SSH "ProxyCommand" option support?

Implemented

avatar

I am trying to create an SSH session using the "ProxyCommand" option. It seems to be a standard ssh option. I've never used it before, but I need to use it now to connect back via a secure portal for an ssh session to our secure network. I can't seem to find the option.

I've tried to create a proxy, but they are all SOCKS or HTTP(s) based.
I've tried to create a "firewall", but it doesn't seem to be available as a proxy option in the SSH session I need to create.

Does RDM (Windows and macOS) support the "ProxyCommand" option?

If I was to do it via the Windows command line, it's something like this:

ssh -o ProxyCommand="c:\path\to\folder\SomeExecutable.exe argument1" secureproxy.domain.com


In PuTTY, I put the path in the Connection --> Proxy --> Telnet Command or local proxy command box

forum image

Thank you!

All Comments (19)

avatar

Hello,
I had the same problem. I don't know if it's the best solution, but I used a template custom command like this:

forum image

In this example, I launch an ssh session with a proxycommand to run wstunnel, which allows me to:
- bypass a corporate proxy with user and password
- connect to a wstunnel server at the address ws://subdom.dom.com
- do port forwarding to a Windows RDP

(start remote RDP session with "mstsc /v:localhost:2222")

avatar

Thanks! Good idea, but unfortunately it won't work in my use case.

I can work with putty, command line and securecrt. Was hoping I could have all my remote access connections all in one package with RDM. Hopefully there is a way to make it work.

avatar

If, like me, you are looking to use openssh to replace putty and have 1 single program for SSH and RDP, RDM is still a good solution. There is nothing that I failed to do with RDM, like the example I gave you and in my case, I am chaining the SSH connection with launching the RDP connection in RDMFreemanager.

On the other hand, the product is rich in features, it takes time to fully understand the many possibilities present.

I appreciate, for example, having the possibility of creating cmd.exe or PowerShell sessions, thus allowing me to have in the same instance SSH, SSH tunnels in SOCKS proxy mode, RDP, PowerShell, etc.

avatar

Hello,

Sorry for our late response on this. We discussed this internally and we have most things already in place to support this, from what we can tell. It's just missing a few things.

In the SSH Shell (as well as SSH Tunnel and Portforward) entry, we have a Proxy tab where you can configure, just like in PuTTY, your proxy settings:

forum image

The issue at the moment seems to be that we're missing the "local" and "telnet" modes, I think it was an oversight on our part. If we added these modes, it would help your scenario as you could configure it the exact same way as in PuTTY, while keeping everything within Remote Desktop Manager. Let me know what you think.

Regards,

Hubert Mireault

avatar

Hello. Thank you for your response. I think that is the issue. It's missing the "Local" option. I tried with SOCKS4 or SOCKS5 and it did not work. It is looking to create a session to the <hostname> configured in the General --> Host field.

In PuTTY with the "local" option (at least for me) it kicks off the exe in the "local proxy command" section first, which kicks off an Okta integrated login and then creates a secure tunnel to the "hostname" field. If we are not on our VPN (Palo Alto), it still triggers the Okta login, but cannot reach the backend system (i.e. "hostname"). We need the VPN as well to be able to reach the "hostname" via the SSH portal. (Bonus points for adding PA Globalconnect VPN type and being able to incorporate a VPN client into this scenario :) ).

I'm not sure if I have the sequence of events correct, but that's how it works for our implementation. I'm not sure if it's a homegrown SSHproxy solution or third party. I'm just told how to use it with PuTTY and it just works. :)

I think if you added the same logic that PuTTY has for "local" proxy into that drop down menu, it would work.

Thank you!

avatar

Thank you for the details on your workflow. I'm not sure if everything will work as expected by simply adding the "local" proxy mode since it seems like quite a complex environment, but at least it would be a start and we could see what is missing from there.

Regards,

Hubert Mireault

avatar

Hello,

Just to let you know, we should have the Local (and Telnet) modes available starting with RDM 2022.3.11.0. Once this version is out, let us know if that works for you.

Regards,

Hubert Mireault

avatar

Thank you!

> Thank you for the details on your workflow. I'm not sure if everything will work as expected by simply adding the "local" proxy mode since it seems like quite a complex environment, but at least it would be a start and we could see what is missing from there.

Yes. True. I wish it was easier. But Putty can handle it. :)

> Just to let you know, we should have the Local (and Telnet) modes available starting with RDM 2022.3.11.0. Once this version is out, let us know if that works for you.

Excellent! Thank you for the reply. I'll keep an eye out for it. Do you have an ETA?

avatar

I think we should have a beta for 2022.3.11.0 next week if all goes well. We are also aiming for the first non-beta release of RDM 2022.3 to be in early November.

Regards,

Hubert Mireault

avatar

Thank you for the clarification. The "Local" mode should work if the proxycommand runs BEFORE the SSH connection.

I will try it for a connection without RDP redirection with a scenario like this:
1) Connection proxycommand wstunnel --> wstunnel server
2) Connection to the ssh server through wstunnel
or the command line:

ssh my_user@my_server -i .ssh/id_ed25519 -o proxycommand="C:/Tools/wstunnel.exe -L stdio:%h:%p --httpProxy=%PROXYUSER%:%PROXYPASS%@%prxyAddr% wss://my_wstunnel-server.com"

> Hello,
>
> Just to let you know, we should have the Local (and Telnet) modes available starting with RDM 2022.3.11.0. Once this version is out, let us know if that works for you.
>
> Regards,
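
How a local proxy command carries the SSH session, as an added example that is not part of the original posts and is not RDM or wstunnel code: the SSH client starts the helper and uses the helper's stdin and stdout as its transport, so the helper only has to splice those two streams onto a connection toward `%h:%p`. The script name `stdio_relay.py` and the plain TCP connection (in place of a WebSocket tunnel) are assumptions made for illustration.

```python
import os
import socket
import sys
import threading


def write_all(fd, data):
    """os.write may write only part of the buffer; loop until all is out."""
    while data:
        data = data[os.write(fd, data):]


def relay(host, port, in_fd, out_fd):
    """Splice in_fd/out_fd onto a TCP connection to host:port.

    Returns the number of bytes received from the server.
    """
    sock = socket.create_connection((host, port), timeout=10)
    sock.settimeout(None)  # the timeout applies to the connect only

    def upstream():
        # Client -> server: whatever the SSH client writes to our stdin.
        try:
            while True:
                data = os.read(in_fd, 65536)
                if not data:
                    break
                sock.sendall(data)
            sock.shutdown(socket.SHUT_WR)  # pass the client's EOF on
        except OSError:
            pass  # connection already gone

    threading.Thread(target=upstream, daemon=True).start()
    received = 0
    # Server -> client: the first bytes here are the server's SSH banner.
    while True:
        data = sock.recv(65536)
        if not data:
            break
        write_all(out_fd, data)
        received += len(data)
    sock.close()
    return received


if __name__ == "__main__":
    # Hypothetical usage: ssh -o ProxyCommand="python stdio_relay.py %h %p" host
    if sys.platform == "win32":
        import msvcrt  # fds 0 and 1 default to text mode on Windows
        for fd in (0, 1):
            msvcrt.setmode(fd, os.O_BINARY)
    relay(sys.argv[1], int(sys.argv[2]), 0, 1)
```

Anything the helper prints for diagnostics has to go to stderr, because every byte on stdout is handed to the SSH client as protocol data.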
avatar
Sorry, I don't know what "ETA" is?
It's probably an acronym known to you, but I don't know its meaning yet.

Can you explain to me, please?

;-//

> Excellent! Thank you for the reply. I'll keep an eye out for it. Do you have an ETA?


avatar
> We are also aiming for the first non beta release of RDM 2022.3 to be in early november


I saw it was available and downloaded it.

The "local" proxy is working great! Just like in PuTTY and in the PowerShell CLI with ssh -o ProxyCommand=blah\blah\blah.exe.

And I can log everything to a local text file as well for documentation purposes. This is great!

Thank you for the quick turnaround and adding the feature!

avatar

That's great, I'm glad to know it works for you 🙂 If you need anything else, let us know.

Regards,

Hubert Mireault

avatar

I installed version 2022.3.16.0 64-bit. I have the local option for the proxy, but... it doesn't work! ;-((

If I put the path as "c:\Tools\wstunnel.exe" I get an error message "file not found", and the same if I put "c:/Tools/wstunnel.exe".
I tried to put the switch -o proxycommand="...", but that doesn't work either.
I also tried without putting a path (wstunnel is in my local path variable), but that doesn't work either. I have a message "(-1) non specific error".
I looked at the log file (verbose mode 4):

[04/11/22 15:39:12] Devolutions Protocols version: 2022.11.1.1 Windows
[04/11/22 15:39:12] Starting SSH, verbose level: 4
[04/11/22 15:39:12] Setting up connection
[11/04/22 15:39:12] Using proxy type: Local
[04/11/22 15:39:12] Connecting to port: 22 (IP any)
[04/11/22 15:39:12] Local proxy: wstunnel.exe -vvv -L stdio:192.168.10.25:22 wss://wstunnelgateway.mydomain.com
[04/11/22 15:39:12] Empty pre-connection PDU, ignored
[04/11/22 15:39:13] Disconnection in progress
[04/11/22 15:39:13] Local proxy command message:
[04/11/22 15:39:13] DEBUG:: Oppening tcp connection to wstunnelgateway.mydomain.com:443
DEBUG :: Doing tls Handshake
DEBUG :: Oppening Websocket stream
[04/11/22 15:39:13] Bytes sent: 24, Bytes received: 0
[04/11/22 15:39:13] Packets sent: 0, Packets received: 0
[04/11/22 15:39:13] Kex completed: 0
[04/11/22 15:39:13] Disconnecting

NB: Of course, these are not the real @IP addresses and domain name

What do I see on my servers?

1) On the wstunnel gateway, I can see the connection and the forward to the ssh server
2) on the ssh server I see: sshd[710783]: Connection closed by 192.168.10.91 port 57944 [preauth]

WTF ?? the connection is closed without being opened ??

OK, I can reproduce that. If I try to connect without an ssh key (ssh -i /path/to/my_private-ssh-key) or if I disable the ssh agent (Keepass in my case) I have the same result.

I've tried putting a valid ssh key at the login level to stop having this problem, but nothing works. If I take the same key with a direct ssh session on the ssh server (without the wstunnel gateway) it works.

Ok, after quite a lot of tries I think the ssh key for authentication is not passed by the ssh agent or if I give the ssh key (...)

Indeed, I do not leave my servers in password authentication but only via ssh keys.

Did you do the test with ssh key authentication?

I think it's a minor bug and in any case, thank you and congratulations for the job! ;-))

The PDF is an example configuration for a wstunnel gateway with Docker, if you want to test it:

wstunnel _ ssh over https or by-pass enterprise http proxy.pdf

avatar

Hello,

Thank you for the feedback and the information, I have opened a ticket so our developer in charge of the terminal can take a look at it. As you say maybe there is a bug under certain circumstances. I will let you know if we need more information or when we have a fix for you to try.

Regards,

Hubert Mireault

avatar

OK, thanks

avatar

Hello,

We should have a fix for this available in RDM 2022.3.18.0, which will be released this week.

Regards,

Hubert Mireault

avatar

Hello,

Good news, the new release works! ;-))

avatar

Hello,

Happy to hear it! Let us know if there's anything else we can do to help.

Regards,

Hubert Mireault