scp -S, sftp -S
Darren Tucker
dtucker at zip.com.au
Fri Aug 5 01:59:45 EST 2005
Frederik Eaton wrote:
[...]
> (b) Ports can be specified in the host name (with "=" or ":"), and a
> string of hosts can be specified by joining them with "+". This is
> quite useful for logging onto hosts which live behind a firewall.
> (Below, the ofb.net admins didn't want to make the forwarded port
> externally accessible)
If you have "connect" or "nc" on the intermediate host(s), this can also
be accomplished via ssh_config.
For example, imagine you have host "internalhost" behind host
"firewall". You can construct ~/.ssh/config like so:
Host internalhost
    ProxyCommand ssh firewall connect %h %p
These are "stackable". If you were to have another host
"reallyinternal" that was only reachable from "internalhost" then you
could simply add:
Host reallyinternal
    ProxyCommand ssh internalhost connect %h %p
The proxycommand can also be a shell script that behaves differently
under different conditions. (I have one that knows which proxies to use
for the various networks I inhabit.)
If you have pubkey auth then it's pretty much transparent.
You pay a price in multiple encryption (although you can mitigate this
by specifying a fast cipher like arcfour for the intermediate hops.)
One day I'd like ssh to learn how to establish a single port forward and
pass the traffic to and from stdin/stdout, which would remove the need
to have connect/nc on the intermediate hosts (and the modified ssh would
only be required on the client end).
[...]
> All of this makes it possible for me to use things like cvs and rsync
> rather transparently across tunnels and firewalls just by configuring
> the appropriate environment variables (CVS_RSH, RSYNC_RSH). However,
> as noted above, there are still some wrinkles that I would like to
> smooth out.
Yeah, at a previous employer we used to run rsync and cvs over the above
on networks where there was no end-to-end route (and sometimes not
even end-to-middle routes :-).
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
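An added example, not part of Darren's message and not OpenSSH's own code: a POSIX sh ProxyCommand script of the kind the message mentions, one that picks the hop chain depending on which network the client is on. The host names firewall, internalhost and reallyinternal are the ones used in the message; the script name proxy-select, the probe host gw.internal.example, the PROXY_NET override and the config stanza in the header comment are assumptions made here.

```shell
#!/bin/sh
# proxy-select: a ProxyCommand that picks the hop chain by current network.
# Added example (not from the message or from OpenSSH). Assumed ~/.ssh/config:
#
#   Host internalhost reallyinternal
#       ProxyCommand ~/.ssh/proxy-select %h %p
#
# Hop chains, following the message: from outside, internalhost is reached
# via "firewall"; reallyinternal is reachable only from internalhost, and
# that hop is itself resolved through this script when ssh consults
# ssh_config for "internalhost" (the "stackable" case).

# Which network are we on?  Assumption: gw.internal.example resolves only
# on the internal network.  PROXY_NET=internal|external overrides detection.
detect_net() {
    if [ -n "${PROXY_NET:-}" ]; then
        printf '%s\n' "$PROXY_NET"
    elif getent hosts gw.internal.example >/dev/null 2>&1; then
        echo internal
    else
        echo external
    fi
}

# Refuse host/port values that the shell could misread.  ssh runs
# ProxyCommand via "$SHELL -c", so %h and %p end up in a command line; only
# letters, digits, '.', '_', '-' are allowed in the host, digits in the port.
valid_target() {
    case "$1" in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
    case "$2" in ''|*[!0-9]*) return 1 ;; esac
    return 0
}

# Print the command that relays stdin/stdout to host:port from network $3.
# Intermediate hops use "connect" as in the message; on OpenSSH 5.4 or later
# "ssh -W host:port hop" does the same without connect/nc on the hop.
build_chain() {
    valid_target "$1" "$2" || return 1
    case "$3:$1" in
        *:reallyinternal)   echo "ssh internalhost connect $1 $2" ;;
        internal:*)         echo "nc $1 $2" ;;
        external:*)         echo "ssh firewall connect $1 $2" ;;
        *)                  return 1 ;;
    esac
}

main() {
    cmd=$(build_chain "$1" "$2" "$(detect_net)") || {
        echo "proxy-select: no route to $1:$2" >&2
        exit 1
    }
    # Unquoted on purpose: the string was built only from validated parts.
    exec $cmd
}

# Run only when invoked as a ProxyCommand with host and port arguments.
if [ $# -ge 2 ]; then
    main "$@"
fi
```

Two things worth keeping in mind with any such chain. First, ssh still performs host key verification for the final host over the relayed stream, so an intermediate hop cannot quietly substitute itself for the destination without the known_hosts check failing. Second, the single-port-forward-to-stdio feature wished for in the message later arrived in OpenSSH as ssh -W (5.4) and the ProxyJump option (7.3), which remove the need for connect or nc on the intermediate hosts; and the arcfour ciphers suggested for the intermediate hops have since been removed from OpenSSH, so the multiple-encryption cost is paid with the current default ciphers instead.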