{ "info": { "author": "Ken Kundert", "author_email": "ken@designers-guide.com", "bugtrack_url": null, "classifiers": [ "Development Status :: 3 - Alpha", "Environment :: Console", "Intended Audience :: End Users/Desktop", "License :: OSI Approved :: GNU General Public License v3 or later (GPLv3+)", "Natural Language :: English", "Operating System :: POSIX :: Linux", "Programming Language :: Python :: 2.7", "Programming Language :: Python :: 3.3", "Programming Language :: Python :: 3.4", "Programming Language :: Python :: 3.5", "Topic :: Utilities" ], "description": "SSH Config\n==========\n\nInstallation Requirements\n-------------------------\n\nUses docopt::\n\n yum install python-docopt (or python3-docopt)\n\nor::\n\n pip install docopt (or pip3 install docopt)\n\nAlso requires my scripts package::\n\n git clone https://github.com/KenKundert/scripts.git\n cd scripts\n ./install\n\n\nIntroduction\n------------\nSSH Config generates an ssh config file adapted to the network you are currently \nusing. In this way, you always use the fastest paths available for your ssh \nrelated activities (sshfs, email, vnc, mercurial, etc.). You can also easily \nreconfigure ssh to make use of proxies as needed or select certain servers or \nports based on your location or restrictions on the network.\n\nThe following situations are supported:\n\n#. You may give the MAC address or addresses for your router or routers and your \n network will automatically be recognized.\n#. You can configure which hostname or IP address is used for a particular host \n depending on which network you are on. In this way you always use the fastest \n connection available for each host.\n#. You can specify that certain hosts are hidden behind other hosts, so that \n an SSH proxy should be used to access them.\n#. You can specify port forwarding information for each host. Then, two SSH \n configurations will be created for those hosts, one that includes port \n forwarding and one that does not. 
That way, once the port forwards are \n established, you can open additional shells on that host without SSH trying \n to create conflicting port forwards.\n#. You can enter multiple hostnames or IP addresses and give their locations. \n Then, if you specify your location, the closest server will be used \n automatically.\n#. You can specify proxy configurations and specify that one should be used for \n all hosts not on your current network.\n#. You can specify port restrictions and have SSH work around them if possible \n (if your server supports alternative ports).\n#. You can configure a default location, proxy, or set of port restrictions for \n each of your known networks.\n#. Once host names are defined, they do not change even though you are using \n different configurations (different networks, locations, proxies, and port \n restrictions). In this way you can hard code your host names in applications \n such as Mercurial or Git, and they automatically adapt to your existing \n network.\n#. The entire application, including the configuration files, is Python code, \n so you have considerable freedom to change the configuration based on things \n like the name of the machine or the user when generating the SSH config file.\n\nTrivial Configuration\n---------------------\n\nThe hosts that you would like to connect to are described in the hosts.py file. \nA very simple hosts.py file would look like this::\n\n from sshconfig import HostEntry\n\n class Zeebra(HostEntry):\n user = 'herbie'\n hostname = 'zeebra.he.net'\n\nHosts are described by directly subclassing HostEntry. Attributes are added \nthat are generally converted to fields in the ssh config file. 
\n\nThe contents of ~/.ssh/config are replaced when you run::\n\n gensshconfig\n\nThe above hosts.py file is converted into the following ssh config file::\n\n # SSH Configuration for generic network\n # Generated at 1:04 PM on 22 July 2014.\n\n #\n # HOSTS\n #\n\n host zeebra\n user herbie\n hostname zeebra.he.net\n forwardAgent no\n\nThe transformation between a host entry in the hosts.py file and the ssh config \nfile could be affected by the network you are on and any command line options \nthat are specified to gensshconfig, but in this case it is not. Notice that the \nclass name is converted to lower case when creating the host name.\n\nConfiguration\n-------------\n\nThe configuration of sshconfig involves two files, config.py and hosts.py. In \nconfig.py you describe networks, proxies, locations, and general defaults. In \nhosts.py, you describe the machines you would like to connect to on a regular \nbasis.\n\nConfig\n''''''\nA typical config.py file would look like::\n\n #\n # SSH Config -- Basic Network Configuration\n #\n # Defines known networks. 
