SSH multi-hop connections with netcat mode proxy
Posted by aef on Server Fault
Published on 2012-11-09T10:51:12Z
Since OpenSSH 5.4 there is a new feature called netcat mode, which allows you to bind STDIN and STDOUT of the local SSH client to a TCP port accessible through the remote SSH server. This mode is enabled by simply calling ssh -W [HOST]:[PORT].
Theoretically this should be ideal for use in the ProxyCommand setting in per-host SSH configurations, which was previously often used with the nc (netcat) command. ProxyCommand allows you to configure a machine as a proxy between your local machine and the target SSH server, for example if the target SSH server is hidden behind a firewall.
The problem now is that, instead of working, it throws a cryptic error message in my face:
Bad packet length 1397966893.
Disconnecting: Packet corrupt
Here is an excerpt from my ~/.ssh/config:
    Host *
        Protocol 2
        ControlMaster auto
        ControlPath ~/.ssh/cm_socket/%r@%h:%p
        ControlPersist 4h

    Host proxy-host proxy-host.my-domain.tld
        HostName proxy-host.my-domain.tld
        ForwardAgent yes

    Host target-server target-server.my-domain.tld
        HostName target-server.my-domain.tld
        ProxyCommand ssh -W %h:%p proxy-host
        ForwardAgent yes
As you can see here, I'm using the ControlMaster feature so I don't have to open more than one SSH connection per-host.
The client machine I tested this with is an Ubuntu 11.10 (x86_64) and both proxy-host and target-server are Debian Wheezy Beta 3 (x86_64) machines.
The error happens when I call ssh target-server. When I call it with the -v flag, here is what I get additionally:
OpenSSH_5.8p1 Debian-7ubuntu1, OpenSSL 1.0.0e 6 Sep 2011
debug1: Reading configuration data /home/aef/.ssh/config
debug1: Applying options for *
debug1: Applying options for target-server.my-domain.tld
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: auto-mux: Trying existing master
debug1: Control socket "/home/aef/.ssh/cm_socket/[email protected]:22" does not exist
debug1: Executing proxy command: exec ssh -W target-server.my-domain.tld:22 proxy-host.my-domain.tld
debug1: identity file /home/aef/.ssh/id_rsa type -1
debug1: identity file /home/aef/.ssh/id_rsa-cert type -1
debug1: identity file /home/aef/.ssh/id_dsa type -1
debug1: identity file /home/aef/.ssh/id_dsa-cert type -1
debug1: identity file /home/aef/.ssh/id_ecdsa type -1
debug1: identity file /home/aef/.ssh/id_ecdsa-cert type -1
debug1: permanently_drop_suid: 1000
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.0p1 Debian-3
debug1: match: OpenSSH_6.0p1 Debian-3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.8p1 Debian-7ubuntu1
debug1: SSH2_MSG_KEXINIT sent
Bad packet length 1397966893.
Disconnecting: Packet corrupt
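
As an added example (not part of the original post): OpenSSH reports "Bad packet length" when the four bytes it reads as the big-endian uint32 length field of a binary packet hold an implausible value, so turning the number back into bytes shows what actually arrived in the stream. The function names below are hypothetical, and the log sample is constructed from the output quoted above.

```python
import re
import struct

# Constructed sample: the last lines of the `ssh -v` output quoted in the post.
SAMPLE_LOG = """\
debug1: Local version string SSH-2.0-OpenSSH_5.8p1 Debian-7ubuntu1
debug1: SSH2_MSG_KEXINIT sent
Bad packet length 1397966893.
Disconnecting: Packet corrupt
"""

BAD_LEN = re.compile(r"Bad packet length (\d+)")


def decode_bad_packet_length(value):
    """Return the 4 bytes the client read as the uint32 packet_length field."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("packet_length is a 32-bit field")
    return struct.pack(">I", value)  # SSH integers are big-endian (RFC 4251)


def classify(raw):
    """Describe what kind of data sat where a packet header was expected."""
    if raw == b"SSH-":
        return "SSH identification string (a banner inside the packet stream)"
    if all(0x20 <= b < 0x7F or b in (0x0A, 0x0D) for b in raw):
        return "printable text written into the stream"
    return "binary data (not readable text)"


def diagnose(log_text):
    """Return (value, raw_bytes, verdict) for every 'Bad packet length' line."""
    results = []
    for match in BAD_LEN.finditer(log_text):
        value = int(match.group(1))
        raw = decode_bad_packet_length(value)
        results.append((value, raw, classify(raw)))
    return results


if __name__ == "__main__":
    for value, raw, verdict in diagnose(SAMPLE_LOG):
        print(f"{value} = 0x{value:08x} = {raw!r}: {verdict}")
```

For the value in the post the bytes are `SSH-`: the client read the start of an SSH identification string at the point where it expected the next key-exchange packet.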