search for: jumphosts

I want to ssh from a client to a machine on a closed network via a jumphost; let's call them {client,internal,jumphost}.example.com. I have authpf set up on the jumphost so that when logged in, I am allowed to open TCP connections from the jumphost to port 22 on internal nodes. This works well with port forwarding: des at client ~% ssh -L2222:internal.example.com:22 jumphost.example.com

My company uses a certain product which forces me to use a jumphost / ssh proxy. When connecting to a server I have to type "ssh myuser at technicaluser@targethost at jumphost" everytime. I tried to simplify this by editing my ssh_config and putting this into the file: Host targethost ProxyJump technicaluser at jumphost These lines are recognized but don't work like intended

On Tue, Oct 20, 2015 at 01:31:46AM +0200, ?ngel Gonz?lez wrote: > On 16/10/15 12:46, hubert depesz lubaczewski wrote: > >On Thu, Oct 15, 2015 at 04:15:03PM -0400, Daniel Kahn Gillmor wrote: > >>> if the intermediary machine (the "jumphost") is jumphost.example, and > >>> you are trying to reach bar.example.com (which is behind the firewall), >

On Thu, Oct 15, 2015 at 04:15:03PM -0400, Daniel Kahn Gillmor wrote: > if the intermediary machine (the "jumphost") is jumphost.example, and > you are trying to reach bar.example.com (which is behind the firewall), > you would do: > ssh -oProxyCommand='ssh jumphost.example -W %h:%p' bar.example.com We use jump host, but there are literally hundreds of hosts behind

Hi, I'm in a situation where I'm using multiple SSH keys, each to connect to different set of servers. I can't load/unload keys on demand, as I usually am connected to at least 2 of such sets. But - some rogue "root", could get access to my agent-forwarding socket, and in turn, get access to keys loaded to agent (not in terms of obtaining the key, but being able to use it

Good morning! We're experiencing rather very bad latency spikes on busy Linux systems, for example if one machine is the jumphost (ssh -J) for a few hundred connections, while at the same time handles CPU intensive tasks. Would RT/Linux SCHED_FIXED or SCHED_RR be of help in such a case, e.g. put all ssh processes into the SCHED_FIXED scheduling class, with a priority higher than the

raf wrote: > Warlich, Christof wrote: > > ... > > I want to be able to ssh to all internal hosts that live in the internal.sub.domain.net, > > i.e. that are only accessible through the internal.sub.domain.net jumphost without > > having to list each of these hosts somewhere, as they may frequently be added or > > removed from the internal domain and without being

On Thu, Oct 15, 2015 at 07:02:58PM -0400, Nico Kadel-Garcia wrote: > On Thu, Oct 15, 2015 at 10:34 AM, hubert depesz lubaczewski > <depesz at depesz.com> wrote: > > Hi, > > > > I'm in a situation where I'm using multiple SSH keys, each to connect to > > different set of servers. > > > > I can't load/unload keys on demand, as I usually am

On 03Nov2017 13:07, Damien Miller <djm at mindrot.org> wrote: >On Fri, 3 Nov 2017, Cameron Simpson wrote: >> TL;DR: I expect ProxyCommand to have effect in preference to >> ControlPath. [...] >> On reflection, of course these are distinct options and that side of >> things isn't, of itself, a bug. However, is there a sane use case for >> using

On Tue, Jan 21, 2020 at 11:08:51AM +1100, Damien Miller wrote: > So IMO disallowing session multiplexing is at most a speedbump that an > attacker will cross with relative ease. Speedbumps make sense sometimes, An attacker getting root on the jumphost gets immediate control of any _current_ persistent connections and new connections. Without ControlMaster it's a _lot_ harder to take

Dear developers, The ProxyJump feature is nowadays implemented on the basis of a TCP port forwarding on the jumping host, isn't it? As a result, this is affected by a AllowTcpForwarding=no configuration on the jumping host. So, may I suggest a variant based on Unix sockets (such as -L or -R does). Nice idea, isn't it? Any volunteer to implement this? Best regards Christophe

On Thu, 10 Aug 2023, Cedric Blancher wrote: >We're experiencing rather very bad latency spikes on busy Linux >systems, for example if one machine is the jumphost (ssh -J) for a few >hundred connections, while at the same time handles CPU intensive >tasks. > >Would RT/Linux SCHED_FIXED or SCHED_RR be of help in such a case, e.g. Did you already check the old and tried method

All, I occasionally manage some APC PDU devices. I manage them via a VPN, which enforces super-heavy crypto, and their access is restricted to only jumphosts and the VPN. Basically, the only time you need to log into these is when you go to reboot something that's down. Their web UI with SSL doesn't work with modern browsers. Their CPU is...tiny, and their SSHd implementation is...old (and, I believe, proprietary). I think it defaults to RS...

TL;DR: I expect ProxyCommand to have effect in preference to ControlPath. I've just tripped over this one. I have an ssh Host (let us call it "MAIN") with a ControlPath and with ControlMaster=no, from the .ssh/config file. I also have a shell script whose purpose is to hop to a remote host through a port forward, which uses the ProxyCommand option like this: ProxyCommand ssh

If the point is to access a specific web site only the remote machine can get to, you can also do it with port forwarding: ssh -L 8000:ip_of_web_site_to_access_from_remote:443 remote_machine and then locally run any browser, and access https://localhost:443 (assuming it's https. If it's plain http, use "http" and 80). Note that you'll be breaking some aspects of https

On 11/12/20 7:50 AM, Jonathan Billings wrote: > On Thu, Nov 12, 2020 at 12:56:15PM +0000, Bernstein, Noam CIV USN NRL (6393) Washington DC (USA) via CentOS wrote: >> If the point is to access a specific web site only the remote >> machine can get to, you can also do it with port forwarding: >> ssh -L 8000:ip_of_web_site_to_access_from_remote:443 remote_machine >> and

...ients's systems, and they update/change their information/settings, and I need to update my config file trying to find where what is inserted. At least a directory with separate files for each client would've helped/solved that issue. Not to mention to keep my laptop, home desktop and work jumphosts all in sync, or with only the specifics needed for the specific host/device, there the include files directives would be great and helpfull -- You are receiving this mail because: You are watching the assignee of the bug.

On Thu, Nov 12, 2020 at 12:56:15PM +0000, Bernstein, Noam CIV USN NRL (6393) Washington DC (USA) via CentOS wrote: > > If the point is to access a specific web site only the remote > machine can get to, you can also do it with port forwarding: > ssh -L 8000:ip_of_web_site_to_access_from_remote:443 remote_machine > and then locally run any browser, and access >

https://bugzilla.mindrot.org/show_bug.cgi?id=3555 Bug ID: 3555 Summary: ForwardAgent doesn't work under Match canonical Product: Portable OpenSSH Version: 8.4p1 Hardware: amd64 OS: Linux Status: NEW Severity: normal Priority: P5 Component: ssh Assignee: unassigned-bugs at

Philipp Marek wrote: > An easy workaround is to use a password manager (a plain file as a minimum) If you can/want to use a file then consider using a key instead. publickey authentication is non-interactive on the wire and the key is already unlocked so packet timing leaks nothing about your passphrase. //Peter