Recognizes networks by the MAC addresses of their \n # routers, can use this information to set default location, ports, init \n # script and proxy.\n #\n\n from sshconfig import NetworkEntry\n\n # Characteristics of the known networks\n class Home(NetworkEntry):\n routers = ['a8:93:14:8a:e4:31'] # Router MAC addresses\n location = 'home'\n\n class Work(NetworkEntry):\n routers = ['f0:90:76:9c:b1:37'] # Router MAC addresses\n location = 'home'\n\n class WorkWireless(NetworkEntry):\n routers = ['8b:38:10:3c:1e:fe'] # Router MAC addresses\n location = 'home'\n\n class Library(NetworkEntry):\n # Blocks port 22\n routers = [\n 'e4:c7:22:f2:9a:46', # Wireless\n '00:15:c7:01:a7:00', # Wireless\n '00:13:c4:80:e2:89', # Ethernet\n '00:15:c7:01:a7:00', # Ethernet\n ]\n ports = [80, 443]\n location = 'home'\n init_script = 'activate_library_network'\n\n class DC_Peets(NetworkEntry):\n routers = ['e4:15:c4:01:1e:95'] # Wireless\n location = 'washington'\n init_script = 'unlock-peets'\n\n # Preferred networks, in order. 
If one of these networks is not available,\n # another will be chosen at random from the available networks.\n PREFERRED_NETWORKS = ['Work']\n\n # Location of output file (must be an absolute path)\n CONFIG_FILE = \"~/.ssh/config\"\n\n # Attribute overrides for all hosts\n OVERRIDES = \"\"\"\n Ciphers aes256-ctr,aes128-ctr,arcfour256,arcfour,aes256-cbc,aes128-cbc\n \"\"\"\n\n # Attribute defaults for all hosts\n DEFAULTS = \"\"\"\n ForwardX11 no\n\n # This will keep a seemingly dead connection on life support for 10 \n # minutes before giving up on it.\n TCPKeepAlive no\n ServerAliveInterval 60\n ServerAliveCountMax 10\n\n # Enable connection sharing\n ControlMaster auto\n ControlPath /tmp/ssh_mux_%h_%p_%r\n \"\"\"\n\n # Known proxies\n PROXIES = {\n 'work_proxy': 'socat - PROXY:webproxy.ext.workinghard.com:%h:%p,proxyport=80',\n 'school_proxy': 'proxytunnel -q -p sproxy.fna.learning.edu:1080 -d %h:%p',\n 'tunnelr_proxy': 'ssh tunnelr -W %h:%p',\n # it is not necessary to add tunnelr as a proxy, you can always \n # specify a host as a proxy, and if you do you will get this \n # proxyCommand by default. The only benefit adding this entry to \n # PROXIES provides is that tunnelr is listed in the available proxies \n # when using the --available command line option.\n }\n\n # My locations\n LOCATIONS = {\n 'home': 'San Francisco California',\n 'washington': 'Washington DC',\n 'toulouse': 'Toulouse France',\n }\n\nAll of these entries are optional.\n\nSubclassing NetworkEntry creates a network description that is described with \nthe attributes. A subclass will inherit all the attributes of its parent. The \nfollowing attributes are interpreted.\n\nkey:\n Name used when specifying the network. If not present, the class name in \n lower case is used.\n\ndescription:\n A description of the network. 
If not given, the class name is used with the \n following modifications:\n - underscores are replaced by spaces\n - a space is added to separate a lower case to upper case transition\n - double underscores are replaced by ' - '\n\nrouters:\n A list of MAC addresses for the routers that are used to identify the network. \n To find these, connect to the network and run the /sbin/arp command.\n\nlocation:\n The default setting for the location (value should be chosen from LOCATIONS) \n when this network is active.\n\nports:\n The default list of ports that should be available when this network is \n active.\n\ninit_script:\n A script that should be run when on this network. May be a string or a list \n of strings. If it is a list of strings they are joined together to form \n a command.\n\n The unlock-peets script is included as an example of such a script. It is \n used to automate the process of accepting the terms & conditions on the \n click-through page. Unfortunately, while unlock-peets represents a reasonable \n example, each organization requires the basic script to be customized to fit \n their particular click-through pages.\n\n To write a script it is helpful to understand how the unlocking process \n works. The organizations that lock their wifi generally allow your computer \n to directly connect to their access point; however, their firewall is \n configured to block any network traffic from unapproved devices. As you \n connect, they grab the MAC address of your computer's wifi. They then watch \n for web requests emanating from your computer, which they then discard and \n redirect your browser to their router which offers up a page that allows you \n to accept their terms and conditions. This page is customized particularly \n for you: it contains your MAC address. When you accept, your MAC address is \n returned to the router along with your acceptance, and the router then \n rewrites its firewall rules to allow your computer to access the internet. 
