
There's something really broken about my mental model of how ssh's nesting of ProxyCommand works.

I have the following ssh command that works the way I want it to (ssh to jump.mydomain.com and then, once I'm on jump.mydomain.com, ssh (using ProxyCommand) to server.remote.com):

ssh -t local_me@jump.mydomain.com                                \
    ssh -o "ProxyCommand='cloudflared access ssh --hostname %h'" \
        remote_me@server.remote.com

I feel like I should be able to set up some rules in my local ~/.ssh/config file so that I can just type

ssh remote_me@server.remote.com

and have these multiple steps "just work", but I can't figure out what those rules should be.

I think my question might be a duplicate of ProxyCommand use for multiple hops and prompt authentication, but in that question the ProxyCommands are all being used for simple hops, and my ProxyCommand doesn't seem to fit into either end of the chain.

1 Answer


This doesn't really help with my lack of mental modeling about how ProxyJumps and ProxyCommands work and interact, but I did find a way to accomplish the specific task outlined in the question.

After I asked the question I realized that I could come up with an alternate ssh command where the nested ssh was part of the ProxyCommand, as follows:

ssh -o "ProxyCommand=ssh local_me@jump.mydomain.com            \
                         cloudflared access ssh --hostname %h" \
    remote_me@server.remote.com

Now I have a single ProxyCommand that I can fit into my ~/.ssh/config file:

Host server.remote.com
     ProxyCommand ssh local_me@jump.mydomain.com cloudflared access ssh --hostname %h

And once I've put the ProxyCommand into my config file I can do:

ssh remote_me@server.remote.com

While I'm happy that I've come up with a solution to my immediate problem, I'm not sure that I've improved my mental model in any way that will help me solve my next conundrum.

  • See the manual page ssh_config(3) for how ProxyCommand works. The client simply uses a pipe to establish the ssh connection, instead of starting a TCP connection itself. I think your solution is the only clean solution; I was thinking of ProxyJump, but it works with port forwarding and doesn't allow forcing the use of a command (such as cloudflared). – don_aman Mar 16 '23 at 21:07
  • I think some intuition about ProxyCommand can be built by observing how one can use it to achieve what goals. I have a nice example here: How to throttle bandwidth of SSH connection. – Kamil Maciorowski Mar 16 '23 at 21:14
  • @don_aman Minor correction: ssh_config(5). It's man 5 ssh_config. – Kamil Maciorowski Mar 16 '23 at 21:22
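To make the mechanism behind the answer's config visible, here is an added example (not code from the question or the answer): it reproduces the token expansion ssh applies to a ProxyCommand before running it, reads the option back out of a config file written with the answer's Host block, and shows how to confirm the resolved option with `ssh -G`. Host and user names are the question's placeholders, and `User remote_me` is an assumed addition so that `ssh server.remote.com` needs no user on the command line.

```shell
# Added example (not the question's or answer's code). Host and user names are
# the question's placeholders; "User remote_me" is an assumed addition.
# Expand the tokens ssh substitutes in ProxyCommand before running it:
#   %h target host   %p target port   %r remote user   %% literal %
# A left-to-right scan keeps "%%h" as a literal "%h", as ssh does.
proxy_expand() {
    printf '%s' "$1" | awk -v h="$2" -v p="$3" -v r="$4" '{
        out = ""
        for (i = 1; i <= length($0); i++) {
            c = substr($0, i, 1)
            if (c != "%") { out = out c; continue }
            i++; t = substr($0, i, 1)
            if (t == "h") out = out h
            else if (t == "p") out = out p
            else if (t == "r") out = out r
            else if (t == "%") out = out "%"
            else { print "unsupported token %" t > "/dev/stderr"; exit 1 }
        }
        print out
    }'
}
# Write the answer's config to a temporary file and print its path.
write_config() {
    cfg=$(mktemp) || return 1
    cat > "$cfg" <<'EOF'
Host server.remote.com
    User remote_me
    ProxyCommand ssh local_me@jump.mydomain.com cloudflared access ssh --hostname %h
EOF
    printf '%s\n' "$cfg"
}
# Return the ProxyCommand from the block whose Host equals the given name
# (literal match only; no wildcards or Match blocks).
config_proxy_command() {
    awk -v want="$2" '
        $1 == "Host" { in_block = ($2 == want) }
        in_block && $1 == "ProxyCommand" { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}
main() {
    cfg=$(write_config) || exit 1
    cmd=$(config_proxy_command "$cfg" server.remote.com)
    echo "configured: $cmd"
    echo "ssh runs:   $(proxy_expand "$cmd" server.remote.com 22 remote_me)"
    # OpenSSH's own view of the resolved option; note that the nested ssh inside
    # the ProxyCommand still reads the default ~/.ssh/config, not this -F file.
    echo "verify:     ssh -G -F $cfg server.remote.com | grep -i proxycommand"
    rm -f "$cfg"
}
main
```

The expanded command line is also what to run by hand when debugging: a working ProxyCommand answers on stdout with the server's SSH banner, and `ssh -v` logs the exact command it executed.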