Linux – Use ProxyCommand for all SSH Connections

Tags: linux, networking, openssh, ssh

I was playing around with the idea of having an SSH proxy server, otherwise called a jump host, which I would use to connect to all of my "hidden" servers. So basically I have the following setup. Please note that I intentionally use IP addresses here instead of hostnames.

<client> ---> <proxy_ssh> ---> <192.168.0.*>

My intention is that it should be as transparent for the users as possible. So ideally the users should only have to execute the following command:

# ssh user@192.168.0.10

To get this working I've created the following .ssh/config:

Host *
    ServerAliveInterval 240
    Compression yes
    ForwardAgent yes
    ForwardX11 yes

Host 192.168.0.*
    ProxyCommand ssh my_user@proxy_ssh.example.com netcat -w 120 %h %p

This works fine. But it would be kind of tedious if I had more networks to work with behind my proxy_ssh server. So I tried simply adding the ProxyCommand to the Host * section, which did not work.

I wanted to make this more transparent for the end user, and changed the ssh config to the following, simply leaving out the specific Host definition:

Host *
    ServerAliveInterval 240
    Compression yes
    ForwardAgent yes
    ForwardX11 yes
    ProxyCommand ssh my_user@proxy_ssh.example.com netcat -w 120 %h %p

This had the effect that I was no longer able to connect to the end host. The connection simply timed out!

So hence my question: is there any way of making this more transparent, in such a way that all of my SSH connections would use the proxy_ssh host?

Best Answer

The example above makes it recursive: every connection uses a proxy command, which is again ssh with another proxy command. A good way to DoS your proxy.

You should exclude the proxy from the list, use -F /dev/null to ignore the configuration for the proxy command, or just ignore the proxy command for the proxy ssh:

ProxyCommand ssh -oProxyCommand=none my_user@proxy_ssh.example.com netcat -w 120 %h %p
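As an added example, not part of the question or the answer above, the following Python script models the part of OpenSSH's ssh_config handling that matters here: the first matching Host block that sets a keyword wins, a `!pattern` on a Host line excludes a host from that block, and a ProxyCommand that itself runs `ssh` is subject to the same config unless it passes `-F /dev/null` or `-oProxyCommand=none`. It walks the chain of proxy hops for the three configs from this page (the recursive `Host *` one, the answer's `-oProxyCommand=none` fix, and a variant that excludes the proxy with `Host * !proxy_ssh.example.com`). Host names and commands are the ones used on this page; `ProxyLoopError`, the parser and the list of value-taking ssh flags are my own simplifications, not OpenSSH code (real ssh_config also has `Match`, `Host=value` syntax and many more keywords).

```python
"""Model OpenSSH ProxyCommand resolution to show why 'Host *' + ProxyCommand loops."""
import fnmatch
import re
import shlex

# Configs taken from the page (constructed inline so the script runs offline).
RECURSIVE_CONFIG = """
Host *
    ServerAliveInterval 240
    ProxyCommand ssh my_user@proxy_ssh.example.com netcat -w 120 %h %p
"""

FIXED_CONFIG = """
Host *
    ServerAliveInterval 240
    ProxyCommand ssh -oProxyCommand=none my_user@proxy_ssh.example.com netcat -w 120 %h %p
"""

EXCLUDED_CONFIG = """
Host * !proxy_ssh.example.com
    ProxyCommand ssh my_user@proxy_ssh.example.com netcat -w 120 %h %p
"""

# Assumption: ssh flags that take a separate argument (subset of ssh(1)).
VALUE_FLAGS = set("oFpliJWbcDEeILmORSB")


class ProxyLoopError(Exception):
    """Raised when the ProxyCommand chain never reaches a direct connection."""


def parse_config(text):
    """Return [(host_patterns, {keyword: value}), ...] in file order.

    Lines before the first 'Host' apply to every host, like in OpenSSH.
    """
    blocks, patterns, opts = [], ["*"], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "host":
            if opts:
                blocks.append((patterns, opts))
            patterns, opts = value.split(), {}
        else:
            opts.setdefault(keyword, value)  # first value for a keyword wins
    if opts:
        blocks.append((patterns, opts))
    return blocks


def host_matches(patterns, host):
    """OpenSSH semantics: any negated pattern that matches vetoes the block."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched


def resolve(blocks, host, keyword):
    """Value of keyword for host: first matching block that sets it wins."""
    for patterns, opts in blocks:
        if host_matches(patterns, host) and keyword in opts:
            return opts[keyword]
    return None


def parse_ssh_invocation(command):
    """For a ProxyCommand that runs ssh, return (destination, inherits_proxy).

    inherits_proxy is False when the inner ssh disables the user config
    (-F /dev/null) or the ProxyCommand itself (-oProxyCommand=none).
    Returns None when the ProxyCommand is not an ssh invocation.
    """
    argv = shlex.split(command)
    if not argv or argv[0] != "ssh":
        return None
    inherits_proxy, i = True, 1
    while i < len(argv):
        arg = argv[i]
        if not (arg.startswith("-") and len(arg) > 1):
            return arg.rsplit("@", 1)[-1], inherits_proxy  # first non-flag = destination
        flag, value = arg[1], arg[2:]
        if flag in VALUE_FLAGS and not value:
            i += 1
            value = argv[i] if i < len(argv) else ""
        if flag == "F" and value in ("none", "/dev/null"):
            inherits_proxy = False
        if flag == "o" and re.fullmatch(r"proxycommand[=\s]*none", value, re.I):
            inherits_proxy = False
        i += 1
    return None


def trace(blocks, host, port=22, max_depth=5):
    """Return the list of hosts an 'ssh host' would open, outermost first."""
    hops = [host]
    for _ in range(max_depth):
        cmd = resolve(blocks, host, "proxycommand")
        if cmd is None or cmd.lower() == "none":
            return hops  # direct TCP connection, chain ends
        inner = parse_ssh_invocation(cmd.replace("%h", host).replace("%p", str(port)))
        if inner is None:
            return hops  # e.g. plain nc/corkscrew: no further ssh involved
        host, inherits_proxy = inner
        hops.append(host)
        if not inherits_proxy:
            return hops
    raise ProxyLoopError("ProxyCommand never terminates: " + " -> ".join(hops))


if __name__ == "__main__":
    for name, cfg in [("recursive", RECURSIVE_CONFIG), ("fixed", FIXED_CONFIG),
                      ("excluded", EXCLUDED_CONFIG)]:
        try:
            print(name, "->", trace(parse_config(cfg), "192.168.0.10"))
        except ProxyLoopError as err:
            print(name, "->", err)
```

On a real client the same check is `ssh -G proxy_ssh.example.com | grep -i proxycommand`, which prints the ProxyCommand OpenSSH would actually use for the proxy itself; if that line shows another `ssh` to the proxy, the config has the loop the answer describes.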