
One-line command exploiting ssh_config for ssh tunneling with local private key


Context

  • work, proxy and service are computers.
  • work is a multi-user computer.
  • I own proxy.
  • work is behind a firewall that restricts access to service: the service entry-point port (122) is blocked by the firewall.
  • I can access proxy over ssh and then access service from there.
  • priv.key is the private key to connect to service and it must only be on work (not proxy).

               firewall
        +-------+  |  +-------+    +---------+
        |  Work |--|--| proxy |----| service |
        +-------+  |  +-------+    +---------+
           `-------------'  `----------' <- port forwarding/ssh tunneling
    

Solution A: port forwarding

I can access service by executing these two commands:

ssh server -L 2222:service:122 -N
ssh -i /home/work-user/.ssh/priv.key -p 2222 service-user@localhost

This solution is insecure and not convenient: any user logged in on work also has access to service:122, and there are two commands.


Solution B: ssh tunnel

I tried to exploit ssh_config and configure an ssh tunnel with the following:

Host service
    HostName service
    User service-user
    Port 122
    IdentityFile /home/work-user/.ssh/priv.key
    ProxyCommand ssh proxy /usr/bin/nc %h %p 2>/dev/null
    # "proxy" in the previous line is a working ssh alias.

However, the ssh service command does not succeed; here are the logs:

debug1: Reading configuration data /home/work-user/.ssh/config
debug3: kex names ok: [*authorized algorithms*]
debug1: /home/work-user/.ssh/config line 54: Applying options for test
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Hostname has changed; re-reading configuration
debug1: Reading configuration data /home/work-user/.ssh/config
debug3: kex names ok: [*authorized algorithms*]
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Executing proxy command: exec ssh proxy /usr/bin/nc service 122 2>/dev/null
debug1: permanently_drop_suid: 1000
debug1: identity file /home/work-user/.ssh/priv.key type 4
debug1: key_load_public: No such file or directory
debug1: identity file /home/work-user/.ssh/priv.key-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
ssh_exchange_identification: Connection closed by remote host

I also tried copying priv.key to proxy (only as a test, since I do not want that as a permanent solution), but I got the same error.


Question

Is there a one-line command using ssh_config to exploit ssh-tunneling while keeping my private-key on work and not proxy?


Solution

  • Is there a one-line command using ssh_config to exploit ssh-tunneling while keeping my private-key on work and not proxy?

    Using ProxyCommand, you always authenticate from your local computer and not from the proxy. Today, you should use the -W switch instead of netcat:

    ProxyCommand ssh -W %h:%p proxy
    

    or the ProxyJump option, which makes it even simpler:

    ProxyJump proxy
    

    Your use case redirected the errors to /dev/null, so even if there were errors, you would not see them.

    Give it a try with the above, and if it does not help, provide the debug logs (using LogLevel DEBUG3 for both steps: proxy and service).
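The following is an added example, not part of the question or the answer above. It renders the ProxyJump-style Host block the answer recommends (the private key stays on work, and only the relay goes through proxy) and lints an existing ssh_config for the pattern that hid the error in the question: a ProxyCommand that discards its stderr. The host names, user names and paths are the ones used in the question; they are placeholders, not real systems, and the optional `ssh -G` helper is only run when an ssh client is installed.

```shell
#!/bin/sh
# Added example; not code from the original question or answer.
# Host names, users and paths are the placeholders used in the question.

# render_jump_config HOST PORT USER KEYFILE JUMPHOST
# Prints a Host block in which the private key is read on the local
# machine and the TCP connection is relayed through JUMPHOST via ProxyJump.
# (ProxyCommand ssh -W %h:%p JUMPHOST would be the equivalent older form.)
render_jump_config() {
    printf 'Host %s\n' "$1"
    printf '    HostName %s\n' "$1"
    printf '    Port %s\n' "$2"
    printf '    User %s\n' "$3"
    printf '    IdentityFile %s\n' "$4"
    printf '    ProxyJump %s\n' "$5"
}

# lint_ssh_config FILE
# Returns 0 when no ProxyCommand line throws away stderr, 1 when one does.
# A "2>/dev/null" on the ProxyCommand hides the relay's own error message,
# leaving only the generic "ssh_exchange_identification" seen in the question.
lint_ssh_config() {
    if grep -Eq '^[[:space:]]*ProxyCommand.*2>[[:space:]]*/dev/null' "$1"; then
        echo "warning: ProxyCommand in $1 discards stderr; relay errors will be invisible" >&2
        return 1
    fi
    return 0
}

# show_effective_config FILE HOST
# Prints the options ssh would actually apply for HOST after evaluating
# FILE, without connecting (ssh -G, OpenSSH 6.8 and later). Skipped when
# no ssh client is available so the functions above still work stand-alone.
show_effective_config() {
    if command -v ssh >/dev/null 2>&1; then
        ssh -G -F "$1" "$2"
    else
        echo "ssh not installed; skipping effective-config dump" >&2
        return 0
    fi
}
```

Usage: `render_jump_config service 122 service-user /home/work-user/.ssh/priv.key proxy >> ~/.ssh/config`, then `lint_ssh_config ~/.ssh/config` and `show_effective_config ~/.ssh/config service` to confirm that `proxyjump proxy` and the local `identityfile` are what ssh will use for `ssh service`.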