\n After some period of time (an hour? a day?) the rules are discarded and you \n lose your connection to the Internet. All of this tremendously abuses \n Internet protocols, and causes its visitors headaches because this hack is \n not compatible with HTTPS or VPN traffic. So for it to work, you must request \n a plain HTTP site with any VPNs disabled, and plain HTTP sites are \n disappearing. The headaches this causes seem to provide very little value to \n anyone. They break the Internet so as to force you to accept their terms and \n conditions, which they presumably feel protects them from lawsuits, but it is \n hard to imagine anybody suing the owner of a public wifi for the actions of \n an anonymous user. But I digress.\n\n Debugging init scripts can be difficult because once you successfully unlock \n the wifi, it generally remains unlocked for at least an hour, and maybe until \n the next day, which limits your ability to test your script. However, in \n Linux it is possible to change your MAC address. If you do so, the router no \n longer recognizes you and you have to go through the unlock process again, \n which allows you to thoroughly exercise and debug your script. To change \n your MAC address, right-click on the Network Manager applet, and select 'Edit \n Connection ...', select the connection you are using, and click 'Edit', then \n copy the 'Device MAC address' into 'Cloned MAC address' and change a few \n digits. The digits are hexadecimal, so choose values between 0-9A-F. Then \n click 'Save', 'Close', and restart your network connection.\n \nproxy:\n The name of the proxy to use by default when this network is active.\n\nPREFERRED_NETWORKS specifies a list of preferred networks. It is useful when your \ncomputer can access multiple networks simultaneously, such as when you are using \na laptop connected to a wired network but you did not turn off the wireless \nnetworking. 
SSH is configured for the first network on the PREFERRED_NETWORKS \nlist that is available. If none of the preferred networks are available, then an \navailable known network is chosen at random. If no known networks are available, \nSSH is configured for a generic network. In the example, the *Work* network is \nlisted in the preferred networks because *Work* and *WorkWireless* would be \nexpected to often be available simultaneously, and *Work* is the wired network \nand is considerably faster than *WorkWireless*.\n\nCONFIG_FILE specifies the name of the ssh config file; the default is \n~/.ssh/config. The path to the SSH config file should be an absolute path.\n\nOVERRIDES contains ssh directives that are simply added to the top of the ssh \nconfig file. Such settings override any settings specified in the host entries. \nDo not place ForwardAgent in OVERRIDES. It will be added on the individual \nhosts and only set to yes if they are trusted.\n\nDEFAULTS contains ssh directives that are added to the bottom of the ssh config \nfile. Such settings act as defaults.\n\nPROXIES allows you to give names to proxyCommand values. These names can then be \nspecified on the command line so that all hosts use the proxy.\n\nLOCATIONS is a dictionary of place names and descriptions of where you are \nlikely to be located. It is needed only if you use the locations feature.\n\n\nHosts\n'''''\nA more typical hosts.py file would generally contain many host specifications.\n\nYou subclass HostEntry to specify a host and then add attributes to configure \nits behavior. Information you specify is largely just placed in the ssh config \nfile unmodified except:\n\n1. The class name is converted to lower case to make it easier to type.\n2. 'forwardAgent' is added and set based on whether the host is trusted.\n3. 
Any attribute that starts with underscore (_) is ignored and so can be used \n to hold intermediate values.\n\nIn most cases, whatever attributes you add to your class get converted into \nfields in the ssh host description. However, there are several attributes that \nare intercepted and used by SSH Config. They are:\n\ndescription:\n A string that is added as a comment above the ssh host description.\n\naliases:\n A list of strings, each of which is added to the list of names that can be \n used to refer to this host.\n\ntrusted:\n Indicates that the base host should be trusted. Currently that means that \n agent forwarding will be configured for the non-tunneling version of the \n host.\n\ntun_trusted:\n Indicates that the tunneling version of the host should be trusted. Currently \n that means that agent forwarding will be configured for the tunneling version \n of the host.\n\nguests:\n A list of machines that are accessed using this host as a proxy.\n\nHere is an example::\n\n class DigitalOcean(HostEntry):\n description = \"Web server\"\n aliases = ['do', 'web']\n user = 'herbie'\n hostname = '107.170.65.89'\n identityFile = 'digitalocean'\n\nThis results in the following entry in the ssh config file::\n\n # Web server\n host digitalocean do web\n user herbie\n hostname 107.170.65.89\n identityFile /home/herbie/.ssh/digitalocean\n identitiesOnly yes\n forwardAgent no\n\nWhen specifying the identityFile, you can either use an absolute or relative \npath. The relative path will be relative to the directory that will contain the \nssh config file. Specifying identityFile results in identitiesOnly being added.\n\nSSHconfig provides two utility functions that you can use in your hosts file to \ncustomize it based on either the hostname or username that are being used when \ngensshconfig is run. They are gethostname() and getusername() and both can be \nimported from sshconfig. 
