search for: jumphost

Displaying 20 results from an estimated 30 matches for "jumphost".

2013 Jul 05
2
Trouble with -W
I want to ssh from a client to a machine on a closed network via a jumphost; let's call them {client,internal,jumphost}.example.com. I have authpf set up on the jumphost so that when logged in, I am allowed to open TCP connections from the jumphost to port 22 on internal nodes. This works well with port forwarding: des@client ~% ssh -L2222:internal.example.com:2...
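The -W route the post is heading for, written out as an added ssh_config example (mine, not from the post or from OpenSSH's documentation). The three host names and the user name des come from the post; everything else is an assumption. Against the -L2222 approach the post starts from, this authenticates to internal directly and verifies internal's own host key rather than whatever key shows up at localhost:2222.

```sshconfig
# Added example, not from the 2013-07-05 post. Hosts client, internal and
# jumphost (example.com) and the user "des" are from the post; the rest is
# assumed.

Host internal.example.com
    User des
    # OpenSSH 7.3 and later: ssh connects to the jump host and runs the
    # equivalent of "ssh -W internal.example.com:22" over that connection.
    ProxyJump des@jumphost.example.com
    # Same thing on an older client (use one of the two, never both):
    # ProxyCommand ssh -W %h:%p des@jumphost.example.com

# Both forms are TCP forwards on the jump host, so its sshd must allow
# them (AllowTcpForwarding yes; PermitOpen can narrow the destinations).
# Neither form requests a shell on the jump host. That matters for a
# login-shell gate such as authpf: the authpf session has to be opened
# separately and kept running, or the forward is refused.
```

Run `ssh internal.example.com`; `ssh -G internal.example.com` prints the effective configuration, including the proxy line that will be used.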
2017 Dec 27
4
What is the ssh_config equivalent to this syntax involving multiple at signs
My company uses a certain product which forces me to use a jumphost / ssh proxy. When connecting to a server I have to type "ssh myuser@technicaluser@targethost@jumphost" every time. I tried to simplify this by editing my ssh_config and putting this into the file: Host targethost ProxyJump technicaluser@jumphost These lines are recognized but...
2015 Oct 20
3
Is there any solution, or even work on, limiting which keys gets forwarded where?
On Tue, Oct 20, 2015 at 01:31:46AM +0200, Ángel González wrote: > On 16/10/15 12:46, hubert depesz lubaczewski wrote: > >On Thu, Oct 15, 2015 at 04:15:03PM -0400, Daniel Kahn Gillmor wrote: > >>> if the intermediary machine (the "jumphost") is jumphost.example, and > >>> you are trying to reach bar.example.com (which is behind the firewall), > >>> you would do: > >>> ssh -oProxyCommand='ssh jumphost.example -W %h:%p' bar.example.com > >We use jump host, but there are litera...
2015 Oct 16
3
Is there any solution, or even work on, limiting which keys gets forwarded where?
On Thu, Oct 15, 2015 at 04:15:03PM -0400, Daniel Kahn Gillmor wrote: > if the intermediary machine (the "jumphost") is jumphost.example, and > you are trying to reach bar.example.com (which is behind the firewall), > you would do: > ssh -oProxyCommand='ssh jumphost.example -W %h:%p' bar.example.com We use jump host, but there are literally hundreds of hosts behind it. And since I often...
2015 Oct 15
4
Is there any solution, or even work on, limiting which keys gets forwarded where?
Hi, I'm in a situation where I'm using multiple SSH keys, each to connect to different set of servers. I can't load/unload keys on demand, as I usually am connected to at least 2 of such sets. But - some rogue "root", could get access to my agent-forwarding socket, and in turn, get access to keys loaded to agent (not in terms of obtaining the key, but being able to use it
2023 Aug 10
4
RT/Linux SCHED_RR/_FIXED to combat latency?
Good morning! We're experiencing rather very bad latency spikes on busy Linux systems, for example if one machine is the jumphost (ssh -J) for a few hundred connections, while at the same time handles CPU intensive tasks. Would RT/Linux SCHED_FIXED or SCHED_RR be of help in such a case, e.g. put all ssh processes into the SCHED_FIXED scheduling class, with a priority higher than the non-interactive compute processes? Also,...
2020 May 20
7
CanonicalHostname and ssh connections through a jumphost
raf wrote: > Warlich, Christof wrote: > > ... > > I want to be able to ssh to all internal hosts that live in the internal.sub.domain.net, > > i.e. that are only accessible through the internal.sub.domain.net jumphost without > > having to list each of these hosts somewhere, as they may frequently be added or > > removed from the internal domain and without being forced to always type their > > fully qualified hostnames. > If you are invoking ssh from a shell, you could define a short varia...
2015 Oct 16
2
Is there any solution, or even work on, limiting which keys gets forwarded where?
On Thu, Oct 15, 2015 at 07:02:58PM -0400, Nico Kadel-Garcia wrote: > On Thu, Oct 15, 2015 at 10:34 AM, hubert depesz lubaczewski > <depesz at depesz.com> wrote: > > Hi, > > > > I'm in a situation where I'm using multiple SSH keys, each to connect to > > different set of servers. > > > > I can't load/unload keys on demand, as I usually am
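An added ssh_config example for the key-scoping problem this thread raises (mine, not from the thread or from OpenSSH's documentation). The host sets, key file names and the jump host name are assumptions. The shape of it: the agent stays on the client; ProxyJump authenticates to each target end to end, so the jump host never sees the agent socket; and IdentitiesOnly with a per-group IdentityFile means a server is only ever offered the one key meant for its group, whatever else the agent holds.

```sshconfig
# Added example, not from the 2015 thread. Host sets, key paths and the
# jump host name are assumed.

Host jump.example
    IdentityFile ~/.ssh/id_jump

# Two sets of servers behind the jump host, each with its own key.
Host *.seta.example
    ProxyJump jump.example
    IdentityFile ~/.ssh/id_seta

Host *.setb.example
    ProxyJump jump.example
    IdentityFile ~/.ssh/id_setb

# One host that legitimately needs to ssh onward gets the agent; every
# other host, including the jump host, does not.
Host deploy.seta.example
    ForwardAgent yes

Host *
    ForwardAgent no
    # Offer only the IdentityFile configured above for the matching host,
    # not every key the agent happens to hold. The agent still does the
    # signing for those keys, so the files on disk can stay encrypted.
    IdentitiesOnly yes
```

`ssh -G db1.seta.example` shows the effective identityfile and forwardagent values. Where the agent must be forwarded, two later additions limit the damage a rogue root on the far side can do: `ssh-add -c` loads a key so that every use asks for confirmation, and on OpenSSH 8.9 and later `ssh-add -h jump.example -h 'jump.example>deploy.seta.example' ~/.ssh/id_seta` loads it with destination constraints, so the agent will only sign for those hops (the host keys involved have to be in known_hosts already).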
2017 Nov 03
2
ControlPath versus ProxyCommand
...>"try to use multiplexing but if you have to open a new connection then >do it via this proxy". Ah, now the rationale is apparent. Ok, that makes sense to me. Thank you. >> ProxyCommand ssh MAIN nc 127.0.0.1 7777 >If your ssh client is new enough, you should try ssh -J / JumpHost instead. I give this particular script to others, so that may not be feasible yet. But I saw that option arrive and intend to make use of it. Nice! I discovered -G too recently, very useful to me. Not least for autorestarting persistent tunnels when I modify a config file (I use the output as a...
2020 Jan 21
2
Security implications of using ControlMaster
On Tue, Jan 21, 2020 at 11:08:51AM +1100, Damien Miller wrote: > So IMO disallowing session multiplexing is at most a speedbump that an > attacker will cross with relative ease. Speedbumps make sense sometimes, An attacker getting root on the jumphost gets immediate control of any _current_ persistent connections and new connections. Without ControlMaster it's a _lot_ harder to take control of current connections, but pretty easy to subvert new connections. So there is a benefit... but a small one. > but they must be weighed against th...
2020 Apr 17
2
Feature request: ProxyJump with Unix sockets
Dear developers, The ProxyJump feature is nowadays implemented on the basis of a TCP port forwarding on the jumping host, isn't it? As a result, this is affected by an AllowTcpForwarding=no configuration on the jumping host. So, may I suggest a variant based on Unix sockets (such as -L or -R does). Nice idea, isn't it? Any volunteer to implement this? Best regards Christophe
2023 Aug 10
1
RT/Linux SCHED_RR/_FIXED to combat latency?
On Thu, 10 Aug 2023, Cedric Blancher wrote: >We're experiencing rather very bad latency spikes on busy Linux >systems, for example if one machine is the jumphost (ssh -J) for a few >hundred connections, while at the same time handles CPU intensive >tasks. > >Would RT/Linux SCHED_FIXED or SCHED_RR be of help in such a case, e.g. Did you already check the old and tried method of nice(2)? If the other load is CPU-intensive, this is usually suffic...
2017 Dec 29
5
Legacy option for key length?
All, I occasionally manage some APC PDU devices. I manage them via a VPN, which enforces super-heavy crypto, and their access is restricted to only jumphosts and the VPN. Basically, the only time you need to log into these is when you go to reboot something that's down. Their web UI with SSL doesn't work with modern browsers. Their CPU is...tiny, and their SSHd implementation is...old (and, I believe, proprietary). I think it defaults to R...
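An added ssh_config example for the PDU situation (mine, not from the post or from OpenSSH's documentation): re-enable legacy algorithms for that one Host only, so every other connection keeps the defaults. The device name, user and algorithm names are assumptions; `ssh -vv pdu1` shows what the device actually offers, and `ssh -Q kex`, `ssh -Q cipher` and `ssh -Q mac` show what your build still ships, since each release drops more of these. The key-length part of the post is cut off on this page, so the example covers algorithm selection only.

```sshconfig
# Added example, not from the 2017-12-29 post. Device name, user and the
# exact legacy algorithms are assumptions. The VPN and jump-host-only
# access the post describes is what makes enabling them tolerable.

Host pdu1
    HostName pdu1.mgmt.example
    User apc
    # "+" appends to the default list for this Host only; no other host
    # is affected. Add exactly what "ssh -vv pdu1" reports the device
    # offering, and nothing more.
    KexAlgorithms +diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
    HostKeyAlgorithms +ssh-rsa
    Ciphers +aes128-cbc,3des-cbc
    MACs +hmac-sha1
    # Only if you authenticate to it with an RSA key (SHA-1 signatures),
    # OpenSSH 8.5 and later:
    # PubkeyAcceptedAlgorithms +ssh-rsa
```

Keep the block name-specific (`Host pdu1`, not a wildcard) and place it before any `Host *` block; ssh keeps the first value it obtains for an option, so a later `Host *` cannot widen what this block set.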
2017 Nov 03
2
ControlPath versus ProxyCommand
TL;DR: I expect ProxyCommand to have effect in preference to ControlPath. I've just tripped over this one. I have an ssh Host (let us call it "MAIN") with a ControlPath and with ControlMaster=no, from the .ssh/config file. I also have a shell script whose purpose is to hop to a remote host through a port forward, which uses the ProxyCommand option like this: ProxyCommand ssh
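An added ssh_config example (mine, not from the threads) putting multiplexing next to a jump host, for the ControlPath-versus-ProxyCommand surprise in this 2017-11-03 thread and for the 2020-01-21 note on what a persistent master hands an attacker. The alias MAIN comes from the thread; the addresses, paths and timeout are assumptions. Evaluation order is the point: ssh looks for a live master socket at ControlPath first, and only runs ProxyCommand or ProxyJump when it has to open a fresh connection.

```sshconfig
# Added example, not from the list. Alias MAIN from the 2017 thread; host
# names, the socket directory and the persist time are assumed.

Host MAIN
    HostName main.example.com

Host behind-main
    HostName 10.0.0.5
    # Consulted only when no master socket for behind-main is live; an
    # existing socket wins over this line.
    ProxyJump MAIN

Host *
    # Reuse a running master, or become one if there is none.
    ControlMaster auto
    # One socket per (local host, remote host, port, user); %C hashes
    # them so the path stays short and leaks no names. Create the
    # directory yourself with mode 0700.
    ControlPath ~/.ssh/mux/%C
    # A master that outlives its sessions is a pre-authenticated ssh
    # session that anyone with your uid, or root, on this machine can
    # attach to with no further credentials. Keep the window short, or
    # use "ControlPersist no" and pay the reconnect cost.
    ControlPersist 30s
```

`ssh -O check MAIN` reports whether a master is up and `ssh -O exit MAIN` tears it down; `ssh -G behind-main` prints the effective controlpath and proxyjump values. The jump hop to MAIN reuses MAIN's master too, so the second and later connections through it skip the jump host authentication entirely, which is the convenience and the exposure in one.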
2020 Nov 12
3
run firefox via an ssh tunnel
If the point is to access a specific web site only the remote machine can get to, you can also do it with port forwarding: ssh -L 8000:ip_of_web_site_to_access_from_remote:443 remote_machine and then locally run any browser, and access https://localhost:443 (assuming it's https. If it's plain http, use "http" and 80). Note that you'll be breaking some aspects of https
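The two ways to reach a site only the remote machine can see, as an added ssh_config example (mine, not from the post). The names follow the post; the ports and the site address are assumptions. With the fixed forward the browser talks to the local listen port, 8000 in the command above, and the site's certificate will not match the name localhost; a SOCKS forward carries the real host name through the tunnel, so TLS name checking keeps working.

```sshconfig
# Added example, not from the 2020-11-12 post. "remote_machine" is the
# post's name; the address, ports and site IP are placeholders.

Host remote_machine
    HostName remote.example.com

    # 1. Fixed forward, as in the post: 127.0.0.1:8000 here goes to the
    #    site's port 443 from the remote side. Point the browser at
    #    https://localhost:8000. Expect a certificate name mismatch.
    LocalForward 127.0.0.1:8000 203.0.113.10:443

    # 2. SOCKS proxy: the browser hands the destination name to ssh and
    #    the remote side resolves and connects. Certificates match, and
    #    any number of sites work through the one tunnel.
    DynamicForward 127.0.0.1:1080
```

Start it with `ssh -N remote_machine`. For option 2 set the browser's SOCKS5 proxy to 127.0.0.1:1080 and turn on remote DNS resolution ("Proxy DNS when using SOCKS v5" in Firefox), otherwise names that only resolve inside the remote network will fail locally before the tunnel is ever used. Both listeners are bound to 127.0.0.1 so other machines on your LAN cannot ride the tunnel.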
2020 Nov 12
3
run firefox via an ssh tunnel
...the remote side, set the 'proxy' settings in the > configuration, and all yum/dnf traffic will go over the established > SSH connection. Why would you do this? Well, if you've got a system > that's sitting inside a private, not NAT'd network and your > workstation/jumphost has a VPN enabled but you don't have it enabled > on the remote side, you can update a system without doing a lot of > complicated network magic. Now imagine using Ansible to do this, > which is already setting up SSH sessions... > Sounds interesting, can you point me to any exampl...
2015 Mar 26
0
[Bug 1585] Allow an `Include' option which reads another config file in place and does not error out when `Include' file not readable
...ients' systems, and they update/change their information/settings, and I need to update my config file trying to find where what is inserted. At least a directory with separate files for each client would've helped/solved that issue. Not to mention to keep my laptop, home desktop and work jumphosts all in sync, or with only the specifics needed for the specific host/device, there the include files directives would be great and helpful -- You are receiving this mail because: You are watching the assignee of the bug.
2020 Nov 12
0
run firefox via an ssh tunnel
...t up a proxy port on the remote side, set the 'proxy' settings in the configuration, and all yum/dnf traffic will go over the established SSH connection. Why would you do this? Well, if you've got a system that's sitting inside a private, not NAT'd network and your workstation/jumphost has a VPN enabled but you don't have it enabled on the remote side, you can update a system without doing a lot of complicated network magic. Now imagine using Ansible to do this, which is already setting up SSH sessions... -- Jonathan Billings <billings at negate.org>
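The reverse of the usual tunnel, as an added ssh_config example (mine, not from the post): the private-network host gets a proxy port that leaves from your workstation, and so from its VPN. Host names and ports are assumptions.

```sshconfig
# Added example, not from the 2020-11-12 thread. Names and ports assumed.

Host inner
    HostName 10.20.0.7
    # OpenSSH 7.6 and later: a RemoteForward with no destination makes
    # ssh act as a SOCKS 4/5 proxy on the remote side. Anything on
    # "inner" that connects to 127.0.0.1:1080 there comes out of this
    # workstation, over whatever VPN it has up.
    RemoteForward 127.0.0.1:1080
    # Older client, or a fixed target: forward to a VPN-side proxy
    # instead (assumed address).
    # RemoteForward 127.0.0.1:3128 proxy.corp.example:3128
```

On the remote side the package manager then needs `proxy=socks5h://127.0.0.1:1080` (or `http://127.0.0.1:3128` for the fixed variant) in its configuration, dnf.conf's `proxy` option taking libcurl-style URLs; check your dnf/yum version accepts the socks5h scheme. The listener is bound to the remote loopback, so only processes on that host can use it, and the tunnel is only there while your session is open, which is exactly the "no network magic" property the post is after.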
2023 Apr 01
1
[Bug 3555] New: ForwardAgent doesn't work under Match canonical
...t bastion ProxyJump none Match canonical ProxyJump bastion ForwardAgent yes Host * ForwardAgent no CanonicalizeHostname always CanonicalDomains mydomain.co.uk CanonicalizeMaxDots 0 CanonicalizeFallbackLocal yes ---- When I connect to foo.mydomain.co.uk through the jumphost bastion.mydomain.co.uk, ssh-agent is not forwarded. If I change the ForwardAgent directive under Host * to 'yes', then it does get forwarded. Therefore, it seems that the ForwardAgent directive is not being read when it is under Match canonical. I have not been able to test on newer versi...
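An added ssh_config example (mine, not from either thread) covering the 2020-05-20 question of reaching every host in internal.sub.domain.net through its jump host without listing them, and the Match canonical situation in this 2023-04-01 bug report. The domain comes from the 2020 thread; the jump host name is an assumption. Two rules of ssh_config drive the layout: ssh keeps the first value it obtains for an option, and with canonicalisation the file is parsed twice, so a value that Host * sets in the first pass cannot be changed by a Match canonical block in the second pass, which is consistent with what the bug report observes. The example keeps everything the re-parse needs to set out of Host *, and does not forward the agent at all, since ProxyJump does not need it.

```sshconfig
# Added example, not from the list threads. Domain from the 2020 thread;
# "bastion" as the jump host name is an assumption.

# The jump host itself must never be reached through itself. This block
# matches in the first pass and its value sticks through the re-parse.
Host bastion.internal.sub.domain.net
    ProxyJump none

# Turn "ssh db7" into "ssh db7.internal.sub.domain.net" (names without
# dots only), then re-parse this file with the canonical name.
Host *
    CanonicalizeHostname yes
    CanonicalDomains internal.sub.domain.net
    CanonicalizeMaxDots 0
    CanonicalizeFallbackLocal yes
    ForwardAgent no

# Applies in the re-parse. "final" (OpenSSH 8.5 and later) fires whether
# or not the name was canonicalised, so "ssh db7.internal.sub.domain.net"
# typed in full takes the jump host too; "Match canonical" alone fires
# only for names that canonicalisation changed.
Match final host *.internal.sub.domain.net
    ProxyJump bastion.internal.sub.domain.net
```

`ssh -G db7` shows both the canonicalised hostname and the proxyjump it picked up; `ssh -G bastion.internal.sub.domain.net` should show proxyjump none. Anything that must differ per host in the re-parse (an IdentityFile, a User) belongs in a Host or Match block ahead of Host *, never in Host * itself.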
2023 Aug 10
2
Packet Timing and Data Leaks
Philipp Marek wrote: > An easy workaround is to use a password manager (a plain file as a minimum) If you can/want to use a file then consider using a key instead. publickey authentication is non-interactive on the wire and the key is already unlocked so packet timing leaks nothing about your passphrase. //Peter