Core Tunnel - ProxyCommand with other ssh connection


I was wondering if it possible to setup a tunnel connection which uses another ssh connection in the ProxyCommand. Normally I would use the following ProxyCommand:

ProxyCommand ssh -W hostname %h:%p

Usually I would configure the connection to be used in the ProxyCommand as well in the same config file which is not possible with Core Tunnel. Then the connection can be user.

I also understood that the ProxyCommand cannot use the configuration available in the macOS config (~/.ssh/config).

Is there a way to achieve that in some way?

Actually, the workflow can be simplified if use ProxyJump option:

Core Tunnel can read options from ~/.ssh/config:

Thanks for that input … you are amazing fast. Awesome!

I have tried to change the Configuration to “system” but it asks me to install the helper which is already installed. (Need it for ProxyCommand “corkscrew”).

It seems I had to install it again. :frowning:

Strange. Is there anything known in that regards?

The Core Helper tool also evolves with Core Tunnel / Shell, you may have an outdated version of Core Helper.

I installed it again jesterday. Did you releasae a new one since that?

On the other topic, … The proxy command with another ssh connection, I tried it with the proxy jump and it did not work. So I added the Proxy Command as I am used to.

ProxyCommand ssh hostname -W %h:%p

These are the last log lines with the error …

14:44:17 ssh_exchange_identification: Connection closed by remote host
14:44:17 The Core Helper process exited or crashed.
14:44:17 The Core Helper connection has terminated.
14:44:17 Abnormal Disconnect
14:44:17 Connection failed, retry after 3s…
14:44:20 Disconnected

Could you please set debug level to DEBUG3 and paste the log again?

Don't forget remove sensitive information.


Here is the log output from Core Tunnel:

Equivalent Command: ssh -T -N -F "/Users/USER/Library/Group Containers/" -i "/Users/USER/Library/Group Containers/" -vvv -D 1234 -o ExitOnForwardFailure=yes -o ProxyCommand="ssh JUMPHOST -W %h:%p" -p 22 REMOTEUSER@HOST.EXAMPLE.COM
09:45:43 Connecting…
09:45:43 OpenSSH_7.5p1, LibreSSL 2.5.5
09:45:43 debug1: Reading configuration data /Users/USER/Library/Group Containers/
09:45:43 debug1: /Users/USER/Library/Group Containers/ line 7: Applying options for *
09:45:43 debug1: Executing proxy command: exec ssh JUMPHOST -W HOST.EXAMPLE.COM:22
09:45:43 Jumping…
09:45:43 debug1: key_load_public: No such file or directory
09:45:43 debug1: identity file /Users/USER/Library/Group Containers/ type -1
09:45:43 debug1: key_load_public: No such file or directory
09:45:43 debug1: identity file /Users/USER/Library/Group Containers/ type -1
09:45:43 debug1: Enabling compatibility mode for protocol 2.0
09:45:43 debug1: Local version string SSH-2.0-OpenSSH_7.5
Permission denied, please try again.
Permission denied, please try again.
Received disconnect from UNKNOWN port 65535:2: Too many authentication failures for REMOTEUSER
Disconnected from UNKNOWN port 65535
09:45:44 ssh_exchange_identification: Connection closed by remote host
09:45:44 The Core Helper process exited or crashed.
09:45:44 The Core Helper connection has terminated.
09:45:44 Abnormal Disconnect
09:45:44 Connection failed, retry after 3s…
09:45:46 Disconnected

From the log, it seems failed to authenticate the host JUMPHOST. Could you please try this command in, and paste the output?

ssh -T -N -F "/Users/USER/Library/Group Containers/" -i "/Users/USER/Library/Group Containers/" -vvv -D 1234 -o ExitOnForwardFailure=yes -o ProxyCommand="ssh JUMPHOST -W %h:%p" -p 22 REMOTEUSER@HOST.EXAMPLE.COM

I have checked the server logs too. It seems that the JUMPHOST authentication failed. The JUMPHOST config comes from the ~/.ssh/config and works for sure as I use it daily.

The only thing I can think of is that the ssh-agent used to unlock the ssh-key (by the way the same as used in the Tunnel configuration) is not accessable. Can that be the reason?

It seems that is the problem. If i use the ssh command listed as “Equivalent Command”, it works. Must be related to the sandboxing or the fact that the ssh-agent is not accessed.

Enabling the Authentication Agent in the settings does not work for some reason. When I click the checkbox, the check-mark apears for a very short moment and disappears again. I checked the ssh-agent is running and lists my ssh-key.

Could you please execute this command:


And also post your screenshot of Agent settings:

1 Like


I restarted my Mac in the meantime and restarted Core Tunnel twice. Now I can enable the ssh-agent. Strange.

Still the authentication fails the same way.

Please send me a screenshot of your agent setting in Preferences…

Now I reached a limit in the Support Website too ... :triumph:

You’ve reached the maximum number of replies a new user can create on their first day. Please wait 29 minutes before trying again.

So I have to wait before I can send the Screenshot ... :roll_eyes:
While waiting I took the time to write together my goal with Core Tunnel.

  • I have a ssh connection which should have a dynamic forward, lets kall it JUMPHOST
  • To reach JUMPHOST, I need "corkscrew" to get through the http proxy.
  • another connection to a server with another dynamic forward, lets call it DESTHOST
  • To connect to test host, the connection needs to go through JUMPHOST (corkscrew will not work here)

So in my ~/.ssh/config it looks similar to this:

    ProxyCommand corkscrew ...
    DynamicForward ...
    ProxyCommand ssh JUMPHOST -W %h:%p
    DynamicForward ...

That should be the most important settungs for that setup. Of course there are more but user name and host names are not important at this poiunt. This works greatr in the terminal. But when the connection(s) are dropped or disconnected for some reason, I have to manually start it again - annoing.

So I thought I can use Core Tunnel to do this. So far with limited luck. I am happy I did not buy it rigt away. So I am still in the testing phase ... Still hoping for the best.

Please try setting the path of auth agent to the value of env $SSH_AUTH_SOCK.

ssh reads auth agent socket path from $SSH_AUTH_SOCK, if you change the value in ~/.bash_profile or ~/.bash_rc, Core Tunnel does not know anything about this change, so we must set it explicitly in Preferences…

Just raise the number of replies limitation, sorry about that.

Thank you for raising the limit.

I will try setting the path to the value of $SSH_AUTH_SOCKET. But this is just a workaround, right? Because after a reboot, that path will change.

What is the solution to it?

What I do in the badh config is simply the following.

  • I check if a socket from ssh-agent can be found.
  • if found, It is exported as the SSH_AUTH_SOCKET env variable
    -if not, ssh-agent is started and the variable is set too.

Any way, the variable is set as soon as the Terminal is opened the first time. Question is what dies Core Tunnel when the ssh-agent is not yet running? The path it detects seems to be something completely different then what ssh-agent usually creates.

BTW, for Testing all functionality, it would be great to have two connections In the test version.