ssh ProxyCommand and PuTTY

Posted: October 1, 2010 in How To - Linux

I’ve had problems in the past, where I’ve had so many NAT configurations to get into various machines in my small, home network. Using the ssh ProxyCommand, you can use a single exposed machine to forward your ssh sessions onto any machine in your network.

OpenSSH CLI

Obviously, most (if not all) flavours of Linux come with an ssh client included in the basic install, so you can just chuck a little config into ~/.ssh/config and you're done.
In this example, I've exposed sshproxy.example.com to the internet on port 22, and I'm going to set up a connection to build.example.local (inside my network):

Host example-build
    User            example
    Hostname        build.example.local
    ForwardAgent    yes
    ProxyCommand    ssh example@sshproxy.example.com nc %h %p

Host is an arbitrary string to describe your connection. You'll use this as the host value when you run ssh:

ssh example-build

User is the username that you use to connect to the host at Hostname.
ProxyCommand is the command ssh runs to create the proxy connection; ssh substitutes the target's Hostname for %h and its port for %p before running it.

PuTTY

You can configure PuTTY the same way by doing this:

  • In the Session section, type this for the host string:
  • In Connection:Data, enter your username:
  • In Connection:Proxy, add the proxy settings:
  • and finally, allow agent forwarding in Connection:SSH:Auth.

As long as you have your public key installed on the proxy and on the host that you are connecting to, and your key is loaded into Pageant, this will work.

Please note that it is necessary to have public-key authentication with the proxy host using this method. It is possible to send the password over to the proxy, but I don't recommend that at all.
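As an added example (not code from this post), the script below parses a small, constructed ~/.ssh/config in the style of the stanza above, expands the ProxyCommand the way ssh would (%h, %p, %r) and the way PuTTY's local proxy command does (%host, %port, %user, %proxyhost, %proxyport), and then audits each proxy stanza for three things a reviewer would look for: ForwardAgent yes (the agent socket becomes reachable on every hop, and the proxy hop itself does not need it), a password embedded in the proxy command (plink -pw or sshpass, the pattern the post advises against), and the nc relay, which works but can be replaced by "ssh -W %h:%p" (OpenSSH 5.4+) or the ProxyJump directive (OpenSSH 7.3+) so nc need not exist on the proxy. The second stanza (example-db) and the sample values are assumptions for the demo.

```python
import re
from typing import Dict, List

# Constructed sample ~/.ssh/config for the demo. The first stanza mirrors the post;
# the second is an assumed variant that uses "ssh -W" (OpenSSH 5.4+) instead of nc.
SAMPLE_CONFIG = """\
# jump through sshproxy.example.com to hosts on the internal network
Host example-build
    User            example
    Hostname        build.example.local
    ForwardAgent    yes
    ProxyCommand    ssh example@sshproxy.example.com nc %h %p

Host example-db
    User            dba
    Hostname        db.example.local
    Port            2222
    ProxyCommand    ssh -W %h:%p example@sshproxy.example.com
"""

# Tokens understood by OpenSSH ProxyCommand (%h, %p, %r, %%) and by PuTTY's local
# proxy command (%host, %port, %user, %proxyhost, %proxyport). Longest names are
# listed first so that "%host" is not misread as "%h" followed by "ost".
_TOKEN_RE = re.compile(r"%(proxyhost|proxyport|host|port|user|h|p|r|%)")


def parse_ssh_config(text: str) -> Dict[str, Dict[str, str]]:
    """Parse ssh_config text into {host_alias: {keyword(lowercase): value}}.

    Handles the subset needed here: "Keyword value" or "Keyword=value" lines
    grouped under Host stanzas; comments and blank lines are skipped.
    """
    stanzas: Dict[str, Dict[str, str]] = {}
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "host":
            current = {}
            stanzas[value] = current
        else:
            current[keyword] = value
    return stanzas


def expand_proxy_command(template: str, host: str, port: str = "22", user: str = "",
                         proxyhost: str = "", proxyport: str = "22") -> str:
    """Expand OpenSSH-style and PuTTY-style tokens in a proxy command template."""
    values = {
        "h": host, "host": host,
        "p": port, "port": port,
        "r": user, "user": user,
        "proxyhost": proxyhost, "proxyport": proxyport,
        "%": "%",
    }
    return _TOKEN_RE.sub(lambda m: values[m.group(1)], template)


def expand_stanza(alias: str, stanza: Dict[str, str]) -> str:
    """Expand the ProxyCommand of one parsed stanza as ssh would for that alias."""
    return expand_proxy_command(
        stanza.get("proxycommand", ""),
        host=stanza.get("hostname", alias),   # ssh uses the alias when Hostname is absent
        port=stanza.get("port", "22"),
        user=stanza.get("user", ""),
    )


def audit_stanza(stanza: Dict[str, str]) -> List[str]:
    """Return finding codes for a stanza that goes through a proxy hop."""
    findings: List[str] = []
    proxy = stanza.get("proxycommand", "")
    if not proxy and "proxyjump" not in stanza:
        return findings                           # direct connection: nothing to audit here
    if stanza.get("forwardagent", "no").lower() == "yes":
        findings.append("forward-agent")          # agent socket exposed on the proxy host
    if re.search(r"(^|\s)-pw\s", proxy) or "sshpass" in proxy:
        findings.append("embedded-password")      # plink -pw / sshpass stores a password in the config
    if re.search(r"(^|\s)nc(\s|$)", proxy):
        findings.append("nc-proxy")               # works, but ssh -W / ProxyJump need no nc on the proxy
    return findings


def audit_config(text: str) -> Dict[str, List[str]]:
    """Audit every stanza in a config text; returns {alias: [finding codes]}."""
    return {alias: audit_stanza(s) for alias, s in parse_ssh_config(text).items()}


if __name__ == "__main__":
    for alias, stanza in parse_ssh_config(SAMPLE_CONFIG).items():
        print(f"{alias}: {expand_stanza(alias, stanza)}  findings={audit_stanza(stanza)}")
```

Run it against a real ~/.ssh/config by reading the file into parse_ssh_config in place of SAMPLE_CONFIG; the expanded command is what ssh will hand to the shell, which is a quick way to spot a token typo before the connection silently hangs, and the findings list is the starting point for tightening each stanza.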

Comments
  1. Oh man! This is the FIRST and ONLY straightforward example of this that just works. It doesn't require some stupid extra window open or connecting to localhost or any of that BS. Thank God you posted this… (care to do one for SecureCRT now?)

    I found your example from this question I posted:
    http://serverfault.com/questions/253470/how-do-i-ssh-tunnel-using-putty-or-securecrt-through-gateway-proxy-to-development

  2. Julien says:

    If your exposed machine doesn’t have ssh listening on port 22, you need the following local proxy command:
    plink -P %proxyport %user@%proxyhost -nc %host:%port

    And if it is listening on port 22 it doesn’t hurt.

  3. […] does seem that PuTTY version 0.59 and later supports ProxyCommand-like syntax; see, for example, this blog post. You most likely don’t want to use SOCKS. You want to be careful about having strong […]

  4. […] also tried looking up this guide to emulate ssh ProxyCommand on PUTTY. Unfortunately even this does not work. I went to the windows […]

  5. Jonathon says:

    For a key-based environment (such as AWS), you can change the plink command to:

    plink -i C:\path\to\your_proxy_key.ppk %user@%proxy_host -nc %host:%port

    Then specify the %host machine’s ssh key in SSH->Auth

  6. Pawel says:

    Thanks a lot! Worked like a charm!

  7. Gordon Watson says:

    Great article, many thanks 🙂
    If you want to expand on and do multi-hop this article also is useful:
    http://sshmenu.sourceforge.net/articles/transparent-mulithop.html

  8. Francis Montagnac says:

    For PuTTY, you must have made a connection to the proxy host once before, to
    validate its host key on the source machine; otherwise the connection
    will fail: the PuTTY window stays empty, and no popup to accept the
    host key appears. The SSH logs on the proxy host only show a
    “Connection from” log. Also, agent forwarding is not
    mandatory to make the proxy session work.

  9. Roger says:

    Good article. Thanks. I have it working with the public key on the proxy …. but …

    ” It is possible to send the password over to the proxy, but I don’t recommend that at all.”
    I actually want to do a double prompt for passwords and googled everywhere looking for it.
    Basically I want to set up PuTTY to go through the proxy, or gateway, but I want to be prompted for the proxy's name/password. And then I want to be prompted for the credentials of the host I'm really trying to get to. I don't want to put my public key on the proxy. Can this be done with PuTTY?

    • geogdog says:

      I'm afraid that I don't use PuTTY anymore and don't have any way to test a double password setup like you're describing. Although, I'm pretty sure it's possible. Good luck!

  10. Raj says:

    How do I get the public key installed on the proxy host?
    I'm connecting from mywindows -> server1.site.com -> server2.site.com (may also connect to server3/4/5 etc.). I tested that if I manually log in to server1.site.com (using ssh from my local machine without a password), I can ssh to server2.site.com.
    All settings are as mentioned above.
    However, the error is this:

    Starting local proxy command: plink.exe -v @server1.site.com -nc server2.site.com:22
    proxy: Connecting to 10.10.10.10 port 22
    proxy: We claim version: SSH-2.0-PuTTY_Release_0.70
    proxy: Server version: SSH-2.0-OpenSSH_7.7
    proxy: Using SSH protocol version 2
    proxy: Doing ECDH key exchange with curve Curve25519 and hash SHA-256
    proxy: Host key fingerprint is:
    proxy: ssh-rsa 2048 38:8………….1b:41
    proxy: Initialised AES-256 SDCTR client->server encryption
    proxy: Initialised HMAC-SHA-256 client->server MAC algorithm
    proxy: Initialised AES-256 SDCTR server->client encryption
    proxy: Initialised HMAC-SHA-256 server->client MAC algorithm
    proxy: Pageant is running. Requesting keys.
    proxy: Pageant has 2 SSH-2 keys
    proxy: Using username “”.
    proxy: Trying Pageant key #0
    proxy: Authenticating with public key ” temporary key 1555555552″ from agent
    proxy: Sending Pageant’s response
    proxy: Access granted
    proxy: Opening connection to server2.site.com:22 for main channel
    proxy: Remote debug message: cert: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
    proxy: Remote debug message: principals: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
    proxy: Remote debug message: cert: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
    proxy: Remote debug message: principals: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
    proxy: FATAL ERROR: Server refused to open main channel: Connect failed [Connection timed out]

  11. Makarand V Sovani says:

    Thanks, this helped a lot.
