Last Updated: February 25, 2016
· fstrube

Proxying SSH Connections

Have you ever had to connect to an SSH server that is behind some sort of firewall? Sometimes clients protect their networks with VPNs, or allow only certain IP addresses to connect to their servers. Luckily, SSH makes connecting to these systems simple by allowing us to "proxy" through any command, even another SSH connection!

Take the following example:

Typically, if you wanted to connect to one of the web servers in that diagram, you would first type ssh user@secure, enter your password, and then type ssh user@web1. This 2-5 second delay isn't too bad when you only need to connect once in a while, but try rsync-ing some files between your laptop and web1, or deploying your application using scp, and the extra hop gets in the way every time.

By configuring SSH to use a proxy command, we can make the connection to web1 in one fell swoop. On the command line it would look something like this: ssh -o ProxyCommand="ssh user@secure nc %h %p 2>/dev/null" user@web1.

Or, in your ~/.ssh/config file you can add an alias for your web server:

Host web1
    Hostname web1
    ProxyCommand ssh user@secure nc %h %p 2>/dev/null

The meat of this configuration is the ProxyCommand directive. Your local ssh runs that command and talks to web1 through its standard input and output: the command logs in to secure and runs netcat there, which opens a plain TCP connection to web1 on the SSH port (%h and %p are replaced with the target host and port), essentially creating a tunnel to the web1 server. The SSH session itself is still negotiated end to end with web1, so secure only relays bytes. Now, any time you run ssh web1 it will be as if you have a direct connection to the server.
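To make the mechanics concrete, here is an added shell example (not code from the original post) that writes ~/.ssh/config stanzas like the one above for several internal hosts and shows the exact command ssh would run on the bastion by expanding the %h/%p tokens the way ssh does before executing a ProxyCommand. It goes slightly beyond the post: the "W" mode uses ssh -W %h:%p, a built-in alternative to netcat in OpenSSH 5.4 and later, which means nothing extra has to be installed on the bastion. The host names, the user@secure bastion and the temporary config path are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Builds ProxyCommand stanzas for
# hosts reached through the bastion "secure" and shows the expanded command.
# Host names and the bastion user are illustrative assumptions.

# Emit one Host stanza.
#   $1 = internal host (used as both alias and Hostname)
#   $2 = bastion, e.g. user@secure
#   $3 = "nc" (netcat on the bastion, as in the post) or
#        "W"  (ssh -W, built into OpenSSH 5.4+, no netcat needed)
proxy_stanza() {
    host=$1; bastion=$2; mode=${3:-nc}
    case $mode in
        nc) cmd="ssh $bastion nc %h %p 2>/dev/null" ;;
        W)  cmd="ssh -W %h:%p $bastion" ;;
        *)  echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    printf 'Host %s\n    Hostname %s\n    ProxyCommand %s\n' "$host" "$host" "$cmd"
}

# Expand %h and %p the way ssh does, so you can see what actually runs
# on the bastion for a given target host and port (default 22).
expand_proxy() {
    proxycmd=$1; host=$2; port=${3:-22}
    printf '%s\n' "$proxycmd" | sed -e "s/%h/$host/g" -e "s/%p/$port/g"
}

# Write a config file covering several internal hosts.
#   $1 = output file, remaining args = internal hosts
gen_config() {
    out=$1; shift
    : > "$out"
    for h in "$@"; do
        proxy_stanza "$h" user@secure nc >> "$out"
        echo >> "$out"
    done
}

# Demo when run directly: generate a config for two hosts and show what the
# netcat ProxyCommand expands to for web1.
if [ "${0##*/}" = "proxy_config.sh" ]; then
    gen_config ./ssh_config.generated web1 web2
    cat ./ssh_config.generated
    expand_proxy "ssh user@secure nc %h %p 2>/dev/null" web1 22
fi
```

After copying a generated stanza into ~/.ssh/config, ssh -G web1 (OpenSSH 6.8 and later) prints the effective options for that host, which is the quickest way to confirm the ProxyCommand line is actually being picked up before you debug the bastion side. Because the bastion only relays bytes, the host key you are prompted to verify is web1's own key, so a key mismatch warning on first connect means the relay is not reaching the host you expected.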

Note: If you don't have SSH keys set up, you will be asked for a password twice: once to establish the proxy connection to secure, and again for the actual login to web1.

I've been using this trick for a while to circumvent firewalls and networking rules. Hopefully you can add it to your bag of tricks too!

Icon credits: Laptop from The Noun Project; Internet designed by Fernando Vasconcelos from The Noun Project; Servers designed by Daniel Campos from The Noun Project.