TCP connect timeout with proxy

Peter Stuge peter at stuge.se
Fri Mar 27 08:40:42 AEDT 2020


Anand Buddhdev wrote:
> 3. ProxyCommand ssh -W [%h]:%p proxyhost
> 4. ProxyJump proxyhost
..
> Methods #3 and #4 are essentially the same, and have the main advantage
> of not requiring any extra utilities on the proxy server. But they have
> one disadvantage that I've not been able to solve. They don't offer me
> any way to control the TCP timeout, and so I get the OS default, which
> is too long.
..
> So my question is: is there any way I can influence the timeout that
> sshd on the proxy uses for making the TCP connection to the target when
> using methods #3, #4 or #5?

#3 and #4 open a "direct-tcpip" channel within the SSH session.

The open message doesn't support specifying a timeout, or any way to
extend it with more/new parameters.

You would have to extend the SSH protocol upstream and wait for the
extension to be supported by all your proxy hosts.


Alternatively, if you control all proxy hosts and all clients then you
can hack something. \o/

Maybe a variant of the "direct-tcpip" channel open message that takes an
extra uint32 timeout, or you could steal a few bits from
uint32 initial window size
or
uint32 maximum packet size
to encode your desired timeout.

(See RFC 4254 for full details of the channel open message.)


//Peter
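
The "direct-tcpip" channel open message discussed above, as an added example that is not part of the original message or of OpenSSH: a Python encoder and strict parser for the field list in RFC 4254 section 7.2, which has no timeout field. The function names and sample values are constructed for illustration.

```python
import struct

SSH_MSG_CHANNEL_OPEN = 90  # RFC 4254 section 5.1


def _string(b: bytes) -> bytes:
    """SSH 'string': uint32 length, then that many bytes."""
    return struct.pack(">I", len(b)) + b


def build_direct_tcpip(sender_channel, window, max_packet,
                       host, port, orig_ip, orig_port) -> bytes:
    """Encode the "direct-tcpip" channel open message (RFC 4254 section 7.2)."""
    return (bytes([SSH_MSG_CHANNEL_OPEN]) + _string(b"direct-tcpip")
            + struct.pack(">III", sender_channel, window, max_packet)
            + _string(host.encode()) + struct.pack(">I", port)
            + _string(orig_ip.encode()) + struct.pack(">I", orig_port))


def parse_direct_tcpip(msg: bytes) -> dict:
    """Decode the message, accepting only the exact RFC field list."""
    pos = 0
    def take(n: int) -> bytes:
        nonlocal pos
        if n > len(msg) - pos:
            raise ValueError("truncated message")
        pos += n
        return msg[pos - n:pos]
    def u32() -> int:
        return struct.unpack(">I", take(4))[0]

    if take(1)[0] != SSH_MSG_CHANNEL_OPEN or take(u32()) != b"direct-tcpip":
        raise ValueError("not a direct-tcpip channel open")
    fields = {
        "sender_channel": u32(),
        "initial_window_size": u32(),
        "maximum_packet_size": u32(),
        "host_to_connect": take(u32()).decode(),
        "port_to_connect": u32(),
        "originator_ip": take(u32()).decode(),
        "originator_port": u32(),
    }
    if pos != len(msg):  # rejecting extra data is this example's choice
        raise ValueError("trailing bytes after the last defined field")
    return fields


# Constructed sample values, not captured traffic.
SAMPLE = build_direct_tcpip(0, 2097152, 32768, "target.example", 22, "127.0.0.1", 0)
```
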

