System Administration Guide: Security Services

Procedure: How to Set Up Default Connections to Hosts Outside a Firewall

You can use Solaris Secure Shell to make a connection from a host inside a firewall to a host outside the firewall. This task is done by specifying a proxy command for ssh either in a configuration file or as an option on the command line. For the command-line option, see Example 19–7.

In general, you can customize your ssh interactions through a configuration file.

The files can be customized with two types of proxy commands. One proxy command is for HTTP connections. The other proxy command is for SOCKS5 connections. For more information, see the ssh_config(4) man page.

  1. Specify the proxy commands and hosts in a configuration file.

    Use the following syntax to add as many lines as you need:


    [Host outside-host]
    ProxyCommand proxy-command [-h proxy-server] \
    [-p proxy-port] outside-host|%h outside-port|%p

    Host outside-host

    Limits the proxy command specification to instances when a remote host name is specified on the command line. If you use a wildcard for outside-host, you apply the proxy command specification to a set of hosts.

    proxy-command

    Specifies the proxy command.

    The command can be either of the following:

    • /usr/lib/ssh/ssh-http-proxy-connect for HTTP connections

    • /usr/lib/ssh/ssh-socks5-proxy-connect for SOCKS5 connections

    -h proxy-server and -p proxy-port

    These options specify a proxy server and a proxy port, respectively. If present, the proxies override any environment variables that specify proxy servers and proxy ports, such as HTTPPROXY, HTTPPROXYPORT, SOCKS5_PORT, SOCKS5_SERVER, and http_proxy. The http_proxy variable specifies a URL. If the options are not used, then the relevant environment variables must be set. For more information, see the ssh-socks5-proxy-connect(1) and ssh-http-proxy-connect(1) man pages.

    outside-host

    Designates a specific host to connect to. Use the %h substitution argument to specify the host on the command line.

    outside-port

    Designates a specific port to connect to. Use the %p substitution argument to specify the port on the command line. By specifying %h and %p without using the Host outside-host option, the proxy command is applied to the host argument whenever the ssh command is invoked.

  2. Run Solaris Secure Shell, specifying the outside host.

    For example, type the following:


    myLocalHost% ssh myOutsideHost
    

    This command looks for a proxy command specification for myOutsideHost in your personal configuration file. If the specification is not found, then the command looks in the system-wide configuration file, /etc/ssh/ssh_config. The proxy command is substituted for the ssh command.
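The following personal configuration file is an added example, not part of the original guide, that combines the options described in this procedure. The names mySocksServer, *.outside.example.com and *.partner.example.net and the port 1080 are constructed placeholders; myOutsideHost, myProxyServer and port 8080 are taken from Example 19–7.

```sshconfig
# ~/.ssh/config  (added example; host names, domains and ports are placeholders)
#
# For each parameter, ssh uses the first value it obtains, so place
# specific Host entries before wildcard entries.

# One named outside host, reached through a SOCKS5 proxy.
# %h and %p are replaced with the host and port from the ssh command line.
Host myOutsideHost
    ProxyCommand /usr/lib/ssh/ssh-socks5-proxy-connect -h mySocksServer -p 1080 %h %p

# A set of outside hosts matched by a wildcard, reached through an HTTP proxy.
Host *.outside.example.com
    ProxyCommand /usr/lib/ssh/ssh-http-proxy-connect -h myProxyServer -p 8080 %h %p

# No -h or -p options: the proxy server and port are read from the
# environment (for example http_proxy, or HTTPPROXY and HTTPPROXYPORT),
# so those variables must be set in the shell that runs ssh.
Host *.partner.example.net
    ProxyCommand /usr/lib/ssh/ssh-http-proxy-connect %h %p

# A ProxyCommand placed outside any Host entry would apply to every
# ssh invocation, including connections to hosts inside the firewall.
# Keeping each ProxyCommand under a Host entry limits the proxy to the
# hosts that need it.
```

With this file in place, `ssh myOutsideHost` uses the SOCKS5 entry, and a host name that matches neither wildcard connects directly.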


Example 19–7 Connecting to Hosts Outside a Firewall From the Command Line

How to Set Up Default Connections to Hosts Outside a Firewall explains how to specify a proxy command in a configuration file. In this example, a proxy command is specified on the ssh command line.


% ssh -o'Proxycommand=/usr/lib/ssh/ssh-http-proxy-connect \
-h myProxyServer -p 8080 myOutsideHost 22' myOutsideHost

The -o option to the ssh command provides a command-line method of specifying a proxy command. This example command does the following: