ssh to a remote server via gateway server

Cameron Simpson cs at zip.com.au
Tue Jun 3 01:30:07 UTC 2008


On 03Jun2008 10:31, lux <yuanlux at gmail.com> wrote:
| On Mon, Jun 2, 2008 at 4:38 PM, Cameron Simpson <cs at zip.com.au> wrote:
| > On 02Jun2008 16:23, lux <yuanlux at gmail.com> wrote:
| > | > >> I have a script called "sshto" that does exactly this for multihop ssh
| > | > >> connections. [...]
| > | Sounds like a very interesting tool. I gave it a try. But
| > | what is shqstr?
| > | It looks like a command, but it is not on my system.
| >
| > Yeah, sshto shamelessly uses other scripts from that same collection.
| > Shqstr quotes strings for handing to eval/sh/remote-ssh intact.
| > The simplest thing is to go to:
| >   http://www.cskk.ezoshosting.com/cs/css/
| > and download the tarball, unpack into /opt/css. [...]
| 
| Thanks a lot, I will try it.

Cool. The purpose of sshto is that it knows how to construct the right
proxycommand for you:-)

Oh yes, you will probably need the "nc" command (netcat) on the gateway
machine. Or the target machine, at the expense of an extra hop - I'll
elaborate on that if you turn out to need it. This is because, if sshto
uses proxycommand (i.e. it is multihop), it uses "nc host 22" to do the
final connection to the target ssh daemon (on labpc in your case).

| I followed your hint of ProxyCommand
| here is the .ssh/config file:
| 
| Host labpc
|         ProxyCommand ssh  lux@gw -t -w 3 labpc 22
| 
| When
| 
| ssh labpc
| 
| I got two layers of prompt for login. There were possible outputs:
| 
| 1st, sometimes I got logged in to labpc, but it lasted 1 or 2 seconds, and got
| disconnected with this message: Connection to labpc closed by remote host.
| 
| The 2nd output is failure to log in, with this message:
| Write failed: Broken pipe
| 
| Any suggestions? Thanks

Yes. Start an ssh-agent, add your key to it, add forwardagent to your
ssh config file. Then no prompting will be needed. Pretty much all batch
or multihop stuff will need an agent to avoid prompting for passwords.

Also, always put ssh options before the "user@host", it is less
ambiguous. Eg:

  ProxyCommand ssh -t -w 3 lux@gw

You should not need (and in fact should probably _avoid_) the -t option
for the proxy command - it really should not use a terminal. I have not
used the -w options myself, and again they should not be in the
proxycommand, they should be in your upper-level ssh that _uses_ the
proxycommand. I don't know why you have "labpc 22" on the end of that.

A guess:

  Host labpc
    ProxyCommand ssh lux@gw

but be sure to set up ssh-agent first.

Cheers,
-- 
Cameron Simpson <cs at zip.com.au> DoD#743
http://www.cskk.ezoshosting.com/cs/

Sue Ralph Nader, too, he was supposed to have prevented this kind of thing by
now.  Oh, and my fee is 40%     - Ed "gettabike" Green, rec.motorcycles
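
The message above says sshto constructs the proxycommand, finishes each hop with "nc host 22", and relies on shqstr for quoting. The following is an added example of that construction, not code from the original post or from the css collection; shq, valid_host and proxy_command are hypothetical names, and the host-name check is an assumption of this sketch.

```shell
#!/bin/sh
# Added example: build a nested ProxyCommand for a chain of ssh gateways.
# shq, valid_host and proxy_command are hypothetical names, not the css scripts.
SSH_PORT=22

# Single-quote a string so a shell (local, eval or remote) receives it intact.
shq() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Accept only plain [user@]host words; a leading "-" would be read by ssh
# as an option, and shell metacharacters would reach the gateway's shell.
valid_host() {
    case $1 in
        ''|-*|*[!A-Za-z0-9._@-]*) return 1 ;;
    esac
}

# Usage: proxy_command target gateway1 [gateway2 ...]
# Gateways are listed nearest-to-client first. Each gateway runs
# "nc next-host 22", so nc must be installed on every gateway.
proxy_command() {
    pc_target=$1; shift
    [ $# -ge 1 ] || return 1
    for pc_h in "$pc_target" "$@"; do
        valid_host "$pc_h" || return 1
    done
    pc_cmd=""; pc_prev=""
    for pc_h in "$@" "$pc_target"; do
        if [ -n "$pc_prev" ]; then
            if [ -z "$pc_cmd" ]; then
                pc_cmd="ssh $pc_prev nc $pc_h $SSH_PORT"
            else
                # The inner command becomes one quoted -o argument.
                pc_cmd="ssh -o $(shq "ProxyCommand=$pc_cmd") $pc_prev nc $pc_h $SSH_PORT"
            fi
        fi
        pc_prev=$pc_h
    done
    printf '%s\n' "$pc_cmd"
}

# Constructed sample: the single-gateway case from this thread.
printf 'Host labpc\n    ProxyCommand %s\n' "$(proxy_command labpc lux@gw)"
```

With more than one gateway the inner ProxyCommand is passed as a single quoted -o argument, which is where the quoting helper earns its keep.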
