Friday, October 2, 2015

SSH Jump and local command

I added this in my ~/.ssh/config to help avoid stupid mistakes:




Host *.prod-domain.com
LocalCommand print "WARNING: PROD" && print "continue ?" && read
PermitLocalCommand yes


Which makes ssh print a warning and a prompt when I try to connect to a host under prod-domain.com.

Now, most hosts do not expose ssh publicly, so we have to go through a gateway. I used to do



ssh -J gateway.prod-domain.com target.prod-domain.com

But with the local command enabled, ssh fails with:



Bad packet length 1231976033.
ssh_dispatch_run_fatal: Connection to UNKNOWN port 65535: message authentication code incorrect

Connecting directly (e.g. ssh gateway.prod-domain.com) still works fine, and connecting with a jump works if I comment the local command.




Are local commands and ssh jumps incompatible? Is it documented somewhere, and is there a way to make it work (like disabling the local command when "jumping"), or did I maybe hit a bug?

Answer

As the ssh_config manpage says:




The command is run synchronously and does not have access to the session of the ssh(1) that spawned it. It should not be used for interactive commands.

Your problem is with the read statement: it messes up the negotiation process of SSH performed in the tunnel created via gateway.prod-domain.com.




You can configure your client so that only the "endpoints" give you the warning and the gateway doesn't, by having an empty entry in your ~/.ssh/config for the gateway, like this:

Host gateway.prod-domain.com gateway
HostName gateway.prod-domain.com

Host *.prod-domain.com
ProxyJump gateway
LocalCommand print "WARNING: PROD" && print "continue ?" && read
PermitLocalCommand yes



This way, what you tried to do will work, just be sure not to use the "prod-domain" servers as a jump proxy (except for the gateway, of course). Or, to avoid interactive commands altogether, you could use something like this:

Host *.prod-domain.com
LocalCommand echo -e "\x1b[30;41mWARNING: You are on a PRODUCTIVE system!\x1b[0m"
PermitLocalCommand yes


This way, while you can't prevent the session from establishing, you will be given a big red warning.
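To see why the answer's layout keeps the gateway hop quiet, here is an added Python emulation of ssh_config Host matching (example code, not from the post or from OpenSSH): ProxyJump starts the hop as `ssh -W host:port gateway`, and the name `gateway` is matched against the patterns as typed, so it never hits `*.prod-domain.com`. It assumes a simplified config (plain `Keyword value` lines, no Match or Include, single-hop ProxyJump) and uses the constructed config embedded below.

```python
import fnmatch
# Constructed ssh_config with the same layout as the answer above.
SSH_CONFIG = """
Host gateway.prod-domain.com gateway
    HostName gateway.prod-domain.com
Host *.prod-domain.com
    ProxyJump gateway
    LocalCommand echo "WARNING: PROD"
    PermitLocalCommand yes
"""

def parse(text):
    """(patterns, {option: value}) blocks in file order; no Match/Include support."""
    blocks = [(["*"], {})]  # options before any Host line are global
    lines = (raw.split("#", 1)[0].strip() for raw in text.splitlines())
    for line in filter(None, lines):  # skip blanks and comment-only lines
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()  # keywords are case-insensitive
        if key == "host":
            blocks.append((value.split(), {}))
        else:
            blocks[-1][1].setdefault(key, value)
    return blocks

def host_matches(name, patterns):
    """A matching '!' pattern vetoes the block; otherwise any positive glob match selects it."""
    hit = False
    for pat in patterns:
        if pat.startswith("!") and fnmatch.fnmatchcase(name, pat[1:]):
            return False
        hit = hit or (not pat.startswith("!") and fnmatch.fnmatchcase(name, pat))
    return hit

def resolve(name, text=SSH_CONFIG):
    """Effective options for `ssh name`: first value obtained wins; name as typed, not HostName."""
    effective = {}
    for patterns, options in parse(text):
        if host_matches(name.lower(), patterns):
            for key, value in options.items():
                effective.setdefault(key, value)
    return effective

def connection_chain(target, text=SSH_CONFIG):
    """Hop names of the ssh processes a ProxyJump connection spawns, gateway first."""
    chain, name = [], target
    while name and name not in [n for n, _ in chain]:  # guard against jump loops
        chain.append((name, resolve(name, text)))
        name = chain[-1][1].get("proxyjump")  # the hop runs as `ssh -W ... <name>`
    return chain[::-1]
```

Against a real client, the equivalent check is `ssh -G gateway` versus `ssh -G target.prod-domain.com`, which print the options OpenSSH would actually apply to each name.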

