Connect with SSH through a proxy
I have no real idea what I’m doing here so please bear that in mind if you can help me! I am trying to connect to my virtual server through a proxy but I can’t connect, it just hangs. I’m assuming this is because it’s not getting through our proxy. I have tried exactly the same thing at home and it works perfectly. I’m on OSX using Terminal to connect. Can anyone advise me how I can get through the proxy with SSH?
You should be asking this in either ServerFault or SuperUser. Plus, you’ll get a much better response.
For those try to use netcat: **you need to use the openbsd package. netcat-openbsd ** linuxquestions.org/questions/linux-newbie-8/…
The netcat have different implementation on Mac/Linux/openbsd , please notice the difference between their parameters and copy-paste one for your own version!
16 Answers 16
Here’s how to do Richard Christensen’s answer as a one-liner, no file editing required (replace capitalized with your own settings, PROXYPORT is frequently 80):
ssh USER@FINAL_DEST -o "ProxyCommand=nc -X connect -x PROXYHOST:PROXYPORT %h %p" You can use the same -o . option for scp as well, see my superuser answer.
If you get this in OS X:
nc: invalid option -- X Try `nc --help' for more information. it may be that you’re accidentally using the homebrew version of netcat (you can see by doing a which -a nc command— /usr/bin/nc should be listed first). If there are two then one workaround is to specify the full path to the nc you want, like ProxyCommand=/usr/bin/nc .
For CentOS nc has the same problem of invalid option —X . connect-proxy is an alternative, easy to install using yum and works —
ssh -o ProxyCommand="connect-proxy -S PROXYHOST:PROXYPORT %h %p" USER@FINAL_DEST I use arch linux with gnu-netcat and the nc: invalid option — X still exists. The solution for this problem is to replace gnu-netcat with openbsd-netcat. See pagekite.net/wiki/Howto/SshOverPageKite/#wrongnetcat for details. Thes two versions probably conflict to each other.
A bit out of topic, but one can also open a tunnel through this connection (remove all ‘<' and '>‘ and keep ‘localhost’ as is): ssh -l -L :localhost: -o «ProxyCommand=nc -X connect -x : %h %p»
@Petr, —proxy command may work for you. EDIT: Scrolled down and noticed that an example is in shoaly’s answer.
I got: «nc: Proxy error: «HTTP/1.0 403 Forbidden» ssh_exchange_identification: Connection closed by remote host» What do I do?
For CentOS 7, where I have no «-X» option for ncat, I used the following construction: ssh REMOTEUSER@REMOTEHOST -o «ProxyCommand=ncat REMOTEHOST 22 —proxy PROXYHOST:PROXYPORT —proxy-type http». E.g.: ssh user123@ssh.othercomany.com -o «ProxyCommand=ncat ssh.mycomany.com 22 —proxy proxy.mycomany.com:80 —proxy-type http»
If your SSH proxy connection is going to be used often, you don’t have to pass them as parameters each time. you can add the following lines to ~/.ssh/config
Host foobar.example.com ProxyCommand nc -X connect -x proxyhost:proxyport %h %p ServerAliveInterval 10 i tried that but didnt work. mind you i wasn’t exactly sure what i needed to put in but it went something like Host 159.23.191.23 ProxyCommand nc -x connect -x 10.3.50.01:22 %h %p ServerAliveInterval. is that right?
I just wanted to add that this solution did work perfect for me. My current workplace deploys HTTP-proxies and I simply replaced proxyhost by the IP (adding no schema!) and the proxyport by — in this case — 8080.
This answer only can tell someone that the commands you can pass are already (or can be defined) in it’s config file, but you have not to explicitly wrote it to a file. You can just pass the argument to the ssh connect command.
For CENTOS/RedHat: ProxyCommand connect-proxy -H proxyhost:proxyport %h %p. Please check the connect-proxy options -H/-T/-S and use the right one on the basis of the proxy server. Most likely they would be -H or -S, try out both combination
«nc: invalid option — ‘x'» same for -X. I checked nc -h. What these options are suposed to stands for? Can’t find how to replace them.
