I’m normally a PuTTY user, but I’m temporarily on a *IX (MacOS) system, and learning a few simple techniques for doing some of what I’ve done with PuTTY, plink, and pageant. So I thought I’d jot down a few of those.

SSH keys

First, I’m using SSH keys for much of my authentication. I may add details here later on how to create those, but it’s pretty straightforward to find all over the web.

Next, ssh-add to add SSH keys to your system’s authentication agent (what PuTTY pageant does). e.g.

ssh-add -K /Users/breaux/my-private-key.2048.ssh

Proxy a hop

To proxy/hop through one host that can reach the other hosts you want to reach, use the ProxyCommand option. (Source of this one was fellow IBMer, @Harley Stenzel.)

ssh -o ProxyCommand="ssh -W %h:%p _my-proxy-server_" _my-destination-server_

Further, I can tunnel ports, like the WebSphere administrator port, through that as well:

ssh -o ProxyCommand="ssh -W %h:%p _my-proxy-server_" -L9043:_my-websphere-server_:9043 _my-destination_

Where my-destination and my-websphere-server might or might not be the same server, as long as my-destination can reach my-websphere-server on the port being tunneled.

I’ll get a login shell to my-destination, and a tunneled port 9043 to my-websphere-server, through localhost:9043.

Dynamic Forwarding

Thanks, again, to Harley, this tip actually obviates some of the need for port tunneling. The -D option will dynamically forward connections through a local port, as a SOCKS server. Which… a browser can be configured to use, thus reaching any http URLs on the “other side” of that tunnel.

ssh -D localhost:8888 _my-destination_

Firefox proxy settings


I’m also currently trying out the SwitchyOmega add-on to automatically switch to this proxy configuration when hitting hosts in our private domain. Thus far, it seems to be working exactly as I’d like.

Saving SSH options

Finally, .ssh/config file in your home directory can contain saved configurations. Here’s what mine looks like (again, largely thanks to Harley):

# keepalive  
ServerAliveInterval 60

# proxy  
host *.my.private.domain  
  ProxyCommand ssh -W %h:%p _my-proxy-server_

The first item is just to prevent our firewall from dropping my connection regularly. It sends a “keepalive” request every 60 seconds.

The second allows me to just type:

ssh host1.my.private.domain

and have that automatically use the configured proxy server via the ProxyCommand to connect to host1.my.private.domain. (Assuming that fully-qualified name resolves.)

You can also add Dynamic Forwarding to this file, with a line like this:

  DynamicForward localhost:8888

A reference that helped me: https://www.ericholscher.com/blog/2009/mar/21/really-easy-ssh-tunneling/