ssh login with a tunnel through intermediate server in a single command?









4















Is there a way in a single SSH command to login via SSH to a remote server passing through an intermediate server? In essence, I need to create a tunnel to my "bridge server" and via the tunnel to login to the remote server.



For example, I'm trying to compress the following into a single ssh command:



  1. ssh -N -L 2222:remoteserver.com:22 bridge_userid@bridgemachine.com

  2. ssh -p 2222 remote_userid@localhost

This currently works, but I would rather be able to squeeze everything into a single command such that if I exit my ssh shell, my tunnel closes at the same time.



I have tried the following in my config but to no avail:

    Host axp
        User remote_userid
        HostName remoteserver.com
        IdentityFile ~/.ssh/id_rsa.eric
        ProxyCommand ssh -W %h:%p bridge_userid@bridgemachine.com

As per @jasonwryan's comments and the transparent-mulithop link, I'm able to get the following command working:

    ssh -A -t bridge_userid@bridgemachine.com ssh -A remote_userid@remoteserver.com

but now I would like to package that up neatly into my .ssh/config file, and I'm not quite sure what I need to use as my ProxyCommand. I've seen a couple of links online as well as @boomshadow's answer that requires nc, but unfortunately the AIX server I'm using as my bridge machine does not have netcat installed on it.










ssh ssh-tunneling port-forwarding














edited Jul 15 '15 at 14:47 by Eric B.
asked Jul 14 '15 at 18:26 by Eric B.







  • ProxyCommand ssh -W %h:%p bridge...

    – jasonwryan
    Jul 14 '15 at 18:34











  • @jasonwryan I think I might have something wrong in my config as it is not working. I've got the following in my .ssh/config for my remoteserver: ProxyCommand ssh -W %h:%p bridge_userid@bridgemachine.com.

    – Eric B.
    Jul 14 '15 at 18:52











  • Edit that into your question: it will get lost in the comments. You need to declare the host, Host Remote... See sshmenu.sourceforge.net/articles/transparent-mulithop.html

    – jasonwryan
    Jul 14 '15 at 19:12












  • Can't you just log into the bridge server and ssh to your target server from there?

    – daniel kullmann
    Jul 14 '15 at 20:18











  • @danielkullmann Sure I can. I'm just trying to avoid doing that, and I would rather keep my ssh key on my local machine instead of having to put it on the bridge server as well.

    – Eric B.
    Jul 14 '15 at 20:44






















2 Answers
6

The ProxyCommand is what you need. At my company, all the DevOps techs have to use a "jumpstation" in order to access the rest of the VPCs. The jumpstation is VPN access-controlled.

We've got our SSH config set up to go through the jumpstation automatically.

Here is an edited version of my .ssh/config file:

    Host *.internal.company.com
        User jacob
        IdentityFile ~/.ssh/id_rsa
        # %h and %p expand to the target host and port; nc on the jump host relays the connection
        ProxyCommand ssh -q -A jacob@company-internal-jumphost nc -q0 %h %p

Every time I do an 'ssh' to a server on that 'internal' subdomain, it will automatically jump through the jumpstation first.

Edit:
Here is the entire section of the .ssh/config for the 'Internal' VPC for us to log into it:

    # Internal VPC
    Host company-internal-jumphost
        # (edited out IP for security)
        Hostname 10.210.x.x
        IdentityFile ~/.ssh/id_rsa
    Host 10.210.*
        User ubuntu
        IdentityFile ~/.ssh/company-id_rsa
        ProxyCommand ssh -q -A jacob@company-internal-jumphost nc -q0 %h %p
    Host *.internal.company.com
        User jacob
        IdentityFile ~/.ssh/id_rsa
        ProxyCommand ssh -q -A jacob@company-internal-jumphost nc -q0 %h %p








edited 9 hours ago by Rui F Ribeiro
answered Jul 14 '15 at 21:08 by BoomShadow












    • Thanks for the suggestion. Unfortunately, I don't have netcat (ie: nc) available on the server. (It's an AIX server)

      – Eric B.
      Jul 15 '15 at 1:28






    • There is a more elegant solution based on ProxyCommand and the -W option which allows you to do things like ssh user@hostA/hostB/hostC to connect to hostC through 2 intermediates, see: dmitry.khlebnikov.net/2015/08/…

      – galaxy
      Sep 4 '15 at 13:39











    • Will this work if you have a different username on the intermediary hosts? Can you use ssh user@hostA/otheruser@hostB/someone@hostC?

      – DopeGhoti
      Jan 17 '17 at 17:50











    • @DopeGhoti, yes you can. In my 2nd code block, I've got user 'ubuntu' specified for the 10.210.* hosts. Also, you can change your user on the intermediary host (jump host) using the ProxyCommand. See how I've got "jacob@company....". You can also specify a different user there as well.

      – BoomShadow
      Jan 17 '17 at 18:56











    • Why not use ssh -W in the ProxyCommand, provided the SSH version isn't too old (5.4)? en.wikibooks.org/wiki/OpenSSH/Cookbook/Proxies_and_Jump_Hosts

      – 0xC0000022L
      Mar 27 '18 at 19:22


















    • Thanks for the suggestion. Unfortunately, I don't have netcat (ie: nc) available on the server. (It's an AIX server)

      – Eric B.
      Jul 15 '15 at 1:28






    • 2





      There is a more elegant sollution based on ProxyCommand and the -W option which allows you to do things like ssh user@hostA/hostB/hostC to connect to hostC through 2 intermediates, see: dmitry.khlebnikov.net/2015/08/…

      – galaxy
      Sep 4 '15 at 13:39











    • Will this work if you have a different username on the intermediary hosts? Can you use ssh user@hostA/otheruser@hostB/someone@hostC?

      – DopeGhoti
      Jan 17 '17 at 17:50











    • @DopeGhoti, yes you can. In my 2nd code block, I've got user 'ubuntu' specified for the 10.210.* hosts. Also, you can change your user on the intermediary host (jump host) using the ProxyCommand. See how I've got "jacob@company....". You can also specify a different user there as well.

      – BoomShadow
      Jan 17 '17 at 18:56











    • Why not use ssh -W in the ProxyCommand, provided the SSH version isn't too old (5.4)? en.wikibooks.org/wiki/OpenSSH/Cookbook/Proxies_and_Jump_Hosts

      – 0xC0000022L
      Mar 27 '18 at 19:22

















    Thanks for the suggestion. Unfortunately, I don't have netcat (ie: nc) available on the server. (It's an AIX server)

    – Eric B.
    Jul 15 '15 at 1:28





    Thanks for the suggestion. Unfortunately, I don't have netcat (ie: nc) available on the server. (It's an AIX server)

    – Eric B.
    Jul 15 '15 at 1:28




    2




    2





    There is a more elegant sollution based on ProxyCommand and the -W option which allows you to do things like ssh user@hostA/hostB/hostC to connect to hostC through 2 intermediates, see: dmitry.khlebnikov.net/2015/08/…

    – galaxy
    Sep 4 '15 at 13:39





    There is a more elegant sollution based on ProxyCommand and the -W option which allows you to do things like ssh user@hostA/hostB/hostC to connect to hostC through 2 intermediates, see: dmitry.khlebnikov.net/2015/08/…

    – galaxy
    Sep 4 '15 at 13:39













    Will this work if you have a different username on the intermediary hosts? Can you use ssh user@hostA/otheruser@hostB/someone@hostC?

    – DopeGhoti
    Jan 17 '17 at 17:50





    Will this work if you have a different username on the intermediary hosts? Can you use ssh user@hostA/otheruser@hostB/someone@hostC?

    – DopeGhoti
    Jan 17 '17 at 17:50













    @DopeGhoti, yes you can. In my 2nd code block, I've got user 'ubuntu' specified for the 10.210.* hosts. Also, you can change your user on the intermediary host (jump host) using the ProxyCommand. See how I've got "jacob@company....". You can also specify a different user there as well.

    – BoomShadow
    Jan 17 '17 at 18:56


















    Why not use ssh -W in the ProxyCommand, provided the SSH version isn't too old (5.4)? en.wikibooks.org/wiki/OpenSSH/Cookbook/Proxies_and_Jump_Hosts

    – 0xC0000022L
    Mar 27 '18 at 19:22




















    2














    If OpenSSH 7.3 or later is used then you can use ProxyJump like this:



    $ ssh -o ProxyJump=user1@gateway user2@remote


    If either user is omitted then the local user is implied.




    A variation on the indirect login theme is indirect file transfer. You can use scp and rsync with indirect ssh to copy files through the intermediate server.



    To copy through the gateway using scp:



    $ scp -oProxyJump=root@gateway myfile user@remote:path


    If user is omitted, the local user is used.



    The ProxyJump was introduced in OpenSSH 7.3. An alternative is to use ProxyCommand:



    $ scp -oProxyCommand="ssh -W %h:%p root@gateway" myfile user@remote:path


    To copy through the gateway using rsync:



    $ rsync -av -e 'ssh -o "ProxyJump root@gateway"' myfile user@remote:path


    Or



    $ rsync -av -e 'ssh -o "ProxyCommand ssh -A root@gateway -W %h:%p"' myfile user@remote:path


    I paraphrase other answers (on superuser) that cover indirect scp and indirect rsync in more detail.
















        answered Oct 20 '17 at 8:08









        starfry
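Added example, not part of starfry's answer or the comments: a shell helper that picks between the approaches named in this thread from the local client's ssh -V banner, using the 7.3 (ProxyJump) and 5.4 (ssh -W) thresholds quoted above. The function names, the gateway character whitelist and the netcat form used for pre-5.4 clients are assumptions of this example.

```shell
#!/bin/sh
# Added example: choose the hop option from the local client's `ssh -V` banner.
# Thresholds from the thread: ProxyJump needs OpenSSH 7.3+, "ssh -W" needs 5.4+.

# Print "major minor" for a banner such as "OpenSSH_7.2p2 Ubuntu-4ubuntu2.8, ...".
parse_openssh_version() {
    printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p'
}

# Print one value for "ssh -o". $1: banner text, $2: gateway as [user@]host.
jump_option() {
    banner=$1 gateway=$2

    # The gateway string can end up inside ProxyCommand, which ssh hands to a
    # shell, so refuse anything that is not a plain [user@]host (assumed
    # whitelist) and anything that ssh could read as an option.
    case $gateway in
        ''|-*|*[!A-Za-z0-9._@-]*)
            echo "refusing unsafe gateway: $gateway" >&2
            return 2 ;;
    esac

    ver=$(parse_openssh_version "$banner")
    [ -n "$ver" ] || { echo "unrecognised ssh banner" >&2; return 2; }
    major=${ver% *} minor=${ver#* }

    # Compare numerically: as strings, "10.0" would sort below "7.3".
    if [ "$major" -gt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -ge 3 ]; }; then
        printf 'ProxyJump=%s\n' "$gateway"
    elif [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 4 ]; }; then
        # -W is handled by the ssh client and the gateway's sshd, so no nc is
        # needed on the gateway, but its sshd must permit TCP forwarding.
        printf 'ProxyCommand=ssh -W %%h:%%p %s\n' "$gateway"
    else
        # Pre-5.4 clients: relies on nc being installed on the gateway.
        printf 'ProxyCommand=ssh %s nc %%h %%p\n' "$gateway"
    fi
}

# Usage (not run here):
#   ssh -o "$(jump_option "$(ssh -V 2>&1)" root@gateway)" user@remote
```

The same returned value can be passed to scp with -o, since scp forwards -o options to ssh.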



























