On Tue, Sep 23, 2014 at 12:29:13PM +0100, Brett Parker wrote:
OK - so lots and lots of going round in circles happened... and it was all tedious...
On 22 Sep 22:03, Chris Green wrote:
I think I have done it now with the following in my ~/.ssh/config file:-
    Host halon
        HostName cheddar.halon.org.uk

    Match host chris exec "hostNotLocal chris"
        ProxyCommand ssh cheddar nc -q0 zbmc.eu 22
... plus the script hostNotLocal which returns true if a host can't be found on the local LAN. Thus what happens when I enter 'ssh chris' is that the Match line looks to see if it can see 'chris' (that hostNotLocal just uses a ping), if it *can* see 'chris' then the ProxyCommand *doesn't* happen and the 'ssh chris' simply connects to the local 'chris'. On the other hand if 'chris' isn't there then the ProxyCommand does its work and my two stage login is done.
Yes, I know it's quite complicated in a way but it does make my life a little simpler. :-)
But, erm, you could have just done the easy method, and made the ProxyCommand a script, the script then does one of:
exec ssh cheddar nc -q0 zbmc.eu 22
Or
exec nc -q0 the.internal.ip.address 22
You could even make that script sensible and be able to cope with different networks and working out what network you're connected to.
Also has the advantage that you don't use Match in the ssh config, because, erm, that appears to be a recent addition (it has been in sshd_config for ages, it's not in wheezy's ssh_config), which means that it's more portable to other machines.
(I used exactly this style system for *ages* at a previous place of employ, so I know that it works).
Yes, I certainly could have done that if someone had come up with the idea when I first asked! :-) That was *exactly* the sort of thing I was hoping someone would know about. It just hadn't occurred to me to do it that way and I agree it is probably somewhat neater than the way I have used.
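The wrapper-script approach described in the thread, written out as an added example that is not from either poster. The script name ssh-route, the LOCAL_ADDR placeholder address and the ping flags are assumptions; cheddar, zbmc.eu and nc -q0 are taken from the thread.

```shell
#!/bin/sh
# Added example: ProxyCommand wrapper that picks a direct or two-stage route.
# Assumed ~/.ssh/config entry (no Match keyword needed):
#   Host chris
#       ProxyCommand ssh-route %p
# Either way ssh still verifies the target's host key over the tunnel, so the
# reachability probe only selects a path; it is not what authenticates "chris".

LOCAL_ADDR="${LOCAL_ADDR:-192.0.2.10}"   # placeholder for the internal IP
JUMP_HOST="${JUMP_HOST:-cheddar}"        # intermediate host from the thread
REMOTE_NAME="${REMOTE_NAME:-zbmc.eu}"    # public name from the thread

probe_ping() {
    # One echo request, one-second timeout (Linux iputils ping flags).
    ping -c 1 -W 1 "$1" >/dev/null 2>&1
}

choose_route() {
    # Prints "direct" when the probe reaches LOCAL_ADDR, otherwise "jump".
    # PROBE_CMD can be overridden, e.g. with a check of the current network.
    if "${PROBE_CMD:-probe_ping}" "$LOCAL_ADDR"; then
        echo direct
    else
        echo jump
    fi
}

connect() {
    port="$1"
    # Arguments stay quoted and are never passed through eval.
    case "$(choose_route)" in
        direct) exec nc -q0 "$LOCAL_ADDR" "$port" ;;
        jump)   exec ssh "$JUMP_HOST" nc -q0 "$REMOTE_NAME" "$port" ;;
    esac
}

# Connect only when called with a port argument, as ProxyCommand does.
if [ "$#" -ge 1 ]; then
    connect "$1"
fi
```

Because the route decision lives in the script, the same ~/.ssh/config works on clients whose ssh_config does not support Match.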