the various networks I inhabit.)

If you have pubkey auth then it's pretty much transparent.

You pay a price in multiple encryption (although you can mitigate this 
by specifying a fast cipher like arcfour for the intermediate hops.)

One day I'd like ssh to learn how to establish a single port forward and 
pass the traffic to and from stdin/stdout, which would remove the need 
to have connect/nc on the intermediate hosts (and the modified ssh would 
only be required on the client end).

[...]
> All of this makes it possible for me to use things like cvs and rsync
> rather transparently across tunnels and firewalls just by configuring
> the appropriate environment variables (CVS_RSH, RSYNC_RSH). However,
> as noted above, there are still some wrinkles that I would like to
> smooth out.

Yeah, at a previous employer we used to run rsync and cvs over the above 
on networks where there was no end-to-end route (and sometimes not 
even end-to-middle routes :-).

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
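An added example (editor's, not from the post or from OpenSSH) of the kind of ProxyCommand dispatch script the post describes: it looks up which hop can reach the target and goes direct when the client's default gateway shows it is already inside the network. The host names "firewall", "internalhost" and "reallyinternal" come from the post; the hop table, the 10.0.0.0/24 and 192.168.1.0/24 "inside" ranges, and the use of Linux `ip route` for detection are assumptions.

```shell
#!/bin/sh
# ProxyCommand dispatcher (added example, not OpenSSH code).
# Install in ~/.ssh/config as:
#   Host internalhost reallyinternal
#       ProxyCommand /path/to/this-script %h %p

# Hop table: which host can reach the target.  Constructed for this
# example from the hosts named in the post; empty means "direct".
hop_for() {
    case "$1" in
        internalhost)   echo firewall ;;
        reallyinternal) echo internalhost ;;
        *)              echo "" ;;
    esac
}

# $1 is the default gateway address.  The "inside" ranges are assumptions;
# passing the gateway in keeps the decision testable without a real route.
on_inside_network() {
    case "$1" in
        10.0.0.*|192.168.1.*) return 0 ;;
        *)                    return 1 ;;
    esac
}

# Print the command ssh should run to reach $1:$2 given gateway $3.
# Uses nc on the hop as in the post; on OpenSSH 5.4+ the hop needs no nc
# and "ssh -W $host:$port $hop" does the same job.
build_command() {
    host=$1
    port=$2
    gw=$3
    hop=$(hop_for "$host")
    if [ -z "$hop" ] || on_inside_network "$gw"; then
        echo "nc $host $port"
    else
        echo "ssh $hop nc $host $port"
    fi
}

main() {
    # Linux-specific gateway lookup (assumption); empty gateway means
    # "unknown", which falls back to going through the hop.
    gw=$(ip route show default 2>/dev/null | awk '{print $3; exit}')
    cmd=$(build_command "$1" "$2" "$gw")
    exec $cmd
}

# Only dispatch when invoked by ssh with host and port arguments.
if [ "$#" -ge 2 ]; then
    main "$@"
fi
```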




More information about the openssh-unix-dev mailing list