
I've just revised my "deep-ssh" script to use quoting that I think will
work better.  I'd been engaging in wishful thinking previously, hoping
against hope that bash would do Python-style quoting (i.e., alternating '
and "), but I've switched instead to " alone with exponential backslashes.

Anyway, deep-ssh is a Python script that builds shell commands that run
ssh under ssh under ssh...  and so on.  So if you have to get past two
routing discontinuities (i.e., firewalls), you can do it in one command,
with something like:

deep-ssh host1.com!user@host2.com 'uname -a'

The syntax is clearly inspired by UUCP.  :)

The default username on each hop is, of course, the same as the username on
the prior hop.

Deep-ssh will also attempt to set up X11 tunneling automatically, although
at this time it only knows about -X.  I may add some form of -Y support
eventually.

I have a web page up about it at
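
The quoting scheme described in the post above, as an added example that is not from the post or from deep-ssh itself: each hop wraps the command in one more layer of double quotes, so the run of backslashes in front of a quoted character grows as 2^n - 1 over n hops. The function names, the `alice` local user, the `*.example` hostnames and the character-set check on hop names are assumptions.

```python
import re

SPECIAL = re.compile(r'([\\"$`])')      # still interpreted by a POSIX shell inside "..."
NAME_OK = re.compile(r'[A-Za-z0-9_][A-Za-z0-9_.-]*\Z')  # conservative user/host charset

def dq_quote(s):
    """Wrap s in double quotes, backslash-escaping \\ " $ and `."""
    return '"' + SPECIAL.sub(r'\\\1', s) + '"'

def dq_unquote(q):
    """Undo dq_quote: what one shell pass recovers from a "..." word."""
    if len(q) < 2 or q[0] != '"' or q[-1] != '"':
        raise ValueError('not a double-quoted word')
    return re.sub(r'\\([\\"$`])', r'\1', q[1:-1])

def parse_route(route, local_user):
    """Split 'host1!user@host2' into (user, host) hops.
    A hop without user@ inherits the user of the prior hop (local_user for the first)."""
    hops, user = [], local_user
    for hop in route.split('!'):
        if '@' in hop:
            user, hop = hop.split('@', 1)
        # Hop names are placed on the command line unquoted, so keep them strict.
        if not (NAME_OK.match(user) and NAME_OK.match(hop)):
            raise ValueError(f'unsafe user or host in hop: {user!r}@{hop!r}')
        hops.append((user, hop))
    return hops

def build_command(route, command, local_user='alice'):
    """Return the one shell line that runs command on the last hop of route."""
    line = command
    for user, host in reversed(parse_route(route, local_user)):
        line = f'ssh {user}@{host} {dq_quote(line)}'   # one more quoting level per hop
    return line

if __name__ == '__main__':
    # Constructed inputs: the route from the post, and a command with shell metacharacters.
    print(build_command('host1.com!user@host2.com', 'uname -a'))
    print(build_command('a.example!b.example!c.example', 'echo "$HOME"'))
```

Applying `dq_unquote` once per hop to the quoted part of the line recovers the original command, which is a quick way to check a quoting routine without touching a real host.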


Re: "deep-ssh"

The problem with chaining ssh'es like that (i.e. "ssh gateway ssh targethost")
is that each and every gateway host is a potential attack point at which
the traffic may be monitored and/or modified.

With OpenSSH, if you have a suitable command on the intermediate host
(e.g. connect[1] or netcat) then you can achieve a similar effect using
the ProxyCommand option, e.g. in your ~/.ssh/config:

Host targethost
    ProxyCommand ssh gateway connect %h %p

This has the disadvantage of double-encrypting the traffic in the first
hop but has the advantage of encrypting the second session end-to-end.

[1] http://www.taiyo.co.jp/~gotoh/ssh/connect.html

Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
