45

Possible Duplicate:
ssh via multiple hosts

For connecting to server B I have to first ssh to server A. What's the command line to access server B?

Omid

2 Answers

70

If server B is reachable via ssh and you only need ssh (not direct scp or sftp), this also works very well:

ssh -t $SERVER_A ssh $SERVER_B

The -t option forces allocation of a pseudo-tty even when running a single command at the other end. This is helpful, since ssh needs a pseudo-tty.

Since you're using two nested instances of ssh, the escape character in the inner session is Enter ~ ~ (two tildes). One tilde will send the escape to the first shell.

Alexios
  • 5
    Extra tip: you can add the -A argument to pass through your identity keys. For example: ssh -A -t $SERVER_A ssh -A $SERVER_B, great solution for one of those oh-I-can't-access-this-server-directly-but-hey-I-can-reach-it-via-that-server-with-key-auth – Yvo Oct 19 '15 at 17:02
  • 2
    @Zyphrax ssh -A -t ssh -A doesn't work for forwarding the private key for me. It says - "Permission denied (publickey)". Am I wrong somewhere? – shivshnkr Apr 09 '17 at 02:46
  • @shivshnkr That's strange, it works fine for me. Does your command look like this? ssh -A -t user@host1.domain.com ssh -A host2.domain.com. You can also add user@ to host2.domain.com, but I don't think that is necessary. – Yvo Apr 11 '17 at 20:41
  • Yes, the command is exactly the same: ssh -A -t @X1 ssh -A @X2. If I copy my private key to ~/.ssh/id_rsa in X1 host, it works but not the other way. Weird. Do we need some extra configuration in ~/.ssh/config too? – shivshnkr Apr 12 '17 at 03:43
  • I don't believe any extra configuration is necessary. Are you testing (like me) on MacOS? – Yvo Apr 20 '17 at 00:31
  • @shivshnkr I know what might be the issue with Permission denied (publickey). In your first part of the command you should take care that you specify a user that exists on the first server. For example: ssh -A -t host1-user@host1.domain.com ssh -A host2-user@host2.domain.com. Both servers should have your local public key in their authorized_keys files. – Yvo Dec 01 '17 at 02:18
  • What if I specify the key file using -i <path-to-key>? – Gtx Nov 22 '18 at 05:25
21

There isn't a built-in way in ssh to do this, other than to use port forwarding.

However, there is a way that works reasonably well - the ProxyCommand setting for ssh. You can specify that on a per-host basis in ~/.ssh/config and use it to specify the command to run to connect to the remote ssh port.

I use this on several hosts:

host serverB.example.com serverB
  ProxyCommand /usr/bin/ssh serverA.example.com /usr/bin/nc %h %p

See the ssh(1) manual page for the details, and nc(1) from the netcat package for the command I am using to forward on the connection. (You can use anything that makes a TCP connection and passes standard input and output through it, though.)

  • I replaced /usr/bin/nc with ssh. Then, after it asks for the password of serverA, I get this error(s): Permission denied, please try again. Permission denied, please try again. Permission denied (publickey,password). ssh_exchange_identification: Connection closed by remote host – Omid Jun 24 '12 at 07:20
  • There's no need to replace nc there. See, it's used for creating a TCP connection from serverA to serverB, which the ssh serverB command then uses to talk SSH. – sr_ Jun 24 '12 at 09:22
  • 15
    Just for the record, newer versions of ssh support the -W option; you can do something like ProxyCommand ssh -W %h:%p gateway instead of depending on nc – Ulrich Dangel Jun 24 '12 at 09:48
  • 1
    @sr_: You are right! I thought it was mc (midnight commander) – Omid Jun 24 '12 at 19:39
  • @UlrichDangel you should add that as an answer to the other question: it is not included there. – jasonwryan Jun 24 '12 at 20:05
  • @jasonwryan OK, I added a comment. I don't think it's necessary to add an extra answer, as the underlying technique (ProxyCommand) is already described – Ulrich Dangel Jun 24 '12 at 23:40
  • Pay attention to the keys you are using: the final server still needs to trust the key your client is giving. I had some trouble where the server only trusted the bastion key, and ssh complained about permissions. – igorsantos07 Sep 10 '18 at 06:01
  • In case someone else finds this question while looking for it -- https://askubuntu.com/a/1301548/444824 describes a method that works as of OpenSSH 7.3 – taxilian Jan 11 '21 at 16:18
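
Added example, not part of any answer or comment above: a client-side ~/.ssh/config that puts the ProxyCommand forms from this answer and its comments side by side with the ProxyJump option available as of OpenSSH 7.3. The aliases b-nc, b-w and b-jump are hypothetical names chosen for illustration; the host names are the example names used in the answer.

```sshconfig
# ~/.ssh/config on the client (added example; aliases are hypothetical).

# Settings shared by all three aliases.
Host b-nc b-w b-jump
    HostName serverB.example.com
    # The client authenticates to serverB itself, through the tunnel, so
    # serverB must trust the client's key and the agent does not have to
    # be forwarded to serverA. "no" is also the OpenSSH default.
    ForwardAgent no

# 1. The answer's form: nc on serverA relays the TCP stream to serverB.
#    Requires nc to be installed on serverA.
Host b-nc
    ProxyCommand /usr/bin/ssh serverA.example.com /usr/bin/nc %h %p

# 2. The -W form from the comments: ssh on serverA forwards stdin/stdout
#    to %h:%p, so no extra tool is needed on serverA.
Host b-w
    ProxyCommand ssh -W %h:%p serverA.example.com

# 3. OpenSSH 7.3 and later: ProxyJump (command-line equivalent: ssh -J).
Host b-jump
    ProxyJump serverA.example.com
```

With any of the three, `ssh b-jump` (or `b-nc`, `b-w`) opens a session on serverB, and scp and sftp work through the same aliases.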