SSH Tunneling

In my last post about Runner I briefly explained needing to modify your ~/.ssh/config to use a ProxyCommand to allow for automatic tunneling with SSH.

Host tlbastion
User tuxninja
ForwardAgent yes
DynamicForward 8081

Host *
User tuxninja
ProxyCommand /usr/local/bin/sconnect -4 -w 4 -S localhost:8081 %h %p

What I didn’t explain is there is an alternative method that is arguably simpler. It requires creating three small shells scripts & placing them in your path or a common host path like /usr/local/bin/ with the chmod +x permission. Here is the script that sets up the ssh tunnel.

Script: starttunnel

$ cat /usr/local/bin/starttunnel 
ssh -o ServerAliveInterval=300 -CfgNTL -D 8081

Running starttunnel, will connect you to your bastion/jump box and then background this connection with keep alives on. It will listen / dynamically forward ssh requests to 8081 through or to Additionally, if you wanted to tunnel a web port specifically on a machine that sits within your network back to the machine you are tunneling from, you can add it to the script. Such that the required host/port always gets tunneled and is available on your machine when you run starttunnel. Example config would look like.

Script: starttunnel + forwarding http


$ cat /usr/local/bin/starttunnel 
ssh -o ServerAliveInterval=300 -CfgNTL -D 8081

Now that you have authenticated to your bastion and have a working tunnel you need to get ssh requests to go through this tunnel. However, if your like me you still want the ability to ssh to other stuff without going through that tunnel. So I created a new script called ‘sshp’. When I want to ssh through the tunnel / proxy I use ‘sshp’, when I want to ssh to somewhere else on the internet or another network I use plain old ‘ssh’. Here is my sshp script used to connect to machines behind the bastion.

Script: sshp

$ cat /usr/local/bin/sshp 

ssh -o ConnectTimeout=3 -o StrictHostKeyChecking=no -o CheckHostIP=no -o ServerAliveInterval=300 -o "ProxyCommand /bin/nc -X 5 -x localhost:8081 %h %p" $1


Now, when you run sshp you will be connection through the tuxlabs bastion into tuxlabs1. Also notice in my previous post I used sconnect as the proxy command in this one we are using ‘nc’ aka netcat. I have found this method of tunneling to be the most simplistic and effective in my daily life. One more script you need is if you want to copy files you need to use scp. So you have to make a similar command ‘scpp’ for tunneling your copying of files. Here’s the script.

Script: scpp

$ cat /usr/local/bin/scpp 

scp -pr -o ConnectTimeout=3 -o StrictHostKeyChecking=no -o CheckHostIP=no -o "ProxyCommand /bin/nc -x localhost:8081 %h %p" $1 $2

One final note…if you need use ‘*’ aka splat for copying many files you cannot use the script above, because the shell or script converts that incorrectly. Instead just use the full command yourself from the command line.

scp’ing with *

$ scp -pr -o ConnectTimeout=3 -o StrictHostKeyChecking=no -o CheckHostIP=no -o "ProxyCommand /bin/nc -x localhost:8081 %h %p" copy.all.*

This would copy all files named ‘copy.all.<whatever>’ to the ¬†bastion. Hope this hopes the folks out there feeling limited by bastions. They provide great security and are an absolute requirement in secure environments so learning tricks that make sure you only need to authenticate once for an extended period of time can come in real handy.

Jason Riedel



Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.