Protocol Version Exchange: the comments field and an idea how to use it

Peter Stuge peter at stuge.se
Thu Nov 14 04:24:00 EST 2013


Hannes Hörl wrote:
>> Host private_internal_machine
>>    hostname 192.168.1.22
>>    ProxyCommand ssh proxy -W %h:%p
>
> If I understand this right, this would make an ssh connection to the proxy,
> terminate it there - and make a second connection from the client machine 
> to the backend machine, tunneled through the first ssh connection, right?

Yes.


> So anything needed (account, certs, ...) to authenticate a user on the 
> backend machine needs to be set up and available on the proxy too.

No.

The second logical connection is (as you write) indeed between the
client and the backend machine. Both the proxy and the backend
machine individually and independently authenticate their respective
connection, and in both cases it is the client machine on the other end.


> For my imaginary use case, the backend machines would be (virtual) hosts 
> for customers, friends, ... where I have no idea about e.g. user accounts 
> (or for that matter: I'd have no idea about anything going on on those 
> hosts).
> The only thing I know is, if there is a host with a certain hostname in my 
> backend network or not. If so I'd like to pipe through the connection to 
> the desired host. I don't want to have any ssh connection to the proxy 
> machine itself.

Why have a proxy if it allows connecting to any backend machine
without authenticating the request anyway?


//Peter
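
The two independently authenticated connections discussed in this message, written out as an added configuration example (not part of the original post or of the OpenSSH project). The host name proxy.example.org, the account names jump and customer1, and the key file names are constructed for illustration.

```sshconfig
# ---------- client machine: ~/.ssh/config ----------
# First connection: client <-> proxy. Authenticated by the proxy's sshd
# with a key that exists only on the client.
Host proxy
    HostName proxy.example.org
    User jump
    IdentityFile ~/.ssh/id_proxy

# Second connection: client <-> backend, carried over the first one's
# stdio forwarding (-W). Authenticated by the backend's sshd with a
# different key that also exists only on the client.
Host private_internal_machine
    HostName 192.168.1.22
    User customer1
    IdentityFile ~/.ssh/id_backend
    ProxyCommand ssh proxy -W %h:%p

# ---------- proxy machine: /etc/ssh/sshd_config ----------
# The proxy holds no backend account, key or certificate. It only
# authenticates the "jump" user and decides which destination that
# user may be forwarded to.
Match User jump
    # -W opens a direct-tcpip channel, which counts as local forwarding.
    AllowTcpForwarding local
    # Restrict forwarding to the one backend this user may reach.
    PermitOpen 192.168.1.22:22
    # No terminal, agent or X11 on the proxy itself.
    PermitTTY no
    AllowAgentForwarding no
    X11Forwarding no
```

Because the backend session is encrypted end to end between client and backend, the proxy sees only ciphertext on the forwarded channel. Its own authentication and the PermitOpen rule are what keep it from relaying arbitrary clients to arbitrary hosts.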


More information about the openssh-unix-dev mailing list