Adding support for the ProxyCommand feature

[clarete]

Now, instead of just ignoring the ProxyCommand var, the ssh library is able to retrieve
this configuration from the ~/.ssh/conf file and use it to proxy the connection between
the client and the SSH server.

This commit introduces the ssh.proxy module that implements the interface required by
the client.Transport class. But instead of using sockets, this class writes and reads info
from a peopened program that actually talks with the ssh server.

Given the following ssh config entry:

host comum
User lincoln
hostname comum.org
IdentityFile ~/.ssh/id_rsa
ProxyCommand ssh -q -o StrictHostKeyChecking=no localhost nc %h 22

Here's a simple test case

import ssh
import sys

def test_client(host_name):
    conf = ssh.SSHConfig()
    conf.parse(open(os.path.expanduser('~/.ssh/config')))
    host = conf.lookup(host_name)
    client = ssh.SSHClient()
    client.load_system_host_keys()
    client.connect(
        host['hostname'], username=host['user'],
        key_filename=host['identityfile'],
        proxy_command=host.get('proxycommand')
    )
    stdin, stdout, stderr = client.exec_command('ls /home')
    print stdout.read()
    stdin, stdout, stderr = client.exec_command('ls /')
    print stdout.read()

if __name__ == '__main__':
    test_client(sys.argv[1])

Run it with the following comand:

python example.py comum

[bninja]

will this change mean we no longer have to manually tunnel in fabric?

• http://stackoverflow.com/questions/6161548/fabric-how-to-double-tunnel
• https://gist.github.com/856179

[clarete]

Yep, @bninja exactly! But you'll also need this patch in fabric in order to make things work:

fabric/fabric#698

[bninja]

@clarete great work! cant wait to use this. i've had to use the tunnel hack for most of my deploys (target machines are typically behind bastions).

[clarete]

Hey @bitprophet, is there anything that I could do to see these patches applied? Thanks :)

[bitprophet]

Actually, yes, I just finished a major effort to port all 'ssh' changes back into Paramiko, so the next step is to address the open tickets here (this one included). All that should be necessary is renaming the local imports.

If you'd like to give that a shot I'd appreciate it; should just be:

• make a new ticket over at https://github.com/paramiko/paramiko, with a description (not subject :)) linking to this issue
• checkout latest paramiko
• copy your changes over
• update all references to ssh.*
• re-test

Once that's taken care of I'll make testing out the functionality of this ticket my highest priority.

Minor caveat: for the next ~day (hopefully less) you will need to use the Fabric branch ssh-to-paramiko when dev'ing against Paramiko instead of 'ssh'. Once a minor bit in another issue is squared away, those changes will land in Fabric master.

Thanks again for your patience!

[clarete]

Count on me, working on it! :)

[clarete]

Finally! paramiko/paramiko#97

Sorry for taking so long :(

[astrobounce]

Clarete , this was the thing i needed , thanks a lot man , but still there's one problem where i am stuck , My web servers are behind load balancer and only the way to access my web server is first login to my load balancer (jump host) as regular user , and then i have to use sudo su - (username) to switch to a user who have right to access the web servers , now using fabric/paramiko i am logged in to my jump host , but i am not able to execute the command sudo su - (username) ....... this username has authority to login to all web servers using ssh , so please can u guide me .

Thanks & Regards

[bitprophet]

Closing this as Paramiko merged & deployed support for it some time ago \o/