Mailing List Archive

How do I use ProxyCommand to connect to remote host using shared session enabled by ControlMaster?
Hi,

I am trying to connect to a remote host using the session that is
enabled by my control master. It works fine if I run it from the command
line.

# cat ~/.ssh/config
host jumphost
 hostname jumphost.example.net
 ForwardX11 yes
 ControlMaster auto
 ControlPath ~/.ssh/%r@%h:%p

On terminal1

# ssh jumphost

Then go to another terminal

# ssh jumphost -t ssh remotehost

Works perfectly. I can ssh into remotehost from my laptop through the
same shared network connection that is enabled by the controlmaster.
I am doing it like this because I have no direct network access to
remotehost from my laptop.

However, instead of doing it from the command line, now
I am trying to utilize the ProxyCommand to do the same.

# cat ~/.ssh/config
host jumphost
 hostname jumphost.example.net
 ForwardX11 yes
 ControlMaster auto
 ControlPath ~/.ssh/%r@%h:%p
host remotehost
 hostname remotehost.example.net
 ProxyCommand ssh jumphost -t ssh %h

And I am getting this error
Pseudo-terminal will not be allocated because stdin is not a terminal.
Pseudo-terminal will not be allocated because stdin is not a terminal.
Ubuntu 10.04.2 LTS \\n \\l


So it looks like I can see a little bit of the motd of the remotehost, but it
hangs there and I don't get a shell.

--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
Re: How do I use ProxyCommand to connect to remote host using shared session enabled by ControlMaster?
On 5 February 2011 19:10, Asif Iqbal <vadud3@gmail.com> wrote:
> # cat ~/.ssh/config
...
> host remotehost
>  hostname remotehost.example.net
>  ProxyCommand ssh jumphost -t ssh %h

ProxyCommand should in general connect its input/output stream to an sshd
daemon listening on some socket. In your case I would suggest using
the nc command from jumphost, which binds stdin/stdout to the ssh port
on the remote host, like in:

ProxyCommand ssh -T -a jumphost nc %h %p

where -T and -a are used to make sure that a tty, useless in this case, is
not allocated on jumphost and no agent is forwarded.
Re: How do I use ProxyCommand to connect to remote host using shared session enabled by ControlMaster?
On Mon, Feb 7, 2011 at 9:08 PM, Igor Bukanov <igor@mir2.org> wrote:
> On 5 February 2011 19:10, Asif Iqbal <vadud3@gmail.com> wrote:
>> # cat ~/.ssh/config
> ...
>> host remotehost
>>  hostname remotehost.example.net
>>  ProxyCommand ssh jumphost -t ssh %h
>
> ProxyCommand should in general connect its input/output stream to an sshd
> daemon listening on some socket. In your case I would suggest using
> the nc command from jumphost, which binds stdin/stdout to the ssh port
> on the remote host, like in:
>
> ProxyCommand ssh -T -a jumphost nc %h %p
>
> where -T and -a are used to make sure that a tty, useless in this case, is
> not allocated on jumphost and no agent is forwarded.
>

This worked perfectly. So now I have it set up like this

$ cat ~/.ssh/config
host jumphost
 hostname jumphost.example.net
 ForwardX11 yes
 ControlMaster auto
 ControlPath ~/.ssh/%r@%h:%p
host remotehost
 hostname remotehost.example.net
 ProxyCommand ssh -T -a jumphost nc %h %p

And I can ssh to remotehost through the enabled shared session set up
by jumphost.

Is it possible to make it work as default for all hosts except the jumphost?

I tried to replace the remotehost with `*' and then tried a fresh
start, like below

$ cat ~/.ssh/config
host jumphost
 hostname jumphost.example.net
 ForwardX11 yes
 ControlMaster auto
 ControlPath ~/.ssh/%r@%h:%p
host *
 hostname remotehost.example.net
 ProxyCommand ssh -T -a jumphost nc %h %p

But it looks like jumphost is trying to use the proxy command instead of
just going with the config specific to it

$ ssh -v jumphost
OpenSSH_5.5p1 Debian-4ubuntu5, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /home/iqbala/.ssh/config
debug1: Applying options for jumphost
debug1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: auto-mux: Trying existing master
debug1: Control socket "/home/iqbala/.ssh/iqbala@jumphost.example.net:22" does not exist
debug1: Executing proxy command: exec ssh -T -a jumphost.example.net nc jumphost.example.net 22


--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
Re: How do I use ProxyCommand to connect to remote host using shared session enabled by ControlMaster?
On 8 February 2011 04:20, Asif Iqbal <vadud3@gmail.com> wrote:
> Is it possible to make it work as default for all hosts except the jumphost?
>
> I tried to replace the remotehost with `*' and then tried to fresh
> start, like below

I suppose you cannot do that since host * provides defaults for all
hosts irrespective of the order. You can try to add an empty
ProxyCommand to jumphost.
Re: How do I use ProxyCommand to connect to remote host using shared session enabled by ControlMaster?
On 8 February 2011 11:24, Igor Bukanov <igor@mir2.org> wrote:
> On 8 February 2011 04:20, Asif Iqbal <vadud3@gmail.com> wrote:
>> Is it possible to make it work as default for all hosts except the jumphost?
>>
>> I tried to replace the remotehost with `*' and then tried to fresh
>> start, like below
>
> I suppose you cannot do that since host * provides defaults for all
> hosts irrespective of the order. You can try to add an empty
> ProxyCommand to jumphost.

I was wrong here: to disable the proxy command for jumphost, set
ProxyCommand to none, not an empty string, as stated in the ssh_config
manual page, http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config&sektion=5
Re: How do I use ProxyCommand to connect to remote host using shared session enabled by ControlMaster?
On Tue, Feb 8, 2011 at 9:35 AM, Igor Bukanov <igor@mir2.org> wrote:
> On 8 February 2011 11:24, Igor Bukanov <igor@mir2.org> wrote:
>> On 8 February 2011 04:20, Asif Iqbal <vadud3@gmail.com> wrote:
>>> Is it possible to make it work as default for all hosts except the jumphost?
>>>
>>> I tried to replace the remotehost with `*' and then tried to fresh
>>> start, like below
>>
>> I suppose you cannot do that since host * provides defaults for all
>> hosts irrespective of the order. You can try to add an empty
>> ProxyCommand to jumphost.
>
> I was wrong here: to disable the proxy command for jumphost, set
> ProxyCommand to none, not an empty string, as stated in ssh_config

Actually I understood that is what you meant, and it is working perfectly now.

Here is my latest setup

$ cat ~/.ssh/config
host jumphost
 hostname jumphost.example.net
 ForwardX11 yes
 ControlMaster auto
 ControlPath ~/.ssh/%r@%h:%p
 ProxyCommand none
host *
 hostname remotehost.example.net
 ProxyCommand ssh -T -a jumphost nc %h %p

Thanks a lot for your help!

> manual page, http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config&sektion=5
> .
>



--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
Re: How do I use ProxyCommand to connect to remote host using shared session enabled by ControlMaster?
On Tue, Feb 8, 2011 at 9:51 AM, Asif Iqbal <vadud3@gmail.com> wrote:
> On Tue, Feb 8, 2011 at 9:35 AM, Igor Bukanov <igor@mir2.org> wrote:
>> On 8 February 2011 11:24, Igor Bukanov <igor@mir2.org> wrote:
>>> On 8 February 2011 04:20, Asif Iqbal <vadud3@gmail.com> wrote:
>>>> Is it possible to make it work as default for all hosts except the jumphost?
>>>>
>>>> I tried to replace the remotehost with `*' and then tried to fresh
>>>> start, like below
>>>
>>> I suppose you cannot do that since host * provides defaults for all
>>> hosts irrespective of the order. You can try to add an empty
>>> ProxyCommand to jumphost.
>>
>> I was wrong here, to disable the proxy command for jumphost set
>> ProxyCommand to none , not an empty string , as stated in ssh_config
>
> actually I understood that is what you meant and it is working perfect now.
>
> here is my latest setup
>
> $ cat ~/.ssh/config
> host jumphost
>  hostname jumphost.example.net
>  ForwardX11 yes
>  ControlMaster auto
>  ControlPath ~/.ssh/%r@%h:%p
>  ProxyCommand none
> host *
>  hostname remotehost.example.net

Sorry, no hostname entry there.

>  ProxyCommand ssh -T -a jumphost nc %h %p
>
> Thanks a lot for your help!
>
>> manual page, http://www.openbsd.org/cgi-bin/man.cgi?query=ssh_config&sektion=5
>> .



--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
Re: How do I use ProxyCommand to connect to remote host using shared session enabled by ControlMaster?
On Tue, Feb 8, 2011 at 5:24 AM, Igor Bukanov <igor@mir2.org> wrote:
> On 8 February 2011 04:20, Asif Iqbal <vadud3@gmail.com> wrote:
>> Is it possible to make it work as default for all hosts except the jumphost?
>>
>> I tried to replace the remotehost with `*' and then tried to fresh
>> start, like below
>
> I suppose you cannot do that since host * provides defaults for all
> hosts irrespective of the order. You can try to add an empty
> ProxyCommand to jumphost.
>

Hopefully I am not pushing it :-), but is it possible to factor in
the IP network I am connecting from in my config file?

So if I am connecting from the 192.168.1.0/24 block, usually when I am
home, *only* then log in to remotehost using the proxy command.

But if I am connecting from the 10.13.137.0/22 block, usually when at
work, do not use the proxy command.





--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
Re: How do I use ProxyCommand to connect to remote host using shared session enabled by ControlMaster?
On Tue, Feb 8, 2011 at 10:08 AM, Asif Iqbal <vadud3@gmail.com> wrote:
> On Tue, Feb 8, 2011 at 5:24 AM, Igor Bukanov <igor@mir2.org> wrote:
>> On 8 February 2011 04:20, Asif Iqbal <vadud3@gmail.com> wrote:
>>> Is it possible to make it work as default for all hosts except the jumphost?
>>>
>>> I tried to replace the remotehost with `*' and then tried to fresh
>>> start, like below
>>
>> I suppose you cannot do that since host * provides defaults for all
>> hosts irrespective of the order. You can try to add an empty
>> ProxyCommand to jumphost.
>>
>
> Hopefully I am not pushing it :-) , but is it possible to factor in
> the IP network I am connecting from in my config file?
>
> So if I am connecting from 192.168.1.0/24 block, usually when I am
> home, *only* then login to remotehost using the proxy command.
>
> But if I am connecting from 10.13.137.0/22 block, usually when at
> work, do not use proxy command.

I think I got it

$ cat ~/.ssh/config

host jumphost
 hostname jumphost.example.net
 ForwardX11 yes
 ControlMaster auto
 ControlPath ~/.ssh/%r@%h:%p
 ProxyCommand none
host from="!*.ad.work.com"
 ProxyCommand ssh -T -a jumphost nc %h %p

So it skips the proxy command now when connecting from work. I will
test some more from home.

Thanks again!




--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
Re: How do I use ProxyCommand to connect to remote host using shared session enabled by ControlMaster?
On Tue, Feb 8, 2011 at 10:16 AM, Asif Iqbal <vadud3@gmail.com> wrote:
> On Tue, Feb 8, 2011 at 10:08 AM, Asif Iqbal <vadud3@gmail.com> wrote:
>> On Tue, Feb 8, 2011 at 5:24 AM, Igor Bukanov <igor@mir2.org> wrote:
>>> On 8 February 2011 04:20, Asif Iqbal <vadud3@gmail.com> wrote:
>>>> Is it possible to make it work as default for all hosts except the jumphost?
>>>>
>>>> I tried to replace the remotehost with `*' and then tried to fresh
>>>> start, like below
>>>
>>> I suppose you cannot do that since host * provides defaults for all
>>> hosts irrespective of the order. You can try to add an empty
>>> ProxyCommand to jumphost.
>>>
>>
>> Hopefully I am not pushing it :-) , but is it possible to factor in
>> the IP network I am connecting from in my config file?
>>
>> So if I am connecting from 192.168.1.0/24 block, usually when I am
>> home, *only* then login to remotehost using the proxy command.
>>
>> But if I am connecting from 10.13.137.0/22 block, usually when at
>> work, do not use proxy command.
>
> I think I got it
>
> $ cat ~/.ssh/config
>
> host jumphost
>  hostname jumphost.example.net
>  ForwardX11 yes
>  ControlMaster auto
>  ControlPath ~/.ssh/%r@%h:%p
>  ProxyCommand none
> host from="!*.ad.work.com"
>  ProxyCommand ssh -T -a jumphost nc %h %p

host from="!.*.ad.work.com" won't work.

So I still need to find out if it is possible.

That is, can I modify the .ssh/config such that if I am coming from
the corporate network it doesn't use the proxy command?

I use the same laptop from work and home. So I will have the same
.ssh/config file.

When I am connecting from home the proxy command works fine. But I
would like to disable the proxy command when I am connecting from work,
because I do have direct access to the remotehosts. No need to jump
through jumphost.


>
> So it skips the proxy command now when connecting from work. I will
> test some more from home.
>
> Thanks again!
>



--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
Re: How do I use ProxyCommand to connect to remote host using shared session enabled by ControlMaster?
For your hosts where you want to connect conditionally over jumphost
you can use a proxy command that points to a shell script like:

ProxyCommand my-proxy-script %h %p

Then the proxy script would contain something like:

#!/bin/sh
# $1 is the target host (%h), $2 is the target port (%p)
if grep -q ad.work.com /etc/resolv.conf; then
    # direct connection
    exec nc "$1" "$2"
fi
# otherwise go through jumphost
exec ssh -T -a jumphost nc "$1" "$2"

Clearly you may need to adjust the check for direct connection. Also
you may add a check that the host is not jumphost to prevent
recursion...

On 9 February 2011 04:43, Asif Iqbal <vadud3@gmail.com> wrote:
> On Tue, Feb 8, 2011 at 7:15 PM, Igor Bukanov <igor@mir2.org> wrote:
>> On 8 February 2011 21:18, Asif Iqbal <vadud3@gmail.com> wrote:
>>> host from="!.*.ad.work.com" won't work.
>>
>> That should be simply
>>
>> host !.*.ad.work.com
>
> That won't work. I need a way to negate the origin domain, not the
> destination domain.
>
> when I connect my laptop to work network it get a dhcp ip and my
> server joins the ad.work.com domain.
>
> But when I connect my laptop into home network, I am not into the
> ad.work.com domain
>
> So I want the proxy command to enable, only when my laptop connects
> from home and not when connects from work
>
> Not sure if I could draw the scenario without confusion.
>
> Thanks for the help!
>
>
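
An added example, not part of the thread: a version of the my-proxy-script idea above that decides by the laptop's source network instead of resolver contents and includes the suggested check that the target is not jumphost. The 10.13.137.0/22 block and the host names come from the thread; the function names and the use of `ip` (Linux iproute2) to list local addresses are assumptions.

```shell
#!/bin/sh
# Added example: use as `ProxyCommand my-proxy-script %h %p` in ~/.ssh/config.
WORK_NET="10.13.137.0/22"          # work block quoted in the thread
JUMPHOST="jumphost.example.net"    # must never be proxied through itself

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# in_cidr ADDR NET/LEN: succeed when ADDR lies inside the block.
# Both sides are masked, so an unaligned base address still matches.
in_cidr() {
    len=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "${2%/*}") & mask )) ]
}

# choose_route HOST [LOCAL_ADDR...]: print "direct" or "jump".
choose_route() {
    target=$1; shift
    # Recursion guard: the jumphost itself is always reached directly.
    case $target in jumphost|"$JUMPHOST") echo direct; return ;; esac
    for addr in "$@"; do
        if in_cidr "${addr%/*}" "$WORK_NET"; then echo direct; return; fi
    done
    echo jump    # unknown network: go through the jumphost
}

# Global-scope IPv4 addresses of this machine, e.g. 192.168.1.23/24.
local_addrs() {
    ip -o -4 addr show scope global 2>/dev/null | awk '{print $4}'
}

# Only act when ssh invokes the script with %h and %p.
if [ "$#" -eq 2 ]; then
    if [ "$(choose_route "$1" $(local_addrs))" = direct ]; then
        exec nc "$1" "$2"
    fi
    exec ssh -T -a jumphost nc "$1" "$2"
fi
```

When no local address can be determined the script falls back to the jumphost route, so a missing `ip` binary never results in an attempted direct connection from an unknown network.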