ssh login with a tunnel through intermediate server in a single command?

Is there a way in a single SSH command to login via SSH to a remote server passing through an intermediate server? In essence, I need to create a tunnel to my "bridge server" and via the tunnel to login to the remote server.

For example, I'm trying to compress the following into a single ssh command:

- ssh -N -L 2222:remoteserver.com:22 bridge_userid@bridgemachine.com
- ssh -p 2222 remote_userid@localhost

This currently works, but I would rather be able to squeeze everything into a single command such that if I exit my ssh shell, my tunnel closes at the same time.

I have tried the following in my config but to no avail:

    Host axp
        User remote_userid
        HostName remoteserver.com
        IdentityFile ~/.ssh/id_rsa.eric
        ProxyCommand ssh -W %h:%p bridge_userid@bridgemachine.com

As per @jasonwryan comments and the transparent-mulithop link, I'm able to get the following command working:

    ssh -A -t bridge_userid@bridgemachine.com ssh -A remote_userid@remoteserver.com

but now I would like to package that up neatly into my .ssh/config file, and not quite sure what I need to use as my ProxyCommand. I've seen a couple of links online as well as @boomshadow's answer that requires nc, but unfortunately the AIX server I'm using as my bridge machine does not have netcat installed on it.

Tags: ssh, ssh-tunneling, port-forwarding

edited Jul 15 '15 at 14:47 by Eric B.; asked Jul 14 '15 at 18:26 by Eric B.

ProxyCommand ssh -W %h:%p bridge ... – jasonwryan, Jul 14 '15 at 18:34

@jasonwryan I think I might have something wrong in my config as it is not working. I've got the following in my .ssh/config for my remoteserver: ProxyCommand ssh -W %h:%p bridge_userid@bridgemachine.com. – Eric B., Jul 14 '15 at 18:52

Edit that into your question: it will get lost in the comments. You need to declare the host, Host Remote ... See sshmenu.sourceforge.net/articles/transparent-mulithop.html – jasonwryan, Jul 14 '15 at 19:12

Can't you just log into the bridge server and ssh to your target server from there? – daniel kullmann, Jul 14 '15 at 20:18

@danielkullmann Sure I can. I'm just trying to avoid doing that, and I would rather keep my ssh key on my local machine instead of having to put it on the bridge server as well. – Eric B., Jul 14 '15 at 20:44

2 Answers

The ProxyCommand is what you need. At my company, all the DevOps techs have to use a "jumpstation" in order to access the rest of the VPCs. The jumpstation is VPN access-controlled.

We've got our SSH config set up to automatically go through the jumpstation.

Here is an edited version of my .ssh/config file:

    Host *.internal.company.com
        User jacob
        IdentityFile ~/.ssh/id_rsa
        ProxyCommand ssh -q -A jacob@company-internal-jumphost nc -q0 %h %p

Every time I do an 'ssh' to a server on that 'internal' subdomain, it will automatically jump through the jumpstation first.

Edit:

Here is the entire section of the .ssh/config for the 'Internal' VPC for us to log into it:

    # Internal VPC
    Host company-internal-jumphost
        # (edited out IP for security)
        Hostname 10.210.x.x
        IdentityFile ~/.ssh/id_rsa

    Host 10.210.*
        User ubuntu
        IdentityFile ~/.ssh/company-id_rsa
        ProxyCommand ssh -q -A jacob@company-internal-jumphost nc -q0 %h %p

    Host *.internal.company.com
        User jacob
        IdentityFile ~/.ssh/id_rsa
        ProxyCommand ssh -q -A jacob@company-internal-jumphost nc -q0 %h %p

edited 9 hours ago by Rui F Ribeiro; answered Jul 14 '15 at 21:08 by BoomShadow

Thanks for the suggestion. Unfortunately, I don't have netcat (ie: nc) available on the server. (It's an AIX server) – Eric B., Jul 15 '15 at 1:28

There is a more elegant solution based on ProxyCommand and the -W option which allows you to do things like ssh user@hostA/hostB/hostC to connect to hostC through 2 intermediates, see: dmitry.khlebnikov.net/2015/08/… – galaxy, Sep 4 '15 at 13:39

Will this work if you have a different username on the intermediary hosts? Can you use ssh user@hostA/otheruser@hostB/someone@hostC? – DopeGhoti, Jan 17 '17 at 17:50

@DopeGhoti, yes you can. In my 2nd code block, I've got user 'ubuntu' specified for the 10.210.* hosts. Also, you can change your user on the intermediary host (jump host) using the ProxyCommand. See how I've got "jacob@company....". You can also specify a different user there as well. – BoomShadow, Jan 17 '17 at 18:56

Why not use ssh -W in the ProxyCommand, provided the SSH version isn't too old (5.4)? en.wikibooks.org/wiki/OpenSSH/Cookbook/Proxies_and_Jump_Hosts – 0xC0000022L, Mar 27 '18 at 19:22

If OpenSSH 7.3 or later is used then you can use ProxyJump like this:

    $ ssh -o ProxyJump=user1@gateway user2@remote

If either user is omitted then the local user is implied.

A variation on the indirect login theme is indirect file transfer. You can use scp and rsync with indirect ssh to copy files through the intermediate server.

To copy through the gateway using scp:

    $ scp -oProxyJump=root@gateway myfile user@remote:path

If user is omitted, the local user is used.

The ProxyJump was introduced in OpenSSH 7.3. An alternative is to use ProxyCommand:

    $ scp -oProxyCommand="ssh -W %h:%p root@gateway" myfile user@remote:path

To copy through the gateway using rsync:

    $ rsync -av -e 'ssh -o "ProxyJump root@gateway"' myfile user@remote:path

Or

    $ rsync -av -e 'ssh -o "ProxyCommand ssh -A root@gateway -W %h:%p"' myfile user@remote:path

I paraphrase other answers (on superuser) that cover indirect scp and indirect rsync in more detail.

answered Oct 20 '17 at 8:08 by starfry
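
Added example, not part of either answer: a small POSIX shell/awk audit that reads an ssh_config and reports, per Host stanza, how it reaches its target through the bridge (an nc relay as in the first answer, ssh -W as in the comments, or ProxyJump as in the second answer) and whether the ProxyCommand passes -A to the bridge. The sample config is constructed from the stanzas quoted on this page; the alias axp-w and the function names are made up for the example.

```shell
#!/bin/sh
# Added example: audit jump-host stanzas in an ssh_config.

# Constructed sample, assembled from the stanzas quoted on this page.
# "axp-w" is a made-up alias for the ssh -W variant.
sample_config() {
cat <<'EOF'
# Internal VPC
Host company-internal-jumphost
    Hostname 10.210.x.x
    IdentityFile ~/.ssh/id_rsa

Host *.internal.company.com
    User jacob
    IdentityFile ~/.ssh/id_rsa
    ProxyCommand ssh -q -A jacob@company-internal-jumphost nc -q0 %h %p

Host axp-w
    HostName remoteserver.com
    User remote_userid
    ProxyCommand ssh -W %h:%p bridge_userid@bridgemachine.com

Host axp
    HostName remoteserver.com
    User remote_userid
    IdentityFile ~/.ssh/id_rsa.eric
    ProxyJump bridge_userid@bridgemachine.com
EOF
}

# audit_jump_config: ssh_config on stdin -> one line per proxied stanza:
#   <host pattern>|<method>|<agent>
# method: proxyjump = ProxyJump directive (OpenSSH 7.3+)
#         stdio-W   = ProxyCommand using ssh -W (nothing extra needed on the bridge)
#         nc-relay  = ProxyCommand that runs nc/netcat on the bridge
#         other     = any other ProxyCommand
# agent:  agent-A   = the ProxyCommand passes -A (agent forwarding) to the bridge
#         -         = it does not
audit_jump_config() {
awk '
function emit() {
    if (host != "" && method != "")
        printf "%s|%s|%s\n", host, method, agent
}
{
    # Trim whitespace, skip blanks and comments.
    sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "")
    if ($0 == "" || $0 ~ /^#/) next
    if (!match($0, /^[A-Za-z]+/)) next

    # Split "Keyword value" or "Keyword=value"; keywords are case-insensitive.
    key = tolower(substr($0, 1, RLENGTH))
    val = substr($0, RLENGTH + 1)
    sub(/^[ \t]*=?[ \t]*/, "", val)

    # A new Host/Match line closes the previous stanza.
    if (key == "host" || key == "match") {
        emit(); host = val; method = ""; agent = "-"; next
    }

    # ssh uses the first value it obtains, so only the first proxy directive counts.
    if (method != "" || tolower(val) == "none") next
    if (key == "proxyjump") {
        method = "proxyjump"
    } else if (key == "proxycommand") {
        if (val ~ /(^|[ \t])-W/) method = "stdio-W"
        else if (val ~ /(^|[ \t])(nc|netcat)([ \t]|$)/) method = "nc-relay"
        else method = "other"
        if (val ~ /(^|[ \t])-[A-Za-z0-9]*A[A-Za-z0-9]*([ \t]|$)/) agent = "agent-A"
    }
}
END { emit() }
'
}

sample_config | audit_jump_config
```

Only the nc-relay form needs netcat on the bridge. With ssh -W or ProxyJump the local client authenticates to the target through the tunnel, so the private key stays on the local machine and no agent has to be forwarded to the bridge.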