@fumiyas
Last active Mar 24, 2021
Proxy server to connect over SSH
## Allow the key to execute the specific socat command-line only
restrict,command="exec socat -lh -d STDIO TCP-CONNECT:10.0.0.1:389" ssh-...
## Example configuration file (sourced by the proxy script as bash code).
ssh_destination='proxyuser@sshserver.example.jp'   # ssh(1) login target
listen_socket='127.0.0.1:8389'                     # local listener, host:port
connect_socket='10.0.0.1:389'                      # target reached from the SSH server
#!/bin/bash
##
## Proxy server to connect over SSH
## Copyright (c) 2021 SATOH Fumiyasu @ OSS Technology Corp., Japan
##
## License: GNU General Public License version 3
##
## Fail fast: abort on an unset variable (-u) and on an unhandled
## non-zero exit status (-e).
set -eu
## ======================================================================
#######################################
# Print an error message prefixed with the script name.
# Arguments: $1 - message text
# Outputs:   "<script>: ERROR: <message>" on stderr
#######################################
perr()
{
  printf '%s: ERROR: %s\n' "$0" "$1" >&2
}
#######################################
# Print an error message via perr() and terminate the script.
# Arguments: $1 - message text
#            $2 - exit status (optional, default 1)
# Returns:   does not return
#######################################
pdie()
{
  local status=${2-1}
  perr "$1"
  exit "$status"
}
## ======================================================================
## Defaults.  A sourced configuration file or PROXYOSSH_* environment
## variables may override the lower-case parameters below.
ssh=ssh
## Transport hardening: quiet (-q), compression (-C), no PTY (-T), and no
## forwarding of the authentication agent (-a), GSSAPI credentials (-k)
## or X11 (-x) towards the SSH server.
ssh_options=(-q -C -T -a -k -x)
## socat(1) on both ends: -lh adds the hostname to log messages, -d also
## prints warnings.
local_socat=socat
local_socat_options=(-lh -d)
remote_socat=socat
remote_socat_options=(-lh -d)
## Mandatory parameters, no defaults.
listen_socket=
connect_socket=
ssh_destination=
## Optional: passed to ssh(1) as -i and -F when non-empty.
ssh_identity_file=
ssh_config_file=
## ----------------------------------------------------------------------
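## Usage and optional configuration file.
## The file is sourced, i.e. executed as bash code with this script's
## privileges, so only files under the operator's control belong here.
## A name without a slash is prefixed with "./": the `.` builtin searches
## $PATH first for such names, which could pick up an unrelated file.
if [[ ${1-} == -h ]]; then
  echo "Usage: $0 [CONFIG_FILE]"
  exit 1
fi
if [[ -n ${1+set} ]]; then
  config_file=$1
  if [[ $config_file != */* ]]; then
    config_file="./$config_file"
  fi
  . "$config_file" || pdie "Invalid configuration file"
fi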
## Environment variables PROXYOSSH_<PARAMETER> (parameter name upper-cased)
## take precedence over the configuration file; a variable that is set but
## empty still overrides.  The first three parameters are mandatory.
for param in listen_socket connect_socket ssh_destination \
             ssh_identity_file ssh_config_file; do
  env_name="PROXYOSSH_${param^^}"
  if [[ -n ${!env_name+set} ]]; then
    printf -v "$param" '%s' "${!env_name}"
  fi
done
unset param env_name
for param in listen_socket connect_socket ssh_destination; do
  if [[ -z ${!param} ]]; then
    pdie "No $param parameter"
  fi
done
unset param
## ======================================================================
## Map the user-facing socket names onto socat(1) addresses.
## A value containing "/" is a UNIX-domain socket path; "host:port" binds
## the listener to that host only; a bare port gets no bind= option, so
## socat's TCP-LISTEN default of listening on every local address applies.
case $listen_socket in
  */*)
    local_socat_socket="UNIX-LISTEN:$listen_socket"
    ;;
  *:*)
    ## FIXME: Support `[<IPv6-address>]:<port>` style
    local_socat_socket="TCP-LISTEN:${listen_socket##*:},bind=${listen_socket%:*}"
    ;;
  *)
    local_socat_socket="TCP-LISTEN:$listen_socket"
    ;;
esac
case $connect_socket in
  */*)
    remote_socat_socket="UNIX-CONNECT:$connect_socket"
    ;;
  *)
    remote_socat_socket="TCP-CONNECT:$connect_socket"
    ;;
esac
## ----------------------------------------------------------------------
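## Remote side: the command ssh(1) asks the server to run.  ssh joins these
## words with spaces and the remote login shell re-parses them, so none of
## them should contain shell metacharacters.  With an authorized_keys entry
## of the form `restrict,command="..."` the server runs the forced command
## instead of this one, which pins what the key can do.
remote_socat_argv=(
  "$remote_socat"
  "${remote_socat_options[@]}"
  STDIO
  "$remote_socat_socket"
)
## Local side: the command the listening socat runs per connection.
## The optional ssh(1) arguments are appended explicitly rather than through
## word-splitting of an unquoted ${var:+-i "$var"} expansion (ShellCheck
## SC2206), which is easy to misread and breaks under IFS changes.
local_socat_exec_argv=("$ssh" "${ssh_options[@]}")
if [[ -n $ssh_identity_file ]]; then
  local_socat_exec_argv+=(-i "$ssh_identity_file")
fi
if [[ -n $ssh_config_file ]]; then
  local_socat_exec_argv+=(-F "$ssh_config_file")
fi
local_socat_exec_argv+=(
  --
  "$ssh_destination"
  exec
  "${remote_socat_argv[@]}"
)
## socat's EXEC address takes a space-separated command line and uses ':'
## as its own separator, hence the escaping of ':' in the joined string.
## NOTE(review): arguments that themselves contain spaces or commas (e.g.
## an identity-file path) are not protected by this join — keep such paths
## free of them.
local_socat_exec="EXEC:${local_socat_exec_argv[*]//:/\\:}"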
## ======================================================================
## Replace this shell with the listening socat: one forked handler per
## incoming connection, each running the ssh(1) command built above.
## argv[0] becomes "<script>: socat" so the listener is recognisable in
## process listings.
local_socat_argv=(
  "$local_socat"
  "${local_socat_options[@]}"
  "$local_socat_socket,reuseaddr,fork"
  "$local_socat_exec"
)
exec -a "$0: $local_socat" "${local_socat_argv[@]}"