System Administration Guide: Security Services

How to Set Up Default Connections to Hosts Outside a Firewall

You can use Solaris Secure Shell to make a connection from a host inside a firewall to a host on the other side of the firewall. This task is done by specifying a proxy command for ssh either in a configuration file or as an option on the command line. For more information, see Example—Connecting to Hosts Outside a Firewall From the Command Line.

In general, you can customize your ssh interactions through a configuration file, either your own personal file, $HOME/.ssh/config, or the administrative configuration file, /etc/ssh/ssh_config. See ssh_config(4). Two types of proxy commands are available: one for HTTP connections and one for SOCKS5 connections.

  1. Specify the proxy commands and hosts in a configuration file.

    Use the following syntax to add as many lines as you need:


    [Host outside_host]
    ProxyCommand proxy_command [-h proxy_server] \
    [-p proxy_port] outside_host|%h outside_port|%p

    where

    Host outside_host

    Limits the proxy command specification to instances when a remote host name is specified on the command line. If you use a wildcard for outside_host, you apply the specification to a set of hosts.

    proxy_command

    Specifies the proxy command. The command can be either of the following:

    • /usr/lib/ssh/ssh-http-proxy-connect for HTTP connections

    • /usr/lib/ssh/ssh-socks5-proxy-connect for SOCKS5 connections

    -h proxy_server and -p proxy_port

    These options specify a proxy server and a proxy port, respectively. If present, these options override any environment variables that specify proxy servers and proxy ports, such as HTTPPROXY, HTTPPROXYPORT, SOCKS5_PORT, SOCKS5_SERVER, and http_proxy. The http_proxy variable specifies a URL. If the options are not used, then the relevant environment variables must be set. See the ssh-socks5-proxy-connect(1) and ssh-http-proxy-connect(1) man pages.

    outside_host

    Designates a specific host to connect to. Use %h to substitute the host that is specified on the command line.

    outside_port

    Designates a specific port to connect to. Use %p to substitute the port that is specified on the command line. If you specify %h and %p without using the Host outside_host option, the proxy command is applied to the host argument whenever the ssh command is invoked.

  2. Run Solaris Secure Shell, specifying the outside host.

    For example, type the following:


    myLocalHost% ssh myOutsideHost
    

    This command looks for a proxy command specification for myOutsideHost in your personal configuration file. If the specification is not found, then the command looks in the system-wide configuration file, ssh_config. ssh then uses the proxy command, instead of a direct connection, to reach the host.
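
The lookup described in this step, as an added example that is not part of the guide: a small sh resolver that reports which proxy command applies to a host, assuming the first-obtained-value rule of ssh_config(4). The host names, the proxy names, and the functions sample_config, expand_token and resolve_proxy are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the guide). Host and proxy names are constructed.
# Resolves the ProxyCommand that applies to a host: the first matching value
# wins. Handles "keyword value" lines, * and ? patterns, and %h / %p only.

sample_config() {
cat <<'EOF'
# Specific host first; the wildcard entry is the fallback.
Host myOutsideHost
    ProxyCommand /usr/lib/ssh/ssh-http-proxy-connect -h myProxyServer -p 8080 %h %p
Host *.outside.example
    ProxyCommand /usr/lib/ssh/ssh-socks5-proxy-connect -h mySocksServer -p 1080 %h %p
EOF
}

# expand_token STRING TOKEN VALUE: replace every TOKEN in STRING with VALUE.
expand_token() {
    s=$1 out=
    while :; do
        case $s in
            *"$2"*) out=$out${s%%"$2"*}$3; s=${s#*"$2"} ;;
            *) break ;;
        esac
    done
    printf '%s' "$out$s"
}

# resolve_proxy HOST PORT: reads a config on stdin, prints the expanded
# proxy command, or returns 1 when ssh would connect directly.
resolve_proxy() {
    host=$1 port=$2 active=1 found=
    set -f                                  # keep Host patterns unexpanded
    while read -r key rest; do
        case $(printf '%s' "$key" | tr '[:upper:]' '[:lower:]') in
            host)
                active=0
                for pat in $rest; do
                    case $host in $pat) active=1 ;; esac
                done ;;
            proxycommand)
                if [ "$active" -eq 1 ] && [ -z "$found" ]; then found=$rest; fi ;;
        esac
    done
    set +f
    [ -n "$found" ] || return 1
    expand_token "$(expand_token "$found" %h "$host")" %p "$port"
    echo
}
```

To review which connections leave through a proxy, run `resolve_proxy myOutsideHost 22 < $HOME/.ssh/config`; a non-zero exit status means that no proxy entry in that file matched the host.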

Example—Connecting to Hosts Outside a Firewall From the Command Line

The -o option to the ssh command lets you type any line that is permitted in an ssh configuration file. In this case, the proxy command specification from the previous task is used.

  1. Specify the proxy commands and hosts in a configuration file.

  2. Run the ssh command. Include a proxy command specification as an argument to the -o option. For example, type the following:


    % ssh -o'Proxycommand=/usr/lib/ssh/ssh-http-proxy-connect \
    -h myProxyServer -p 8080 myOutsideHost 22' myOutsideHost
    

    With this command, ssh uses the HTTP proxy command to make the connection, uses port 8080 and myProxyServer as the proxy server, and connects to port 22 on myOutsideHost.