SSH multi-hop connections with netcat mode proxy

Posted by aef on Server Fault See other posts from Server Fault or by aef
Published on 2012-11-09T10:51:12Z Indexed on 2012/11/09 11:06 UTC
Read the original article Hit count: 315

Filed under:
|
|
|
|

Since OpenSSH 5.4 there is a new feature called natcat mode, which allows you to bind STDIN and STDOUT of local SSH client to a TCP port accessible through the remote SSH server. This mode is enabled by simply calling ssh -W [HOST]:[PORT]

Theoretically this should be ideal for use in the ProxyCommand setting in per-host SSH configurations, which was previously often used with the nc (netcat) command. ProxyCommand allows you to configure a machine as proxy between you local machine and the target SSH server, for example if the target SSH server is hidden behind a firewall.

The problem now is, that instead of working, it throws a cryptic error message in my face:

Bad packet length 1397966893.
Disconnecting: Packet corrupt

Here is an excerpt from my ~/.ssh/config:

Host *
  Protocol 2
  ControlMaster auto
  ControlPath ~/.ssh/cm_socket/%r@%h:%p
  ControlPersist 4h

Host proxy-host proxy-host.my-domain.tld
  HostName proxy-host.my-domain.tld
  ForwardAgent yes

Host target-server target-server.my-domain.tld
  HostName target-server.my-domain.tld
  ProxyCommand ssh -W %h:%p proxy-host
  ForwardAgent yes

As you can see here, I'm using the ControlMaster feature so I don't have to open more than one SSH connection per-host.

The client machine I tested this with is an Ubuntu 11.10 (x86_64) and both proxy-host and target-server are Debian Wheezy Beta 3 (x86_64) machines.

The error happens when I call ssh target-server. When I call it with the -v flag, here is what I get additionally:

OpenSSH_5.8p1 Debian-7ubuntu1, OpenSSL 1.0.0e 6 Sep 2011
debug1: Reading configuration data /home/aef/.ssh/config
debug1: Applying options for *
debug1: Applying options for target-server.my-domain.tld
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: auto-mux: Trying existing master
debug1: Control socket "/home/aef/.ssh/cm_socket/[email protected]:22" does not exist
debug1: Executing proxy command: exec ssh -W target-server.my-domain.tld:22 proxy-host.my-domain.tld
debug1: identity file /home/aef/.ssh/id_rsa type -1
debug1: identity file /home/aef/.ssh/id_rsa-cert type -1
debug1: identity file /home/aef/.ssh/id_dsa type -1
debug1: identity file /home/aef/.ssh/id_dsa-cert type -1
debug1: identity file /home/aef/.ssh/id_ecdsa type -1
debug1: identity file /home/aef/.ssh/id_ecdsa-cert type -1
debug1: permanently_drop_suid: 1000
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.0p1 Debian-3
debug1: match: OpenSSH_6.0p1 Debian-3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.8p1 Debian-7ubuntu1
debug1: SSH2_MSG_KEXINIT sent
Bad packet length 1397966893.
Disconnecting: Packet corrupt

© Server Fault or respective owner

Related posts about linux

Related posts about networking