Skip to Content

SSH Through SSH SOCKS Proxy

Posted in

Your SSH client can be configured to connect to any host on an internal network through a SSH SOCKS proxy. This maybe necessary in a corporate environment when:

  • there is one SSH proxy server open to the world;
  • there are a number of hosts on the internal corporate network which only allow connections from trusted or "blessed" internal hosts;
  • you just want to have fun with SSH SOCKS proxy.

I set this up on my OS X box, but you could certainly do this on Linux or even Windows. Access to my external corporate SSH server requires a PIN+RSA token key combo. It is only a jump box into the internal network.

  1. Setup connectivity to the external corporate SSH server with SSHKeychain (OS X). Allocate a dynamic port forward to be used as the proxy port. I typically use 1081. 1080 is the most common.
    SSH tab
    Hostname: proxy.corp.company.com
    Port: 22
    Username: me

    Dynamic Ports tab
    Local Port 1081

  2. Verify connectivity to the external corporate server. Again, I use a PIN+RSA token combo for authentication.
  3. Edit ~/.ssh/config.
    This line sets up connectivity to the internal blessed host. You never need to login to this host interactively. SSH connections to this host will use your local SOCKS proxy listening on port 1081.


    Host blessed.company.com
    ForwardAgent yes
    ProxyCommand /usr/bin/nc -x localhost:1081 %h %p


    Host *.company.com
    ForwardAgent yes
    ProxyCommand ssh blessed.company.com /usr/local/bin/nc %h %p

Notice the location of the nc command in the first configuration. This proxy command sends my connections to the blessed host thru localhost:1081 via netcat on my local system. The second configuration sends all other SSH connections for *.company.com through netcat on the blessed host which happens to be a BSD box.