 

Emulating ssh's ProxyCommand using the Node.js ssh2 module

Tags:

node.js

ssh

I have a server (say, innerserver) that can only be reached from another server (say, outerserver), not from the one running the Node server. However, the Node server can reach outerserver. When using ssh from the command line I can use the ProxyCommand configuration file statement to simplify connections. My config file looks like this:

Host innerserver
ProxyCommand ssh outerserver nc innerserver 22

This allows me to simply type ssh innerserver and ssh will tunnel it through outerserver. Now I want to achieve the same thing using Node's ssh2 module. The documentation says that the `sock` option of connect() can be used for "connection hopping", but it never states what exactly that means or how you'd go about using it. I tried the following:

var ssh2 = require('ssh2');
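function runCommand(command, callback) {
  // Runs `command` on innerserver by tunnelling through outerserver: the
  // outer SSH session executes `nc innerserver 22` and the resulting channel
  // stream is handed to a second ssh2 client as its transport (`sock`).
  //
  // command  - shell command to execute on innerserver
  // callback - invoked exactly once, with the command's stdout as a string
  //            or with the string 'error' on any failure (key file, connect,
  //            exec). Both connections are closed before it is called.
  //
  // NOTE(review): neither connect() call sets ssh2's `hostVerifier`, so the
  // host keys of outerserver and innerserver are not checked by this code;
  // confirm that is acceptable for the network this runs on.
  var connection = new ssh2();
  var finished = false;

  // Report the result once, then tear down the outer session (which also
  // closes the inner session that runs over one of its channels).
  function finish(result) {
    if (finished) return;
    finished = true;
    connection.end();
    callback(result);
  }

  require('fs').readFile('/path/to/key/file', function(err, privateKey) {
    if (err) {
      // Nothing has been connected yet, so there is no session to close.
      console.log('key file error:', err);
      finished = true;
      callback('error');
      return;
    }
    connection
      .on('ready', function() {
        connection.exec('nc innerserver 22', function(err, stream) {
          if (err) {
            console.log('outer exec error:', err);
            return finish('error');
          }
          var innerConnection = new ssh2();
          innerConnection
            .on('ready', function() {
              console.log('ready');
              innerConnection.exec(command, function(err, innerstream) {
                if (err) {
                  console.log('inner exec error:', err);
                  return finish('error');
                }
                var chunks = [];
                innerstream.on('data', function(chunk) {
                  chunks.push(chunk);
                });
                innerstream.on('end', function() {
                  // Concatenate raw chunks before decoding so a multi-byte
                  // character split across two chunks is not mangled.
                  finish(Buffer.concat(chunks).toString());
                });
              });
            })
            .on('error', function(msg) {
              console.log('inner error:', msg);
              finish('error');
            })
            .connect({username: 'user', privateKey: privateKey, sock: stream, debug: function(msg) {
              console.log('inner', msg);
            }});
        });
      })
      .on('error', function(msg) {
        console.log('outer error', msg);
        finish('error');
      })
      .connect({host: 'outerserver', username: 'user', privateKey: privateKey, debug: function(msg) {
        console.log('outer:', msg);
      }});
  });
}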

I get the following output:

outer: DEBUG: Parser: STATE_INIT
outer: DEBUG: Parser: STATE_GREETING
outer: DEBUG: Parser: STATE_HEADER
outer: DEBUG: Connection: Server ident: 'SSH-2.0-OpenSSH_6.4'
outer: DEBUG: Parser: STATE_PACKETBEFORE (expecting 8)
outer: DEBUG: Parser: STATE_PACKET
outer: DEBUG: Parser: pktLen:1532,padLen:7,remainLen:1528
outer: DEBUG: Parser: STATE_PACKETDATA
outer: DEBUG: Parser: STATE_PACKETDATAAFTER, packet: KEXINIT
outer: DEBUG: Parser: STATE_PACKETBEFORE (expecting 8)
outer: DEBUG: Connection: Sent KEXINIT
outer: DEBUG: Connection: Comparing KEXInits...
outer: DEBUG: (local) Server->Client ciphers: aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,blowfish-cbc,3des-cbc,arcfour256,arcfour128,cast128-cbc,arcfour
outer: DEBUG: (remote) Server->Client ciphers: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
outer: DEBUG: Connection: Server->Client Cipher: aes256-ctr
outer: DEBUG: (local) Client->Server ciphers: aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,blowfish-cbc,3des-cbc,arcfour256,arcfour128,cast128-cbc,arcfour
outer: DEBUG: (remote) Client->Server ciphers: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[email protected],[email protected],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[email protected]
outer: DEBUG: Connection: Client->Server Cipher: aes256-ctr
outer: DEBUG: (local) KEX algorithms: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
outer: DEBUG: (remote) KEX algorithms: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
outer: DEBUG: Connection: KEX: diffie-hellman-group14-sha1
outer: DEBUG: (local) Client->Server HMAC algorithms: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
outer: DEBUG: (remote) Client->Server HMAC algorithms: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
outer: DEBUG: Connection: Client->Server HMAC: hmac-md5
outer: DEBUG: (local) Server->Client HMAC algorithms: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
outer: DEBUG: (remote) Server->Client HMAC algorithms: [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],hmac-md5,hmac-sha1,[email protected],[email protected],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
outer: DEBUG: Connection: Server->Client HMAC: hmac-md5
outer: DEBUG: (local) Client->Server compression algorithms: none
outer: DEBUG: (remote) Client->Server compression algorithms: none,[email protected]
outer: DEBUG: Connection: Client->Server Compression: none
outer: DEBUG: (local) Server->Client compression algorithms: none
outer: DEBUG: (remote) Server->Client compression algorithms: none,[email protected]
outer: DEBUG: Connection: Server->Client Compression: none
outer: DEBUG: (local) Host key formats: ssh-rsa,ssh-dss
outer: DEBUG: (remote) Host key formats: ssh-rsa,ecdsa-sha2-nistp256
outer: DEBUG: Connection: Host key format: ssh-rsa
outer: DEBUG: Connection: Sent KEXDH_INIT
outer: DEBUG: Parser: STATE_PACKET
outer: DEBUG: Parser: pktLen:828,padLen:7,remainLen:824
outer: DEBUG: Parser: STATE_PACKETDATA
outer: DEBUG: Parser: STATE_PACKETDATAAFTER, packet: KEXDH_REPLY
outer: DEBUG: Connection: Checking host key format
outer: DEBUG: Connection: Checking signature format
outer: DEBUG: Connection: Verifying signature
outer: DEBUG: Connection: Sent NEWKEYS
outer: DEBUG: Parser: STATE_PACKETBEFORE (expecting 8)
outer: DEBUG: Parser: STATE_PACKET
outer: DEBUG: Parser: pktLen:12,padLen:10,remainLen:8
outer: DEBUG: Parser: STATE_PACKETDATA
outer: DEBUG: Parser: STATE_PACKETDATAAFTER, packet: NEWKEYS
outer: DEBUG: Connection: Sent SERVICE_REQUEST
outer: DEBUG: Parser: STATE_PACKETBEFORE (expecting 16)
outer: DEBUG: Parser: STATE_PACKET
outer: DEBUG: Parser: Decrypting
outer: DEBUG: Parser: pktLen:28,padLen:10,remainLen:16
outer: DEBUG: Parser: STATE_PACKETDATA
outer: DEBUG: Parser: Decrypting
outer: DEBUG: Parser: hmacSize:16
outer: DEBUG: Parser: STATE_PACKETDATAVERIFY
outer: DEBUG: Parser: Verifying MAC
outer: DEBUG: Parser: STATE_PACKETDATAAFTER, packet: SERVICE_ACCEPT
outer: DEBUG: Connection: Sent USERAUTH_REQUEST (publickey -- check)
outer: DEBUG: Parser: STATE_PACKETBEFORE (expecting 16)
outer: DEBUG: Parser: STATE_PACKET
outer: DEBUG: Parser: Decrypting
outer: DEBUG: Parser: pktLen:300,padLen:4,remainLen:288
outer: DEBUG: Parser: STATE_PACKETDATA
outer: DEBUG: Parser: Decrypting
outer: DEBUG: Parser: hmacSize:16
outer: DEBUG: Parser: STATE_PACKETDATAVERIFY
outer: DEBUG: Parser: Verifying MAC
outer: DEBUG: Parser: STATE_PACKETDATAAFTER, packet: USERAUTH_PK_OK
outer: DEBUG: Connection: Sent USERAUTH_REQUEST (publickey)
outer: DEBUG: Parser: STATE_PACKETBEFORE (expecting 16)
outer: DEBUG: Parser: STATE_PACKET
outer: DEBUG: Parser: Decrypting
outer: DEBUG: Parser: pktLen:12,padLen:10,remainLen:0
outer: DEBUG: Parser: STATE_PACKETDATA
outer: DEBUG: Parser: hmacSize:16
outer: DEBUG: Parser: STATE_PACKETDATAVERIFY
outer: DEBUG: Parser: Verifying MAC
outer: DEBUG: Parser: STATE_PACKETDATAAFTER, packet: USERAUTH_SUCCESS
outer: DEBUG: Connection: Sent CHANNEL_OPEN
outer: DEBUG: Parser: STATE_PACKETBEFORE (expecting 16)
outer: DEBUG: Parser: STATE_PACKET
outer: DEBUG: Parser: Decrypting
outer: DEBUG: Parser: pktLen:28,padLen:10,remainLen:16
outer: DEBUG: Parser: STATE_PACKETDATA
outer: DEBUG: Parser: Decrypting
outer: DEBUG: Parser: hmacSize:16
outer: DEBUG: Parser: STATE_PACKETDATAVERIFY
outer: DEBUG: Parser: Verifying MAC
outer: DEBUG: Parser: STATE_PACKETDATAAFTER, packet: CHANNEL_OPEN_CONFIRMATION
outer: DEBUG: Channel: Sent CHANNEL_REQUEST (exec)
outer: DEBUG: Parser: STATE_PACKETBEFORE (expecting 16)
outer: DEBUG: Parser: STATE_PACKET
outer: DEBUG: Parser: Decrypting
outer: DEBUG: Parser: pktLen:28,padLen:18,remainLen:16
outer: DEBUG: Parser: STATE_PACKETDATA
outer: DEBUG: Parser: Decrypting
outer: DEBUG: Parser: hmacSize:16
outer: DEBUG: Parser: STATE_PACKETDATAVERIFY
outer: DEBUG: Parser: Verifying MAC
outer: DEBUG: Parser: STATE_PACKETDATAAFTER, packet: CHANNEL_WINDOW_ADJUST
outer: DEBUG: Parser: STATE_PACKETBEFORE (expecting 16)
outer: DEBUG: Parser: STATE_PACKET
outer: DEBUG: Parser: Decrypting
outer: DEBUG: Parser: pktLen:12,padLen:6,remainLen:0
outer: DEBUG: Parser: STATE_PACKETDATA
outer: DEBUG: Parser: hmacSize:16
outer: DEBUG: Parser: STATE_PACKETDATAVERIFY
outer: DEBUG: Parser: Verifying MAC
outer: DEBUG: Parser: STATE_PACKETDATAAFTER, packet: CHANNEL_SUCCESS
outer: DEBUG: Parser: STATE_PACKETBEFORE (expecting 16)
outer: DEBUG: Parser: STATE_PACKET
outer: DEBUG: Parser: Decrypting
outer: DEBUG: Parser: pktLen:44,padLen:13,remainLen:32
outer: DEBUG: Parser: STATE_PACKETDATA
outer: DEBUG: Parser: Decrypting
outer: DEBUG: Parser: hmacSize:16
outer: DEBUG: Parser: STATE_PACKETDATAVERIFY
outer: DEBUG: Parser: Verifying MAC
outer: DEBUG: Parser: STATE_PACKETDATAAFTER, packet: CHANNEL_DATA
inner DEBUG: Parser: STATE_INIT
inner DEBUG: Parser: STATE_GREETING
inner DEBUG: Parser: STATE_HEADER
inner DEBUG: Connection: Server ident: 'SSH-2.0-OpenSSH_6.4'
inner DEBUG: Parser: STATE_PACKETBEFORE (expecting 8)
outer: DEBUG: Parser: STATE_PACKETBEFORE (expecting 16)
inner DEBUG: Connection: Sent KEXINIT

It seems the inner connection is never really established. What am I doing wrong?

Holger Avatar asked Mar 04 '14 14:03

Holger


1 Answers

UPDATE: You may be better off using connection.forwardOut() (as long as it's permitted by the server) instead of relying on netcat or similar utilities to make the next hop.

As of ssh2 v0.2.19 you can do something like this for connection hopping:

var Connection = require('ssh2');

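// Two-hop SSH session: conn1 reaches the first host directly, conn2 reaches
// the second host over a channel opened on conn1 (passed as `sock`).
//
// NOTE(review): neither client sets a `hostVerifier`, so the host keys of
// either hop are not checked by this example; add one before relying on it.
var conn1 = new Connection();
var conn2 = new Connection();

// First hop: once conn1 is up, run netcat against the second host's SSH port
// and hand the resulting channel stream to conn2 as its transport.
conn1.on('ready', function() {
  console.log('FIRST :: connection ready');
  conn1.exec('nc 192.168.1.2 22', function(err, stream) {
    if (err) {
      console.log('FIRST :: exec error: ' + err);
      return conn1.end(); // nothing else can proceed; do not leave the session open
    }
    conn2.connect({
      sock: stream,
      username: 'user2',
      password: 'password2'
    });
  });
});
// Without an 'error' listener an emitted error is thrown and takes the whole
// process down; log it and close the session instead.
conn1.on('error', function(err) {
  console.log('FIRST :: connection error: ' + err);
  conn1.end();
});
conn1.connect({
  host: '192.168.1.1',
  username: 'user1',
  password: 'password1'
});

// Second hop: run the command and close the parent session when its output
// ends, which also closes conn2 (its transport is a channel of conn1).
conn2.on('ready', function() {
  console.log('SECOND :: connection ready');
  conn2.exec('uptime', function(err, stream) {
    if (err) {
      console.log('SECOND :: exec error: ' + err);
      return conn1.end();
    }
    stream.on('data', function(data) {
      console.log(data.toString());
    });
    stream.on('end', function() {
      conn1.end(); // close parent (and this) connection
    });
  });
});
conn2.on('error', function(err) {
  console.log('SECOND :: connection error: ' + err);
  conn1.end();
});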
mscdex Avatar answered Oct 12 '22 11:10

mscdex