17

I'm trying to set up automatic SSH hopping through a server which doesn't have nc.

This works from the command line:

ssh -A gateway ssh steve@target

(I have added my public key to the SSH agent).

However, adding it to ~/.ssh/config doesn't:

Host target
  User steveb
  ProxyCommand ssh -A gateway ssh steve@targetip

$ ssh target
Pseudo-terminal will not be allocated because stdin is not a terminal.


^CKilled by signal 2.

Attempting to force the issue with -t is amusing but unhelpful.

ProxyCommand ssh -A -t gateway ssh steve@targetip

$ ssh target
Pseudo-terminal will not be allocated because stdin is not a terminal.
Pseudo-terminal will not be allocated because stdin is not a terminal.


^CKilled by signal 2.

More -t's? No good.

ProxyCommand ssh -A -t -t gateway ssh steve@targetip

$ ssh target
tcgetattr: Inappropriate ioctl for device


^CKilled by signal 2.

Is this possible? Most tutorials (e.g. http://www.arrfab.net/blog/?p=246 ) suggest using nc.

4 Answers

14

SSH ProxyCommand without netcat

The ProxyCommand is very useful when hosts are only indirectly accessible. With netcat it is relatively straightforward:

ProxyCommand ssh {gw} netcat -w 1 {host} 22

Here {gw} and {host} are placeholders for the gateway and the host.

But it is also possible when netcat is not installed on the gateway:

ProxyCommand ssh {gw} 'exec 3<>/dev/tcp/{host}/22; cat <&3 & cat >&3;kill $!'

The /dev/tcp is a built-in feature of standard bash. The files don't exist. To check whether bash has this feature built in, run:

cat < /dev/tcp/google.com/80 

...on the gateway.

To make sure that bash is used, use:

ProxyCommand ssh {gw} "/bin/bash -c 'exec 3<>/dev/tcp/{host}/22; cat <&3 & cat >&3;kill \$!'"

And it even works together with ControlMaster.

(Updated on Oct 22 to include kill to clean up background cat) (Updated on Mar 3 2011 to make placeholders more clear and explain /dev/tcp)

100% credit to Roland Schulz. Here's the source:
http://www.rschulz.eu/2008/09/ssh-proxycommand-without-netcat.html
See more useful info in the comments there.

There is also more here:
http://www.linuxjournal.com/content/tech-tip-tcpip-access-using-bash
http://securityreliks.securegossip.com/2010/08/enabling-devtcp-on-backtrack-4r1ubuntu/

UPDATE: here's something new from Marco

In reference to a ProxyCommand in ~/.ssh/config where one has a line like this:

ProxyCommand ssh gateway nc localhost %p

Marco says:

You don't need netcat if you use a recent version of OpenSSH. You can replace nc localhost %p with -W localhost:%p.

The result would look like this:

ProxyCommand ssh gateway -W localhost:%p
MountainX
  • 17,948
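
The two nc-free options from the answer above, as an added example that is not part of the original answers: it prints a ~/.ssh/config stanza using -W when the client banner reports OpenSSH 5.4 or later (the release that added -W) and the bash /dev/tcp form otherwise. Because the session to the target then runs end to end from the client, -A is not needed on the gateway hop. Function names are hypothetical and the version banners are constructed.

```shell
#!/bin/sh
# Added example, not from the answers above. Function names are hypothetical;
# "gateway", "targetip" and "steve" are the names used in the question.

# Succeed if the `ssh -V` banner in $1 reports OpenSSH 5.4 or later (has -W).
ssh_supports_W() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1    # unrecognised banner: assume -W is missing
    major=${ver% *}
    minor=${ver#* }
    [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 4 ]; }
}

# Print the ProxyCommand line for gateway $1, given the client banner in $2.
proxy_command() {
    if ssh_supports_W "$2"; then
        # The client forwards its stdio to %h:%p; no command runs on the gateway.
        printf 'ProxyCommand ssh -W %%h:%%p %s\n' "$1"
    else
        # bash /dev/tcp fallback. \$! stops the local shell, which runs the
        # ProxyCommand, from expanding $! inside the double quotes.
        printf 'ProxyCommand ssh %s "/bin/bash -c '\''exec 3<>/dev/tcp/%%h/%%p; cat <&3 & cat >&3; kill \\$!'\''"\n' "$1"
    fi
}

# Print a Host stanza: alias $1, address $2, user $3, gateway $4, banner $5.
host_stanza() {
    printf 'Host %s\n  HostName %s\n  User %s\n  ' "$1" "$2" "$3"
    proxy_command "$4" "$5"
}

# Constructed banners standing in for the output of `ssh -V 2>&1`.
host_stanza target targetip steve gateway 'OpenSSH_8.9p1, OpenSSL 3.0.2'
host_stanza target targetip steve gateway 'OpenSSH_5.3p1, OpenSSL 1.0.1e'
```

To generate the stanza for the local client, pass "$(ssh -V 2>&1)" as the last argument; the -W form also needs TCP forwarding to be permitted on the gateway.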
9

Big T, not little t.

-T  Disable pseudo-tty allocation.
-t  Force pseudo-tty allocation.

My script used to return that message, and no longer does.

/usr/bin/ssh -T -q -i $HOME/.ssh/one_command other_system

I use the authorized_key on the other_system to cause this to run a command:

from="my.mydomain.com",command="bin/remotely-run" ssh-rsa ... 
slm
  • 369,824
3

Give this a try:

ProxyCommand ssh -A -t gateway ssh -t steve@targetip
Hauke Laging
  • 90,279
-3

You could try the following technique of ssh'ing into server1 followed by ssh'ing into server2.

$ ssh -t user1@server1 ssh -t user2@server2 

Doing it like this works for me.

slm
  • 369,824
  • 1
    Please explain more... What this command does and how it is useful to solve the answer. – TPS Sep 10 '14 at 12:00