
I would like to create a SOCKS proxy for accessing a few remote HTTP apps through multiple SSH jumps.

My intent would be as follows:

myHost:4321 -> HostA(sshd) -> HostB(sshd) -> HostsX(app)

If there wasn't the need to pass through HostB, the command for creating the SOCKS proxy would be as simple as:

ssh -D 4321 HostA -N

But I don't know how to add a "jump" to the command; for example the following just prints the usage message:

ssh -D 4321 -o ProxyCommand='ssh -J HostA' HostB -N

1 Answer

-J is an alternative to (some class of) -o ProxyCommand=, (usually) not an addendum. You use it as straightforwardly as:

ssh -ND 4321 -J HostA HostB

This is how -J works:

-J destination
Connect to the target host by first making a ssh connection to the jump host described by destination and then establishing a TCP forwarding to the ultimate destination from there. Multiple jump hops may be specified separated by comma characters. […]

Note ssh -J HostA HostB is not equivalent to connecting from local to HostA and then from HostA to HostB. It's equivalent to connecting from local to HostA and then from local to HostB (using packets forwarded through HostA).

If you specified more jump hosts (e.g. -J HostA,HostX,HostY,…) then a connection to each extra host would be established via a tunnel connecting your local machine and the previous host. The connection to the ultimate destination would use a tunnel ending at the last jump host. All connections would start at your local system.

So it's not like a daisy chain. It's like nested tubes (tunnels), where each tube of smaller and smaller diameter uses the previous (slightly larger) tube and connects your local system to a point further and further away.

Wrong picture, daisy chain:

local ###> HostA ===> HostX +++> HostY ---> destination

Right picture, nested tubes:

      ###> HostA
      ==============> HostX
      +++++++++++++++++++++++++> HostY
      ------------------------------------>
local                                       destination
      ------------------------------------>
      +++++++++++++++++++++++++>
      ==============>
      ###>

This means if you want to use private keys with ssh -J then only keys available to your local ssh will matter. No SSH client will be invoked on any jump host; your private keys (if any) stored on jump host(s) will be irrelevant.
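The following script is an added example, not code from the question or the answer above. It builds the `-J` command line for an arbitrary list of jump hosts, emits the `ProxyCommand ssh -W` stanzas that express the same nested-tunnel chain for clients that predate `-J`, and, when an OpenSSH client is installed, uses `ssh -G` to print the resolved configuration without connecting, so the hop chain can be checked before any key is offered. Host names and the port are placeholders taken from the thread.

```shell
#!/bin/sh
# Added example, not from the original question or answer. Host names
# (HostA, HostX, HostB) and port 4321 are placeholders from the thread.

# build_socks_cmd PORT DEST JUMP1 [JUMP2 ...]
# Emit the ssh command line that opens a local SOCKS listener on PORT and
# reaches DEST through the listed jump hosts, in order.  -J takes the hops
# as a comma-separated list; every hop is a TCP forward set up by the local
# client, so only local keys and the local known_hosts file are consulted.
build_socks_cmd() {
  port=$1
  dest=$2
  shift 2
  jumps=$(printf '%s,' "$@")
  jumps=${jumps%,}                      # drop the trailing comma
  printf 'ssh -N -D %s -J %s %s\n' "$port" "$jumps" "$dest"
}

# build_proxycommand_config DEST JUMP1 [JUMP2 ...]
# Emit the ssh_config stanzas that express the same chain for clients
# without -J: each hop is reached with `ssh -W` (stdio forwarding) through
# the previous one.  As with -J, no ssh client runs on any jump host.
build_proxycommand_config() {
  dest=$1
  shift
  prev=
  for host in "$@" "$dest"; do
    if [ -n "$prev" ]; then
      printf 'Host %s\n  ProxyCommand ssh -W %%h:%%p %s\n' "$host" "$prev"
    fi
    prev=$host
  done
}

# check_resolved DEST JUMPS
# If an OpenSSH client is present, `ssh -G` prints the configuration it
# would use for DEST without connecting, so the hop chain can be inspected
# before any credentials are offered.  Silently skipped without ssh.
check_resolved() {
  command -v ssh >/dev/null 2>&1 || return 0
  ssh -G -J "$2" "$1" 2>/dev/null | grep -i '^proxyjump' || true
}

# Demonstration with the thread's placeholder hosts.
build_socks_cmd 4321 HostB HostA
build_socks_cmd 4321 HostB HostA HostX
build_proxycommand_config HostB HostA HostX
check_resolved HostB HostA,HostX
```

Running it prints `ssh -N -D 4321 -J HostA HostB` for the single-jump case, the two-stanza `ProxyCommand` config for the two-jump case, and (if `ssh` is installed) the `proxyjump` line that `ssh -G` resolved. Because each stanza's inner `ssh -W` call is itself subject to the same config, the `ProxyCommand` form reproduces the nested-tube layout from the answer rather than a daisy chain.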
