SSH RemoteCommand over netcat hopping, or not.

Patrick Debois' article on Chaining SSH tunnels inspired me to actually start using this technique.

At first my use case was pretty simple. It wasn't the host I needed to connect to that was behind a firewall, but, as it turned out, I was.

I've got a box at home listening on a high port, because my provider blocks the low ports (below 1024). That is a problem whenever I'm on a network which only allows outbound SSH connections on port 22. It's easy to hop around that by first connecting to another server on the regular port 22, and automating this with Patrick's ProxyCommand-plus-netcat trick proved handy in this situation, too.

I could easily add an entry to .ssh/config to handle this specific situation.

The firewalled networks I typically work on, I use either on their premises or remotely. When I need to connect remotely, especially for a longer period, I can often use a dedicated VPN, but very often I just want to quickly check something on one host, and then entering the network by hopping through an SSH gateway, rather than by launching a full-blown VPN stack, is the preferred solution.

Normally you then need a .ssh/config entry for each host for use from inside the LAN, and a second entry for each host with the specific ProxyCommand for use from outside.

But this doesn't scale well: the same information is managed twice. I don't want to configure separate .ssh/config entries for each server for reaching it from within its own LAN and remotely through SSH hopping.

I didn't find a way to handle this in .ssh/config alone, but adding the following little Bash function to my environment gives me an extra ssh command which lets me use the same .ssh/config entries in both situations:

ssh-via () { local proxy=$1 ; shift ; ssh -o ProxyCommand="ssh $proxy nc %h %p" "$@" ; }

Just use ssh-via instead of plain ssh, and pass the name of the .ssh/config entry for the gateway you need as the first parameter. Because options given on the command line take precedence over .ssh/config, the ProxyCommand set by ssh-via also overrides any ProxyCommand in the target host's own entry, while everything else in that entry (HostName, Port, User, keys) still applies. Note that %h and %p are expanded by the local ssh client from that entry, and the nc runs on the gateway, so the target's name is resolved on the gateway's side of the firewall.
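As an added example (not code from the original post), here is a hardened variant of the function above, with the equivalent static .ssh/config entry for the home-box case and a dry-run switch that shows the exact argument vector handed to ssh. The gateway name gw, the target alias home, its hostname home.example.org and port 2222 are made-up placeholders. The function is named ssh_via (underscore) so it also loads in shells that reject hyphens in function names.

```shell
#!/bin/sh
# Added example, not code from the original post: a hardened variant of the
# post's ssh-via helper plus the static ~/.ssh/config entry it replaces.
# Host names used here (gateway "gw", target "home", port 2222) are made up.

# The ProxyCommand that does the hop.  %h and %p are expanded by the *local*
# ssh client from the target's HostName and Port (after ~/.ssh/config has
# been applied), and "nc %h %p" then runs on the gateway, so the target's
# name is resolved on the gateway's side of the firewall.  -q keeps the
# gateway's banner and warnings out of the tunnelled byte stream.
ssh_via_proxycommand () {
    printf 'ssh -q %s nc %%h %%p' "$1"
}

# The same hop written out as a static entry, i.e. what the post did for the
# home box listening on a high port.  Printed to stdout so it can be reviewed
# before being appended to ~/.ssh/config.
ssh_via_config_entry () {
    # $1 gateway entry, $2 alias for the target, $3 target hostname, $4 port
    printf 'Host %s\n    HostName %s\n    Port %s\n    ProxyCommand %s\n' \
        "$2" "$3" "$4" "$(ssh_via_proxycommand "$1")"
}

# ssh_via <gateway> <ssh arguments...>
# Uses "$@" rather than $* so arguments with spaces (e.g. a remote command)
# reach ssh intact, and keeps the gateway name in a local variable.
# A -o given on the command line takes precedence over ~/.ssh/config, so the
# target's own entry keeps working directly from the LAN and, through this
# function, from outside.
ssh_via () {
    if [ $# -lt 2 ] || [ -z "$1" ]; then
        echo 'usage: ssh_via <gateway> <ssh arguments...>' >&2
        return 2
    fi
    local gateway
    gateway=$1
    shift
    set -- ssh -o "ProxyCommand=$(ssh_via_proxycommand "$gateway")" "$@"
    # SSH_VIA_DRYRUN=1 prints the command line instead of running it, one
    # argument per line so quoting problems are visible.
    if [ -n "${SSH_VIA_DRYRUN:-}" ]; then
        printf '%s\n' "$@"
        return 0
    fi
    "$@"
}

# Typical use (placeholders): ssh_via gw home 'uptime -p'
```

With a current OpenSSH, `ssh -W %h:%p gw` (5.4 and later) does the same job as `nc %h %p` without needing netcat installed on the gateway, and `ssh -J gw home` or a `ProxyJump gw` line (7.3 and later) replaces the whole function. In all variants the gateway only relays bytes: the connection to the target is still encrypted end to end and the target's host key is still checked by your own client.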