phpseclib / phpseclib

PHP Secure Communications Library
http://phpseclib.com/
MIT License

Using a ssh gateway / ProxyCommand #461

Open derkaan opened 9 years ago

derkaan commented 9 years ago

Hi,

We would like to use phpseclib to connect via ssh on servers. Due to security restrictions we have to connect through a ssh gateway to reach the target server.

<local machine> --> <ssh gateway> --> <target server>

In SSH terminology this would be handled via the ProxyCommand: Example entry in a ssh config file:

Host my-ssh-gateway
  Hostname 111.222.333.444
  ForwardAgent yes

Host my-target-server
  ProxyCommand ssh my-ssh-gateway nc %h %p

Is there a way/config to use this functionality also in phpseclib? Please let me know if I missed something in the manual and/or point me to a site where I can grab the details.

Thanks + Best derkaan

bantu commented 9 years ago

> Is there a way/config to use this functionality also in phpseclib?

No. Also see #261

terrafrost commented 9 years ago

I'll add this to my to-do list :)

But atm, no, it's not supported.

bantu commented 9 years ago

See #505 for Implementing Agent Forwarding.

dforsber commented 8 years ago

+1

boite commented 8 years ago

Are there any technical reasons this feature hasn't been implemented? Would it be straightforward to do? I ask because I am interested in this feature, but not familiar with the SSH code.

mledoze commented 6 years ago

Hello, are there any updates on this feature?

sibaz commented 5 years ago

I'm keen to figure this out too. I have the following in my ~/.ssh/config for each host that needs to proxy via our MFA jump box, but currently I can't connect to any of those hosts via PHPSecLib, which is annoying.

ProxyCommand ssh -q %r@mfaserver.domain nc -w1 %h %p

I will need to find a solution to this in the next few weeks, even if it means coding it myself, so any guidance would be welcome. Presumably the above is just starting a tty on the proxy server, running ncat to connect onwards to get a pseudo terminal, on the intended machine (%h %p in the above).

I guess the only difficult bit would be having phpseclib nest itself to use the pty of a previous command. Like I say any guidance would be welcome, or even a proper location to discuss this, if this issue is not the correct place.

terrafrost commented 5 years ago

I'll get to this in due time but tbh we're probably talking about a time scale of years. My main priority, atm, is to modernize the underlying crypto algorithms that phpseclib uses and then get 3.0 out. Pursuant to that I've implemented ECDSA / Ed25519 / chacha20-poly1305 and aes-gcm. Right now I'm working on making the public key algorithms immutable and making it so that you can log in to an SSH server with an ECDSA key and create / read X.509 certs with ECDSA keys. After that it'll be ECDH. After that I'll either start working on the documentation for 3.0 and then release 3.0 or else maybe I'll release 3.0 and then do the documentation for it.

After that I want to completely refactor X509 and then SSH2.

I'm willing to adjust my timetables and priorities but I will need cash to do so. ie. pay me as a consultant / contractor at a rate of $100 / hr or so and I'll get it done and will give you weekly status updates until it is done. Any work that I do for phpseclib under this arrangement will need to be open source. I might be willing to do a non-open source implementation as well but that's going to be a lot more $$ (ie. would that mean that I'd never be able to implement support for this in phpseclib ever? I guess I could go for that but it's going to cost $$).

There is precedent for this. See https://github.com/terrafrost/phpseclib/tree/cms

Also, one thing to keep in mind with this: I do have a regular 8-5 job that I work M-F and that job has nothing to do with phpseclib. So don't expect me to put in 40-50h billable hours of work on this a week. I suppose I could use PTO to take time off work to invest more time in this project but (1) I already have plans for pretty much all of my PTO (I'm gonna take almost the entire month of November off to do Egypt / Turkey / Norway [for the northern lights] / Paris / London). I guess I'd be willing to use my PTO to get the work done that much faster and re-arrange my November plans (I've already paid for about half the trip and what I've paid for... idk if it's refundable) but that'll cost $$ as well.
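
Since the replies above say phpseclib has no ProxyCommand equivalent, one workaround for the `<local machine> --> <ssh gateway> --> <target server>` layout is to let a local OpenSSH client make the gateway hop as a port forward and point phpseclib at the loopback end. This is an added example, not code from the thread or from the phpseclib project; it assumes the phpseclib 2.0 API and a gateway login that needs no interactive prompt, and the host aliases, port 2222, user `deploy`, key path and pinned host key are placeholders.

```php
<?php
// Added example, not phpseclib project code. Assumes PHP 7.4+ CLI, phpseclib 2.0
// via Composer and a local OpenSSH client that reaches the gateway non-interactively.
require __DIR__ . '/vendor/autoload.php';

use phpseclib\Crypt\RSA;
use phpseclib\Net\SSH2;

$gateway   = 'my-ssh-gateway';             // Host alias from ~/.ssh/config
$target    = 'my-target-server';           // name as resolved from the gateway
$localPort = 2222;                         // placeholder loopback port
$pinnedKey = 'ssh-rsa AAAA...PLACEHOLDER'; // target host key, recorded out of band

// 1. OpenSSH carries the gateway hop: forward a loopback port to the target's sshd.
$devNull = ['file', '/dev/null', 'r+'];
$tunnel = proc_open(
    ['ssh', '-N', '-o', 'BatchMode=yes', '-o', 'ExitOnForwardFailure=yes',
     '-L', "127.0.0.1:$localPort:$target:22", $gateway],
    [0 => $devNull, 1 => $devNull, 2 => $devNull],
    $pipes
);
if (!is_resource($tunnel)) {
    throw new RuntimeException('could not start the ssh tunnel');
}
try {
    // 2. Wait (up to about 5 s) until the forwarded port accepts connections.
    for ($i = 0; $i < 50; $i++) {
        if (($probe = @fsockopen('127.0.0.1', $localPort, $errno, $errstr, 0.1)) !== false) {
            fclose($probe);
            break;
        }
        usleep(100000);
    }
    // 3. phpseclib talks SSH end to end with the target through the tunnel, so it is
    //    the target's host key that gets pinned here, not the gateway's.
    $ssh = new SSH2('127.0.0.1', $localPort);
    $hostKey = $ssh->getServerPublicHostKey();
    if ($hostKey === false || !hash_equals($pinnedKey, $hostKey)) {
        throw new RuntimeException('target host key does not match the pinned key');
    }
    $key = new RSA();
    $key->loadKey(file_get_contents('/path/to/id_rsa')); // placeholder key path
    if (!$ssh->login('deploy', $key)) {                  // placeholder user name
        throw new RuntimeException('login to the target failed');
    }
    echo $ssh->exec('hostname');
} finally {
    proc_terminate($tunnel);
    proc_close($tunnel);
}
```

Because authentication to the target happens from the local machine, the gateway never holds the private key and does not need `ForwardAgent yes` for this path.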