Often I have to download a file that isn't directly accessible via the first SSH connection. For example, I'm on a Windows machine and I want to access another machine that is only accessible from the LAN. That means that I must first connect to an intermediate machine and SSH to the next one.
It would be easy to use pscp to get the file, if it were available for the first machine. Could SSH port forwarding be used in this scenario?
Answers:
Method 1
I add such a definition to .ssh/config:
Host SERVER-A
    ProxyCommand ssh SERVER-B nc -q0 %h %p 2> /dev/null
and then just use ssh or scp in normal way:
ssh user@SERVER-A
or
scp file.tar.gz user@SERVER-A:~
While setting up the connection with SERVER-A, the ssh library finds this configuration. It tells ssh that it should use a proxy command to connect. The proxy command connects to SERVER-B and then executes the nc command (netcat), which forwards all output from the proxy command to the given server on the given port, defined by the %h and %p parameters.
Such a construction also allows you to use key authentication. You just have to copy your public key from the client machine to both servers: SERVER-A and SERVER-B.
Such a configuration is also compatible with other applications which use the ssh library, for example rsync, sftp or GUI clients.
Method 2
Yes, SSH port forwarding can be used in this case, but you can also get warnings about invalid or incorrect host keys when attempting this. Some SSH clients like OpenSSH track SSH host keys by domain or IP only and don't include the port number with it. PuTTY appears to record the port number with the host key and should not suffer from this problem as long as you're consistent with which port numbers you use for each host. I'd recommend adding the port forwardings to a saved session in PuTTY. You can then also save the additional sessions for the various remote hosts as saved sessions and use that with pscp/psftp. You can start with any high number port for the forwarding such as 2220 and go up by one from there for each host you need to forward through an intermediate host. Add to the saved session for intermediate local port forwards like port 2220 and destination remote1:22 and port 2221 with destination remote2:22 for remote hosts remote1 and remote2. Then create sessions for remote1 with destination localhost and SSH port 2220 and a session for remote2 with destination localhost and SSH port 2221. To use sessions with pscp/psftp use @session-name for the host.
The problem occurs when you have somehow associated an SSH host key with localhost and you attempt to connect to a local port that's being forwarded to a different computer. With OpenSSH, I fixed this problem by using HostKeyAlias. I added entries to my ~/.ssh/config like this:
Host intermediate
    HostName intermediate.example.org
    LocalForward 2220 remote1.example.org:22
    # the local port here must match the Port in the remote2 stanza below
    LocalForward 2221 remote2.example.org:22

Host remote1
    HostName localhost
    Port 2220
    HostKeyAlias remote1.example.org

Host remote2
    HostName localhost
    Port 2221
    HostKeyAlias remote2.example.org
My preferred fix, though, was when I deployed IPv6 on my home and work network and I no longer had to worry about connecting to an intermediate server first to get to my final destination.
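The following script is an added example, not part of the answer above or of OpenSSH: it generates the kind of configuration described in Method 2 (local ports allocated upward from 2220, one LocalForward per remote host, and a Host alias per remote that points at localhost:port with HostKeyAlias set to the real name so the host key is stored under the right name rather than under "localhost"). It also checks that no two LocalForward lines claim the same local port, which is the mistake that makes the second alias silently land on the wrong host or fail to bind. All host names are assumptions chosen for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original answer). Emits ssh_config stanzas for
# reaching several remote hosts through one intermediate host via local port
# forwards, following the port-numbering scheme described in the answer.
# Host names used in the calls at the bottom are assumptions.

# Usage: gen_jump_config INTERMEDIATE_ALIAS INTERMEDIATE_FQDN REMOTE_FQDN...
gen_jump_config() {
    alias_name=$1 inter_fqdn=$2
    shift 2
    port=2220
    printf 'Host %s\n    HostName %s\n' "$alias_name" "$inter_fqdn"
    for remote in "$@"; do
        # one LocalForward per remote, ports allocated upward from 2220
        printf '    LocalForward %d %s:22\n' "$port" "$remote"
        port=$((port + 1))
    done
    port=2220
    for remote in "$@"; do
        # short alias = part before the first dot; HostKeyAlias keeps the
        # known_hosts entry under the real name, not under "localhost"
        short=${remote%%.*}
        printf '\nHost %s\n    HostName localhost\n    Port %d\n    HostKeyAlias %s\n' \
            "$short" "$port" "$remote"
        port=$((port + 1))
    done
}

# Reads an ssh_config on stdin and prints "ok" when every LocalForward uses a
# distinct local port, otherwise "duplicate: <ports>".
check_unique_ports() {
    dups=$(awk '$1 == "LocalForward" { print $2 }' | sort | uniq -d)
    if [ -z "$dups" ]; then
        echo ok
    else
        echo "duplicate: $dups"
    fi
}

gen_jump_config intermediate intermediate.example.org \
    remote1.example.org remote2.example.org
gen_jump_config intermediate intermediate.example.org \
    remote1.example.org remote2.example.org | check_unique_ports
```

Append the generated text to ~/.ssh/config, then `ssh intermediate` opens the forwards and `ssh remote2` goes through localhost:2221 while OpenSSH verifies and records the key as remote2.example.org.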
Method 3
You can use the intermediate machine as a proxy. Make sure it has netcat (nc) installed. Put the following lines in your ~/.ssh/config (foo is a nickname for the inaccessible machine, foo.example.com is its name as seen from the intermediate machine, and gateway.example.com is the intermediate machine):
Host foo
    HostName foo.example.com
    ProxyCommand ssh gateway.example.com nc %h %p
Then ssh foo will connect (in two hops, but that’s completely transparent) to the inaccessible machine.
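As an added example covering the ProxyCommand approach of Methods 1 and 3 (this is not code from either answer or from OpenSSH), the script below writes the stanza for a host behind a gateway in three equivalent forms: the netcat form shown above, `ssh -W %h:%p gateway` (an OpenSSH 5.4+ built-in that needs no netcat on the gateway), and `ProxyJump gateway` (OpenSSH 7.3+). It then resolves the result with `ssh -G`, which only evaluates the configuration locally and opens no connection, when an ssh client is installed. In every form the client still checks the final host's key itself, because the gateway only relays bytes. The host names, the mode names and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original answers. Generates a per-host
# ProxyCommand/ProxyJump stanza and resolves it with "ssh -G" (dry run).
# Host names and the helper names are assumptions for the demonstration.

# Usage: gen_proxy_stanza MODE NICKNAME TARGET_FQDN GATEWAY_FQDN
#   MODE: nc     - "ssh GATEWAY nc %h %p" as in the answers above
#         ssh-w  - "ssh -W %h:%p GATEWAY", no netcat needed (OpenSSH 5.4+)
#         jump   - "ProxyJump GATEWAY" (OpenSSH 7.3+)
gen_proxy_stanza() {
    mode=$1 nick=$2 target=$3 gateway=$4
    printf 'Host %s\n    HostName %s\n' "$nick" "$target"
    case $mode in
        nc)    printf '    ProxyCommand ssh %s nc %%h %%p\n' "$gateway" ;;
        ssh-w) printf '    ProxyCommand ssh -W %%h:%%p %s\n' "$gateway" ;;
        jump)  printf '    ProxyJump %s\n' "$gateway" ;;
        *)     echo "unknown mode: $mode" >&2; return 1 ;;
    esac
}

# Resolve what the client would use for NICKNAME, reading only CONFIG (-F)
# so the user's real ~/.ssh/config cannot interfere. No connection is made.
# Prints the proxycommand/proxyjump line, or a marker if ssh cannot run.
resolve_proxy() {
    cfg=$1 nick=$2
    command -v ssh >/dev/null 2>&1 || { echo ssh-not-installed; return 0; }
    out=$(ssh -G -F "$cfg" "$nick" 2>/dev/null) || { echo ssh-unusable; return 0; }
    echo "$out" | grep -E '^(proxycommand|proxyjump) '
}

tmp=$(mktemp)
gen_proxy_stanza nc foo foo.example.com gateway.example.com > "$tmp"
cat "$tmp"
resolve_proxy "$tmp" foo
rm -f "$tmp"
```

With the nc form, `ssh -G foo` shows the proxycommand the client will spawn; with `jump`, OpenSSH itself turns ProxyJump into an equivalent `ssh -W` proxy command, so the two later forms behave the same and differ only in whether netcat must exist on the gateway.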
Method 4
You can use SSH port forwarding:
ssh server-a -L2022:server-b:22
After this you will have port 2022 on client machine forwarded to port 22 of server-b. And you can connect to it with:
ssh 127.0.0.1 -p 2022
Method 5
Following gelraen’s answer.
You can use port forwarding quite nicely in conjunction with .ssh/config. That is, you set a proxy command for a specific imaginary hostname which does nothing but TCP-forward through an already open tunnel:
Host imag
    ProxyCommand socat - tcp-connect:localhost:2022
Then you can just use ssh imag to connect to server-b:22 when the tunnel is up.
socat is just what I used; netcat should do as well 😉
One nifty thing about ProxyCommand is that it interpolates environment variables – so… give it a try.
Method 6
ssh server1 'ssh server2'
seems a little bit simpler to me. One can even copy files like this:
ssh server1 "ssh server2 'cat myFile'" >myFile
or
ssh server1 "ssh server2 'cat >myFile'" <myFile
All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.