System Administration Guide: Security Services

How to Set Up Default Connections to Hosts Outside a Firewall

You can use Secure Shell to make a connection from a host inside a firewall to a host on the other side of the firewall. This task is done by specifying a proxy command for ssh either in a configuration file or as an option on the command line. For more information see Example — Connecting to Hosts Outside a Firewall From the Command Line.

In general, you can customize your ssh interactions through a configuration file, either your own personal file $HOME/.ssh/config or an administrative configuration file in /etc/ssh/ssh_config. See ssh_config(4). There are two proxy commands, one for each kind of proxy server the firewall might offer: one tunnels through an HTTP proxy (using the HTTP CONNECT method), the other through a SOCKS5 proxy.

  1. Specify the proxy commands and hosts in a configuration file.

    Use the following syntax to add as many entries as you need. The whole ProxyCommand specification goes on a single line in the file; the backslash below only breaks the line for display:


    [Host outside_host]
    ProxyCommand proxy_command [-h proxy_server] [-p proxy_port] outside_host|%h outside_port|%p

    Use the Host outside_host option to limit this proxy command specification to instances when this host (or hosts if a wildcard is used) is specified on the command line.

    The designation proxy_command can be replaced by either of the following:

    • /usr/lib/ssh/ssh-http-proxy-connect for HTTP connections

    • /usr/lib/ssh/ssh-socks5-proxy-connect for SOCKS5 connections

    The -h proxy_server and -p proxy_port options specify a proxy server and a proxy port, respectively. If present, they override any environment variables that specify proxy servers and ports, such as HTTPPROXY, HTTPPROXYPORT, http_proxy (for specifying a URL), SOCKS5_SERVER, and SOCKS5_PORT. If the options are not used, then the relevant environment variables must be set. See ssh-socks5-proxy-connect(1) and ssh-http-proxy-connect(1).

    Use outside_host to designate a specific host to connect to or use %h to specify the host on the command line. Use outside_port or %p to specify the port. Specifying %h and %p without using the Host outside_host option has the effect of applying the proxy command to the host argument whenever ssh is invoked, so every connection, including connections to hosts inside the firewall, is sent through the proxy.

  2. Run Secure Shell, specifying the outside host.

    For example, type:


    myLocalHost% ssh myOutsideHost
    

    This command looks for a proxy command specification for myOutsideHost in your personal configuration file. If not found, then the command looks in the system-wide configuration file, ssh_config. ssh then runs the proxy command and carries the SSH session over that command's standard input and output. The proxy server sees only the destination host and port that the proxy command asks it to connect to; host key checking and encryption happen end to end between ssh and myOutsideHost exactly as for a direct connection, which is what protects you from a proxy that attempts to intercept the session.

Example — Connecting to Hosts Outside a Firewall From the Command Line

The -o option for ssh lets you type any line that is permitted in an ssh configuration file, so you can supply the proxy command specification from the previous task for a single connection without editing a configuration file. An option given with -o takes precedence over the same option in either configuration file.

Run ssh and include a proxy command specification as a -o option. For example, type:


% ssh -o 'ProxyCommand=/usr/lib/ssh/ssh-http-proxy-connect -h myProxyServer -p 8080 myOutsideHost 22' \
    myOutsideHost

This command runs the HTTP proxy command, which connects to myProxyServer on port 8080 and asks it to open a tunnel to port 22 on myOutsideHost; ssh then runs the SSH session over that tunnel. Writing %h %p in place of myOutsideHost 22 makes the same specification reusable for any host, as in the configuration file.
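The following is an added example, not code from this guide or from Solaris: a small Python stand-in for a proxy command that performs the two handshakes the Solaris helpers use, HTTP CONNECT against an HTTP proxy and SOCKS5 CONNECT (without authentication) against a SOCKS5 proxy, checks the proxy's reply, and then relays ssh's standard input and output to the tunnel, which is all that ssh requires of a ProxyCommand. The file name proxy_connect.py, the --socks5 flag and the argument order are assumptions; myProxyServer and myOutsideHost are the placeholders used above.

```python
import os
import select
import socket
import sys


def build_http_connect(host, port):
    """The CONNECT request an HTTP proxy expects (RFC 7231, section 4.3.6)."""
    return f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode("ascii")


def parse_http_connect_reply(buf):
    """(status, bytes after the headers) once complete, None while incomplete; 2xx = tunnel open."""
    end = buf.find(b"\r\n\r\n")
    if end < 0:
        return None
    parts = buf[:end].split(b"\r\n", 1)[0].split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        raise ValueError(f"malformed proxy status line: {buf[:end]!r}")
    return int(parts[1]), buf[end + 4:]       # leftover is already the SSH server's banner


def build_socks5_connect(host, port):
    """SOCKS5 (RFC 1928): greeting offering only 'no auth', then a CONNECT by domain name."""
    name = host.encode("ascii")                # the proxy resolves the outside name, not us
    request = b"\x05\x01\x00\x03" + bytes([len(name)]) + name + port.to_bytes(2, "big")
    return b"\x05\x01\x00", request


def parse_socks5_connect_reply(buf):
    """(reply code, leftover) or None while incomplete; code 0 = success."""
    if len(buf) < 5:
        return None
    atyp = buf[3]
    addr_len = {1: 4, 4: 16, 3: 1 + buf[4]}.get(atyp)   # IPv4, IPv6, length-prefixed name
    if buf[0] != 5 or addr_len is None:
        raise ValueError(f"bad SOCKS5 reply: version {buf[0]}, address type {atyp}")
    need = 4 + addr_len + 2                    # header, bound address, bound port
    return None if len(buf) < need else (buf[1], buf[need:])


def _recv_until(sock, parser, buf=b""):
    while (result := parser(buf)) is None:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection mid-handshake")
        buf += chunk
    return result


def open_tunnel(proxy_host, proxy_port, host, port, socks5=False):
    """Connect to the proxy and run the handshake; return (socket, early bytes)."""
    sock = socket.create_connection((proxy_host, proxy_port))
    if socks5:
        greeting, request = build_socks5_connect(host, port)
        sock.sendall(greeting)
        method, rest = _recv_until(sock, lambda b: (b[1], b[2:]) if len(b) >= 2 else None)
        if method != 0:                        # 0xff: proxy wants auth we did not offer
            raise ConnectionError(f"proxy refused unauthenticated SOCKS5 (method {method:#x})")
        sock.sendall(request)
        code, rest = _recv_until(sock, parse_socks5_connect_reply, rest)
        if code != 0:
            raise ConnectionError(f"SOCKS5 CONNECT to {host}:{port} failed, reply code {code}")
    else:
        sock.sendall(build_http_connect(host, port))
        status, rest = _recv_until(sock, parse_http_connect_reply)
        if not 200 <= status < 300:
            raise ConnectionError(f"HTTP CONNECT to {host}:{port} failed, status {status}")
    return sock, rest


def relay(sock, early):
    """Pump bytes between ssh (our stdin/stdout, fds 0 and 1) and the tunnel until it closes."""
    os.write(1, early)
    fds = [0, sock]
    while True:
        readable = select.select(fds, [], [])[0]
        if 0 in readable:
            data = os.read(0, 65536)
            if data:
                sock.sendall(data)
            else:                              # ssh closed its side of the pipe
                fds.remove(0)
                sock.shutdown(socket.SHUT_WR)
        if sock in readable:
            data = sock.recv(65536)
            if not data:
                return
            os.write(1, data)


if __name__ == "__main__":   # ProxyCommand python3 proxy_connect.py [--socks5] proxy_host proxy_port %h %p
    socks5 = "--socks5" in sys.argv
    proxy_host, proxy_port, host, port = sys.argv[-4:]
    try:
        sock, early = open_tunnel(proxy_host, int(proxy_port), host, int(port), socks5)
    except (OSError, ValueError) as exc:
        sys.exit(f"proxy_connect: {exc}")     # ssh prints this and aborts the connection
    relay(sock, early)
```

Two points worth noticing: a proxy reply other than 2xx (or a non-zero SOCKS5 reply code) makes the helper exit non-zero, which is how ssh learns the tunnel never opened, and the SOCKS5 request uses the domain-name address type, so the inside host never needs to resolve the outside name itself. In both handshakes the proxy learns only the destination host and port; everything after the handshake is the SSH protocol, so host key verification of myOutsideHost still happens between ssh and the far end.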