SSH Agent Forwarding in Windows
I need to tunnel SSH through one intermediate host B to a final host C: from host A, over B, to C (A-B-C), where A cannot reach C directly but A can reach B and B can reach C. The best way is SSH public-key authentication, but it can also be done with passwords.
When using passwords, typing:
ssh -t savioko ssh -t root@apach-1
and entering the two passwords when prompted does the job. The -t switches force a pseudo-terminal on each hop, so the inner ssh can prompt for its password and you end up with an interactive shell on C.
Multi-hop SSH without passwords
First, an ssh-agent must be running on the local machine. As noted elsewhere, on Windows it can be started by pasting the following into a cmd prompt (rm here is the Cygwin/MSYS rm, so this assumes such a Unix toolset is on the path; setx persists SSH_AUTH_SOCK for future cmd sessions):
set SSH_AUTH_SOCK=%TEMP%\ssh-agent.socket
rm -f %SSH_AUTH_SOCK%
FOR /F "tokens=1 delims=;" %r IN ('ssh-agent -a %SSH_AUTH_SOCK% ') DO @(SET %r >NUL 2>&1)
setx SSH_AUTH_SOCK %SSH_AUTH_SOCK%
Then add your key to the agent with ssh-add.
Then execute the same command as before, this time adding -A for the intermediate host. This switch tells ssh to enable agent forwarding to that host:
ssh -t -A savioko ssh root@apach-1
For agent forwarding through the tunnel to work, nothing special has to be done on the intermediate or the final server. One caveat: while your session is open, the forwarded agent socket on the intermediate host can be used by anyone who is root there to authenticate with your key, so only forward the agent to hosts you trust. The ProxyCommand approach further down avoids this entirely, because the intermediate host never sees the agent at all.
For debugging, add -vvv to any ssh command. This displays very detailed information about the connection process.
Nothing more is needed
Settings that really don't matter
AllowAgentForwarding in sshd_config (server side) is on by default, so it doesn't matter; don't bother with it unless someone has disabled it on purpose somewhere.
ForwardAgent in ~/.ssh/config (client side) is not needed either, because the -A switch when connecting has exactly the same effect, limited to that one connection (which is preferable to enabling it for every host under Host *).
In two simple steps
- A local ssh-agent must be running and your key must be loaded in it
- ssh -t -A user@HostMiddleman ssh user@HostDestination
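The two steps above put together as a Windows cmd script, as an added example that is not from the original post: it starts the agent the way shown earlier, loads a key, verifies the agent holds it, and then does the hop with -A while checking on the middleman that the forwarded agent is actually visible. It assumes the same Cygwin/MSYS-style OpenSSH as the post (ssh-agent -a and rm on the path; the Microsoft OpenSSH port instead runs ssh-agent as a Windows service), and the host names savioko and apach-1 and the key path %USERPROFILE%\.ssh\id_rsa are assumptions.

```batch
@echo off
REM Added example, not the original post's script. Save as sshhop.cmd and
REM run it from cmd. Assumes Cygwin/MSYS-style OpenSSH (ssh-agent -a, rm)
REM and the hosts savioko (B) and apach-1 (C) used in the post.

REM 1. Start an agent bound to a fixed socket path and import its variables.
REM    In a .cmd file the FOR variable is %%r (just %r when typed interactively).
set "SSH_AUTH_SOCK=%TEMP%\ssh-agent.socket"
rm -f "%SSH_AUTH_SOCK%"
FOR /F "tokens=1 delims=;" %%r IN ('ssh-agent -a "%SSH_AUTH_SOCK%"') DO @(SET %%r >NUL 2>&1)
REM Persist the socket path for future cmd sessions.
setx SSH_AUTH_SOCK "%SSH_AUTH_SOCK%" >NUL

REM 2. Load the key. -t limits how long it stays usable from the agent, which
REM    also bounds how long a forwarded socket on B could be abused.
ssh-add -t 8h "%USERPROFILE%\.ssh\id_rsa" || (echo ssh-add failed & exit /b 1)

REM 3. Confirm the agent now holds the key (prints its fingerprint).
ssh-add -l || (echo no identities loaded & exit /b 1)

REM 4. Hop A -> B -> C. -A forwards the agent to B for this session only.
REM    On B, ssh-add -l proves the forwarded socket works before hopping to C.
ssh -t -A savioko "ssh-add -l && ssh -t root@apach-1"
```

If ssh-add -l on the middleman reports no identities, agent forwarding is not working and the second hop will fall back to a password prompt; rerun the last line with -vvv to see whether the client even requested forwarding.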
Bazinga: a more elegant way - fully automatic!
Holy schmoly! Bazinga! For this solution you don't even need an active ssh-agent, and the intermediate host only relays the TCP connection: your key authenticates you directly to the final host and is never exposed to the middleman. Simply beautiful!
Just configure the client to do the hop with a ProxyCommand directive. Typed at a cmd prompt, this appends a host entry to ~/.ssh/config (typed interactively, the %h and %p placeholders pass through literally; inside a .cmd file they would have to be written as %%h and %%p):
set F="%HOMEDRIVE%%HOMEPATH%\.ssh\config"
echo. >> %F%
echo Host apach-1.savioko >> %F%
echo HostName apach-1 >> %F%
echo User root >> %F%
echo Port 22 >> %F%
echo IdentityFile "~/.ssh/id_rsa" >> %F%
echo IdentitiesOnly yes >> %F%
echo ProxyCommand ssh savioko nc %h %p >> %F%
This form needs nc (netcat) installed on the intermediate host. Afterwards, ssh apach-1.savioko connects to C through B in one go.
That's it. Check that you can log in with keys, and disable password login after that (PasswordAuthentication no in the servers' sshd_config).
With OpenSSH 5.4 or newer you can use the -W switch instead and avoid netcat on the intermediate host:
ProxyCommand ssh savioko -W %h:%p
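The same configuration written out as a ~/.ssh/config file instead of being appended with echo, using the -W form. This is an added example, not the configuration from the original post; the host names savioko and apach-1, the user root and the key path are taken from the post and are assumptions about your setup, and the ProxyJump line is an alternative available on OpenSSH 7.3 or newer.

```sshconfig
# Added example, not the original post's config. Names, user and key path
# are assumptions taken from the post.

# Intermediate host B. The ProxyCommand below authenticates to it with this
# key; ForwardAgent no keeps the agent (if any) off the middleman.
Host savioko
    HostName savioko
    IdentityFile ~/.ssh/id_rsa
    IdentitiesOnly yes
    ForwardAgent no

# Final host C, reached through B. The outer ssh authenticates end-to-end to
# apach-1, so B only relays bytes and never sees the key.
Host apach-1.savioko
    HostName apach-1
    User root
    Port 22
    IdentityFile ~/.ssh/id_rsa
    IdentitiesOnly yes
    ProxyCommand ssh -W %h:%p savioko
# OpenSSH 7.3+: the ProxyCommand line can be replaced with
#   ProxyJump savioko
# (do not keep both; whichever comes first wins and the other is ignored)
```

ssh apach-1.savioko then logs in to C through B. With an agent running you are not prompted at all; without one you are asked for the key passphrase twice, once per hop, because each ssh process reads the key itself.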
Sources: Multihop SSH tunneling
Local port forwarding
This is usually needed to trick GUI tools that cannot do the hop themselves into connecting to the remote host. In my case, I'm using it for the SSHFS client WebDrive.
ssh savioko -L 9999:apach-1:22 -N
-N tells ssh not to execute a remote command, which is exactly what you want when only forwarding a port. You can change it to the -fN combination to tell ssh to connect, establish the tunnels and then continue running in the background.
Now I can log in to the apach-1 server with:
ssh root@localhost -p 9999 -o "HostKeyAlias=apach-1"
Passing the HostKeyAlias option makes ssh look up and record the host key under the name apach-1 instead of [localhost]:9999. That avoids the fatal WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! when different servers are tunnelled through the same local port, without having to turn host key checking off. Very good idea.
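The forward and the HostKeyAlias trick can live in ~/.ssh/config as well, so the two commands above become ssh -N savioko-tunnel and ssh apach-1-tunnel. This is an added example, not configuration from the original post; the aliases savioko-tunnel and apach-1-tunnel are invented here, and ExitOnForwardFailure is added so that ssh fails loudly when local port 9999 is already taken instead of logging in anyway and leaving your GUI tool with nothing to connect to.

```sshconfig
# Added example, not from the original post. The *-tunnel aliases are invented.

# "ssh -N savioko-tunnel" does the same as "ssh savioko -L 9999:apach-1:22 -N".
# LocalForward binds to localhost only (GatewayPorts defaults to no), so
# other machines cannot use the tunnel.
Host savioko-tunnel
    HostName savioko
    LocalForward 9999 apach-1:22
    ExitOnForwardFailure yes

# The command-line equivalent of what the GUI tool does: connect to the local
# end of the tunnel but verify and record the host key as apach-1's, not as
# [localhost]:9999, so a different server behind the same port still trips
# the host key check instead of being silently accepted.
Host apach-1-tunnel
    HostName localhost
    Port 9999
    User root
    HostKeyAlias apach-1
```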
Quick local SOCKS Proxy with an SSH Tunnel
SSH Tunnel + SOCKS Proxy Forwarding = Secure Browsing
You can use the -D flag of OpenSSH to create a SOCKS proxy (add -N if you don't want a shell on the middleman as well):
ssh -D 8080 savioko
In the browser, set a SOCKS5 proxy at localhost:8080 and it will instantly work. Also let the browser resolve DNS through the proxy (in Firefox, "Proxy DNS when using SOCKS v5"); otherwise name lookups still leave your machine directly and reveal which sites you visit.