For example, I generally use a different identity (ssh \nkey) from each machine I operate from. To implement this, at the top of my hosts \nfile I have::\n\n from sshconfig import HostEntry, gethostname\n\n class DigitalOcean(HostEntry):\n description = \"Web server\"\n aliases = ['do', 'web']\n user = 'herbie'\n hostname = '107.170.65.89'\n identityFile = gethostname()\n\n\nPorts\n'''''\n\nIf a host is capable of accepting connections on more than one port, you should \nuse the choose() method of the ports object to select the appropriate port.\n\nFor example::\n\n from sshconfig import HostEntry, ports\n\n class Tunnelr(HostEntry):\n description = \"Proxy server\"\n user = 'kundert'\n hostname = 'fremont.tunnelr.com'\n port = ports.choose([22, 80, 443])\n identityFile = 'tunnelr'\n\nAn entry such as this would be used when sshd on the host has been configured to \naccept ssh traffic on a number of ports, in this case, ports 22, 80 and 443.\n\nThe actual port used is generally the first port given in the list provided to \nchoose(). However, this behavior can be overridden with the --ports (or -p) \ncommand line option. For example::\n\n gensshconfig --ports=80,443\n\nor::\n\n gensshconfig -p80,443\n\nThis causes ports.choose() to return the first port given in the --ports \nspecification if it is given anywhere in the list of available ports given as an \nargument to choose(). If the first port does not work, it will try to return the \nnext one given, and so on. So in this example, port 80 would be returned. 
If \n-p443,80 were specified, then port 443 would be used.\n\nYou can specify as many ports as you like in a --ports specification, just \nseparate them with a comma and do not add spaces.\n\nIn this next example, we customize the proxy command based on the port chosen::\n\n class Home(HostEntry):\n description = \"Home server\"\n user = 'herbie'\n hostname = {\n 'home': '192.168.1.32',\n 'default': '231.91.164.05'\n }\n port = ports.choose([22, 80])\n if port in [80]:\n proxyCommand = 'socat - PROXY:%h:127.0.0.1:22,proxyport=%p'\n identityFile = 'my2014key'\n dynamicForward = 9999\n\nAn entry such as this would be used if sshd is configured to directly accept \ntraffic on port 22, and Apache is configured to act as a proxy for ssh on ports \n80 and 443 (see `SSH via HTTP \n`.\n\nIf you prefer, you can use proxytunnel rather than socat in the proxy command::\n\n proxyCommand = 'proxytunnel -q -p %h:%p -d 127.0.0.1:22'\n\n\nAttribute Descriptions\n''''''''''''''''''''''\n\nMost attributes can be given as a two element tuple. The first value in the pair \nis used as the value of the attribute, and the second should be a string that is \nadded as a comment to describe the attribute. For example::\n\n hostname = '65.19.130.60', 'fremont.tunnelr.com'\n\nis converted to::\n\n hostname 65.19.130.60\n # fremont.tunnelr.com\n\n\nHostname\n''''''''\n\nThe hostname may be a simple string, or it may be a dictionary. If given as \na dictionary, each entry will have a string key and string value. The key would \nbe the name of the network (in lower case) and the value would be the hostname \nor IP address to use when on that network. One of the keys may be 'default', \nwhich is used if the network does not match one of the given networks. 
