14

I am comfortable with using the ProxyCommand feature of ssh and can use it to hop through mulitple bastion hosts to reach the final host efficiently. But I just can't seem to understand how it actually works in the backend.

For eg. I have the following config file.

Host final
Hostname final.com
Port 22
AgentForwarding yes
User guestuser
ProxyCommand "ssh user@bastion.com -W %h:%p"

I understand that for connecting to host final, the ProxyCommand will run prior to making the connection to final.com. But I still can't seem to understand the order of connections.

And what does the option -W %h:%p do? I understand that it is the netcat feature and is similar to nc %h %p.

So as far as my understanding goes here is the sequence of operations. Kindly let me know if I am wrong. I'm will be using the config file specified above in my example.

  1. The user enters ssh final
  2. An ssh connection to bastion.com created.
  3. A netcat tunnel is created from bastion.com to port 22 of final.com. The stdin of netcat is connected to the shell obtained in the connection to bastion.com.
  4. So now we have a connection from our system to final.com. The first half of this connection is an ssh connection from our system to bastion.com. The second half of this connection is a netcat tunnel from bastion.com to final.com.
  5. Now ssh final command takes the above connection as a proxy and tunnels its data through this existing connection.

Additionally I would also like to know whether this techniques is also known as ssh stacking?

Denilson Sá Maia
  • 573
  • 4
  • 8
Naruto Uzumaki
  • 329
  • 1
  • 4
  • 9

2 Answers2

11

3) A netcat tunnel is created from bastion.com to port 22 of final.com.

false, there's no netcat.

1) The user enters ssh final on localhost. This launches the parent ssh process
2) The parent ssh creates a child ssh with I/O redirected to pipes
3) The child ssh creates a connection to bastion.com.
4) The sshd process on bastion.com creates a tcp connection to final.com:22
5) An ssh channel is added to existing ssh connection between localhost and bastion.com
6) Parent ssh writes the handshake data to the pipe, the child ssh reads it from the pipe, sends via the ssh channel to sshd on bastion.com; sshd reads it and writes it to the socket connected to final.com. Similarly, the data is transmitted from final.com to localhost

basin
  • 558
  • 1
  • 5
  • 22
0

Long story short, ProxyCommand is just a command to build a pseudo-socket in replace of the real socket addr:port to the SSH server.

%h and %p is tokens for ProxyCommand to replace %h to target host and %p to target port. So ssh user@bastion.com -W %h:%p will be replaced to ssh user@bastion.com -W final.com:22.

popcorny
  • 101
  • 1