Opened on Jan 9, 2009 at 3:44:39 PM
Closed on Oct 16, 2020 at 8:47:25 AM
Last modified on Dec 30, 2020 at 10:11:58 AM
#2865 closed enhancement (fixed)
Support proxy connection with SSH Tunnel through bastion server
Reported by: | ross.peoples@… | Owned by: | dkocher |
---|---|---|---|
Priority: | high | Milestone: | 7.7.0 |
Component: | sftp | Version: | 4.4.5 |
Severity: | normal | Keywords: | ssh tunnel sftp gateway jump server |
Cc: | xurizaemon@…, Gabrielradic, chris@…, denis@…, micah@…, pedrotti.maxime@… | Architecture: | Intel |
Platform: |
Description
Coming from Windows, I used WinSCP for my SFTP transfers. One of the features I miss in Cyberduck is the ability to connect to SFTP through another machine via SSH.
For example, I have a gateway machine with an SSH server. When I connect to that server via SSH, I can then connect to another machine (inside the network) via SSH.
So having the ability to tunnel through one SSH server to another SSH server for SFTP transfers would be great. Right now, I have to log into the gateway, map a local port to the final machine, and use Cyberduck to connect to localhost:22 after the connection to the gateway has been made.
This would be a wonderful feature and a HUGE help to me and others in similar situations.
Attachments (2)
Change History (52)
comment:1 Changed on Mar 25, 2009 at 5:42:36 PM by max@…
comment:2 Changed on May 8, 2009 at 6:21:40 PM by pablo.englebienne@…
I would like to third this request. I have the following setup in my ~/.ssh/config file:
    Host gateway
      Hostname gateway.mydomain.com
    Host server1
      HostName server1.mydomain.com
      ProxyCommand ssh gateway netcat %h %p
This works perfectly for ssh and scp in the Terminal, but not with Cyberduck. Would there be a way for Cyberduck to use that information?
comment:3 Changed on Aug 31, 2009 at 1:07:12 AM by shikishiji@…
this would be very useful for me too
comment:4 Changed on Nov 24, 2009 at 3:43:09 PM by dan.xtc@…
Seconded this request as well, it'd be hugely useful.
comment:5 Changed on Dec 8, 2009 at 6:18:53 PM by warrenmelnick@…
I have to also ask for this. This is a common corporate strategy and we are stuck dealing with it in strange ways.
comment:6 Changed on Jan 10, 2010 at 9:01:39 PM by xurizaemon
- Cc xurizaemon@… added
This would be a useful addition for those of us who host machines behind an SSH-enabled gateway host and prefer to avoid opening multiple ports for each machine behind that host.
SSHFS from MacFuse, SCP and regular SSH all support the ProxyCommand config directive.
Other tickets which touch on or duplicate this request are: #958, #2104, #3030.
comment:7 Changed on Mar 13, 2010 at 9:01:01 PM by darkwater42@…
I would also love to see this feature. (I kind of just assumed Cyberduck would automatically support this, since everything else that I use that goes through ssh automatically does, and I banged my head on the wall for a while trying to figure out why it wasn't working.)
comment:8 Changed on Aug 8, 2010 at 8:25:28 PM by https://www.google.com/accounts/o8/id?id=aitoawlb67hbvurczhystrpfukkx6qslhzokohi
I concur with all in this thread. This would help out a lot for those of us who would like to use Cyberduck with ssh "jumpbox" (ProxyCommand). I use something similar to @pablo.englebienne in my ~/.ssh/config file:
    Host proxy_jumpbox
      DynamicForward 8080
      HostName jumpbox.ssh-access-to-outside.myprotecteddomain.com
    Host *.NOssh-access-to-outside.myprotecteddomain.com
      EscapeChar none
      StrictHostKeyChecking no
      ProxyCommand /usr/bin/nc -x localhost:8080 %h %p
When I want to connect into any machine under *.NOssh-access-to-realworld.myprotecteddomain.com domain I first open a connection to the outside accessible jump host: $ ssh proxy_jumpbox. Then all the subsequent connections to the boxes w/o access to the internets *.NOssh-access-to-realworld.myprotecteddomain.com get tunneled via the DynamicForward+(ProxyCommand/nc) proxy_jumpbox.
Support for functionality like this would be awesome. +bump
comment:9 Changed on Sep 23, 2011 at 9:01:01 PM by logicbus
Adding my name to the list of people who have requested this. I use SSH tunnel only on rare occasions, but when I need it, it's for a good reason.
Fugu http://rsug.itd.umich.edu/software/fugu/ can do this, but I like Cyberduck.
comment:10 Changed on Jul 20, 2012 at 9:52:46 PM by Gabrielradic
- Architecture set to Intel
- Cc Gabrielradic added
- Version changed from 3.1 to 4.2.1
Many hosting providers, especially for dedicated boxes, would provide a free space server to an (S)FTP. The catch is that the server would only work from inside that specific network. Some hosters providing this system are Hetzner, Dedibox and OVH, all huge.
Having a tunnel option for any (S)FTP connection would allow managing the backup space without much hassle.
comment:11 Changed on Aug 22, 2013 at 11:14:01 PM by chris burgess
- Cc chris@… added
comment:12 Changed on Feb 20, 2014 at 8:47:48 AM by cobret
this would be very useful for me, too.
comment:13 Changed on Feb 21, 2014 at 1:04:00 PM by dkocher
- Priority changed from normal to low
comment:14 Changed on Jun 21, 2014 at 9:05:32 PM by DSDeniso
- Cc denis@… added
- Keywords gateway jump server added
- Milestone set to 5.0
- Owner changed from dkocher to DSDeniso
- Priority changed from low to high
- Status changed from new to assigned
- Version changed from 4.2.1 to 4.4.5
comment:15 Changed on Jun 23, 2014 at 11:58:45 AM by dkocher
- Milestone 5.0 deleted
- Owner changed from DSDeniso to dkocher
- Priority changed from high to low
- Status changed from assigned to new
comment:16 follow-up: ↓ 17 Changed on Jun 23, 2014 at 9:20:55 PM by DSDeniso
dkocher:
Can I ask you why you changed this back? Do you have any plans on developing this, or? I thought it was ok, since this is quite old. I'm also open to some collaboration.
/DSDeniso
comment:17 in reply to: ↑ 16 ; follow-up: ↓ 18 Changed on Jun 24, 2014 at 7:04:48 AM by dkocher
Replying to DSDeniso:
> dkocher:
> Can I ask you why you changed this back? Do you have any plans on developing this, or? I thought it was ok, since this is quite old. I'm also open to some collaboration.
I would certainly welcome code contributions which would allow it to schedule for a milestone.
comment:18 in reply to: ↑ 17 Changed on Jun 24, 2014 at 7:37:31 PM by DSDeniso
Replying to dkocher:
> Replying to DSDeniso:
> > dkocher:
> > Can I ask you why you changed this back? Do you have any plans on developing this, or? I thought it was ok, since this is quite old. I'm also open to some collaboration.
> I would certainly welcome code contributions which would allow it to schedule for a milestone.
I'm sorry. I don't think that I understand your message. Will you please try to explain a bit more in depth? My formatting also looks wrong, so I'm maybe also missing some part of your comment.
Thanks, /DSDeniso
comment:19 Changed on Sep 26, 2014 at 1:07:49 PM by kunda loves scribus
+1
comment:20 Changed on Nov 27, 2014 at 12:47:03 AM by http://openid.lyraphase.com/
Surprised that this isn't already a part of Cyberduck, although I guess that this means it doesn't use built-in ssh & ~/.ssh/config.
comment:21 Changed on Mar 3, 2015 at 11:17:58 PM by mmilci
Most companies use jumpboxes, and without SSH tunnel support it's not easy to use Cyberduck. I think it's an easy and very helpful change for a new release.
+one
Changed on Mar 3, 2015 at 11:21:19 PM by mmilci
comment:22 Changed on Dec 28, 2015 at 9:29:19 PM by popo
I agree; I'm surprised this feature doesn't exist, as it's a very common situation. For example, Amazon suggests setting up a bastion server for EC2 instances https://blogs.aws.amazon.com/security/post/Tx3N8GFK85UN1G6/Securely-connect-to-Linux-instances-running-in-a-private-Amazon-VPC, so if you want to transfer files to and from your instance, you have to first tunnel through the bastion server. Please add this functionality.
comment:23 Changed on Feb 26, 2016 at 7:08:40 AM by a.e.urai@…
+1, it would be very useful to have SSH tunnel information in the settings for a specific bookmark and avoid having to manually reopen the tunnel when the connection drops.
comment:24 Changed on Feb 26, 2016 at 10:04:58 AM by dkocher
#8688 closed as duplicate.
comment:25 Changed on Feb 26, 2016 at 10:05:09 AM by dkocher
#9304 closed as duplicate.
comment:26 Changed on Feb 26, 2016 at 10:05:44 AM by dkocher
- Milestone set to 5.0
- Status changed from new to assigned
comment:27 Changed on Feb 26, 2016 at 3:39:14 PM by jcw.dev
I'd like to also nominate this feature - it is critical in enterprise environments that SSH bastions or jumpboxes are reliably employed. There are two primary configuration components needed for this to work well: ProxyCommand, and ForwardAgent.
Consider this example where I first define my bastion host, and second define a host domain range for which I'd like to tunnel connections through the bastion.
    Host bastion
      Hostname bastion.mydomain.com
      User jcw
      IdentityFile /Users/.../jcw.pem
    Host *.mydomain.com
      User jcw
      IdentityFile /Users/.../jcw.pem
      ProxyCommand ssh -vvv bastion -W %h:%p -q
      ForwardAgent yes
The ProxyCommand is self-explanatory, and the crux of this topic. ForwardAgent is an important nuance, allowing the client to remain the only holder of their private key (it should not live on the bastion!).
If these things were in place, I would be using Mountain Duck as part of my core workflow every day!
comment:28 Changed on Feb 26, 2016 at 10:35:27 PM by dkocher
Some references
comment:29 Changed on Feb 29, 2016 at 9:00:28 AM by dkocher
- Summary changed from SSH Tunnel to Support proxy connection with SSH Tunnel through bastion server
comment:30 Changed on May 18, 2016 at 3:27:20 PM by dkocher
- Milestone 5.0 deleted
comment:31 Changed on Oct 18, 2016 at 3:28:49 PM by dkocher
#9708 closed as duplicate.
comment:32 Changed on Dec 14, 2016 at 3:31:10 AM by micah-uber
- Cc micah@… added
It would be great if this were a thing. Right now I have to use a different product to be able to accomplish this. As much as I love Cyberduck, if I don't have this feature I cannot use this product. It's sad that this has been open for 8 years.... 2016... and cannot ssh tunnel... tsk tsk.
Please implement.
comment:33 Changed on Dec 14, 2016 at 3:51:32 AM by mmilci
Hi micah, which product are you using that supports SSH tunnels? I cannot find any, so I continue to use this. If you found one, can you share the name?
Changed on Dec 14, 2016 at 4:12:02 AM by micah-uber
comment:34 Changed on Dec 14, 2016 at 4:12:23 AM by micah-uber
I may have misspoken a little. I have an ssh config that does the proxying for me. Other clients respect this config and work as expected. When I use Cyberduck it will not let me use the settings I have set up in the .ssh/config file.
    Host domenode
      HostName somenode
      ForwardAgent yes
    Host someprefix-* !somenode*
      Compression no
      ForwardAgent yes
      HostName %h
      ProxyCommand ssh somenode -W %h:%p
For context, I can ssh to somenode just fine.
I also think native support would be best since you don't have to rely on ssh configs.
comment:35 Changed on Dec 14, 2016 at 4:54:53 AM by mmilci
Yep, 8 years ago a task was created with the same request, "even if you do not support tunnels, at least let Cyberduck use ~/.ssh/config", but it is not supported.
comment:36 Changed on Dec 14, 2016 at 4:58:12 AM by micah-uber
Is there a timeline for supporting .ssh/config settings? or support it natively?
comment:37 Changed on Dec 14, 2016 at 5:00:00 AM by mmilci
I’m also a user, but 8 years clearly shows it won’t happen.
comment:38 Changed on Apr 23, 2017 at 11:21:46 PM by yourwebclient
I found myself desperately needing to access a VPN that was connected to on a remote host, from my localhost (Mac). Specifically, I wanted CyberDuck on my Mac to have access to hosts on a VPN that only a remote (but locally accessible) host had access to. But I found the ProxyCommand setting that works perfectly with BBEdit's SFTP infrastructure, doesn't work with Cyberduck.
WORKAROUND: I set up an ssh tunnel daemon using the Mac "SSH Tunnel" app (paid app) from the App Store, using the app as a convenient way to track and manage tunnels (in my case, all one of them), but no magic there, it just uses ssh -L ... (many examples of setting up that kind of tunnel, online). Once a tunnel is running that bridges the Mac to a host on the VPN via the VPN-connected remote host (let's call it the proxy), I connect with Cyberduck running on the Mac to the tunnel port on the same Mac Cyberduck is running on (e.g. to localhost:<tunnel port>), and voilà - CyberDuck now has access to a host on the VPN. The downside of this workaround might be an avoidable performance hit (e.g. redundant ssh encryption of the I/O streams).
It would be helpful if CyberDuck supported the ProxyCommand ssh config option, or at least would explain their position on the matter, in any case (I.e. Are there future plans to add this? Is it deferred? Is it technically not feasible? Skipped due to the availability of workarounds? Not enough demand? Not interested, etc...?)
comment:39 Changed on Feb 11, 2018 at 9:57:12 AM by mpmuc
- Cc pedrotti.maxime@… added
comment:40 Changed on Nov 20, 2018 at 9:07:16 AM by dkocher
- Milestone set to 7.0
comment:41 Changed on Jan 13, 2019 at 8:48:08 PM by dkocher
- Priority changed from low to high
comment:42 Changed on Jan 19, 2019 at 11:32:38 AM by skylite
This would be very useful to me too! I tried almost all ssh/scp clients for mac and currently there is no GUI client capable of doing this. With sshfs it would look something like this if you don't fill out the ~/.ssh/config file (and using private key auth):
/etc/ssh/sshd_config file on the server:
    Match User john
      ForceCommand nc -q0 192.168.1.10 22
mount command on client:
    sshfs john@my-entry-server.hu:/ my_local_folder/ -o ProxyCommand='ssh -q john@my-entry-server.hu -i ~/id_rsa_user_v2' -o IdentityFile='~/id_rsa_user_v2'
if you have the config file:
    host internal_server
      user john
      ProxyCommand ssh -q john@my-entry-server.hu -i ~/id_rsa_user_v2
      IdentityFile ~/id_rsa_user_v2
then it is just:
    sshfs internal_server: my_local_folder/
comment:43 Changed on May 31, 2019 at 1:32:36 PM by dkocher
- Milestone changed from 7.0 to 7.1
comment:44 Changed on Sep 2, 2019 at 7:37:32 AM by dkocher
- Milestone changed from 7.1 to 8.0
comment:45 Changed on Jun 5, 2020 at 10:04:46 AM by dkocher
We would intend to support the ProxyJump directive from the OpenSSH configuration.
The main method is to use an SSH connection to forward the SSH protocol through one or more jump hosts, using the ProxyJump directive. Using the ProxyCommand option to invoke Netcat as the last in the chain is a variation of this for very old clients.
Starting from OpenSSH 7.3, released August 2016[1], the easiest way to pass through one or more jump hosts is with the ProxyJump directive in ssh_config(5).
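An added example, not part of the ticket and not Cyberduck's code: a small resolver that reads an ssh_config like the ones posted in this thread, follows ProxyJump to list the hops in connection order, and reports `StrictHostKeyChecking no` or `ForwardAgent yes` on any hop. It is a simplified model (assumptions: no `Match`, `Include`, `%` tokens or `Key=Value` syntax; `fnmatch` approximates OpenSSH host patterns), and the host names are constructed.

```python
import fnmatch
import shlex

SAMPLE = """
Host edge
Host bastion
  ProxyJump edge
Host *.internal.example.com !db9.*
  ProxyJump jcw@bastion:22
  ForwardAgent yes
  StrictHostKeyChecking no
"""  # constructed sample, not a config from the ticket

def parse(text):
    blocks = [(["*"], {})]  # options before any Host line apply to every host
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)
        if parts and parts[0].lower() == "host":
            blocks.append((parts[1:], {}))
        elif parts:  # within a block the first value of an option is kept
            blocks[-1][1].setdefault(parts[0].lower(), " ".join(parts[1:]))
    return blocks

def effective(blocks, host):
    opts = {}  # matching blocks merge in file order; first value obtained wins
    for patterns, settings in blocks:
        hit = lambda ps: any(fnmatch.fnmatchcase(host, p) for p in ps)
        negated = [p[1:] for p in patterns if p.startswith("!")]
        if hit(p for p in patterns if not p.startswith("!")) and not hit(negated):
            for key, value in settings.items():
                opts.setdefault(key, value)
    return opts

def hop_chain(blocks, target, seen=()):
    if target in seen:
        raise ValueError("ProxyJump loop at " + target)
    jump = effective(blocks, target).get("proxyjump", "none")
    if jump.lower() == "none":
        return [target]
    # [user@]host[:port] -> host; only the first hop's own ProxyJump is followed
    hops = [h.strip().rsplit("@", 1)[-1].split(":")[0] for h in jump.split(",")]
    return hop_chain(blocks, hops[0], seen + (target,)) + hops[1:] + [target]

def audit(blocks, target):
    risky = {"stricthostkeychecking": ("no", "off"), "forwardagent": ("yes",)}
    return [(hop, key, value)
            for hop in hop_chain(blocks, target)
            for key, value in effective(blocks, hop).items()
            if value.lower() in risky.get(key, ())]
```

With ProxyJump the client authenticates to the final host through the forwarded channel, so the chain needs neither agent forwarding nor a private key on the bastion.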
comment:46 Changed on Oct 16, 2020 at 8:47:25 AM by dkocher
- Resolution set to fixed
- Status changed from assigned to closed
In r49988. Documentation in Connect via SSH tunnel through bastion server.
comment:47 Changed on Oct 16, 2020 at 9:05:20 AM by dkocher
Can be tested as of snapshot build 7.6.5.33632 or later.
comment:48 Changed on Nov 2, 2020 at 1:24:43 PM by dkocher
- Milestone changed from 8.0 to 7.7.0
Milestone renamed
comment:49 Changed on Nov 2, 2020 at 1:26:44 PM by dkocher
- Milestone changed from 7.7.0 to 7.7
Milestone renamed
comment:50 Changed on Dec 30, 2020 at 10:11:58 AM by dkocher
- Milestone changed from 7.7 to 7.7.0
Milestone renamed
I just would like to second this feature request. We also have to access all our files through a gateway machine. It would be very helpful if one could do this via Cyberduck, without extra work.