ProxyCommand
ProxyCommand is the least privilege way I am aware of to ssh to machines behind a bastion host. Agent forwarding would work, but continues to allow use of my keys for the duration of my session (vs. just once at initial login), which is more privilege than I wanted to give the bastion. I'd subscribe to Premium if you let me configure ProxyCommands.
Brenda Larcom
shared this idea
Hi everyone,
Could you guys please provide the exact examples of the ProxyCommands that you use in your setups?
This will help to understand to the variety of cases and what to focus on first.
Thanks
46 comments
-
Anonymous
commented
ProxyCommand duoconnect -host=%h:%p -relay=https://<server>
-
Anonymous
commented
Host * !***.***.***.*** (obscured for security reasons)
ProxyCommand nc -X 5 -x proxyserver_address.com:proxyserver_port %h %p -
Andrew
commented
Is there any indication on when this might be implemented?
I need it for this - ProxyCommand cloudflared access ssh --hostname %h -
Anonymous
commented
any update on this trend? need also to use ssh proxyCommand
-
Tim Malone
commented
This now appears to be implemented by way of Host Chaining. Nice work guys!
-
Anonymous
commented
ProxyCommand ssh proxyuser@proxyhost nc %h %p
-
Anonymous
commented
Would go pro once implemented, absolutely useless in professional context without it as -any- professional setup uses ssh jump boxes instead of vpns nowdays to tunnel into shielded corporate boxes etc.
-
chris.welsh23@gmail.com
commented
ProxyJump -q via an ssh config file
-
Heavoc
commented
ProxyCommand ssh -W %h:%p bastion_host
-
Andrew P
commented
Awesome that you are working on this... I have things in my config like:
ProxyCommand ssh proxyuser@proxyhost nc %h %p
ProxyCommand ssh proxyuser@proxyhost /usr/local/bin/ssh-proxy %h
-
Rene Diepstraten
commented
Hi,
For example `ProxyCommand ssh -W %h:%p user@bastion.example.org”` to tunnel ssh sessions through the bastion host.
Newer openssh versions can do this by using `ProxyJump` by the way. -
dirk duellmann
commented
similar here: I'd be using it to implement multi-hop connections via something like:
ProxyCommand ssh -K -Y jump.host.at /usr/bin/nc %h %p 2> /dev/null
If you want to make it really nice you could predicate the proxy execution on the current subnet:
Eg in my real setup I use for each host the sequence:
Match host nick1 !exec "at-work"
Hostname long.real.name1.at
ProxyCommand ssh -K -Y jump.host.at /usr/bin/nc %h %p 2> /dev/null
Host nick1
HostName long.real.name1.atwhere "at-work" is a one-line script matching the ip subnet against the set of subnets used by my workplace.
That way the proxy is only used when necessary.
-
Mark B.
commented
I've been waiting for this so long.... Thanks for starting this!
ProxyCommand ssh -W %h:%p jumphost
-
Anonymous
commented
My proxy command is "ProxyCommand /usr/bin/ssh examplehost /usr/bin/nc -N %h %p"
-
Anonymous
commented
Thanks for starting this ! :-)
Here is what I'm using:
ProxyCommand ssh -k gwUser@gateway.host.domain /usr/bin/nc %h %p 2> /dev/null
Thanks,
cheers, andreas -
Michael
commented
Same, I'd go premium if supported
-
jC
commented
One more vote.. if done I would go premium,
-
Dan Hopkins
commented
Another vote +1
-
Mike W
commented
Please add this feature. I am a paying customer on iOS and need to go through a bastion host on a daily basis. Creating vpn connections or tunnels is just a pain in the bu..
Thank you very much!
-
Bruno Bronosky
commented
This was requested 3 years ago. Last official comment, giving a VERY single server mom & pop shop answer, was 2 years ago. This should really be an embarrassment to the the company. The bastion server pattern is very common.