Feature request: SFTP ssh pivot (ProxyJump/ProxyCommand)

[Tsunulukai]

Hello,

It would be great if the Android SFTP plugin for TotalCommander allowed the use of pivot host to access remote servers.

It could be like the firewall option in the ftp plugin or the equivalent of the ssh ProxyJump or ProxyCommand option.

[ghisler(Author)]

I don't know whether this was added yet to the used library sshj or not, see this github discussion:
https://github.com/hierynomus/sshj/pull/337

[Tsunulukai]

Well, the discussion page is tagged as 'merged'.

The merge (commit 9e8bef2) happened on July 6 2017:
https://github.com/hierynomus/sshj/commit/9e8bef24c5dcf5353677333037d5a52ac3f3a34f

There's even an example provided: https://github.com/hierynomus/sshj/blob/master/examples/src/main/java/net/schmizz/sshj/examples/Jump.java

Given the commit date, one could only hope it's available in the compiled builds

[ghisler(Author)]

So how do I test this? I have SFTP servers on ghisler.com and ghisler.ch, can I connect to ghisler.com and then forward the connection to ghisler.ch? Or do I need a special SFTP proxy server software or special configuration on the server?

[Tsunulukai]

Let's say that ghisler.ch is in a private network and ghisler.com can be used as a gateway to reach it from the Internet.
You can test if your SSH/SFTP server would support the scenario with the following ssh config file in a linux VM:

~/.ssh/config

Code: Select all

Host public
    Hostname ghisler.com
    User <username>
    IdentityFile <path_to_ssh_private_key>
    
Host private
    Hostname ghisler.ch
    User <username>
    IdentityFile <path_to_ssh_private_key>
    ProxyJump public
    #ProxyCommand ssh -W %h:%p public  #use as an alternative if your ssh client doesn't support the ProxyJump directive

Once configured in you ssh config file, you should be able to access ghisler.ch through ghisler.com just by typing

Code: Select all

sftp private

or

Code: Select all

ssh private

and you system will automatically connect through to the private target through the public one.

By enabling verbosity in the ssh client you can confirm the use of the proxy host which should look more or less like this:

Code: Select all

ssh -v private
...
debug1: Setting implicit ProxyCommand from ProxyJump: ssh -v -W '[%h]:%p' public
...
debug1: Executing proxy command: exec ssh -v -W '[ghisler.ch]:22' public
...
[Banner of ghisler.com SSH server]
...
[Banner of ghisler.ch SSH server]

Once you validated it's OK with a regular linux client, you're safe to test it within the plugin implementation.

Of course, it doesn't make much sense to do this with two public hosts, but it allows you to test the jump functionality nevertheless.

Beware, the proxy host ssh daemon (the public one in this example, ghisler.com) has to allow proxying (which is usually enabled by default in regular distros, but might not be the case if you don't have full control over the host).
If the SSH server at ghisler.com does not allow this for whaterver reason and you prefer not to fiddle with its configuration, a standard Debian 10 VM with the ssh daemon enabled will do just fine as ProxyHost.