110

I have no real idea what I'm doing here so please bear that in mind if you can help me!

I am trying to connect to my virtual server through a proxy but I can't connect, it just hangs. I'm assuming this is because it's not getting through our proxy.

I have tried exactly the same thing at home and it works perfectly. I'm on OSX using Terminal to connect.

Can anyone advise me how I can get through the proxy with SSH?

bencarter78
  • How are you currently trying to connect through the proxy? – Richard Christensen Oct 03 '13 at 14:36
  • 2
    You should be asking this in either ServerFault or SuperUser. Plus, you'll get a much better response. – Spencer Kormos Jan 23 '14 at 16:10
  • 2
    ACCEPT the answer please – Millemila Nov 18 '16 at 17:15
  • 2
    For those trying to use netcat: **you need to use the openbsd package!!! netcat-openbsd** https://www.linuxquestions.org/questions/linux-newbie-8/how-to-sftp-using-a-socks-v5-proxy-789824/#post3867664 – Y00 Jan 19 '20 at 07:41
  • 1
    Netcat has different implementations on Mac/Linux/OpenBSD; please notice the difference between their parameters and copy-paste the one for your own version! – Y00 Jan 19 '20 at 07:44

16 Answers

124

Here's how to do Richard Christensen's answer as a one-liner, no file editing required (replace capitalized with your own settings, PROXYPORT is frequently 80):

 ssh USER@FINAL_DEST -o "ProxyCommand=nc -X connect -x PROXYHOST:PROXYPORT %h %p"

You can use the same -o ... option for scp as well, see my superuser answer.


If you get this in OS X:

 nc: invalid option -- X
 Try `nc --help' for more information.

it may be that you're accidentally using the homebrew version of netcat (you can see by doing a which -a nc command--/usr/bin/nc should be listed first). If there are two then one workaround is to specify the full path to the nc you want, like ProxyCommand=/usr/bin/nc ...


For CentOS nc has the same problem of invalid option --X. connect-proxy is an alternative, easy to install using yum and works --

ssh -o ProxyCommand="connect-proxy -S PROXYHOST:PROXYPORT %h %p" USER@FINAL_DEST
Cadoiz
rogerdpack
  • 17
    I use Arch Linux with gnu-netcat and the `nc: invalid option -- X` still exists. The solution for this problem is to replace gnu-netcat with openbsd-netcat. See https://pagekite.net/wiki/Howto/SshOverPageKite/#wrongnetcat for details. These two versions probably conflict with each other. – Han Dec 20 '15 at 17:16
  • 1
    A bit out of topic, but one can also open a tunnel through this connection (remove all '<' and '>' and keep 'localhost' as is): ssh -l -L :localhost: -o "ProxyCommand=nc -X connect -x : %h %p" – Pascal Jun 09 '16 at 08:11
  • Is there any way to connect using GNU NetCat? – Petr Oct 20 '16 at 07:32
  • @Petr I never did find a way to do it using GNU, but feel free to raise a new question for that I suppose... :) – rogerdpack Nov 18 '16 at 20:12
  • 2
    @Petr, --proxy command may work for you. EDIT: Scrolled down and noticed that an example is in shoaly's answer. – Joseph Jun 30 '17 at 15:34
  • 2
    I got: "nc: Proxy error: "HTTP/1.0 403 Forbidden" ssh_exchange_identification: Connection closed by remote host" What do I do? – Nike Feb 13 '18 at 04:26
  • @user1271772 https://askubuntu.com/questions/413710/nc-proxy-error-http-1-0-403-forbidden and https://serverfault.com/questions/571375/nc-proxy-error-http-1-0-403-forbidden may help – rogerdpack Feb 13 '18 at 04:39
  • @rogerdpack. The answer in the second link is to add "-X connect" which is already in the command suggested above (which didn't work for me). The first link seems to point to a different question and it's not clear whether the answer given there is really an answer. – Nike Feb 13 '18 at 14:16
  • I'm on CentOS 8 - and it doesn't have connect-proxy :-( ... and my netcat is "Nmap's netcat replacement". – einpoklum Dec 03 '19 at 16:31
  • @echo nc can pass the password in with "normal nc commands" like `-P proxy_username` not sure on password, seems it's going to require it from the command line :| – rogerdpack Feb 11 '20 at 19:46
  • ok, thanks. I was trying the general syntax (in accordance with HTTP URL structure) user:password@proxyserver:proxyport but it doesn't work that way – echo Feb 11 '20 at 22:11
  • @rogerdpack I got nc: invalid option -- P also I could find anything about -P proxy_username when I did /usr/bin/nc -help – echo Feb 11 '20 at 22:28
  • @echo Maybe ask as a new question, it may depend on your version of `nc` (`man nc` is a good starting reference), good luck! – rogerdpack Feb 12 '20 at 01:29
  • 4
    For CentOS 7, where I have no "-X" option for ncat, I used the following construction: ssh REMOTEUSER@REMOTEHOST -o "ProxyCommand=ncat REMOTEHOST 22 --proxy PROXYHOST:PROXYPORT --proxy-type http". E.g.: ssh user123@ssh.othercomany.com -o "ProxyCommand=ncat ssh.mycomany.com 22 --proxy proxy.mycomany.com:80 --proxy-type http" – Sergey Beloglazov May 27 '20 at 13:48
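
The answer and comments above keep running into the same failure: `nc: invalid option -- X`, because the installed `nc` is not the OpenBSD variant. As an added example (not code from any of the posters), this sketch picks the ProxyCommand syntax from the help text of whichever netcat is present and rejects a proxy value that is not a plain host:port, since ssh hands ProxyCommand to the user's shell. The function names, the marker strings it matches and the sample help excerpts are assumptions constructed for illustration; IPv6 proxy addresses are not handled.

```shell
#!/bin/sh
# Added example; the marker strings matched below are assumptions about help output.

# netcat_flavor HELP_TEXT -> prints openbsd, ncat or unsupported
netcat_flavor() {
    if printf '%s\n' "$1" | grep -q -e '--proxy-type'; then
        echo ncat          # Nmap Ncat: --proxy / --proxy-type
    elif printf '%s\n' "$1" | grep -Eq -e '-X pro(to|xy_protocol)'; then
        echo openbsd       # OpenBSD nc: -X protocol, -x host:port
    else
        echo unsupported   # e.g. GNU netcat: no proxy options at all
    fi
}

# build_proxy_command HELP_TEXT TYPE HOST:PORT [NC_PATH]
# TYPE is http, socks4 or socks5. Prints the ProxyCommand value or returns 1.
build_proxy_command() {
    bp_help=$1; bp_type=$2; bp_proxy=$3; bp_nc=${4:-nc}
    # ssh runs ProxyCommand via the user's shell: accept plain host:port only.
    bp_host=${bp_proxy%:*}; bp_port=${bp_proxy##*:}
    case $bp_proxy in *:*) ;; *) return 1 ;; esac
    case $bp_host in ''|[.-]*|*[!A-Za-z0-9.-]*) return 1 ;; esac
    case $bp_port in ''|*[!0-9]*) return 1 ;; esac
    case $(netcat_flavor "$bp_help") in
        openbsd)
            case $bp_type in
                http)   bp_x=connect ;;
                socks4) bp_x=4 ;;
                socks5) bp_x=5 ;;
                *)      return 1 ;;
            esac
            echo "$bp_nc -X $bp_x -x $bp_proxy %h %p" ;;
        ncat)
            case $bp_type in http|socks4|socks5) ;; *) return 1 ;; esac
            echo "$bp_nc --proxy $bp_proxy --proxy-type $bp_type %h %p" ;;
        *)  return 1 ;;
    esac
}

# Constructed help excerpts (written for this example, not captured output).
OPENBSD_HELP='  -X proto        Proxy protocol: "4", "5" (SOCKS) or "connect"
  -x addr[:port]  Specify proxy address and port'
NCAT_HELP='  --proxy <addr[:port]>  Specify address of host to proxy through
  --proxy-type <type>    Specify proxy type ("http" or "socks4")'
GNU_HELP='  -l, --listen  listen mode, for inbound connects'
build_proxy_command "$OPENBSD_HELP" http proxy.example:3128 /usr/bin/nc
build_proxy_command "$NCAT_HELP" socks4 127.0.0.1:9150 ncat
build_proxy_command "$GNU_HELP" http proxy.example:3128 || echo "no proxy support"
```

Against a real binary, pass its help text in, for example `build_proxy_command "$(nc -h 2>&1)" http PROXYHOST:PROXYPORT`. Older Ncat builds may reject `socks5`, as a later answer on this page notes.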
47

If your SSH proxy connection is going to be used often, you don't have to pass them as parameters each time. You can add the following lines to ~/.ssh/config

Host foobar.example.com
    ProxyCommand          nc -X connect -x proxyhost:proxyport %h %p
    ServerAliveInterval   10

then to connect use

ssh foobar.example.com

Source here

Cadoiz
Richard Christensen
  • I tried that but it didn't work. Mind you, I wasn't exactly sure what I needed to put in, but it went something like Host 159.23.191.23 ProxyCommand nc -x connect -x 10.3.50.01:22 %h %p ServerAliveInterval. Is that right? – bencarter78 Oct 03 '13 at 14:48
  • I just wanted to add that this solution did work perfect for me. My current workplace deploys HTTP-proxies and I simply replaced `proxyhost` by the IP (adding no schema!) and the `proxyport` by -- in this case -- 8080. – Pit Jun 08 '15 at 07:43
  • 1
    This answer only can tell someone that the commands you can pass are already (or can be defined) in its config file, but you do not have to explicitly write it to a file. You can just pass the argument to the ssh connect command. – m3nda Mar 11 '16 at 06:49
  • 1
    For CentOS/RedHat: ProxyCommand connect-proxy -H proxyhost:proxyport %h %p. Please check the connect-proxy options -H/-T/-S and use the right one on the basis of the proxy server. Most likely they would be -H or -S, try out both combinations – yolob 21 Dec 14 '21 at 11:21
  • 1
    "nc: invalid option -- 'x'" same for -X. I checked nc -h. What are these options supposed to stand for? Can't find how to replace them. – Hedwin Bonnavaud Oct 24 '22 at 13:31
35

I use -o "ProxyCommand=nc -X 5 -x proxyhost:proxyport %h %p" ssh option to connect through socks5 proxy on OSX.

Maxim K.
23

Just a remark to @rogerdpack's answer: for windows platform it is really hard to find a nc.exe with -X(http_proxy), however, I have found nc can be replaced by ncat, full example as follows:

Host github.com
     HostName github.com
         #ProxyCommand nc -X connect -x 127.0.0.1:1080 %h %p
         ProxyCommand ncat --proxy 127.0.0.1:1080 %h %p
     User git
     Port 22
     IdentityFile D:\Users\Administrator\.ssh\github_key

and ncat with --proxy can work perfectly.

Yun
shoaly
9

For Windows, @shoaly's parameters didn't completely work for me. I was getting this error:

NCAT DEBUG: Proxy returned status code 501.
Ncat: Proxy returned status code 501.
ssh_exchange_identification: Connection closed by remote host

I wanted to ssh to a REMOTESERVER and the SSH port had been closed in my network. I found two solutions but the second is better.

  • To solve the problem using Ncat:

    1. I downloaded Tor Browser, ran it and waited for it to connect.
    2. I got Ncat from the Nmap distribution and extracted ncat.exe into the current directory.
    3. SSH using Ncat as ProxyCommand in Git Bash with the additional --proxy-type socks4 parameter:

      ssh -o "ProxyCommand=./ncat --proxy-type socks4 --proxy 127.0.0.1:9150 %h %p" USERNAME@REMOTESERVER
      

      Note that this implementation of Ncat does not support socks5.

  • THE BETTER SOLUTION:

    1. Do the previous step 1.
    2. SSH using connect.c as ProxyCommand in Git Bash:

      ssh -o "ProxyCommand=connect -a none -S 127.0.0.1:9150 %h %p" USERNAME@REMOTESERVER
      

      Note that connect.c supports socks version 4/4a/5.

To use the proxy in git commands using ssh (for example while using GitHub) -- assuming you installed Git Bash in C:\Program Files\Git\ -- open ~/.ssh/config and add this entry:

host github.com
    user git
    hostname github.com
    port 22
    proxycommand "/c/Program Files/Git/mingw64/bin/connect.exe" -a none -S 127.0.0.1:9150 %h %p
Hamid Rouhani
4

I use proxychains ssh user@host; from proxychains-ng.
By default it uses a socks4 proxy at 127.0.0.1:9050 but it can be changed in the conf file /etc/proxychains.conf or you can specify another conf file like this: proxychains -f custom.conf

Cadoiz
3
$ which nc
/bin/nc

$ rpm -qf /bin/nc
nmap-ncat-7.40-7.fc26.x86_64

$ ssh -o "ProxyCommand nc --proxy <addr[:port]> %h %p" USER@HOST

$ ssh -o "ProxyCommand nc --proxy <addr[:port]> --proxy-type <type> --proxy-auth <auth> %h %p" USER@HOST
zhigang
3
ProxyCommand nc -proxy xxx.com:8080 %h %p

remove -X connect and use -proxy instead.

Worked for me.

double-beep
3

This is how I solved it, hoping to help others later.

My system is Debian 10, a minimal installation.

I also had the same problem, like this.

git clone git@github.com:nothing/nothing.git
Cloning into 'nothing'...
nc: invalid option -- 'x'
nc -h for help
ssh_exchange_identification: Connection closed by remote host
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

Or

git clone git@github.com:nothing/nothing.git
Cloning into 'nothing'...
/usr/bin/nc: invalid option -- 'X'
nc -h for help
ssh_exchange_identification: Connection closed by remote host
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

So, I know that nc has different versions like openbsd-netcat and GNU-netcat. You can change the nc in Debian to the openbsd version, but I chose to switch to other software, corkscrew, because the two versions of nc have the same name on the system and many people don't understand it well. My approach is as follows.

sudo apt install corkscrew

Then.

vim ~/.ssh/config

Change this file like this.

Host github.com
    User git
    ProxyCommand corkscrew 192.168.1.22 8118 %h %p

192.168.1.22 and 8118 are my proxy server's address and port; you should change them according to your server address.

It works fine.

Thanks @han.

Riko
3

The easiest way to do this after OpenSSH 7.3 is with ProxyJump:

ssh USERNAME@HOSTNAME -J PROXYHOSTNAME

which is shorthand for the ProxyCommand below (which works on older clients):

ssh USERNAME@HOSTNAME -o "ProxyCommand=ssh PROXYHOSTNAME -W %h:%p"

Or in your ssh config file ($HOME/.ssh/config):

Host HOSTNAME
User USERNAME
ProxyCommand ssh PROXYHOSTNAME -W %h:%p

The oldest clients require the use of netcat. YMMV depending on the version of netcat and options supported (see other answers).

Angelo
  • Your answer is the better option according to the [OpenSSH wikibook](https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Proxies_and_Jump_Hosts). And almost everyone should have OpenSSH > 7.3 by now, which was released August 2016! However, it did not work in my case, saying `Squid does not support some access protocols. For example, the SSH protocol is currently not supported`. – winkmal Jan 11 '23 at 14:38
  • Squid is a web proxy, and it's telling you it doesn't know how to do SSH. You just proxy SSH connections through an SSH server instead, for example through a bastion host. – Angelo Jan 13 '23 at 08:14
1

I was using the following lines in my .ssh/config (which can be replaced by suitable command line parameters) under Ubuntu

Host remhost
  HostName      my.host.com
  User          myuser
  ProxyCommand  nc -v -X 5 -x proxy-ip:1080 %h %p 2> ssh-err.log
  ServerAliveInterval 30
  ForwardX11 yes

When using it with Msys2, after installing gnu-netcat, file ssh-err.log showed that option -X does not exist. nc --help confirmed that, and seemed to show that there is no alternative option to handle proxies.

So I installed openbsd-netcat (pacman removed gnu-netcat after asking, since it conflicted with openbsd-netcat). At first glance, and checking the respective man pages, openbsd-netcat and Ubuntu netcat seem to be very similar, in particular regarding options -X and -x. With this, I connected with no problems.

1

To connect to a SOCKS5 proxy, simply run

ssh user@destination -o "ProxyCommand=nc -X 5 -x proxyhost:proxyport %h %p"

OR add proxy settings to .ssh/config

Host destination_host
    HostName destination_host
    User ali
    ProxyCommand nc -X 5 -x proxyhost:proxyport %h %p
    ServerAliveInterval 60
    ServerAliveCountMax 10

then you can simply run ssh destination_host

with special thanks to @maxim-k

Ali80
1

edit config file in:

.ssh/config
Host github.com
    HostName github.com
    User git
    Port 22
    ProxyCommand nc -X 5 -x 192.168.49.1:8000 %h %p

and test:

ssh -T git@github.com

Hi [username]! You've successfully authenticated, but GitHub does not provide shell access.
Umar
0

In my case since I had a jump host or Bastion host on the way, and because the signatures on these bastion nodes had changed since they were imported into known_hosts file, I just needed to delete those entries/lines from the following file:

/Users/a.abdi-kelishami/.ssh/known_hosts

From above file, delete those lines referring to the bastion hosts.

cyberPrivacy
0

Try -o "ProxyCommand=nc --proxy HOST:PORT %h %p" for the command in question. It worked on OEL6 but needs to be modified as mentioned for OEL7.

drops
Ashu M
0

If anybody on CentOS / RHEL gets

nc: invalid option -- 'X'

use this ProxyCommand

ProxyCommand nc --proxy  HOST:PORT --proxy-type http %h %p
Delcon
  • This was already [mentioned in this answer](https://stackoverflow.com/a/23616021/4575793) and also applies to *OS X* – Cadoiz Oct 05 '21 at 15:26