
What do you use ProxyCommand for? It seems hard to support, but I'd like to know more.


Everything in the Production zone in our corporate network is only available via jumphost. The kicker is that you need to support both "ProxyCommand args" enabling and "ProxyCommand None" for disabling.


I've used it in the past to ssh via bastion hosts and the like.


Yes. My config is something like this:

  # proxy n02 connections through bastion
  host n02.university.edu
  ProxyCommand ssh bastion.university.edu -W %h:%p 2> /dev/null
Almost all my remote shells require a similar setup.
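One way a client that does not shell out to ssh could still honour this kind of config: resolve the host's effective ProxyCommand with OpenSSH's first-match-wins Host semantics, treat the literal value "none" as "connect directly" (the enable/disable pair raised earlier in the thread), and expand %h/%p/%r. This is an added example, not iTerm2's code or any poster's; the sample config, the SAFE_HOST policy and the user name are constructed assumptions.

```python
import fnmatch
import re

SAMPLE_CONFIG = """\
# constructed sample ssh_config (not from the thread's authors)
Host n02.university.edu
    ProxyCommand ssh bastion.university.edu -W %h:%p 2> /dev/null
Host *.internal.example
    ProxyCommand none
Host *.example
    ProxyCommand ssh jump.example -W %h:%p
"""
# Assumed policy: only splice conservative host names into a shell command line.
SAFE_HOST = re.compile(r"^[A-Za-z0-9._:-]+$")

def parse_ssh_config(text):
    """Return (patterns, options) blocks in file order, implicit global block first."""
    blocks, patterns, options = [], ["*"], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, value = (line.split(None, 1) + [""])[:2]  # tolerate a bare keyword
        if key.lower() == "host":
            blocks.append((patterns, options))
            patterns, options = value.split(), {}
        else:
            options.setdefault(key.lower(), value)  # first setting of a key wins
    blocks.append((patterns, options))
    return blocks

def effective_option(blocks, host, key):
    """OpenSSH semantics: the first matching block that sets the key wins."""
    for patterns, options in blocks:
        if key in options and any(fnmatch.fnmatchcase(host, p) for p in patterns):
            return options[key]
    return None

def resolve_proxy_command(config_text, host, port=22, user="alice"):
    """Return argv to spawn, or None when there is no ProxyCommand or it is "none"."""
    # "none" is how a specific Host block overrides an inherited wildcard proxy.
    if not SAFE_HOST.match(host):
        raise ValueError("refusing shell-unsafe host name: %r" % host)
    value = effective_option(parse_ssh_config(config_text), host, "proxycommand")
    if value is None or value.lower() == "none":
        return None
    tokens = {"h": host, "p": str(port), "r": user, "%": "%"}
    expanded = re.sub(r"%(.)", lambda m: tokens.get(m.group(1), m.group(0)), value)
    return ["/bin/sh", "-c", expanded]  # OpenSSH runs ProxyCommand through the shell
```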


Seems like this might be a common enough pattern that I could support it. I'll have a look.


You can also use ProxyCommand to perform filtering via sed / awk / some shell script on the hostname passed in. Examples: https://wiki.gentoo.org/wiki/SSH_jump_host

I have over 300 hosts defined in my .ssh/config file and it's indispensable to have all these options, especially when mixing in 2FA jump hosts into the mix.


I use ProxyCommand for tor hidden services, for connecting to IPv6 hosts (via a v4 connection to a host with v6 connectivity), for connecting to production past a bastion host, for triggering port knocking, all sorts of stuff.


I also use a smartcard with gpg-agent speaking the ssh-agent protocol. OpenSSH commandline supports it fine. What's the harm in shelling out?


I don't get to control the UI if I shell out. I want to prompt you for your password in a native window and display a native progress bar. I want to know exactly why it failed. I want to estimate the time remaining.


Things you don't get if you don't shell out:

- reusing ControlMaster bg connections

- smartcard auth

- agent support

- ssh_config support, including

- proxycommand

- Cipher selection

- KDF advances for on-disk key encryption

The list is long and expansive. You'd do better to submit a patch upstream for machine-readable progress output in OpenSSH's 'scp', and bundling that.


That's a fair point. We do support agents and much of ssh_config. I'll look into what it would take to patch scp when I get the chance.

For folks who have setups where iTerm2's scp implementation can't connect, you can always download files over an existing ssh connection with this script:

https://raw.githubusercontent.com/gnachman/iTerm2/master/tes...

Upload is a little trickier, but you can copy a file to the pasteboard (e.g., in Finder) and then paste it base64-encoded (Edit > Paste Special > Paste File Base64-Encoded) into base64 -D >> filename.



