{"id":351,"date":"2013-06-16T01:13:40","date_gmt":"2013-06-16T08:13:40","guid":{"rendered":"http:\/\/blog.ls-al.com\/?p=351"},"modified":"2013-06-16T16:20:35","modified_gmt":"2013-06-16T23:20:35","slug":"ssh-tunnelling-via-intermediate-host","status":"publish","type":"post","link":"https:\/\/blog.ls-al.com\/ssh-tunnelling-via-intermediate-host\/","title":{"rendered":"Ssh tunnelling via intermediate host"},"content":{"rendered":"

I recently needed to copy files using scp, while not able to copy directly to the target host.\u00a0 I had to use an intermediate firewall host. \u00a0There are a few ways to get this done, and most require netcat (nc) on the intermediate host for copying.<\/p>\n

Keep in mind that using -t<\/strong> for just an ssh shell connection will work:<\/p>\n

\r\n$ ssh -t rrosso@backoffice.domain.com ssh admin@10.24.0.200\r\n<\/pre>\n

If you need scp, below is a way to get this done when netcat is not a possibility.<\/p>\n

In a new terminal do this (the command won't return a prompt; leave the terminal open):<\/p>\n

\r\n$ ssh rrosso@backoffice.domain.com -L 2000:10.24.0.200:22 -N\r\n<\/pre>\n

In a new terminal, ssh as follows:<\/p>\n

\r\n$ ssh -p 2000 admin@localhost\r\n<\/pre>\n

Scp as follows:<\/p>\n

\r\n$ scp -P 2000 testfile admin@localhost:\/tmp\r\n<\/pre>\n

Sftp is also possible:<\/p>\n

\r\n$ sftp -P 2000 admin@localhost\r\n<\/pre>\n

Update 1:<\/span><\/span><\/strong>\u00a0 The above will work fine, but you can also consider the following to make things more transparent.<\/p>\n

\r\n$ vi .ssh\/config\r\nHost *\r\n ServerAliveCountMax 4\r\n #Note default is 3\r\n ServerAliveInterval 15\r\n #Note default is 0\r\n#snip\r\nhost work-tunnel\r\n hostname backoffice.domain.com\r\n port 22\r\n\r\n # SSH Server\r\n LocalForward localhost:2000 10.24.0.200:22\r\n user rrosso\r\n\r\n# Aliases as follows\r\nhost myhost.domain.com\r\n hostname localhost\r\n port 2000\r\n user admin\r\n<\/pre>\n

Then connect the tunnel first (use ssh -v<\/strong> while still troubleshooting):<\/p>\n

\r\n$ ssh work-tunnel\r\n<\/pre>\n

Leave the above terminal open to keep the tunnel going. Now you can run commands in new terminals with the same syntax as if no tunnel were required.<\/p>\n

\r\n$ scp testfile myhost.domain.com:\/tmp\r\n$ ssh myhost.domain.com\r\n<\/pre>\n

That should do it for ssh shells.<\/p>\n

Example for other ports:<\/strong><\/span><\/p>\n

Note that you can forward a lot of other ports in a similar fashion.\u00a0 Here is an example you could play with.<\/p>\n

\r\nHost workTunnel\r\n    HostName ssh.domain.com\r\n    Port 5001\r\n    # SMTP Server\r\n    LocalForward localhost:2525 smtp.domain.com:25\r\n    # Corporate Wiki.  Using IP address to show that you can.\r\n    LocalForward localhost:8080 192.168.0.110:8080\r\n    # IMAP Mail Server\r\n    LocalForward localhost:1430  imap.pretendco.com:143\r\n    # Subversion Server\r\n    LocalForward localhost:2222  svn.pretendco.com:22\r\n    # NFS Server\r\n    LocalForward localhost:2049  nfs.pretendco.com:2049\r\n    # SMB\/CIFS Server\r\n    LocalForward localhost:3020  smb.pretendco.com:3020\r\n    # SSH Server\r\n    LocalForward localhost:2220  dev.pretendco.com:22\r\n    # VNC Server\r\n    LocalForward localhost:5900  dev.pretendco.com:5900\r\n\r\n### Hostname aliases ###\r\n### These allow you to mimic hostnames as they appear at work.\r\n### Note that you don't need to use a FQDN; you can use a short name.\r\nHost smtp.domain.com\r\n    HostName localhost\r\n    Port 2525\r\nHost wiki.domain.com\r\n    HostName localhost\r\n    Port 8080\r\nHost imap.domain.com\r\n    HostName localhost\r\n    Port 1430\r\nHost svn.domain.com\r\n    HostName localhost\r\n    Port 2222\r\nHost nfs.domain.com\r\n    HostName localhost\r\n    Port 2049\r\nHost smb.domain.com\r\n    HostName localhost\r\n    Port 3020\r\nHost dev.domain.com\r\n    HostName localhost\r\n    Port 2220\r\nHost vnc.domain.com\r\n    HostName localhost\r\n    Port 5900\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"

I recently needed to copy files using scp, while not able to copy directly to the target host.\u00a0 I had<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9,21],"tags":[],"class_list":["post-351","post","type-post","status-publish","format-standard","hentry","category-linux","category-ssh"],"_links":{"self":[{"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/posts\/351","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/comments?post=351"}],"version-history":[{"count":0,"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/posts\/351\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/media?parent=351"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/categories?post=351"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.ls-al.com\/wp-json\/wp\/v2\/tags?post=351"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}