
How do I configure ssh proxycommand correctly to run docker exec?

I have a host defined in /etc/hosts called web1. There is a docker container with the name store.

While on my workstation I can ssh into the machine and execute the command to enter the container interactively like this

ssh -t -t web1 docker exec -ti store /bin/bash

It properly drops me right into the container as root as I had hoped.

However, I really want to define a pseudo host named store and set it up in my ~/.ssh/config file like this using ProxyCommand so I can use ssh store

Host store
ProxyCommand ssh -t -t web1 docker exec -ti store /bin/bash

But it fails with the following error:

Bad packet length 218958363.
ssh_dispatch_run_fatal: Connection to UNKNOWN: message authentication code incorrect
Killed by signal 1.

If I add -v for some debugging, the last two lines just before the block above are

debug1: Authenticating to store:22 as 'user1'
debug1: SSH2_MSG_KEXINIT sent

  1. I think it is trying ssh into the store container instead of just executing the command which is throwing that error, is that correct? If not what is the issue?
  2. Is there a way to do this using ProxyCommand without trying to ssh into the container but instead just use the docker exec?
  3. Is it easy enough to also set up the ssh into the container? We currently aren't doing that as a matter of practice.
  4. Is there another option other than an alias for ssh-store?

The end goal is to have a virtual host defined that I can just say ssh store and have it end up in the store container on web1.

Edited:

Solution:

As Jakuje indicated, using the ProxyCommand with ssh is not going to allow a non-ssh further command. Therefore I am just using an alias and potentially a bash function for this to accomplish it. I've set up both.

Also per Jakuje's recommendation in ~/.ssh/config

Host web1
RequestTTY yes

in ~/.bash_aliases

alias ssh-store="ssh web1 docker exec -ti store /bin/bash"

so I can do ssh-store and end up in the container

or in ~/.bashrc

function ssh-web1 { ssh web1 docker exec -ti "$1" /bin/bash; }

so I can do ssh-web1 store and also end up in the container

I think it is trying ssh into the store container instead of just executing the command which is throwing that error, is that correct? If not what is the issue?

Yes

Is there a way to do this using ProxyCommand without trying to ssh into the container but instead just use the docker exec?

No. It does not work this way. ProxyCommand expects the other step to also be an SSH session and not a direct bash prompt.

Is it easy enough to also set up the ssh into the container? We currently aren't doing that as a matter of practice.

I think this is unnecessary overhead. But it is possible as described in many other questions around here.

At least you can get rid of -t -t by specifying RequestTTY in your ~/.ssh/config. But the rest has to be a bash alias or function (if you have more hosts, a function is more appropriate).

function ssh-docker {
    # $1 is the container name; quote it so the local shell does not word-split it
    ssh web1 docker exec -ti "$1" /bin/bash
}

and then you can call it regardless of the container like this:

ssh-docker store

You just store such a function in your .bashrc or wherever you stored your aliases.
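
An added example, not part of the original answer: ssh joins its command arguments into one string that the login shell on web1 parses again, so quoting `$1` locally does not stop a container name containing shell metacharacters from being interpreted on the remote side. This variant validates the name before building the remote command; the function names `valid_container_name`, `remote_exec_cmd` and `ssh_docker` are hypothetical, and the allowed character set is assumed to be the one Docker accepts for container names.

```shell
# Added example (not from the original post). Function names are hypothetical.

# Accept only names made of the characters assumed valid for Docker
# container names: first character alphanumeric, then alphanumerics,
# underscore, dot or hyphen. Anything else (spaces, ';', '$', quotes,
# a leading '-') is rejected before it can reach the remote shell.
valid_container_name() {
    case $1 in
        ''|[!a-zA-Z0-9]*|*[!a-zA-Z0-9_.-]*) return 1 ;;
    esac
    return 0
}

# Print the exact command string that will be handed to the shell on web1.
# Because the name has been validated, the string contains no characters
# the remote shell would treat specially.
remote_exec_cmd() {
    if ! valid_container_name "$1"; then
        echo "invalid container name: $1" >&2
        return 2
    fi
    printf 'docker exec -ti %s /bin/bash' "$1"
}

# Drop-in replacement for the ssh-docker function above.
# -t requests a TTY, equivalent to RequestTTY yes in ~/.ssh/config.
ssh_docker() {
    cmd=$(remote_exec_cmd "$1") || return
    ssh -t web1 "$cmd"
}
```

Calling `ssh_docker store` behaves like `ssh-docker store`; a name that fails validation returns status 2 without contacting web1.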