I use -o «ProxyCommand=nc -X 5 -x proxyhost:proxyport %h %p» ssh option to connect through socks5 proxy on OSX.
Your answer is the only one that worked on macOS 1.12. I added it in my ssh config: ProxyCommand nc -X 5 -x proxyhost:proxyport %h %p
Just a remark to @rogerdpack’s answer: for windows platform it is really hard to find a nc.exe with -X(http_proxy) , however, I have found nc can be replaced by ncat, full example as follows:
Host github.com HostName github.com #ProxyCommand nc -X connect -x 127.0.0.1:1080 %h %p ProxyCommand ncat --proxy 127.0.0.1:1080 %h %p User git Port 22 IdentityFile D:\Users\Administrator\.ssh\github_key and ncat with —proxy can work perfectly.
For windows, @shoaly parameters didn’t completely work for me. I was getting this error:
NCAT DEBUG: Proxy returned status code 501. Ncat: Proxy returned status code 501. ssh_exchange_identification: Connection closed by remote host I wanted to ssh to a REMOTESERVER and the SSH port had been closed in my network. I found two solutions but the second is better.
- To solve the problem using Ncat:
- I downloaded Tor Browser, run and wait to connect.
- I got Ncat from Nmap distribution and extracted ncat.exe into the current directory.
- SSH using Ncat as ProxyCommand in Git Bash with addition —proxy-type socks4 parameter:
ssh -o "ProxyCommand=./ncat --proxy-type socks4 --proxy 127.0.0.1:9150 %h %p" USERNAME@REMOTESERVER ssh -o "ProxyCommand=connect -a none -S 127.0.0.1:9150 %h %p" To use the proxy in git commands using ssh (for example while using GitHub) — assuming you installed Git Bash in C:\Program Files\Git\ — open ~/.ssh/config and add this entry:
host github.com user git hostname github.com port 22 proxycommand "/c/Program Files/Git/mingw64/bin/connect.exe" -a none -S 127.0.0.1:9150 %h %p $ which nc /bin/nc $ rpm -qf /bin/nc nmap-ncat-7.40-7.fc26.x86_64 $ ssh -o "ProxyCommand nc --proxy %h %p" USER@HOST $ ssh -o "ProxyCommand nc --proxy --proxy-type --proxy-auth %h %p" USER@HOST ProxyCommand nc -proxy xxx.com:8080 %h %p remove -X connect and use -proxy instead.
This is how I solved it, hoping to help others later.
My system is debian 10, and minimal installation.
I also have the same problem like this.
git clone git@github.com:nothing/nothing.git Cloning into 'nothing'. nc: invalid option -- 'x' nc -h for help ssh_exchange_identification: Connection closed by remote host fatal: Could not read from remote repository. Please make sure you have the correct access rights and the repository exists. git clone git@github.com:nothing/nothing.git Cloning into 'nothing'. /usr/bin/nc: invalid option -- 'X' nc -h for help ssh_exchange_identification: Connection closed by remote host fatal: Could not read from remote repository. Please make sure you have the correct access rights and the repository exists. So, I know the nc has different versions like openbsd-netcat and GNU-netcat , you can change the nc in debian to the openbsd version, but I choose to change the software like corkscrew , because the names of the two versions of nc in system are same, and many people don’t understand it well. My approach is as follows.
sudo apt install corkscrew Change this file like this.
Host github.com User git ProxyCommand corkscrew 192.168.1.22 8118 %h %p 192.168.1.22 and 8118 is my proxy server’s address and port, you should change it according to your server address.
