Feature request: SFTP ssh pivot (ProxyJump/ProxyCommand)

Support for Android version of Total Commander

Tsunulukai
Junior Member
Posts: 66
Joined: 2003-02-07, 23:44 UTC

Feature request: SFTP ssh pivot (ProxyJump/ProxyCommand)

Post by Tsunulukai »

Hello,

It would be great if the Android SFTP plugin for TotalCommander allowed the use of a pivot host to access remote servers.

It could be like the firewall option in the ftp plugin or the equivalent of the ssh ProxyJump or ProxyCommand option.
ghisler(Author)
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Re: Feature request: SFTP ssh pivot (ProxyJump/ProxyCommand)

Post by ghisler(Author) »

I don't know whether this was added yet to the used library sshj or not, see this github discussion:
https://github.com/hierynomus/sshj/pull/337
Author of Total Commander
https://www.ghisler.com
Tsunulukai
Junior Member
Posts: 66
Joined: 2003-02-07, 23:44 UTC

Re: Feature request: SFTP ssh pivot (ProxyJump/ProxyCommand)

Post by Tsunulukai »

Well, the discussion page is tagged as 'merged'.

The merge (commit 9e8bef2) happened on July 6 2017:
https://github.com/hierynomus/sshj/commit/9e8bef24c5dcf5353677333037d5a52ac3f3a34f

There's even an example provided: https://github.com/hierynomus/sshj/blob/master/examples/src/main/java/net/schmizz/sshj/examples/Jump.java

Given the commit date, one could only hope it's available in the compiled builds :-)
ghisler(Author)
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Re: Feature request: SFTP ssh pivot (ProxyJump/ProxyCommand)

Post by ghisler(Author) »

So how do I test this? I have SFTP servers on ghisler.com and ghisler.ch, can I connect to ghisler.com and then forward the connection to ghisler.ch? Or do I need a special SFTP proxy server software or special configuration on the server?
Author of Total Commander
https://www.ghisler.com
Tsunulukai
Junior Member
Posts: 66
Joined: 2003-02-07, 23:44 UTC

Re: Feature request: SFTP ssh pivot (ProxyJump/ProxyCommand)

Post by Tsunulukai »

Let's say that ghisler.ch is in a private network and ghisler.com can be used as a gateway to reach it from the Internet.
You can test if your SSH/SFTP server would support the scenario with the following ssh config file in a linux VM:

~/.ssh/config

Host public
    Hostname ghisler.com
    User <username>
    IdentityFile <path_to_ssh_private_key>

Host private
    Hostname ghisler.ch
    User <username>
    IdentityFile <path_to_ssh_private_key>
    ProxyJump public
    #ProxyCommand ssh -W %h:%p public  #use as an alternative if your ssh client doesn't support the ProxyJump directive

Once configured in your ssh config file, you should be able to access ghisler.ch through ghisler.com just by typing

sftp private

or

ssh private

and your system will automatically connect through to the private target through the public one.

By enabling verbosity in the ssh client you can confirm the use of the proxy host, which should look more or less like this:

ssh -v private
...
debug1: Setting implicit ProxyCommand from ProxyJump: ssh -v -W '[%h]:%p' public
...
debug1: Executing proxy command: exec ssh -v -W '[ghisler.ch]:22' public
...
[Banner of ghisler.com SSH server]
...
[Banner of ghisler.ch SSH server]

Once you have validated it's OK with a regular linux client, you're safe to test it within the plugin implementation.

Of course, it doesn't make much sense to do this with two public hosts, but it allows you to test the jump functionality nevertheless.

Beware, the proxy host ssh daemon (the public one in this example, ghisler.com) has to allow proxying (which is usually enabled by default in regular distros, but might not be the case if you don't have full control over the host).
If the SSH server at ghisler.com does not allow this for whatever reason and you prefer not to fiddle with its configuration, a standard Debian 10 VM with the ssh daemon enabled will do just fine as ProxyHost.
Tsunulukai
Junior Member
Posts: 66
Joined: 2003-02-07, 23:44 UTC

Re: Feature request: SFTP ssh pivot (ProxyJump/ProxyCommand)

Post by Tsunulukai »

As I saw interest in the same feature for the SFTP plugin on Windows (https://www.ghisler.ch/board/viewtopic.php?t=77378), I thought it could be useful to bump up this thread to see if there's also interest for the same feature on Android...
Any plans to implement this leveraging the possibility offered in sshj?
ghisler(Author)
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Re: Feature request: SFTP ssh pivot (ProxyJump/ProxyCommand)

Post by ghisler(Author) »

The used sshj library does indeed seem to support it:
https://github.com/hierynomus/sshj/blob/master/examples/src/main/java/net/schmizz/sshj/examples/Jump.java
Does this do what you want?
Author of Total Commander
https://www.ghisler.com
Tsunulukai
Junior Member
Posts: 66
Joined: 2003-02-07, 23:44 UTC

Re: Feature request: SFTP ssh pivot (ProxyJump/ProxyCommand)

Post by Tsunulukai »

Yes, this seems to implement the SSH proxyjump feature. Would be great seeing that feature available on the sftp plugin!
AntonyD
Power Member
Posts: 1231
Joined: 2006-11-04, 15:30 UTC
Location: Russian Federation

Re: Feature request: SFTP ssh pivot (ProxyJump/ProxyCommand)

Post by AntonyD »

Perhaps it would be great if something like this could be translated to the Windows version of the SFTP plugin. There was already a topic on the forum, I don't remember where it is now - where this was discussed. It kind of turned out the same way there - there was just no right C/C++\Delphi library with support for the necessary functionality. Maybe this java code can be converted to fit these C/C++\Delphi needs?
#146217 personal license
Tsunulukai
Junior Member
Posts: 66
Joined: 2003-02-07, 23:44 UTC

Re: Feature request: SFTP ssh pivot (ProxyJump/ProxyCommand)

Post by Tsunulukai »

Windows version of this feature has been requested in this thread:
https://www.ghisler.ch/board/viewtopic.php?t=77378
ghisler(Author)
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Re: Feature request: SFTP ssh pivot (ProxyJump/ProxyCommand)

Post by ghisler(Author) »

I have added this now to the Android SFTP plugin 2.60 beta 1. You can get the beta version via Play Store here:
https://play.google.com/apps/testing/com.ghisler.tcplugins.SFTP

It would be great if those who have requested this feature would test it and give me some feedback here.
The jump server (proxy) needs to be defined just like a regular connection, and can then be used in the connection settings of other servers. You can even define longer chains. Example:
server A uses server B as proxy.
server B uses server C as proxy.
Then the connection to server A will go like this:
client -> server C -> server B -> server A.
A maximum of 20 hops is supported. You will get an error when defining an infinite loop like server A -> server B -> server A.
Author of Total Commander
https://www.ghisler.com
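As an added example (not Total Commander's or sshj's code), the following Python function resolves the proxy chain the post describes, applying the 20-hop limit and the loop check; how hops are counted (proxies in front of the target) is this example's assumption, and the connection tables are constructed.

```python
from __future__ import annotations

MAX_HOPS = 20  # hop limit stated in the post


class ProxyChainError(ValueError):
    """Raised for unknown proxies, loops, or chains longer than MAX_HOPS."""


def resolve_chain(connections: dict[str, str | None], target: str) -> list[str]:
    """Return the servers in the order the client must connect to them.

    ``connections`` maps a connection name to the name of the connection it
    uses as proxy, or None. For A->B->C the result is ['C', 'B', 'A']: the
    client reaches C directly, opens B through C, then A through B.
    Hops are counted as the number of proxies in front of the target
    (assumption; the post does not say exactly how it counts).
    """
    if target not in connections:
        raise ProxyChainError(f"unknown connection {target!r}")
    path: list[str] = []          # target first, its proxies appended after it
    seen: set[str] = set()
    current: str | None = target
    while current is not None:
        if current in seen:       # e.g. server A -> server B -> server A
            loop = " -> ".join(path + [current])
            raise ProxyChainError(f"infinite proxy loop: {loop}")
        if current not in connections:
            raise ProxyChainError(f"{path[-1]!r} uses unknown proxy {current!r}")
        seen.add(current)
        path.append(current)
        if len(path) - 1 > MAX_HOPS:
            raise ProxyChainError(f"more than {MAX_HOPS} proxy hops for {target!r}")
        current = connections[current]
    path.reverse()                # outermost proxy is connected first
    return path


# Constructed samples: the chain from the post and a two-server loop.
SAMPLE_CONNECTIONS = {"server A": "server B", "server B": "server C", "server C": None}
LOOP_CONNECTIONS = {"server A": "server B", "server B": "server A"}

if __name__ == "__main__":
    print(" -> ".join(["client"] + resolve_chain(SAMPLE_CONNECTIONS, "server A")))
    try:
        resolve_chain(LOOP_CONNECTIONS, "server A")
    except ProxyChainError as exc:
        print("error:", exc)
```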
Tsunulukai
Junior Member
Posts: 66
Joined: 2003-02-07, 23:44 UTC

Re: Feature request: SFTP ssh pivot (ProxyJump/ProxyCommand)

Post by Tsunulukai »

Hi Christian, thank you for this first iteration!

I just tried it, but it fails with the following error message:

Connect call failed!
Opening 'direct-tcpip' channel failed: open failed

I have set up two SFTP hosts in the plugin:

Host A - 192.168.1.2
Host B - 192.168.1.3

When both are configured without the proxy feature enabled, no problem connecting to the hosts.
When I try to connect to host B with host A as proxy, I get the aforementioned error...

Here are the logs generated by the sshd on the jumphost when trying to use the proxyjump feature from the Android TotalCMD SFTP plugin:

Nov  8 18:10:58 jumphost sshd[1690780]: Accepted publickey for root from 12.34.56.78 port 36204 ssh2: RSA SHA256:O+ELCQbYr6e1qY9YWqT+SzEeamuPN69nGQWbtXh/GrY
Nov  8 18:10:58 jumphost sshd[1690780]: debug1: Entering interactive session for SSH2.
Nov  8 18:10:58 jumphost sshd[1690780]: debug1: server_init_dispatch
Nov  8 18:10:58 jumphost sshd[1690780]: debug1: server_input_channel_open: ctype direct-tcpip rchan 0 win 2097152 max 32768
Nov  8 18:10:58 jumphost sshd[1690780]: error: server_request_direct_tcpip: invalid originator port
Nov  8 18:10:58 jumphost sshd[1690780]: debug1: server_input_channel_open: failure direct-tcpip

When I try the proxyjump from a linux client, it works and here's the sshd output on the jumphost:

Nov  8 18:12:40 jumphost sshd[1690813]: Accepted publickey for root from 12.34.56.78 port 37630 ssh2: RSA SHA256:BtFXJsdLyaWtPSQdrDFIpRDsyMHaWw1l/eQPwzQkT2Q
Nov  8 18:12:40 jumphost sshd[1690813]: debug1: Entering interactive session for SSH2.
Nov  8 18:12:40 jumphost sshd[1690813]: debug1: server_init_dispatch
Nov  8 18:12:40 jumphost sshd[1690813]: debug1: server_input_channel_open: ctype direct-tcpip rchan 2 win 2097152 max 32768
Nov  8 18:12:40 jumphost sshd[1690813]: debug1: server_request_direct_tcpip: originator 127.0.0.1 port 65535, target 192.168.1.3 port 22
Nov  8 18:12:40 jumphost sshd[1690813]: debug1: connect_next: host 192.168.1.3 ([192.168.1.3]:22) in progress, fd=7
Nov  8 18:12:40 jumphost sshd[1690813]: debug1: channel 0: new [direct-tcpip]
Nov  8 18:12:40 jumphost sshd[1690813]: debug1: server_input_channel_open: confirm direct-tcpip
Nov  8 18:12:40 jumphost sshd[1690813]: debug1: channel 0: connected to 192.168.1.3 port 22

Let me know if I can provide you with anything extra to help make this work :)
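The two sshd excerpts above are exactly what a jump host's monitoring should pick up: who opened a direct-tcpip forward, towards which target, and whether sshd accepted it. The following Python is an added example (not part of the post or of any Total Commander code) that groups such lines per sshd session and reports the outcome; the sample log is a constructed, shortened copy of the lines above with the key fingerprints replaced by placeholders.

```python
import re

# Constructed sample, shortened from the two sshd sessions quoted above
# (fingerprints replaced by placeholders).
SAMPLE_LOG = """\
Nov  8 18:10:58 jumphost sshd[1690780]: Accepted publickey for root from 12.34.56.78 port 36204 ssh2: RSA SHA256:<fingerprint-1>
Nov  8 18:10:58 jumphost sshd[1690780]: debug1: server_input_channel_open: ctype direct-tcpip rchan 0 win 2097152 max 32768
Nov  8 18:10:58 jumphost sshd[1690780]: error: server_request_direct_tcpip: invalid originator port
Nov  8 18:10:58 jumphost sshd[1690780]: debug1: server_input_channel_open: failure direct-tcpip
Nov  8 18:12:40 jumphost sshd[1690813]: Accepted publickey for root from 12.34.56.78 port 37630 ssh2: RSA SHA256:<fingerprint-2>
Nov  8 18:12:40 jumphost sshd[1690813]: debug1: server_request_direct_tcpip: originator 127.0.0.1 port 65535, target 192.168.1.3 port 22
Nov  8 18:12:40 jumphost sshd[1690813]: debug1: server_input_channel_open: confirm direct-tcpip
"""

LINE = re.compile(r"^\S+\s+\d+ \S+ \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
ACCEPTED = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port \d+")
TARGET = re.compile(r"server_request_direct_tcpip: originator \S+ port \d+, target (?P<host>\S+) port (?P<port>\d+)")
ERROR = re.compile(r"^error: server_request_direct_tcpip: (?P<reason>.+)$")
RESULT = re.compile(r"server_input_channel_open: (?P<result>confirm|failure) direct-tcpip")


def summarize_forwards(log_text: str) -> dict:
    """Group direct-tcpip channel opens per sshd session (keyed by pid)."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        s = sessions.setdefault(m["pid"], dict.fromkeys(("user", "src", "target", "result", "reason")))
        msg = m["msg"]
        if a := ACCEPTED.match(msg):          # who authenticated, and from where
            s["user"], s["src"] = a["user"], a["src"]
        elif t := TARGET.search(msg):         # only logged when sshd accepted the request
            s["target"] = (t["host"], int(t["port"]))
        elif e := ERROR.match(msg):           # why sshd refused the channel open
            s["reason"] = e["reason"]
        elif r := RESULT.search(msg):         # confirm or failure
            s["result"] = r["result"]
    return sessions


def forward_alerts(log_text: str) -> list[str]:
    """One line per session that opened (or tried to open) a forward through the jump host."""
    alerts = []
    for pid, s in summarize_forwards(log_text).items():
        if s["result"] is None:
            continue
        where = f"to {s['target'][0]}:{s['target'][1]}" if s["target"] else "(target not logged)"
        why = f" ({s['reason']})" if s["reason"] else ""
        alerts.append(f"pid {pid}: {s['user']}@{s['src']} direct-tcpip {where} {s['result']}{why}")
    return alerts
```

The target line only appears at debug1 level, so a production jump host needs `LogLevel VERBOSE` or higher for the "to host:port" part to be available.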
AntonyD
Power Member
Posts: 1231
Joined: 2006-11-04, 15:30 UTC
Location: Russian Federation

Re: Feature request: SFTP ssh pivot (ProxyJump/ProxyCommand)

Post by AntonyD »

In the history of development of the used sshj library there was a bug:
https://github.com/hierynomus/sshj/issues/555
Its old implementation had this line in the file sshj/src/main/java/net/schmizz/sshj/connection/channel/direct/DirectConnection.java:

public static final int LOCALPORT = 65536;

And because 65536 is not a valid port number, the error was happening.

But this was fixed almost 2 years ago!!!
So maybe when Mr. Ghisler was building his library on its basis for use in the newest SFTP plugin he accidentally repeated this error?
Last edited by AntonyD on 2022-11-09, 09:20 UTC, edited 1 time in total.
#146217 personal license
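To show why a value like 65536 only fails on the server side, here is an added Python example, not sshj's or Total Commander's code, that encodes and decodes the RFC 4254 direct-tcpip channel-open request and applies the port range check the jump host's log reports as "invalid originator port". The channel, window and address values are taken from the working sshd log earlier in the thread; the decision strings are this example's own.

```python
import struct

SSH_MSG_CHANNEL_OPEN = 90   # RFC 4253 message number
BUGGY_LOCALPORT, FIXED_LOCALPORT = 65536, 65535   # old sshj constant above vs. port seen in the working log


def _string(data: bytes) -> bytes:
    """SSH 'string' wire type: uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def build_direct_tcpip_open(sender: int, window: int, max_packet: int, target: str,
                            target_port: int, originator: str, originator_port: int) -> bytes:
    """Encode SSH_MSG_CHANNEL_OPEN for direct-tcpip (RFC 4254 section 7.2). Ports are
    uint32 on the wire, so 65536 encodes without any error on the client side."""
    return (bytes([SSH_MSG_CHANNEL_OPEN]) + _string(b"direct-tcpip")
            + struct.pack(">III", sender, window, max_packet)
            + _string(target.encode()) + struct.pack(">I", target_port)
            + _string(originator.encode()) + struct.pack(">I", originator_port))


def parse_direct_tcpip_open(pkt: bytes) -> dict:
    """Decode a packet produced by build_direct_tcpip_open (server side)."""
    def string(off: int):
        (n,) = struct.unpack_from(">I", pkt, off)
        return pkt[off + 4:off + 4 + n], off + 4 + n
    if pkt[0] != SSH_MSG_CHANNEL_OPEN:
        raise ValueError("not SSH_MSG_CHANNEL_OPEN")
    ctype, off = string(1)
    if ctype != b"direct-tcpip":
        raise ValueError(f"unexpected channel type {ctype!r}")
    sender, window, max_packet = struct.unpack_from(">III", pkt, off)
    target, off = string(off + 12)
    (target_port,) = struct.unpack_from(">I", pkt, off)
    originator, off = string(off + 4)
    (originator_port,) = struct.unpack_from(">I", pkt, off)
    return {"sender": sender, "window": window, "max_packet": max_packet,
            "target": (target.decode(), target_port),
            "originator": (originator.decode(), originator_port)}


def server_decision(req: dict) -> str:
    """Range check as the sshd log above reports it: ports above 0xFFFF are refused."""
    if req["target"][1] > 0xFFFF:
        return "invalid target port"
    if req["originator"][1] > 0xFFFF:
        return "invalid originator port"
    return "confirm direct-tcpip"


def outcome_for(originator_port: int) -> str:
    """Client builds the request with the given originator port; the server checks it."""
    pkt = build_direct_tcpip_open(0, 2097152, 32768, "192.168.1.3", 22, "127.0.0.1", originator_port)
    return server_decision(parse_direct_tcpip_open(pkt))
```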
ghisler(Author)
Site Admin
Posts: 48021
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland

Re: Feature request: SFTP ssh pivot (ProxyJump/ProxyCommand)

Post by ghisler(Author) »

Indeed that seems to be the issue, all my servers are still using openssh 7.4p1 (older but fully patched version on centos).
I will update the library.
Author of Total Commander
https://www.ghisler.com
Tsunulukai
Junior Member
Posts: 66
Joined: 2003-02-07, 23:44 UTC

Re: Feature request: SFTP ssh pivot (ProxyJump/ProxyCommand)

Post by Tsunulukai »

Beta2 solves the issue with OpenSSH v8. Proxyjump now works fine on my end.

Small usability annoyance: I'm using a password-protected ssh-keyfile to login to my servers.
When the same key is used to authenticate against both the proxy host(s) and the destination host, the plugin prompts for the key password twice (or more depending on the number of proxy hosts used).

Would it be possible to cache the password associated with the ssh keyfile for a short period of time to avoid having to type it multiple times?
Another option could be to have the key and/or its password (user configurable) stored in the password safe behind the app master password. That could enhance UX while preserving security.

Anyways, thanks for implementing this feature that greatly enhances the usability & usefulness of the SFTP plugin!