For \nexample::\n\n class Home(HostEntry):\n hostname = {\n 'home': '192.168.0.1',\n 'default': '74.125.232.64'\n }\n\nWhen on the home network, this results in an ssh host description of::\n\n host home\n hostname 192.168.0.1\n forwardAgent no\n\nWhen not on the home network, it results in an ssh host description of::\n\n host home\n hostname 74.125.232.64\n forwardAgent no\n\nThe ssh config file entry for this host will not be generated if not on one of \nthe specified networks and if default is not specified.\n\nIt is sometimes appropriate to set the hostname based on which host you are on \nrather than on which network. For example, if an sshconfig host configuration \nfile is shared between multiple machines, then it is appropriate to give the \nfollowing for a host which may become localhost:: \n\n class Home(HostEntry):\n if gethostname() == 'home':\n hostname = '127.0.0.1'\n else:\n hostname = '192.168.1.4'\n\nLocation\n''''''''\n\nIt is also possible to choose the hostname based on location. The user specifies \nlocation using::\n\n gensshconfig --location=washington\n\nor::\n\n gensshconfig -lwashington\n\nYou can get a list of the known locations using::\n\n gensshconfig --available\n\nTo configure support for locations, you first specify your list of known \nlocations in LOCATIONS::\n\n LOCATIONS = {\n 'home': 'San Francisco California',\n 'washington': 'Washington DC',\n 'toulouse': 'Toulouse France',\n }\n\nThen you must configure your hosts to use the location. To do so, you use the \nchoose() method of the locations object to set the hostname. The choose() method requires three things:\n\n1. A dictionary that gives hostnames or IP addresses and perhaps a descriptive \n comment as a function of the location. These locations are generally specific \n to the host.\n2. Another dictionary that maps the user's locations into the host's locations.\n3. 
A default location.\n\nFor example::\n\n from sshconfig import HostEntry, locations, ports\n\n class Tunnelr(HostEntry):\n description = \"Commercial proxy server\"\n user = 'kundert'\n hostname = locations.choose(\n locations = {\n 'sf': (\"65.19.130.60\", \"Fremont, CA, US (fremont.tunnelr.com)\"),\n 'la': (\"173.234.163.226\", \"Los Angeles, CA, US (la.tunnelr.com)\"),\n 'wa': (\"209.160.33.99\", \"Seattle, WA, US (seattle.tunnelr.com)\"),\n 'tx': (\"64.120.56.66\", \"Dallas, TX, US (dallas.tunnelr.com)\"),\n 'va': (\"209.160.73.168\", \"McLean, VA, US (mclean.tunnelr.com)\"),\n 'nj': (\"66.228.47.107\", \"Newark, NJ, US (newark.tunnelr.com)\"),\n 'ny': (\"174.34.169.98\", \"New York City, NY, US (nyc.tunnelr.com)\"),\n 'london': (\"109.74.200.165\", \"London, UK (london.tunnelr.com)\"),\n 'uk': (\"31.193.133.168\", \"Maidenhead, UK (maidenhead.tunnelr.com)\"),\n 'switzerland': (\"178.209.52.219\", \"Zurich, Switzerland (zurich.tunnelr.com)\"),\n 'sweden': (\"46.246.93.78\", \"Stockholm, Sweden (stockholm.tunnelr.com)\"),\n 'spain': (\"37.235.53.245\", \"Madrid, Spain (madrid.tunnelr.com)\"),\n 'netherlands': (\"89.188.9.54\", \"Groningen, Netherlands (groningen.tunnelr.com)\"),\n 'germany': (\"176.9.242.124\", \"Falkenstein, Germany (falkenstein.tunnelr.com)\"),\n 'france': (\"158.255.215.77\", \"Paris, France (paris.tunnelr.com)\"),\n },\n maps={\n 'home': 'sf',\n 'washington': 'va',\n 'toulouse': 'france',\n },\n default='sf'\n )\n port = ports.choose([\n 22, 21, 23, 25, 53, 80, 443, 524, 5555, 8888\n ])\n identityFile = 'tunnelr'\n\nNow if the user specifies --location=washington on the command line, then it is \nmapped to the host location of va, which becomes mclean.tunnelr.com \n(209.160.73.168). Normally, users are expected to choose a location from the \nlist given in LOCATIONS. As such, every maps argument should support each of \nthose locations. However, a user may give any location they wish. 
