Monday, February 1, 2010

Multiple hop tunnel to chain port forwarding

I was trying to set up a db connection from a vm on my laptop to a db server that was configured to only accept connections from machines behind its own subnet. I had trouble setting up a multiple hop tunnel for chaining port forwarding through my firewall machine on the same subnet as the db. My first attempt involved two port forwards, on localhost and on the firewall machine, which didn't work for me. This approach, which I found at http://www.derkeiler.com/Newsgroups/comp.security.ssh/2006-03/msg00267.html, involved constructing an end-to-end connection to the db via the firewall machine.


When you have to go through multiple hops, it's usually better to get an
end-to-end connection. In this case:

ssh -oproxycommand="ssh -qaxT firewall nc %h %p" -L 5432:localhost:5432 dbserver

If you have a copy of the snail book, section 11.4 (p444) has a discussion
of these two approaches.

The annoyance with the second approach is that it requires having netcat
("nc") or something equivalent on the intermediate host. I hope that
someday OpenSSH will have this feature built in, i.e. connecting an exec
channel to a remote TCP connection.


Edit: I found some documentation on 'ProxyCommand' here that seems relevant.

ProxyCommand
Specifies the command to use to connect to the server. The command string extends to the end of the line, and is executed with the user's shell. In the command string, `%h' will be substituted by the host name to connect and `%p' by the port. The command can be basically anything, and should read from its standard input and write to its standard output. It should eventually connect an sshd(8) server running on some machine, or execute sshd -i somewhere. Host key management will be done using the HostName of the host being connected (defaulting to the name typed by the user). Setting the command to ``none'' disables this option entirely. Note that CheckHostIP is not available for connects with a proxy command.

This directive is useful in conjunction with nc(1) and its proxy support. For example, the following directive would connect via an HTTP proxy at 192.0.2.0:

ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p
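The following is an added example, not code from the original post or from the newsgroup reply it quotes. It renders the end-to-end tunnel described above (laptop -> firewall -> dbserver:5432) as an ssh_config fragment in three equivalent forms: the quoted nc-based ProxyCommand, the `ssh -W` form that OpenSSH 5.4 (March 2010) added so the intermediate host no longer needs netcat, and the ProxyJump directive from OpenSSH 7.3 that builds the chain in directly. The host names firewall and dbserver and the port 5432 come from the post; the Host aliases db-via-nc, db-via-w and db-via-jump, and the file path, are assumptions made here. The point worth noticing in all three forms is the one the man page excerpt states: the SSH session is authenticated against dbserver's own host key and the firewall only relays ciphertext, whereas chaining two separate -L forwards lets the firewall's sshd terminate the first session and emit the database traffic in the clear on the subnet.

```shell
#!/bin/sh
# Added example (not from the original post): three ssh_config renderings of
# the same end-to-end tunnel laptop -> firewall -> dbserver:5432.
# "firewall", "dbserver" and 5432 come from the post; the Host aliases
# (db-via-nc, db-via-w, db-via-jump) are invented here for illustration.

# Print an ssh_config fragment for the chained tunnel.
#   $1 = intermediate host (firewall), $2 = final host (dbserver), $3 = port
render_ssh_config() {
    jump=$1; target=$2; port=$3
    cat <<EOF
# 1. The quoted approach: the intermediate host needs nc(1) installed.
#    -q quiet, -a no agent forwarding, -x no X11 forwarding, -T no pty.
Host db-via-nc
    HostName $target
    ProxyCommand ssh -qaxT $jump nc %h %p
    LocalForward $port localhost:$port

# 2. OpenSSH >= 5.4: "ssh -W" does the relaying itself, so the intermediate
#    host needs nothing beyond sshd.
Host db-via-w
    HostName $target
    ProxyCommand ssh -qaxT -W %h:%p $jump
    LocalForward $port localhost:$port

# 3. OpenSSH >= 7.3: ProxyJump is the built-in form of the same chain.
Host db-via-jump
    HostName $target
    ProxyJump $jump
    LocalForward $port localhost:$port
EOF
}

# Write the fragment to a file and, when the local ssh supports -G
# (OpenSSH >= 6.8), print the options the client would actually use for
# one alias, so the chain can be checked before any connection is made.
write_and_resolve() {
    cfg=$1; alias=$2
    render_ssh_config firewall dbserver 5432 > "$cfg"
    chmod 600 "$cfg"
    if command -v ssh >/dev/null 2>&1 && ssh -G -F "$cfg" "$alias" >/dev/null 2>&1; then
        ssh -G -F "$cfg" "$alias" | grep -Ei '^(hostname|proxycommand|proxyjump|localforward) '
    else
        echo "ssh -G not available; fragment written to $cfg"
    fi
}

# When run directly with an alias argument (e.g. sh chain.sh db-via-jump),
# write the fragment to a temporary directory and show the resolved options.
if [ -n "${1:-}" ]; then
    dir=$(mktemp -d)
    write_and_resolve "$dir/config" "$1"
    rm -rf "$dir"
fi
```

Each stanza pins HostName to dbserver, so known_hosts is checked against dbserver's key and not the firewall's; as the man page notes, CheckHostIP does not apply over a proxy command, so the host key is the only identity check on the final hop. Once the fragment is in ~/.ssh/config, `ssh -N db-via-jump` opens the forward and a local client connects to localhost:5432.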
