MOSH into bastion server, SSH into internal hosts
I have ssh configured to automatically forward through the bastion host:
Host bastion_host
    HostName bastion.example.com

Host internal_host
    ProxyCommand ssh -q bastion_host nc -q0 internal_host.dmz 22
    User internal_user
This works. However, if I try to connect via mosh I get the following error:
$ mosh internal_host
/usr/local/bin/mosh: Could not resolve hostname internal_host
ssh_exchange_identification: Connection closed by remote host
/usr/local/bin/mosh: Did not find remote IP address (is SSH ProxyCommand disabled?).
What I'm looking for is a mosh connection from my system to the bastion host and a normal ssh tunnel from the bastion host to internal hosts. Possible?
You use ProxyCommand in your ssh config, and mosh mentions ProxyCommand in the error message. I think this is the vital clue. mosh uses ProxyCommand internally, and in doing so, it probably overrides your own setting.
I've avoided ProxyCommand with a manual port-forward invocation like this:
ssh -fN -L 2222:internal_host.example.com:22 bastion_host
Then I try to connect to localhost on port 2222:
mosh --ssh="ssh -p2222" internal_user@localhost
Instead of the ProxyCommand error, I get this:
mosh-server: invalid option -- 'l'
Usage: mosh-server new [-s] [-i LOCALADDR] [-p PORT] [-c COLORS] [-- COMMAND...]
I suspect that's due to different versions of mosh, as I see that even when using mosh directly without the bastion_host. In any case, a direct connection works despite the message, so I don't think that's the problem. Rather, I think the issue is that the port forwarding only handles port 22, while mosh also uses a UDP port in 60000:61000. ssh tunneling cannot easily forward UDP traffic, so I think you may be better off using a different architecture.
I presume you want to use mosh for the first hop since your local machine may change networks, etc. Why not just use mosh and ssh like this (perhaps with an alias)?
mosh bastion_host ssh internal_user@internal_host
I use mosh to connect to a bastion server, and run tmux within that session to maintain permanent connections to the internal servers. That might be more useful for your situation too.
UPDATE May 2019
I have changed my process a bit, and run tmux locally and now have a wrapper function for mosh in my ~/.zshrc. I've trimmed some of the details, but you'll get the gist:
function mosh() {
    # Match on the whole argument list ("$*", quoted) rather than an unquoted $@,
    # so the special case only fires for a bare "mosh hostname".
    case "$*" in
        hostname)
            # First hop is mosh to the bastion; the bastion's bash then opens a
            # plain ssh session to the internal host.
            command mosh bastion.domain.com -- bash -c 'echo "Bouncing via bastion..." && echo && ssh hostname.domain.com'
            ;;
        *)
            # Anything else goes straight to the real mosh binary.
            command mosh "$@"
            ;;
    esac
}
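A generalisation of the wrapper in the answer above, added here as an example and not code from the question or the answer: one mosh hop to the bastion (the mosh UDP session terminates there, which is why an ssh -L TCP forward cannot carry it) and a plain ssh from the bastion to whichever internal host is requested. It assumes the bastion_host alias from the question's ssh config (overridable through a hypothetical BASTION variable), that internal host names resolve from the bastion, and that bash is available on the bastion as in the answer; the allowed-character check on the target is this example's own choice. Because the target name is spliced into a command run by the bastion's shell, it is validated before use, which the hard-coded original did not need to do.

```shell
#!/bin/sh
# Added example, not code from the question or the answer above.
# One mosh hop to the bastion (the mosh UDP session terminates there), then a
# plain ssh from the bastion to the requested internal host, so no UDP ever has
# to be carried over an ssh TCP forward.
# Assumptions (placeholders, not from the page): "bastion_host" is the
# ~/.ssh/config alias from the question; internal host names resolve from the
# bastion; bash exists on the bastion; the allowed-character pattern is this
# example's choice.

BASTION="${BASTION:-bastion_host}"

# Return (on stdout) the command the bastion's login shell will run once the
# mosh session is up. The target comes from the user and is spliced into a
# remote shell command, so it is restricted to hostname characters first;
# otherwise an argument such as 'host; rm -rf ~' would execute on the bastion.
remote_hop_cmd() {
    target=$1
    case "$target" in
        ""|*[!A-Za-z0-9._@-]*)
            printf 'refusing target with unexpected characters: %s\n' "$target" >&2
            return 1
            ;;
    esac
    printf 'echo "Bouncing via %s..." && ssh -q %s' "$BASTION" "$target"
}

# Full mosh command line as a single string, for display and for testing
# without actually opening a session.
mosh_via_bastion_cmd() {
    hop=$(remote_hop_cmd "$1") || return 1
    printf "mosh %s -- bash -c '%s'" "$BASTION" "$hop"
}

# Run it for real. Only the first argument is used: mosh options for the
# first hop belong on the bastion connection, not on the inner ssh.
mosh_via_bastion() {
    hop=$(remote_hop_cmd "$1") || return 1
    command mosh "$BASTION" -- bash -c "$hop"
}

# Usage: ./mosh_via_bastion.sh internal_user@internal_host
# (or source the file and call mosh_via_bastion from your own shell function)
if [ $# -gt 0 ]; then
    mosh_via_bastion "$@"
fi
```

Like the answer's version, the inner ssh runs on the bastion, so host keys and any agent forwarding for the internal hosts are the bastion's concern; the local machine only ever holds a mosh session to the bastion.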