14

In order to ssh into my work computer from home, let's call it C, I have to do the following:

ssh -t user@B ssh C

B is a server that I can connect to from home but C can only be connected to from B. This works fine.

If I want to copy a file that is on C to my home computer using scp, what command do I need from my home computer?

DopeGhoti
  • 76,081
Simd
  • 335

3 Answers

17

I’d suggest the following in your .ssh/config:

Host C
    User user
    ProxyCommand ssh -W %h:%p user@B

It’s much safer if host B is untrusted, and works for scp and sftp.

user2233709
  • 1,669
10

As described in this answer, you can use the ProxyCommand directive to have an ssh host bounce you to a third host transparently:

Let's say you have the following three hosts:

  • workstation.example.com - This is the machine you're physically working on
  • proxy.example.com - This is the machine you're routing your SSH traffic through
  • endpoint.example.com - This is where you want the traffic to ultimately end up

In ~/.ssh/config on workstation, add the following:

Host endpoint
    # set User to the username on the endpoint host
    User endpointUser
    HostName endpoint.example.com
    ProxyCommand ssh proxyusername@proxy.example.com nc %h %p 2> /dev/null

On the proxy host, make sure nc (netcat) is installed.

Then, on workstation, you can ssh endpoint or sftp endpoint and you will be transparently proxied to the machine by way of your proxy host. scp will also work.

DopeGhoti
  • 76,081
  • What permissions does .ssh/config need? – Simd Apr 03 '17 at 16:12
  • 0644; the configuration needs to be readable by the ssh client. – DopeGhoti Apr 03 '17 at 16:13
  • 1
    @Lembik chmod 0711 ~/.ssh; chmod 0600 ~/.ssh/config – Satō Katsura Apr 03 '17 at 16:14
  • I prefer ssh -W over ssh nc because nc might be missing in the proxy host. – user2233709 Apr 03 '17 at 16:16
  • Generally inclined to agree, but I have had issues where using netcat worked and ssh -W did not, so I tend to fall back on netcat. – DopeGhoti Apr 03 '17 at 16:18
  • @DopeGhoti Good to know, if I ever have problems with ssh -W. – user2233709 Apr 03 '17 at 16:20
  • Sadly it's not working for me. It asks for my password for proxy.example.com but never asks for the password for endpoint.example.com. Ends with "ssh_exchange_identification: Connection closed by remote host". See https://bpaste.net/show/5ef06924ef3e – Simd Apr 03 '17 at 16:22
  • If you have different usernames at the proxy and the endpoint, be sure to specify them as shown. You could also use keypair authentication on both hosts to not need to present your password (after giving your private key's passphrase, of course). – DopeGhoti Apr 03 '17 at 16:24
  • The username for B and C are the same as each other but different from my local user name. – Simd Apr 03 '17 at 16:27
  • Okay, so in the configuration, specify that username both on the User line and in the ProxyCommand line (i.e. replace proxyuser with the actual username). – DopeGhoti Apr 03 '17 at 16:28
7

It's possible and relatively easy, even when you need to use certificates for authentication (typical in AWS environments).

The command below will copy files from a remotePath on server2 directly into your machine at localPath. Internally the scp request is proxied via server1.

scp -i user2-cert.pem -o ProxyCommand="ssh -i user1-cert.pem -W %h:%p user1@server1" user2@server2:/<remotePath> <localpath>

If you use password authentication instead, try with

scp -o ProxyCommand="ssh -W %h:%p user1@server1" user2@server2:/<remotePath> <localpath>

If you use the same user credentials in both servers:

scp -o ProxyCommand="ssh -W %h:%p commonuser@server1" commonuser@server2:/<remotePath> <localpath>
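
An added example, not part of any answer above: a small shell check for the two points raised in the answers and comments, the permissions on ~/.ssh/config and whether a ProxyCommand depends on nc being installed on the jump host or uses ssh -W. The function names and the sample config are constructed for illustration, and the parser assumes "Keyword value" lines with one name per Host line.

```shell
# Added example: audit an OpenSSH client config for the points discussed above.
# Assumes "Keyword value" lines (not "Keyword=value") and one name per Host line.
# audit_ssh_config FILE: print findings; return 1 if any were found, 0 if clean.
audit_ssh_config() {
    cfg=$1
    out=$(
        # ssh refuses a per-user config that group or others can write to.
        if [ -n "$(find "$cfg" -prune \( -perm -020 -o -perm -002 \))" ]; then
            echo "perms: writable by group or others (chmod 0600)"
        fi
        awk '
            $1 ~ /^#/ || NF == 0 { next }          # skip comments and blank lines
            tolower($1) == "host" { host = $2; next }
            tolower($1) == "proxycommand" {
                style = "other"
                for (i = 2; i <= NF; i++) {
                    if ($i == "-W") style = "stdio"
                    if ($i == "nc" && style == "other") style = "nc"
                }
                if (style == "nc")
                    print "proxy: Host " host " needs nc on the jump host; ssh -W does not"
                else if (style == "other")
                    print "proxy: Host " host " has an unrecognised ProxyCommand"
            }
        ' "$cfg"
    )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample: the two ProxyCommand styles from the answers above.
write_sample_config() {
    cat > "$1" <<'EOF'
Host C
    User user
    ProxyCommand ssh -W %h:%p user@B
Host endpoint
    User endpointUser
    HostName endpoint.example.com
    ProxyCommand ssh proxyusername@proxy.example.com nc %h %p 2> /dev/null
EOF
    chmod 0600 "$1"
}

demo=$(mktemp -d)
write_sample_config "$demo/config"
audit_ssh_config "$demo/config" || true
rm -rf "$demo"
```

Run it against your own file with audit_ssh_config ~/.ssh/config; a zero exit status means neither condition was found.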