ssh ProxyCommand and PuTTY

Posted: October 1, 2010 in How To - Linux

I’ve had problems in the past with the number of NAT port-forwards needed to reach the various machines on my small home network. With the ssh ProxyCommand option, a single exposed machine can forward your ssh sessions on to any machine inside the network.

OpenSSH CLI

Most (if not all) Linux distributions ship an ssh client in the base install, so you only need to add a short stanza to ~/.ssh/config and you’re done.
In this example, sshproxy.example.com is exposed to the internet on port 22, and I’m setting up a connection to build.example.local (inside my network):

Host example-build
    User            example
    Hostname        build.example.local
    # Agent forwarding lets root on build.example.local use your agent while
    # you are logged in; only enable it for hosts you trust.
    ForwardAgent    yes
    # Requires nc on the proxy. OpenSSH 5.4+ can use "ssh -W %h:%p example@sshproxy.example.com"
    # instead, which needs no nc and no shell on the proxy account.
    ProxyCommand    ssh example@sshproxy.example.com nc %h %p

Host is an arbitrary alias for the connection. You’ll use it as the host argument when you run ssh:

ssh example-build

User is the username used to log in to the machine at Hostname.
ProxyCommand is the command ssh runs to create the tunnel. Here it opens a second ssh session to the proxy and runs nc there to connect on to the real target; %h and %p are replaced with the Hostname and port of the stanza being connected to.
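Two things tend to go wrong with this setup in practice: a stanza gets added twice, and the ProxyCommand’s inner ssh runs non-interactively, so an unknown proxy host key hangs or fails the connection instead of prompting (the same problem a commenter below describes for PuTTY). The following shell functions, an added example and not part of the original post, add the stanza idempotently, read it back, and check that the proxy’s host key is already in known_hosts before you rely on it. They use the post’s names (example-build, example, build.example.local, sshproxy.example.com); the config and known_hosts paths are parameters. The stanza written uses `ssh -W %h:%p` rather than `nc %h %p`, which is the OpenSSH 5.4+ equivalent and needs no nc on the proxy.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Manage a ProxyCommand stanza in an ssh config file and check the proxy's
# host key is known, so the inner (non-interactive) ssh does not stall.

# add_proxied_host CONFIG ALIAS USER TARGET PROXY_USER PROXY_HOST
# Appends a Host stanza unless one for ALIAS already exists (idempotent).
# "ssh -W %h:%p" (OpenSSH >= 5.4) replaces "nc %h %p": the proxy account then
# needs only AllowTcpForwarding, not netcat or a shell. OpenSSH 7.3+ can use
# "ProxyJump example@sshproxy.example.com" instead.
add_proxied_host() {
    config=$1 name=$2 user=$3 target=$4 puser=$5 phost=$6
    if grep -qE "^Host[[:space:]]+$name([[:space:]]|$)" "$config" 2>/dev/null; then
        return 0
    fi
    {
        printf 'Host %s\n' "$name"
        printf '    User            %s\n' "$user"
        printf '    Hostname        %s\n' "$target"
        printf '    ProxyCommand    ssh -W %%h:%%p %s@%s\n' "$puser" "$phost"
    } >> "$config"
}

# proxy_command CONFIG ALIAS
# Prints the ProxyCommand of ALIAS's stanza (as written above), or nothing.
proxy_command() {
    awk -v name="$2" '
        $1 == "Host" { inblock = ($2 == name) }
        inblock && $1 == "ProxyCommand" { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}

# proxy_key_known KNOWN_HOSTS PROXY_HOST
# Returns 0 if KNOWN_HOSTS has a plaintext entry naming PROXY_HOST
# (first field is a comma-separated host list). Seed it once with
#   ssh-keyscan sshproxy.example.com >> ~/.ssh/known_hosts
# and verify the fingerprint out of band. Hashed entries (HashKnownHosts yes)
# and [host]:port entries are not covered; use ssh-keygen -F for those.
proxy_key_known() {
    esc=$(printf '%s' "$2" | sed 's/[.[\*^$]/\\&/g')
    grep -qE "^([^[:space:],]+,)*$esc([, ]|$)" "$1" 2>/dev/null
}
```

Typical use is `add_proxied_host ~/.ssh/config example-build example build.example.local example sshproxy.example.com`, then `proxy_key_known ~/.ssh/known_hosts sshproxy.example.com || ssh-keyscan sshproxy.example.com >> ~/.ssh/known_hosts` (checking the scanned fingerprint against one obtained directly on the proxy) before the first `ssh example-build`.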

PuTTY

You can configure PuTTY the same way (using the same names as the OpenSSH example above):

  • In the Session section, type the real target for the host name: build.example.local
  • In Connection:Data, enter the username for the target: example
  • In Connection:Proxy, set the proxy type to Local, the proxy hostname to sshproxy.example.com (port 22), the username to example, and the local proxy command to: plink %user@%proxyhost -nc %host:%port
  • Finally, allow agent forwarding in Connection:SSH:Auth

As long as your public key is installed on both the proxy and the host you are connecting to, and the key is loaded into Pageant, this will work.

Note that public-key authentication to the proxy host is required with this method. It is possible to send a password to the proxy instead, but I don’t recommend that at all, since the password would then have to be saved with the session.

Comments
  1. Oh man! This is the FIRST and ONLY straightforward example of this that just works. It doesn’t require some stupid extra window open or connecting to localhost or any of that BS. Thank God you posted this… (care to do one for SecureCRT now?)

    I found your example from this question I posted:
    http://serverfault.com/questions/253470/how-do-i-ssh-tunnel-using-putty-or-securecrt-through-gateway-proxy-to-development

  2. Julien says:

    If your exposed machine doesn’t have ssh listening on port 22, you need the following local proxy command:
    plink -P %proxyport %user@%proxyhost -nc %host:%port

    And if it is listening on port 22 it doesn’t hurt.

  3. […] does seem that PuTTY version 0.59 and later supports ProxyCommand-like syntax; see, for example, this blog post. You most likely don’t want to use SOCKS. You want to be careful about having strong […]

  4. […] also tried looking up this guide to emulate ssh ProxyCommand on PUTTY. Unfortunately even this does not work. I went to the windows […]

  5. Jonathon says:

    For a key-based environment (such as AWS), you can change the plink command to:

    plink -i C:\path\to\your_proxy_key.ppk %user@%proxy_host -nc %host:%port

    Then specify the %host machine’s ssh key in SSH->Auth

  6. Pawel says:

    Thanks a lot! Worked like a charm!

  7. Gordon Watson says:

    Great article, many thanks 🙂
    If you want to expand on and do multi-hop this article also is useful:
    http://sshmenu.sourceforge.net/articles/transparent-mulithop.html

  8. Francis Montagnac says:

    For PuTTY, you must have made a connection to the proxy host once to
    validate its host key on the source machine, otherwise the connection
    will fail: the PuTTY window stays empty and no popup to accept the
    host key appears. The SSH logs on the proxy host only show a
    “Connection from ” log. Also, Agent Forwarding is not
    mandatory to make the proxy session work.
