SSH ProxyCommand and belier

September 9th, 2010 by lucas

Christoph, belier really looks like a hack. It’s easy to use ProxyCommand to connect to hosts using several hops.

Let’s say that you want to connect to host c, which can only be reached from host b, which can only be reached from host a. It’s as simple as doing:

Host a
    User logina

Host b
    ProxyCommand ssh a nc -q 1 b 22
    User loginb

Host c
    ProxyCommand ssh b nc -q 1 c 22
    User loginc

And of course, it just works with scp, rsync, and everything ssh-based.

It cannot auto-login using passwords, but I’m not sure that having passwords in clear text is a good idea either ;)
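As an added example (not from the original post), here is a small POSIX shell script that generalizes the config above to a chain of any length, using ssh -W (OpenSSH 5.4 and later) instead of netcat, and then walks the generated ProxyCommand lines back to check which gateways a given host is reached through. The hop aliases and user names are placeholders.

```shell
#!/bin/sh
# Build ssh_config stanzas for a chain of hops. Each argument is "alias:user";
# hop N is reached through hop N-1 with "ssh -W", so no nc on the gateways.
gen_ssh_chain() {
    prev=""
    for spec in "$@"; do
        host=${spec%%:*}
        user=${spec#*:}
        printf 'Host %s\n    User %s\n' "$host" "$user"
        if [ -n "$prev" ]; then
            # %h/%p expand to the target's HostName and Port. The name must be
            # resolvable from the previous hop, otherwise the gateway reports
            # "getaddrinfo: Name or service not known" and ssh sees
            # "ssh_exchange_identification: Connection closed by remote host".
            printf '    ProxyCommand ssh -W %%h:%%p %s\n' "$prev"
        fi
        printf '\n'
        prev=$host
    done
}

# Follow ProxyCommand lines in CONFIG and print the hop path (first gateway
# first) used to reach TARGET, e.g. "a b c". A host with no ProxyCommand is
# a direct connection and ends the chain.
ssh_chain_path() {
    config=$1
    cur=$2
    path=$cur
    while :; do
        next=$(awk -v h="$cur" '
            $1 == "Host"                   { inhost = ($2 == h) }
            inhost && $1 == "ProxyCommand" { print $NF; exit }' "$config")
        [ -n "$next" ] || break
        path="$next $path"
        cur=$next
    done
    printf '%s\n' "$path"
}

# Demo on constructed hops a -> b -> c, as in the post.
demo() {
    tmp=$(mktemp)
    gen_ssh_chain a:logina b:loginb c:loginc > "$tmp"
    cat "$tmp"
    ssh_chain_path "$tmp" c      # prints: a b c
    rm -f "$tmp"
}
demo
```

Write the generated stanzas into ~/.ssh/config (or pass them with ssh -F) and the usual ssh, scp and rsync invocations against host c will route through a and b.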

10 Responses to “SSH ProxyCommand and belier”

  1. Jon wrote on 09/9/10 at 11:32 pm :

    Since 5.4 you can do the netcat bit inside ssh with -W

    Host a
        User logina

    Host b
        ProxyCommand “ssh -W b:22 a”
        User loginb

    Host c
        ProxyCommand “ssh -W c:22 b”
        User loginc

  2. Lucas wrote on 09/9/10 at 11:38 pm :

    That’s great! thanks!

  3. Jason Riedy wrote on 09/10/10 at 12:01 am :

    Thank you for the -W information! Makes it much easier for me to bounce through a firewall host to a compute node.

  4. i5513 wrote on 09/10/10 at 8:40 am :

    I had to remove quotes from ProxyCommand.

    ssh rocks!

  5. Latrisha Stpierrie wrote on 09/16/10 at 3:18 pm :

    The mind is the limit. As long as the imagination can envision the fact that you can do something, you can do it

  6. Paul wrote on 09/20/10 at 3:31 pm :

    Just found out you can do this with Putty (if you are stuck on windows):

    Use a local proxy, and in the proxy command use something like:

    C:\Path\to\plink\plink.exe user@host-A nc -q 1 host-B 22

    If you have all of your hosts preconfigured in putty, you should be able to chain them with -load.

  7. David wrote on 01/9/11 at 11:32 am :

    Does anyone know why running this gives me this error?

    nc: getaddrinfo: Name or service not known
    ssh_exchange_identification: Connection closed by remote host

  8. Christoph Anton Mitterer wrote on 01/15/11 at 3:07 am :

    Is there any reason why you use -q 1 to netcat?

    I’ve also seen people claiming they need to use -w 1, or nc processes are not killed on the gateway host, but I haven’t seen such problems.

  9. Lucas wrote on 01/15/11 at 10:25 am :

    I think that it depends on the implementation of netcat that you are using.

  10. Jake Bunner wrote on 06/23/11 at 6:45 pm :

    This is a good post. Thank you very much for the quality information provided! I was looking for this entry for quite some time, but I wasn’t able to find a reliable source.