Managing Secure Shell Access in Oracle® Solaris 11.2

Exit Print View

Updated: September 2014

How to Set Up Default Secure Shell Connections to Hosts Outside a Firewall

You can use Secure Shell to make a connection from a host inside a firewall to a host outside the firewall. This task is done by specifying a proxy command for ssh either in a configuration file or as an option on the command line. For the command-line option, see Example 1–7.

You can customize your ssh interactions through your own personal configuration file, ~/.ssh/config, or you can use the settings in the administrative configuration file, /etc/ssh/ssh_config..

The files can be customized with two types of proxy commands. One proxy command is for HTTP connections. The other proxy command is for SOCKS5 connections. For more information, see the ssh_config(4) man page.

  1. Specify the proxy commands and hosts in a configuration file.

    Use the following syntax to add as many lines as you need:

    [Host outside-host]
    ProxyCommand proxy-command [–h proxy-server] \
    [–p proxy-port] outside-host|%h outside-port|%p
    Host outside-host

    Limits the proxy command specification to instances when a remote host name is specified on the command line. If you use a wildcard for outside-host, you apply the proxy command specification to a set of hosts.


    Specifies the proxy command.

      The command can be either of the following:

    • /usr/lib/ssh/ssh-http-proxy-connect for HTTP connections

    • /usr/lib/ssh/ssh-socks5-proxy-connect for SOCKS5 connections

    –h proxy-server and –p proxy-port

    These options specify a proxy server and a proxy port, respectively. If present, the proxies override any environment variables that specify proxy servers and proxy ports, such as HTTPPROXY, HTTPPROXYPORT, SOCKS5_PORT, SOCKS5_SERVER, and http_proxy. The http_proxy variable specifies a URL. If the options are not used, then the relevant environment variables must be set. For more information, see the ssh-socks5-proxy-connect (1) and ssh-http-proxy-connect (1) man pages.


    Designates a specific host to connect to. Use the %h substitution argument to specify the host on the command line.


    Designates a specific port to connect to. Use the %p substitution argument to specify the port on the command line. By specifying %h and %p without using the Host outside-host option, the proxy command is applied to the host argument whenever the ssh command is invoked.

  2. Run Secure Shell, specifying the outside host.

    For example:

    mySystem% ssh myOutsideHost

    This command looks for a proxy command specification for myOutsideHost in your personal configuration file. If the specification is not found, then the command looks in the system-wide configuration file, /etc/ssh/ssh_config. The proxy command is substituted for the ssh command.

Example 1-7  Connecting to Hosts Outside a Firewall From the Secure Shell Command Line

How to Set Up Default Secure Shell Connections to Hosts Outside a Firewall explains how to specify a proxy command in a configuration file. In this example, a proxy command is specified on the ssh command line.

% ssh -o'Proxycommand=/usr/lib/ssh/ssh-http-proxy-connect \
-h myProxyServer -p 8080 myOutsideHost 22' myOutsideHost

    The –o option to the ssh command provides a command-line method of specifying a proxy command. This example command does the following:

  • Substitutes the HTTP proxy command for ssh

  • Uses port 8080 and myProxyServer as the proxy server

  • Connects to port 22 on myOutsideHost