A while ago in the Transparent SSH host-jumping (Advanced) post I
described a technique on how one could jump quite effortlessly through a chain
of intermediate hosts. However, there was a catch: the user names and ports
across the whole chain should be the same and there was no easy way to change
Given that I recently paid quite a lot of attention to the ProxyCommand
directive I decided to look into the implementation of the helper script that
will allow one to tweak parameters for the hosts in the chain.
I was involved in the creation of the sshephalopod project, which was an
attempt to build an enterprise-level authentication framework for SSH
authentication using the SSH CA feature.
The project is based on a wrapper script that signs a user via a SAML identity
provider and gets the user’s public key signed for further use.
In one of the discussions I pointed out that such a wrapper script is not good
for the end user experience and I proposed to provide the users with an excerpt
for their ssh config file, so the functionality of sshephalopod would be
time 5 min.
In this brief article I am going to describe how I resolved a nagging issue I
had with setting up access to hosts which are not directly reachable, but where
you need to forward your connection through an intermediate host.
Previously, I was using the local SSH port-forwarding technique (although I
was configuring hosts I connect to in the ~/.ssh/config file instead of
using the command-line options). However, this approach turned out to be quite
inconvenient since every time I wanted to connect to a new host (and, possibly,
through a new intermediate host) I had to edit my
time 6 min.
In my previous blog entry I described some basic functionality of SSH in terms
of port-forwarding. Now it’s time for a little bit more complex stuff.
In this article I will highlight:
(forward) piercing of a firewall (getting access to resources behind it);
dynamic port-forwarding (AKA proxy);
(reverse) piercing of a firewall (exposing your local services on the remote side).
Forward firewall piercing
Let’s start with the forward firewall piercing, since it is the easiest and was
somewhat already described in my previous blog entry on this topic. Now,
imagine that you already have SSH access to some
time 4 min.