scp -S, sftp -S

Darren Tucker dtucker at
Fri Aug 5 02:56:57 EST 2005

Frederik Eaton wrote:
>>If you have pubkey auth then it's pretty much transparent.
>>You pay a price in multiple encryption (although you can mitigate this 
>>by specifying a fast cipher like arcfour for the intermediate hops.)
>>One day I'd like ssh to learn how to establish a single port forward and 
>>pass the traffic to and from stdin/stdout, which would remove the need 
>>to have connect/nc on the intermediate hosts (and the modified ssh would 
>>only be required on the client end).
> I see. That would be nice. But why was 'connect' needed at all?

Because a proxycommand operates on stdio, you need to make a TCP 
connection somehow.  If ssh learns the above then it won't be necessary.

> I found that nesting ssh as I described works fine (except that you need
> a wrapper script to manage the task of quoting your command properly).

I don't follow: with the example I gave, a multi-hop ssh works exactly 
the same as a single-hop.

> Does your version have lower latency or something?

The main thing it gives you is a guaranteed end-to-end SSH connection 
and thus:
a) a verifyable host key on *your* client, thus no MITM.
b) 8-bit clean
c) no quoting problems
d) no managing local port numbers, no chance of collision.

> I guess my version
> puts some extra encryption burden on the firewall, and doesn't have
> end-end encryption, so if you don't trust the firewall operator...

I'm guessing you do the the equivalent of "ssh -t hosta ssh hostb"?  If 
so then you're vulnerable to snooping and/or MITM at each of the 
intermediate hops since the traffic is fully decrypted then passed to 
ssh for re-encryption.  (I have heard of compromises of this configuration.)

> Anyway, I do this often enough that I think I'll find my shorter
> syntax quite useful. If necessary, the wrapper script can always be
> modified to chain things with ProxyCommand instead of through the ssh
> remote command arguments.

Sure, do what works for you.  I was just offering some options.

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list