Hacker News new | ask | show | jobs
by finaard 265 days ago
But that wasn't really a thing that was an issue with SSH.

Host *.internal.example.com

  ProxyCommand ssh -q -W %h:%p hop.internal.example.com
in the SSH client config would make everything in that domain hop over that hop server. It's one extra connection - but with everything correctly configured that should be barely noticeable. Auth is also proxied through.
4 comments
kbolino 265 days ago
Is there a way to configure the jump (hop) server to reroute the request based on the value of %h and/or %p? Otherwise, it's going to be quite difficult to configure something like HTTP virtual hosts.

EDIT: Looking at the relevant RFC [1] and the OpenSSH sshd_config manual [2], it looks like the answer is that the protocol supports having the jump server decide what to do with the host/port information, but the OpenSSH server software doesn't present any relevant configuration knobs.

[1]: https://www.rfc-editor.org/rfc/rfc4254.html#section-7.2

[2]: https://man7.org/linux/man-pages/man5/sshd_config.5.html

link
t-3 265 days ago
Yes, but it's not in the sshd config, it's in the ssh config. See ssh_config(5), search for Remote to find the most relevant sections.
link
kbolino 264 days ago
I don't follow. If it's in ssh_config, then it's client-side. Either that's the client initiating the request, in which case it's not server-controlled like HTTP virtual hosts, or else it's the "client" involved in the hop through the jump server, in which case it's going to be specific to a single username. Also the Remote* options have to do with remote port forwarding, which is in the wrong direction.

What am I missing?

link
doubled112 265 days ago
If you don't need to do anything complicated, ProxyJump is easier to remember.

    Host *.internal.example.com
      ProxyJump hop.internal.example.com
link
chupasaurus 265 days ago
ProxyJump was implemented a decade ago to replace that specific string.
link
she46BiOmUerPVj 265 days ago
I'm aware of proxy jump and other client side config but I'd rather that not every single client need to do this configuration.
link
unsnap_biceps 265 days ago
Newer versions of ssh support ProxyJump

  ssh -J hop.internal.example.com foo.internal.example.com
link