I’ve had problems in the past where I needed so many NAT configurations to get into the various machines on my small home network. Using the ssh ProxyCommand, you can use a single exposed machine to forward your ssh sessions on to any machine in your network.
OpenSSH CLI
Obviously, most (if not all) flavours of Linux come with an ssh client in the basic install, so you can just chuck a little config into ~/.ssh/config and you’re done.
In this example, I’ve exposed sshproxy.example.com to the internet on port 22, and I’m going to set up a connection to build.example.local (inside my network):
Host example-build
    User example
    Hostname build.example.local
    ForwardAgent yes
    ProxyCommand ssh example@sshproxy.example.com nc %h %p
Host is an arbitrary string to describe your connection. You’ll use this as the host value when you run ssh:
ssh example-build
User is the username that you use to connect to the host at Hostname.
ProxyCommand is the command ssh runs on your machine to create the proxy connection.
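As an added example (not the post’s own code), the following Python re-implements the part of ssh_config resolution that matters here: which Host block supplies each value, and what the %h and %p tokens in ProxyCommand expand to before ssh runs that command locally. It also shows why a trailing Host * with ForwardAgent no is a safe default that the specific entry above it still overrides, and the token expander is general enough to handle PuTTY-style local-proxy tokens such as %host and %proxyhost. SAMPLE_CONFIG is a constructed sample in the post’s style.

```python
"""Added example, not the post's code: resolve an ssh_config Host entry the way
OpenSSH does (first obtained value wins, Host patterns are globs) and expand the
ProxyCommand %-tokens on the client, so nc on the proxy is what resolves %h."""
import fnmatch, re

# Constructed sample in the post's style; the trailing "Host *" block only
# supplies a default and cannot override the more specific entry above it.
SAMPLE_CONFIG = """
Host example-build
    User example
    Hostname build.example.local
    ForwardAgent yes
    ProxyCommand ssh example@sshproxy.example.com nc %h %p
Host *
    ForwardAgent no
"""

def parse_ssh_config(text):
    """Yield (host_patterns, {keyword_lower: value}) blocks in file order."""
    patterns, opts = ["*"], {}
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        key, value = (line.split(None, 1) + [""])[:2]
        if key.lower() == "host":
            yield patterns, opts
            patterns, opts = value.split(), {}
        else:
            opts[key.lower()] = value.strip()
    yield patterns, opts

def resolve(text, alias):
    """Effective options for `ssh alias`: the first obtained value wins."""
    eff = {}
    for patterns, opts in parse_ssh_config(text):
        if any(fnmatch.fnmatchcase(alias, p) for p in patterns):
            for key, value in opts.items():
                eff.setdefault(key, value)
    return {"hostname": alias, "port": "22", **eff}   # defaults sit underneath

def expand_tokens(command, tokens):
    """Substitute %-tokens, longest name first so %proxyhost beats %p; '%%' -> '%'."""
    pattern = "|".join(re.escape(n) for n in sorted(tokens, key=len, reverse=True))
    return re.sub(pattern, lambda m: tokens[m.group(0)], command)

def expanded_proxy_command(text, alias):
    """The string ssh hands to /bin/sh -c for this alias, or None if direct."""
    eff = resolve(text, alias)
    tokens = {"%h": eff["hostname"], "%p": eff["port"], "%r": eff.get("user", ""), "%%": "%"}
    return expand_tokens(eff["proxycommand"], tokens) if "proxycommand" in eff else None
```

Note that build.example.local never has to resolve on your workstation: it is passed as text to nc running on the proxy, which is what makes internal-only names work.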
PuTTY
You can configure PuTTY the same way by doing this:
- In the Session section, type this for the host string:
- In Connection:Data, enter your username:
- In Connection:Proxy, add the proxy settings:
- and finally, allow Agent Forwarding in Connection:SSH:Auth.
As long as you have your public key installed on the proxy and on the host that you are connecting to, and your key is loaded into Pageant, this will work.
Please note that public-key authentication with the proxy host is required with this method. It is possible to send the password over to the proxy, but I don’t recommend that at all.
Oh man! This is the FIRST and ONLY straightforward example of this that just works. It doesn’t require some stupid extra window open or connecting to localhost or any of that BS. Thank God you posted this… (care to do one for SecureCRT now?)
I found your example from this question I posted:
http://serverfault.com/questions/253470/how-do-i-ssh-tunnel-using-putty-or-securecrt-through-gateway-proxy-to-development
I’ll take a look, but I’m not big on SecureCRT.
If your exposed machine doesn’t have ssh listening on port 22, you need the following local proxy command:
plink -P %proxyport %user@%proxyhost -nc %host:%port
And if it is listening on port 22 it doesn’t hurt.
That certainly makes it more explicit. Thanks for your comment.
[…] does seem that PuTTY version 0.59 and later supports ProxyCommand-like syntax; see, for example, this blog post. You most likely don’t want to use SOCKS. You want to be careful about having strong […]
[…] also tried looking up this guide to emulate ssh ProxyCommand on PUTTY. Unfortunately even this does not work. I went to the windows […]
For a key-based environment (such as AWS), you can change the plink command to:
plink -i C:\path\to\your_proxy_key.ppk %user@%proxy_host -nc %host:%port
Then specify the %host machine’s ssh key in SSH->Auth.
I’ve never had this problem as Pageant always has my identities loaded.
Thank you 🙂 Your reply saved my day.
Thanks a lot! Worked like a charm!
Great article, many thanks 🙂
If you want to expand on this and do multi-hop, this article is also useful:
http://sshmenu.sourceforge.net/articles/transparent-mulithop.html
For PuTTY, you must have made a connection to the proxy host once to validate its host key on the source machine; otherwise the connection will fail: the PuTTY window stays empty, and no popup to accept the host key appears. The SSH logs on the proxy host only show a “Connection from ” log. Also, Agent Forwarding is not mandatory to make the proxy session work.
Good article. Thanks. I have it working with the public key on the proxy …. but …
“It is possible to send the password over to the proxy, but I don’t recommend that at all.”
I actually want to do a double prompt for passwords and googled everywhere looking for it.
Basically, I want to set up PuTTY to go through the proxy, or gateway, but I want to be prompted for the proxy’s name/password. And then I want to be prompted for the credentials of the host I’m really trying to get to. I don’t want to put my public key on the proxy. Can this be done with PuTTY?
I’m afraid that I don’t use PuTTY anymore and don’t have any way to test a double-password setup like you’re describing, although I’m pretty sure it’s possible. Good luck!
How do I get the public key installed on the proxy host?
I’m connecting from mywindows -> server1.site.com -> server2.site.com (I may also connect to server3/4/5 etc.). I tested that if I manually log in to server1.site.com (using ssh from my local machine without a password), I can ssh to server2.site.com.
All settings are as mentioned above.
However, the error is this:
Starting local proxy command: plink.exe -v @server1.site.com -nc server2.site.com:22
proxy: Connecting to 10.10.10.10 port 22
proxy: We claim version: SSH-2.0-PuTTY_Release_0.70
proxy: Server version: SSH-2.0-OpenSSH_7.7
proxy: Using SSH protocol version 2
proxy: Doing ECDH key exchange with curve Curve25519 and hash SHA-256
proxy: Host key fingerprint is:
proxy: ssh-rsa 2048 38:8………….1b:41
proxy: Initialised AES-256 SDCTR client->server encryption
proxy: Initialised HMAC-SHA-256 client->server MAC algorithm
proxy: Initialised AES-256 SDCTR server->client encryption
proxy: Initialised HMAC-SHA-256 server->client MAC algorithm
proxy: Pageant is running. Requesting keys.
proxy: Pageant has 2 SSH-2 keys
proxy: Using username “”.
proxy: Trying Pageant key #0
proxy: Authenticating with public key ” temporary key 1555555552″ from agent
proxy: Sending Pageant’s response
proxy: Access granted
proxy: Opening connection to server2.site.com:22 for main channel
proxy: Remote debug message: cert: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
proxy: Remote debug message: principals: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
proxy: Remote debug message: cert: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
proxy: Remote debug message: principals: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
proxy: FATAL ERROR: Server refused to open main channel: Connect failed [Connection timed out]
Thanks, this helped a lot.