4 ways to SSH & SCP via proxy (jump) server in Linux
With openssh package version 7.4p1-11 or later, we can use ProxyJump option to transfer files using a proxy server. The syntax of the scp command to transfer files via proxy is :
~]# scp -o "ProxyJump user@10.23.100.70" dataFile.txt user@192.168.10.100:/tmp user@10.23.100.70's password: user@192.168.10.100's password: dataFile.txt 100% 5 0.0KB/s 00:00
Here my proxy server is 10.23.100.70 while the destination server is 192.168.10.100
Method-2: Using scp with ProxyCommand
SCP uses ssh as the underlying protocol and hence we can use the ssh options along with the scp commands. The syntax to use ProxyCommand option with scp command is:
~]# scp -o "ProxyCommand ssh @ nc %h %p" :
While using the ProxyCommand option , ensure that nmap-ncat package is installed on the proxy server that provides the nc command, otherwise the following error message will be displayed.
bash: nc: command not found ssh_exchange_identification: Connection closed by remote host lost connection ~]# scp -o "ProxyCommand ssh user@10.23.100.70 nc %h %p" dataFile.txt root@192.168.10.100:/tmp user@10.23.100.70's password: root@192.168.10.100's password: dataFile.txt 100% 5 0.0KB/s 00:00
Here my proxy server is 10.23.100.70 while the destination server is 192.168.10.100
SSH through a proxy server
Method-1: Pass ProxyCommand using ssh options
We can again use ProxyCommand to ssh another server using proxy server. The syntax to SSH via proxy would be:
~]# ssh -o "ProxyCommand ssh user_name_on_proxy@hostname_or_IP_of_proxy nc %h %p" user_name_on_server@hostname_or_IP_of_server Example: To login as root on 192.168.10.100 via the proxy at 10.23.100.70 with login credentials on the proxy for proxy_user
~]# ssh -o "ProxyCommand ssh proxy_user@10.23.100.70 nc %h %p" root@192.168.10.100 proxy_user@10.23.100.70's password: root@192.168.10.100's password: Last login: Tue Dec 24 10:40:33 2019 from 10.23.100.70 ~]# ip a l | grep eth0 2: eth0: mtu 1500 qdisc pfifo_fast qlen 1000 inet 192.168.10.100/24 brd 192.168.1.255 scope global eth0
If the proxy server does not have the nc command installed or you do not have login credentials for the proxy server but the proxy server is running a proxy service like squid which will accept SSH connections you can use the following command. Note that this method requires that you have the nc command installed on the local/client system.
~]# ssh -o "ProxyCommand nc --proxy hostname_or_IP_of_proxy:proxy_service_port --proxy-type http %h %p" user_name_on_server@hostname_or_IP_of_server For example, to login as root on 192.168.10.100 via the proxy service listening on port 3128 at 10.23.100.70. The proxy service does not require any credentials.
~]# ssh -o "ProxyCommand nc --proxy 10.23.100.70:3128 --proxy-type http %h %p" root@192.168.10.100 root@192.168.10.100's password: Last login: Tue Dec 24 10:40:46 2019 from 10.23.100.70 ~]# ip a l | grep eth0 2: eth0: mtu 1500 qdisc pfifo_fast qlen 1000 inet 192.168.10.100/24 brd 192.168.1.255 scope global eth0
Method-2: Using ssh client configuration file
We had discussed in the depth about SSH client configuration file. So instead of providing all the options as input arguments to SSH, we can also use SSH client configuration file.
Edit the ~/.ssh/config file per the below:
# vim ~/.ssh/config . Host HostName User ProxyCommand ssh @ nc %h %p
- : Sets nickname for the target server
- : Sets the real remote server/host name
- : Real user who exists on target server
- : IP or the hostname` of the proxy server
- %h will be substituted by the host name to connect
- %p will be substituted by the port
Next you can SSH with additional verbose option to verify the configuration
Conclusion
In this tutorial we learned about different methods to SSH a Linux box using another proxy server or to transfer files using SCP via another proxy server or jump host. You can use either ProxyCommand or ProxyJump with ssh and scp respectively to ssh through any proxy service such as squid or any other proxy server.
Didn’t find what you were looking for? Perform a quick search across GoLinuxCloud
If my articles on GoLinuxCloud has helped you, kindly consider buying me a coffee as a token of appreciation.
For any other feedbacks or questions you can either use the comments section or contact me form.
Thank You for your support!!