TCP connect timeout with proxy

Anand Buddhdev anandb at ripe.net
Thu Mar 26 23:03:29 AEDT 2020


Dear openssh developers and users,

I'm new to the list, and my apologies if this question has been asked
before. I've tried to look for answers and haven't succeeded, which is
why I'm asking.

Here's the situation: I'm connecting to a dual-stacked host with A and AAAA
records. The IPv6 connectivity to the host is broken.

When connecting to the host directly from my client system, the TCP
connect to the IPv6 address times out after 75s, which is the TCP
default timeout. After that, SSH proceeds to connect to the IPv4 address
successfully. This causes a rather large delay. I can control this by
setting "ConnectTimeout" to something lower, like 30s. So far, so good.

However, when I'm not on a trusted network, I have to use a proxy to
connect to that same dual-stacked host. I can do the proxy in one of the
following ways:

1. ssh -tt proxyhost ssh -tt host

2. ProxyCommand ssh proxyhost 'exec nc %h %p 2>/dev/null'

3. ProxyCommand ssh -W [%h]:%p proxyhost

4. ProxyJump proxyhost

5a. ssh -D localhost:1080 -N proxyhost
5b. ProxyCommand nc -x localhost %h %p

I don't like method #1 at all, for obvious reasons.

Method #2 works well, and in fact, has the side effect of making the
connection faster, since "nc" times out the TCP connection to the IPv6
address in just 10s, and falls back to the IPv4 address. But the
disadvantage is that "nc" is required on the proxy, and I can't always
ensure that.

Methods #3 and #4 are essentially the same, and have the main advantage
of not requiring any extra utilities on the proxy server. But they have
one disadvantage that I've not been able to solve. They don't offer me
any way to control the TCP timeout, and so I get the OS default, which
is too long. This long delay in connecting to the target messes up other
things that run atop ssh, such as ansible.

Method #5 requests SOCKS proxy via the sshd on the proxyhost, but like
with methods #3 and #4, I am beleaguered by the TCP connect timeout of
the proxyhost.

So my question is: is there any way I can influence the timeout that
sshd on the proxy uses for making the TCP connection to the target when
using methods #3, #4 or #5?

Regards,
Anand Buddhdev