If the \nlocation given is not found in maps, then it will be looked for in locations, \nand if it is not in locations, the default location is used.\n\n\nForwards\n''''''''\n\nWhen forwards are specified, two ssh host entries are created. The first does \nnot include forwarding. The second has the same name with '-tun' appended, and \nincludes the forwarding. The reason this is done is that once one connection is \nset up with forwarding, a second connection that also attempts to perform \nforwarding will produce a series of error messages indicating that the ports are \nin use and so cannot be forwarded. Instead, you should only use the tunneling \nversion once when you want to set up the port forwards, and use the base entry \nat all other times. Often forwarding connections are set up to run in the \nbackground as follows::\n\n ssh -f -N home-tun\n\nIf you have set up connection sharing using ControlMaster and then run::\n\n ssh home\n\nSSH will automatically share the existing connection rather than starting a new \none.\n\nBoth local and remote forwards should be specified as lists. The list elements can \neither be simple strings, or tuple pairs if you would like to give \na description for the forward. The string that describes the forward has the \nsyntax: 'lclHost:lclPort rmtHost:rmtPort' where lclHost and rmtHost can be \neither a host name or an IP address and lclPort and rmtPort are port numbers.\nFor example::\n\n '11025 localhost:25'\n\nThe local host is used to specify what machines can connect to the port locally.\nIf the GatewayPorts setting is set to *yes* on the SSH server, then forwarded \nports are accessible to any machine on the network. If the GatewayPorts setting \nis *no*, then the forwarded ports are only available from the local host. \nHowever, if GatewayPorts is set to *clientspecified*, then the accessibility of \nthe forward address is set by the local host specified. 
For example:\n\n=============================== ==============================\n5280 localhost:5280 accessible only from localhost\nlocalhost:5280 localhost:5280 accessible only from localhost\n\\*:5280 localhost:5280 accessible from anywhere\n0.0.0.0:5280 localhost:5280 accessible from anywhere\nlucifer:5280 localhost:5280 accessible from lucifer\n192.168.0.1:5280 localhost:5280 accessible from 192.168.0.1\n=============================== ==============================\n\nThe VNC function is provided for converting VNC host and display number \ninformation into a setting suitable for a forward. You can give the local \ndisplay number, the remote display number, and the remote host name (from the \nperspective of the remote ssh server) and the local host name. For example::\n\n VNC(lclDispNum=1, rmtHost='localhost', rmtDispNum=12)\n\nThis allows a local VNC client viewing display 1 to show the VNC server running \non display 12 of the SSH server host.\n\nIf you give a single number, it will use it for both display numbers. If you \ndon't give a name, it will use *localhost* as the remote host (in this case \n*localhost* represents the remote ssh server). 
So the VNC entry above in the \nlocal forwards could be shortened to::\n\n VNC(12)\n\nif you configured the local VNC client to connect to display 12.\n\nAn example of many of these features::\n\n from sshconfig import HostEntry, ports, locations, VNC, gethostname\n\n class Home(HostEntry):\n description = \"Lucifer Home Server\"\n aliases = ['lucifer']\n user = 'herbie'\n hostname = {\n 'home': '192.168.0.1',\n 'default': '74.125.232.64'\n }\n port = ports.choose([22, 80])\n if port in [80]:\n proxyCommand = 'socat - PROXY:%h:127.0.0.1:22,proxyport=%p'\n trusted = True\n identityFile = gethostname()\n localForward = [\n ('30025 localhost:25', \"Mail - SMTP\"),\n ('30143 localhost:143', \"Mail - IMAP\"),\n ('34190 localhost:4190', \"Mail - Sieve\"),\n ('39100 localhost:9100', \"Printer\"),\n (VNC(lclDispNum=1, rmtDispNum=12), \"VNC\"),\n ]\n dynamicForward = 9999\n\nOn a foreign network it produces::\n\n # Lucifer Home Server\n host home lucifer\n user herbie\n hostname 74.125.232.64\n port = 22\n identityFile /home/herbie/.ssh/teneya\n identitiesOnly yes\n forwardAgent yes\n\n # Lucifer Home Server (with forwards)\n host home-tun lucifer-tun\n user herbie\n hostname 74.125.232.64\n port = 22\n identityFile /home/herbie/.ssh/teneya\n identitiesOnly yes\n forwardAgent yes\n localForward 11025 localhost:25\n # Mail - SMTP\n localForward 11143 localhost:143\n # Mail - IMAP\n localForward 14190 localhost:4190\n # Mail - Sieve\n localForward 19100 localhost:9100\n # Printer\n localForward 5901 localhost:5912\n # VNC\n dynamicForward 9999\n exitOnForwardFailure yes\n\n\nGuests\n''''''\n\nThe 'guests' attribute is a list of hostnames that would be accessed by using \nthe host being described as a proxy. The attributes specified are shared with \nits guests (other than hostname, port, and port forwards). 
