
Add ProxyCommand to ssh #203

Closed
carloscabanero opened this issue Dec 13, 2016 · 52 comments
Labels
feature Feature requested by users ssh SSH connection issues

@carloscabanero
Member

carloscabanero commented Dec 13, 2016

Implement the ProxyCommand parameter to specify a command to use to connect to a server. This is useful (almost a requirement) in conjunction with Agent Forwarding and an ssh-agent #81.

@carloscabanero carloscabanero added feature Feature requested by users icebox and removed icebox labels Dec 13, 2016
@carloscabanero carloscabanero modified the milestone: Backlog Feb 8, 2017
@carloscabanero
Member Author

First mentioned on #139

@RevREB

RevREB commented Feb 23, 2017

I seriously need this. Every server I need to access is behind a bastion server. I know it's hard to prioritize functions but I am willing to bounty this. Seriously, I'm in for $200 ($300 if it works with a standard ssh config file; don't wanna have to define the proxy rules over and over again). I'm serious! What can I do to get this accelerated and into a patch ASAP?

@RevREB

RevREB commented Feb 23, 2017

@brandonshough

Bump!!!!!

@carloscabanero
Member Author

I have this working but it needs ssh agent forwarding to be really useful. For mosh that would require us to catch up with the latest version. @RevREB do you have the keys on the other server?

@carloscabanero
Member Author

I can confirm I have now ProxyCommand up and running, working on the Agent and the rest of the client. Fingers crossed to have this before holidays!

@AZLisme

AZLisme commented Dec 31, 2017

need this feature badly.

@RevREB

RevREB commented Jan 8, 2018

@carloscabanero sorry for the delay in responding, and I look forward to playing with the work you've done (when might the changes be included in the iOS store version), but to answer your question... No, there would not be private keys on the "bastion" host.

@carloscabanero carloscabanero added the ssh SSH connection issues label Jan 9, 2018
@brunodeatlanta

Looking forward to this.

@carloscabanero
Member Author

This comes next ;)

@mgbaozi

mgbaozi commented Mar 28, 2018

Really looking forward to this. Is there any update about this and “agent forwarding”?

@RichardBronosky

I do believe you will be the first iOS product on the market to support ProxyCommand. That should motivate you. I would state that in your App Store description "above the fold"!

@brunodeatlanta

brunodeatlanta commented Apr 17, 2018 via email

@jinie

jinie commented May 1, 2018

I'll be looking forward to this. As for being the first, the dead iSSH (https://web.archive.org/web/20120415035140/http://www.zinger-soft.com:80/iSSH_features.html) had a feature where you could forward ports via ssh, which would then be available to other apps on your iOS device.
This was extremely useful, i.e. mapping a port to an internal web server, then using safari to browse it via ssh.

@carloscabanero carloscabanero added this to Backlog in Blink Shell Jun 1, 2018
@RevREB

RevREB commented Jul 10, 2018

@carloscabanero is there any movement on this? It’s the only thing stopping me from doing my whole job from an iPad.

@yury
Collaborator

yury commented Jul 10, 2018

@RevREB we are working on libssh, so we are close to ProxyCommand and port forwarding.

https://cdn.discordapp.com/attachments/441940293240225793/463731449615613953/IMG_0511.TRIM.MOV

yury added a commit to yury/blink that referenced this issue Jul 12, 2018
@saptarshiguha

I saw that video. Can’t wait enough to see this and proxycommand. Such an excellent ssh app.

@yury
Collaborator

yury commented Jul 20, 2018

@saptarshiguha

Perfect! Looking forward to trying it out. An aside: recently i learned about

ControlMaster auto
ControlPath ~/.ssh/sockets/%r@%h-%p
ControlPersist yes

The bastion host requires me to use MFA (duo) to login. Before i added this to the config, i had to enter my DUO prompt on my phone with every ssh access. Now with this in my config, as long as the first SSH session is open, i don't get MFA prompts anymore.

So nice.

Would blink support this for this version or in future?

@yury
Collaborator

yury commented Jul 20, 2018

Oh, interesting. For next release we will try to add support for iOS 12 sms codes suggestions feature.

Sent with GitHawk

@yury
Collaborator

yury commented Oct 5, 2018

@aphecetche sent you invite.

@aphecetche

Thanks. How should I give my feedback? Here on GitHub?

@yury
Collaborator

yury commented Oct 5, 2018

Here or at discord

@saptarshiguha

May i also get an invite? I would like to try with my setup.

@yury
Collaborator

yury commented Oct 5, 2018

Hi @saptarshiguha, just sent invite to you.

@saptarshiguha

saptarshiguha commented Oct 5, 2018

I did install the test flight and i'm writing this (having uninstalled previous versions)

ssh -o "proxycommand=ssh -q bastion.Foo.net nc %h %p 2>/dev/null" hala

I also tried

ssh -o "proxycommand='ssh -q bastion.Foo.net nc %h %p 2>/dev/null'" hala

but in both cases i got

usage : ssh [....]

Note, I also tried ProxyCommand too

@yury
Collaborator

yury commented Oct 5, 2018

Yep, 2>/dev/null broke params.

ssh -o "proxycommand=..." ...

@saptarshiguha

saptarshiguha commented Oct 5, 2018

Thanks. I tried

ssh -o "proxycommand=ssh -q bastion.Foo.net nc %h %p " hala

which prints (yes/no): and control is returned to the blink prompt. Usually the equivalent

 ssh -o ProxyCommand='ssh -q bastion.Foo.net nc %h %p' hala

sends me DUO prompt on my phone which i need to accept.

@yury
Collaborator

yury commented Oct 5, 2018

Please try

ssh -o "proxycommand=ssh -q -W %h:%p bastion.Foo.net" hala

@saptarshiguha

same result

@yury
Collaborator

yury commented Oct 5, 2018

Can you make screenshots, from blink and another terminal?

It should be something like on this screenshot?
[screenshot]

@saptarshiguha

saptarshiguha commented Oct 5, 2018

Yes,

From my laptop here is the screenshot (note the -W %h:%p syntax does not work).
[screenshot: 2018-10-05, 1:11:42 pm]

(i've blanked out hostnames)

When i press enter, i get the following prompt on my phone

[screenshot: 2018-10-05, 1:09:35 pm]

I accept and you see i'm logged in.

On the iPad (not yet ios12, the version prior), you can see the following image (and no prompt on my phone)
[screenshot: 2018-10-05, 1:16:28 pm]

hala is in Hosts and corresponds to the same host as above. Moreover, even if i enter some incorrect hostname (at the end, the bastion is still correct), i get the same response.

hope this helps.

@yury
Collaborator

yury commented Oct 5, 2018

Thank you @saptarshiguha,

will try to fix that tomorrow... Will post any updates on that.

@aphecetche

Hi,

I’m a bit at a loss. My first test is pretty simple:

Host linode-ui
User laurent
Hostname 178.Xxx.yyy.zzz

But I can’t connect using a simple ‘ssh linode-ui’

I assume this is because I misunderstood something obvious ;-)

A) Is the .ssh/config supposed to be read?
B) If it is, where are the keys supposed to come from? (From config or from the .ssh directory)

@yury
Collaborator

yury commented Oct 6, 2018

Hi,

.ssh/config is not supported yet. You need to run config command and add host and keys there.

@aphecetche

Ok, so I’ve misunderstood how far the functionality I’d need is already available.

I mean, if I need to get host+keys in config (as now) + type by hand the -o « proxycommand= .... » then that’s not quite what I had in mind ;-)

Guess I’ll have to wait a bit more then...

@saptarshiguha

I updated via TestFlight and am eager to try it out again. How do i go about editing .ssh/config on the iPad?

@yury
Collaborator

yury commented Oct 16, 2018

We currently do not fully support .ssh/config. You should use ‘config’ command.
config -> hosts -> -> ProxyCmd

@saptarshiguha

saptarshiguha commented Oct 16, 2018

Unfortunately, the same ending. Note, i'm using

ssh -q bastion.shared.xyz  nc %h %p 2>/dev/null

as the ProxyCmd. The suggested example

ssh bastion.sharedxyz -W %h:%p

does not work (even when i ssh from my desktop, for some reason our bastion doesn't work with this form).

mouchak:~ sguha$ ssh hala -S none
channel 0: open failed: administratively prohibited: open failed
stdio forwarding failed
ssh_exchange_identification: Connection closed by remote host

On the server end, we have PermitTunnel=no set. Hope this provides some insight.

@yury
Collaborator

yury commented Oct 16, 2018

Hi @saptarshiguha,

Yes, if your sshd doesn't allow port forwarding, then you should use nc.

In ProxyCmd you should write ssh -q bastion.shared.xyz nc %h %p. (without 2>/dev/null)

But before you go to your host, ssh to your bastion directly.
It will prompt you for host key acceptance. You should accept it.

Then try to connect to the host with the proxy command.

@saptarshiguha

Thanks much.

  1. I did ssh into bastion - accepted keys (so that's where the yes/no was coming from) got returned to blink prompt
ssh bastion
Connected to x.y.z.x

but returned to blink prompt (i.e. not in remote terminal). If i ssh into bastion from my desktop I get
(along with a DUO prompt)

Autopushing login request to phone...
Success. Logging you in...

Similarly if i ssh into hala, i just get returned to blink prompt.

@yury
Collaborator

yury commented Oct 16, 2018

Yes, it should return to blink.
But now try to connect to your host with ProxyCmd through bastion.

@saptarshiguha

that too returns to blink. I'm also free to chat on Discord. I can join there if that's better

@saptarshiguha

  1. One should have a host entry for the bastion, e.g. my entry has Host field "bastion" and HostName "bastion.foo.boo.net". SSH into this host once.

then

  1. I have an entry for my bastion in Blink config with the Host field called "bastion". For the host which requires a bastion, e.g. "hala" in the above discussion, i have the following for the ProxyCommand setting
ssh -o "RemoteCommand=nc %h %p 2>/dev/null" -q bastion

previously i was using the bastion's HostName field.

This works for me with DUO MultiFactor Auth too.

Thanks so much!!

@yury yury closed this as completed Nov 26, 2018
@carloscabanero carloscabanero removed the RTT Ready to test on Test Flight label Jul 12, 2023
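
For reference, the two ProxyCommand forms and the connection-sharing settings discussed in this thread, written as a stock OpenSSH client configuration (~/.ssh/config on a desktop, which the thread notes Blink did not yet read). This is an added example, not part of the original issue or Blink's own configuration; the hostnames are constructed placeholders.

```sshconfig
# Constructed placeholder hostnames; substitute your own.

Host bastion
    HostName bastion.example.net
    # Share one authenticated connection to the bastion, so the MFA prompt
    # appears only when the master connection is first opened.
    ControlMaster auto
    # The directory must already exist and be private: mkdir -m 700 ~/.ssh/sockets
    ControlPath ~/.ssh/sockets/%r@%h-%p
    # The thread uses "yes" (master stays up indefinitely). A time value bounds
    # how long an idle master socket can be reused without a fresh MFA prompt,
    # since any process running as this user can open sessions through it.
    ControlPersist 10m

Host hala
    HostName hala.internal.example.net

    # Form 1: stdio forwarding through the bastion. The bastion's sshd must
    # permit TCP forwarding (AllowTcpForwarding); if it does not, the client
    # reports "channel 0: open failed: administratively prohibited".
    # ProxyCommand ssh -q -W %h:%p bastion

    # Form 2: run nc on the bastion. Needs nc installed there and permission
    # to run remote commands, but no sshd forwarding.
    ProxyCommand ssh -q bastion nc %h %p
```

Only one ProxyCommand line may be active per Host block; %h and %p are expanded by the client to the target's HostName and port.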