14

We have the following situation:

  1. My machine
  2. A gateway machine
  3. The target machine

I have no root rights on either #2 or #3. I also cannot really store information (no more than 200 MiB) on machine #2 (since it is meant to be a gateway into the rest of the network, not more than that). On machine #3 there is a folder, about 3 GiB in size, that I want to copy to local. I cannot SSH from #1 to #3, but I can SSH to #2 and then to #3. It is also not possible to set up a public/private keypair between #2 and #3, but there is a keypair installed between #1 and #2.

Normally I use the combination of SSH and tar to get this done:

ssh name@host "tar cf - folder" > folder.tar

But in this case that would require some sort of nesting, and I cannot seem to get this done.

So, what would be a good way to get the data from #3 to #1?

Freiheit
Cheiron

2 Answers

27

You can create an SSH tunnel through machine2, then in another session connect to the tunnel.

For example, open two CLI sessions on machine1. In the first session run the following:

MACHINE1$ ssh -L 2022:MACHINE3:22 <user>@MACHINE2

In the second session run the following:

MACHINE1$ ssh -p 2022 <user>@localhost

What's happening with the first command is a local port (2022 on machine1) is being tunneled to port 22 on machine3 using your SSH connection to machine2.

With the second command you are connecting to the newly opened local port (2022) and it's like you're connecting directly to machine3.

Now if you want to use your typical file transfer process you could do the following:

ssh -p 2022 <user>@localhost "tar cf - /path/to/remote/directory/" > filename.tar

Alternatively, you can familiarise yourself with rsync and do something like this instead:

rsync -aHSv --progress -e 'ssh -p 2022' <user>@localhost:/path/to/remote/directory/ /path/to/local/directory/

Assuming the end goal isn't to get a tarball.

Cheiron
Gene
  • 2
    Using `ProxyCommand` and `ssh -W` the two `ssh` commands can be combined into a single command line. If you have a very recent version of the OpenSSH client there is an argument which will let you do it all with a single `ssh` command. – kasperd Sep 21 '17 at 18:20
  • I use tar because transferring a lot of files takes more time than transferring one big file. Does rsync solve this? – Cheiron Sep 24 '17 at 12:10
  • When doing remote transfers rsync checksums the data in transit (on the receiving end, before it writes it to disk), so it will take more time to transfer a file. However, that's time well spent. – Gene Oct 12 '17 at 18:52
5

You can also use the Master session capability of newer versions of SSH. It's described here:

https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Multiplexing

Probably all that you need is to edit/create your .ssh/config. Add definitions there which control the Master sessions:

ControlMaster auto
ControlPath ~/.ssh/cm_socket/%r@%h:%p
ControlPersist 4h
ServerAliveInterval 30

Then you can specify your first hop server definition like:

Host first_hop
Hostname <your first host FQDN or IP>
User <your user>

And the second hop will use your first hop server as proxy:

Host second_hop
Hostname <your second host FQDN or IP>
User <your user>
ProxyCommand ssh -W %h:%p first_hop

Don't forget to create the ~/.ssh/cm_socket directory, and the config permissions should be 644.

Then you should be able to SSH or SCP directly to/from your second server. There can be more servers chained like this.

IMSoP
Jaroslav Kucera
  • 3
    From reading your link, I don't think Multiplexing / `ControlMaster` is needed in order to do the proxying. The more relevant page in that wikibook is this one: https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Proxies_and_Jump_Hosts – IMSoP Sep 21 '17 at 13:23
  • Yes, I agree. There are multiple ways. However I consider the Master session the most elegant. It's just about personal preferences ;-) – Jaroslav Kucera Sep 22 '17 at 06:55
  • One or other of us had misunderstood something. As far as I can see, the "master connection" is about making efficient use of network resources, and has nothing to do with the question. It's not a different way of doing it, it's just irrelevant to the task at hand. – IMSoP Sep 23 '17 at 12:52
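
Added example, not part of either answer or its comments: the question's `ssh ... "tar cf -" > folder.tar` transfer done in one command through the gateway, using OpenSSH's `-J` option (ProxyJump, available from OpenSSH 7.3), which does the same job as the `ProxyCommand ssh -W %h:%p first_hop` line above. `SSH_BIN`, `shquote` and `pull_dir` are names invented for this example, and it assumes a POSIX shell and `tar` on both ends.

```shell
#!/bin/sh
# Added example, not code from the original page.
# SSH_BIN is an assumption of this example: it lets the ssh client be replaced
# by a stub so the function can be exercised without a network.
SSH_BIN="${SSH_BIN:-ssh}"

# shquote STRING: single-quote STRING for the remote shell, so spaces or
# metacharacters in a path cannot alter the remote command.
shquote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# pull_dir GATEWAY TARGET REMOTE_DIR LOCAL_TAR
#   e.g. pull_dir user@gateway user@target /path/to/folder folder.tar
# With -J the gateway only relays the encrypted TCP stream: nothing is written
# to its disk, authentication to TARGET is performed by this machine (no key
# or password is needed on the gateway), and TARGET's host key is recorded
# under its own name instead of [localhost]:2022.
# The body is a subshell, so umask and variables do not leak to the caller.
pull_dir() (
    gateway=$1 target=$2 remote_dir=$3 out=$4
    umask 077    # archive readable by the owner only
    parent=$(shquote "$(dirname -- "$remote_dir")")
    # "./" prefix: a directory name starting with "-" is not read as an option
    name=$(shquote "./$(basename -- "$remote_dir")")
    "$SSH_BIN" -J "$gateway" "$target" "tar cf - -C $parent $name" \
        > "$out.part" || { rm -f -- "$out.part"; exit 1; }
    # A dropped connection can leave a truncated stream; list the archive
    # before accepting it under its final name.
    tar tf "$out.part" > /dev/null || { rm -f -- "$out.part"; exit 1; }
    mv -- "$out.part" "$out"
)
```
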