
What is the difference between ssh proxycommand -W, nc, exec nc

Tags:

ssh

I have seen a few blogs about .ssh/config and ProxyCommand.

Now, what is the difference between the next commands?

ProxyCommand ssh proxyserver -W [%h]:%p

ProxyCommand ssh proxyserver nc -q0 %h %p 2> /dev/null

ProxyCommand ssh proxyserver exec nc -q0 %h %p 2> /dev/null

Some of these commands work on some machines, and don't work on others.

zidarsk8 asked Mar 25 '14 13:03


1 Answer

Here's how I understand it:


  1. ProxyCommand ssh proxyserver -W [%h]:%p

    • The -W option is built into new(er) versions of OpenSSH, so this will only work on machines that have the minimum version (5.4, unless your distro back-ported any features; e.g., RHEL6 OpenSSH 5.3p1 includes this feature). Per the release notes: http://www.openssh.com/txt/release-5.4

      Added a 'netcat mode' to ssh(1): "ssh -W host:port ..." This connects stdio on the client to a single port forward on the server. This allows, for example, using ssh as a ProxyCommand to route connections via intermediate servers.

  2. ProxyCommand ssh proxyserver nc -q0 %h %p 2> /dev/null

    • Before the -W option was available, we used the nc (or netcat) utility. nc allows you to forward TCP & UDP packets to specified (alternate) locations and essentially behaves the same as ssh -W (as ssh -W was modeled after nc). In order for this variation to work the intermediate host(s) require(s) that nc be installed and the option AllowTcpForwarding must be enabled in the host's sshd_config (default: yes). The option -q0 to nc is (supposed to be) for quieting errors, but I can't find in which version this was introduced. (Note: 2> /dev/null is probably to quiet ssh errors, but one can use ssh -q instead.)

  3. ProxyCommand ssh proxyserver exec nc -q0 %h %p 2> /dev/null

    • This is very much the same as the second variation, except you're calling the shell's built-in function exec. I'm not sure, but I believe there is no difference between including or excluding exec from the ProxyCommand; this variation should function everywhere the variation above does. For example, the Bash manual says something like this:

      exec [-cl] [-a name] [command [arguments]]

      If command is specified, it replaces the shell. No new process is created. The arguments become the arguments to command. If the -l option is supplied, the shell places a dash at the beginning of the zeroth argument passed to command. This is what login(1) does. The -c option causes command to be executed with an empty environment. If -a is supplied, the shell passes name as the zeroth argument to the executed command. If command cannot be executed for some reason, a non-interactive shell exits, unless the shell option execfail is enabled, in which case it returns failure. An interactive shell returns failure if the file cannot be executed. If command is not specified, any redirections take effect in the current shell, and the return status is 0. If there is a redirection error, the return status is 1.

aDroid answered Sep 28 '22 04:09
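The following is an added example, not code from the question or the answer: POSIX shell functions that parse an `ssh -V` banner and print the ProxyCommand variant matching the 5.4 cutoff the answer cites for -W. The function names and the sample banners are constructed; because only the version number is inspected, a client with a back-ported -W (the RHEL6 case the answer mentions) is reported as needing nc.

```shell
#!/bin/sh
# Added example: pick a ProxyCommand variant from the ssh client's version banner.
# "proxyserver" is the placeholder host used on the page; function names are
# hypothetical. Usage on a real machine: proxycommand_for "$(ssh -V 2>&1)"
# (ssh -V writes its banner to stderr).

# Print "MAJOR MINOR" for a banner such as
# "OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013"; print nothing if it
# is not an OpenSSH banner.
openssh_version() {
    printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p'
}

# Exit 0 if the banner reports OpenSSH >= 5.4 (the release that added -W),
# 1 if it reports an older release, 2 if the banner is not recognised.
supports_netcat_mode() {
    set -- $(openssh_version "$1")
    [ $# -eq 2 ] || return 2
    [ "$1" -gt 5 ] || { [ "$1" -eq 5 ] && [ "$2" -ge 4 ]; }
}

# Print the ssh_config line for a client with the given banner.
proxycommand_for() {
    supports_netcat_mode "$1" && rc=0 || rc=$?
    case $rc in
        0) printf '%s\n' 'ProxyCommand ssh proxyserver -W [%h]:%p' ;;
        1) # Older client: fall back to nc, which must exist on proxyserver.
           printf '%s\n' 'ProxyCommand ssh proxyserver nc -q0 %h %p 2> /dev/null' ;;
        *) echo 'unrecognised ssh -V banner' >&2
           return 1 ;;
    esac
}
```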