11

Is there a way, in a single command, to establish a ssh connection from my computer A, through computer B, to computer C, such that I have access to the shell on computer C?

A wrinkle (which seems to rule out simply forwarding the ssh connection using the -L option) is that I have the password to the account on computer B, and the account on computer B is authorized to connect to the account on computer C, but I do not have the password to the account on computer C.

sanity
  • related: https://askubuntu.com/questions/311447/how-do-i-ssh-to-machine-a-via-b-in-one-command , https://unix.stackexchange.com/questions/25055/ssh-via-multiple-hosts – Trevor Boyd Smith Mar 06 '19 at 14:35

4 Answers

8

I understood that you want just to log in to the computer C, not really tunnel anything from A to C. So, this should do the trick:

ssh -t computer-b "ssh computer-c"

You might have to enter passwords twice, first for computer B and then for computer C, but this can be avoided by using ssh's key-pair authentication.

af.
  • Thanks - it works! If I may be so bold as to ask a follow-up. Any ideas how I can scp a file from A to C in a single command? – sanity Aug 25 '09 at 13:35
  • That's a bit tricky. It could be done by adding tar to the mix, but if it's only one file and computer B has the disk space to hold it for a while, it's a lot easier to copy it in two steps. – af. Aug 25 '09 at 13:40
  • You can also do this three times! `ssh -t computer-b "ssh -t computer-c 'ssh computer-d'"` :D – gak Aug 01 '13 at 02:06
0

You probably want to use SSH's ProxyCommand: http://benno.id.au/blog/2006/06/08/ssh_proxy_command

Amandasaurus
  • I can't find a way to make this work because I don't have the password for computer C, and this approach seems to require it. Open to suggestions though as this approach does seem more elegant. – sanity Aug 25 '09 at 14:05
0

If you're using ssh keys, you could generate a new key for machine B and use that to connect from A to B. On machine B, you can add

command="ssh C" ssh-....

in the ~/.ssh/authorized_keys file. That means that whenever you connect to B with that ssh key, it will execute the ssh C command.

I don't know if this works with scp.

Amandasaurus
0

Use ProxyCommand

See man ssh_config. I recommend making use of ProxyCommand. Let's take your original scenario:

  • Computer A (your computer)
  • Computer B (a proxy hostname)
  • Computer C (only reachable via SSH from Computer B)

Edit ~/.ssh/config with the following contents.

Host computerb
    HostName <hostname or IP of Computer B>

Host computerc 192.168.35.*
    ProxyCommand ssh computerb nc -w 180 %h %p

Now you'll be able to transparently reach Computer C. e.g.

ssh computerc

Advantages of this method

More secure

You only need your private key to be on Computer A (your computer). The nc command will act as a proxy through which SSH will encrypt traffic. This includes authentication. It is a very bad idea to distribute your private key to multiple servers (as any compromised server with your private key ultimately compromises your private key).

Matches Multiple destinations

One can match multiple destination computers using Host: a single computer, or any computer within a specific network (e.g. 192.168.35.0/24 in the above example), can be set to proxy through Computer B. It also serves as an alias.

ssh 192.168.35.27

In the above example, it will proxy through Computer B to get to the IP address.

Daisy chain proxies

Using this method you can daisy chain as many automatic proxies as necessary. e.g. you can add a Computer D which is only reachable from Computer C and it will work transparently.

Host computerd
    ProxyCommand ssh computerc nc -w 180 %h %p

ssh computerd will automatically proxy through Computer C and Computer B in the above ssh_config examples.

Sam Gleske
  • I'm using [ProxyJump](https://man.openbsd.org/ssh_config.5#ProxyJump) instead of ProxyCommand and it works fine. It seems there are now more options. – fgiraldeau Mar 27 '20 at 14:07
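
The jump-host setup from the answer above, written with ssh's own forwarding (ProxyJump, or ProxyCommand with -W) instead of nc. This is an added example, not part of the original answer or comment; the host aliases follow the answer, and `bastion.example.net` is a placeholder for Computer B's real hostname or IP.

```sshconfig
# Added example: ~/.ssh/config on Computer A (your computer).

# Placeholder hostname: replace with Computer B's hostname or IP.
Host computerb
    HostName bastion.example.net

# OpenSSH 7.3 and later: ProxyJump opens the connection to Computer C
# through Computer B. nc does not have to be installed on Computer B.
Host computerc 192.168.35.*
    ProxyJump computerb

# OpenSSH 5.4 to 7.2 have no ProxyJump. The equivalent there is stdio
# forwarding with -W, which also replaces "nc -w 180 %h %p":
#
# Host computerc 192.168.35.*
#     ProxyCommand ssh -W %h:%p computerb

# Daisy chain: Computer D is reached via Computer C, which is itself
# reached via Computer B because of the entry above.
Host computerd
    ProxyJump computerc
```

In each of these forms the ssh client on Computer A authenticates to Computer C itself, end to end through the forwarded connection. A key that exists only on Computer B is therefore not used for the login to Computer C.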