You can also try to use the option ProxyCommand.
It gives you the ability to control the command used to connect to the server; sounds troublesome, but I haven't found any problem with it yet.
From the ssh_config docs:
ProxyCommand
Specifies the command to use to connect to the server. The command string extends to the end of the line, and is executed using the user's shell ‘exec’ directive to avoid a
lingering shell process.
In the command string, any occurrence of %h
will be substituted by the host name to connect, %p
by the port, and %r
by the remote user name. The command can be basically
anything, and should read from its standard input and write to its standard output. It should eventually connect an sshd(8) server running on some machine, or execute sshd -i
somewhere. Host key management will be done using the HostName
of the host being connected (defaulting to the name typed by the user). Setting the command to none
disables
this option entirely. Note that CheckHostIP
is not available for connects with a proxy command.
This directive is useful in conjunction with nc(1) and its proxy support. For example, the following directive would connect via an HTTP proxy at 192.0.2.0:
ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p
Example
Lets say you have a command or script that does the knocking IN YOUR PATH: knock.sh <host> <port1 port2 ... portX>
And you want to connect to some host: myhost.net
You can add the following to your ~/.ssh/config
Host thehost
HostName myhost.net
ProxyCommand bash -c 'knock.sh %h <port1 port2 ... portX>; nc %h %p'
- %h => the hostname (myhost.net)
- %p => the port (22)
And you can connect to your host with: ssh user@thehost
You should also be able to use the option directly from the command line with:
ssh -o ProxyCommand="bash -c 'knock.sh %h <port1 port2 ... portX>; nc %h %p'" [email protected]
Notes
If the program writes data to stdout by default it gets hidden, if you need to see it, add -v
after ssh
.
Also note that ssh
has to execute the knocking before performing the connection, so the total time it will take to complete the connection will be greater.
I have a current configuration working with port forwarding enabled and no problem with it yet.