The name used for \nthe guest in the ssh config file would be the host's name combined with the guest \nname using a hyphen.\n\nFor example::\n\n class Farm(HostEntry):\n description = \"Entry Host to Machine farm\"\n aliases = ['earth']\n user = 'herbie'\n hostname = {\n 'work': '192.168.1.16',\n 'default': '231.91.164.92'\n }\n trusted = True\n identityFile = 'my2014key'\n guests = [\n ('jupiter', \"128GB Compute server\"),\n ('saturn', \"96GB Compute server\"),\n ('neptune', \"64GB Compute server\"),\n ]\n localForward = [\n (VNC(dispNum=21, rmtHost='jupiter'), \"VNC on Jupiter\"),\n (VNC(dispNum=22, rmtHost='saturn'), \"VNC on Saturn\"),\n (VNC(dispNum=23, rmtHost='neptune'), \"VNC on Neptune\"),\n ]\n\nOn a foreign network this produces::\n\n # Entry Host to Machine Farm\n host farm earth\n user herbie\n hostname 231.91.164.92\n identityFile /home/herbie/.ssh/my2014key\n identitiesOnly yes\n forwardAgent yes\n\n # Entry Host to Machine Farm (with forwards)\n host farm-tun earth-tun\n user herbie\n hostname 231.91.164.92\n identityFile /home/herbie/.ssh/my2014key\n identitiesOnly yes\n forwardAgent yes\n localForward 5921 jupiter:5921\n # VNC on jupiter\n localForward 5922 saturn:5922\n # VNC on Saturn\n localForward 5923 neptune:5923\n # VNC on Neptune\n\n # 128GB Compute Server\n host farm-jupiter\n hostname jupiter\n proxyCommand ssh host -W %h:%p\n user herbie\n identityFile /home/herbie/.ssh/my2014key\n identitiesOnly yes\n forwardAgent yes\n\n # 96GB Compute Server\n host farm-saturn\n hostname saturn\n proxyCommand ssh host -W %h:%p\n user herbie\n identityFile /home/herbie/.ssh/my2014key\n identitiesOnly yes\n forwardAgent yes\n\n # 64GB Compute Server\n host farm-neptune\n hostname neptune\n proxyCommand ssh host -W %h:%p\n user herbie\n identityFile /home/herbie/.ssh/my2014key\n identitiesOnly yes\n forwardAgent yes\n\n\nSubclassing\n'''''''''''\n\nSubclassing is an alternative to guests that gives more control over how the \nattributes are set. 
When you create a host that is a subclass of another host \n(the parent), the parent is configured to be the proxy and only the 'user' and \n'identityFile' attributes are copied over from the parent, but these can be \noverridden locally.\n\nFor example::\n\n class Jupiter(Farm):\n description = \"128GB Compute Server\"\n hostname = 'jupiter'\n tun_trusted = True\n remoteForward = [\n ('14443 localhost:22', \"Reverse SSH tunnel used by sshfs\"),\n ]\n\nNotice that Jupiter subclasses Farm, which was described in an example above. \nThis generates::\n\n # 128GB Compute Server\n host jupiter\n user herbie\n hostname jupiter\n identityFile /home/herbie/.ssh/my2014key\n identitiesOnly yes\n forwardAgent no\n proxyCommand ssh farm -W %h:%p\n\n # 128GB Compute Server (with forwards)\n host jupiter-tun\n user herbie\n hostname jupiter\n identityFile /home/herbie/.ssh/my2014key\n identitiesOnly yes\n forwardAgent no\n proxyCommand ssh farm -W %h:%p\n remoteForward 14443 localhost:22\n\nIf you contrast this with farm-jupiter above, you will see that the name is \ndifferent, as is the trusted status (farm-jupiter inherits 'trusted' from Host, \nwhereas jupiter does not). Also, there are two versions, one with port \nforwarding and one without.\n\n\nProxies\n-------\n\nSome networks block connections to port 22. If your desired host accepts \nconnections on other ports, you can use the --ports feature described above to \nwork around these blocks. However, some networks block all ports and force you \nto use a proxy. Or, if you do have open ports but your host does not accept ssh \ntraffic on those ports, you can sometimes use a proxy to access your host.\n\nAvailable proxies are specified by adding PROXIES to the hosts.py file. Then, if \nyou would like to use a proxy, you use the --proxy (or -P) command line argument \nto specify the proxy by name. 
For example::\n\n PROXIES = {\n 'work_proxy': 'corkscrew webproxy.ext.workinghard.com 80 %h %p',\n 'school_proxy': 'corkscrew sproxy.fna.learning.edu 1080 %h %p',\n }\n\nTwo HTTP proxies are described, the first capable of bypassing the corporate \nfirewall and the second doing the same for the school's firewall. Each is \na command that takes its input from stdin and produces its output on stdout. \nThe program 'corkscrew' is designed to proxy a TCP connection through an HTTP \nproxy. The first two arguments are the host name and port number of the proxy. \ncorkscrew connects to the proxy and passes the third and fourth arguments, the \nhost name and port number of the desired destination.\n\nThere are many alternatives to corkscrew. One is socat::\n\n PROXIES = {\n 'work_proxy': 'socat - PROXY:webproxy.ext.workinghard.com:%h:%p,proxyport=80',\n 'school_proxy': 'socat - PROXY:sproxy.fna.learning.edu:%h:%p,proxyport=1080',\n }\n\nAnother alternative is proxytunnel::\n\n PROXIES = {\n 'work_proxy': 'proxytunnel -q -p webproxy.ext.workinghard.com:80 -d %h:%p',\n 'school_proxy': 'proxytunnel -q -p sproxy.fna.learning.edu:1080 -d %h:%p',\n }\n\nWhen at work, you should generate your ssh config file using::\n\n gensshconfig --proxy=work_proxy\n\nor::\n\n gensshconfig -Pwork_proxy\n\nYou can get a list of the pre-configured proxies using::\n\n gensshconfig --available\n\nIt is also possible to use ssh hosts as proxies. For example, when at an \ninternet cafe that blocks port 22, you can work around the blockage \neven if your host only supports 22 using::\n\n gensshconfig --ports=80 --proxy=tunnelr\n\nor::\n\n gensshconfig -p80 -Ptunnelr\n\nUsing the --proxy command line argument adds a proxyCommand entry to every host \nthat does not already have one (except the host being used as the proxy). In \nthat way, proxies are automatically chained. 
For example, in the example given \nabove, Jupiter subclasses Farm, and so it naturally gets a proxyCommand that \ncauses it to be proxied through Farm, but Farm does not have a proxyCommand. By \nrunning gensshconfig with --proxy=tunnelr, Farm will get the proxyCommand \nindicating it should proxy through tunnelr, but Jupiter retains its original \nproxyCommand. So when connecting to jupiter a two-link proxy chain is used: \npackets are first sent to tunnelr, which then forwards them to farm, which \nforwards them to jupiter.\n\nYou can specify a proxy on the NetworkEntry for your network. If you do, that \nproxy will be used by default when on that network for all hosts that are not on \nthat network. A host is said to be on the network if the hostname is \nspecifically given for that network. For example, assume you have a network \nconfigured for work::\n\n class Work(NetworkEntry):\n # Work network\n routers = ['78:92:4d:2b:30:c6']\n proxy = 'work_proxy'\n\nThen assume you have a host that is not configured for that network (Home) and \none that is (Farm)::\n\n class Home(HostEntry):\n description = \"Home Server\"\n aliases = ['lucifer']\n user = 'herbie'\n hostname = {\n 'home': '192.168.0.1',\n 'default': '74.125.232.64'\n }\n proxyCommand = 'socat - PROXY:webproxy.ext.workinghard.com:%h:%p,proxyport=80'\n\n class Farm(HostEntry):\n description = \"Entry Host to Machine farm\"\n aliases = ['mercury']\n user = 'herbie'\n hostname = {\n 'work': '192.168.1.16',\n 'default': '231.91.164.92'\n }\n\nWhen on the work network, connecting to Home will use the proxy and \nconnecting to Farm will not.", "description_content_type": null, "docs_url": null, "download_url": "https://github.com/kenkundert/sshconfig/tarball/master", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "http://nurdletech.com/linux-utilities/sshconfig", "keywords": null, "license": "GPLv3+", "maintainer": null, "maintainer_email": null, "name": 
"sshconfig", "package_url": "https://pypi.org/project/sshconfig/", "platform": "UNKNOWN", "project_url": "https://pypi.org/project/sshconfig/", "project_urls": { "Download": "https://github.com/kenkundert/sshconfig/tarball/master", "Homepage": "http://nurdletech.com/linux-utilities/sshconfig" }, "release_url": "https://pypi.org/project/sshconfig/1.0/", "requires_dist": null, "requires_python": null, "summary": "generate ssh config", "version": "1.0" }, "last_serial": 1933175, "releases": { "1.0": [] }, "urls": [] }