How to (S)FTP to hidden server?

0

1

Not sure how to phrase this exactly. I have a school web server which I have to access by sshing to one server, and then from there ssh to another. Is there any way I can set something up to bypass the first server, so I can access the 2nd server directly?


Perhaps I should mention that I'm working from my home Windows machine. I've mentioned sshing, but like the title says, I want to FTP my files using something like FileZilla, not some command-line interface (PuTTY).

mpen

Posted 2009-10-06T16:52:37.973

Reputation: 9 109

@Arjan true, but better answers have arisen. how are dupes handled? does the original get links to the dupes, or do we have to replicate useful answers to the original by hand? (yes i know that's better for meta....) – quack quixote – 2009-10-06T17:39:03.323

@~quack, true, meanwhile answers have been posted that were not posted at the other question. Too bad, if you'd ask me, but well. – Arjan – 2009-10-06T21:15:13.263

Answers

0

Just found out you can use PuTTY to set up a tunnel, and then connect to it with whatever FTP program you want. Works great :)

(For whoever needs that solution as well: see How to transfer files when given two SSH accounts?)

ExpanDrive also works wonderfully and is incredibly easy to use.

mpen

Posted 2009-10-06T16:52:37.973

Reputation: 9 109

If you remember, could you elaborate on how to set this up? In other words, which commands to use in PuTTY and then which settings to use in an FTP client? – Bram Vanroy – 2016-03-25T19:57:41.517

@BramVanroy Uhh..no, I don't remember how exactly. PuTTY has a Tunnels and Proxy option, maybe one of those will be useful? Maybe also take a look at WinSCP if you need SFTP. These days I'd probably just SSH into one server and then SSH into the next. It's rare that I need to send files through a tunnel. – mpen – 2016-03-27T00:39:45.233

Thanks a lot! I looked WinSCP up and they have a really nice guide for this. So, I added my own illustrative answer below. Thanks for the directions! – Bram Vanroy – 2016-03-27T10:03:41.783

3

You might want to check out OpenSSH's ProxyCommand, which allows you to specify an arbitrary command to establish a tunnel. In this case, you'd use an ssh connection to the first server, running something like netcat to connect to the second server. This is especially handy if you use public key authentication to connect to the first server; otherwise, you need to enter two passwords.

The relevant .ssh/config-snippet looks like this:

Host hidden-server
    HostKeyAlias hidden-server
    ProxyCommand ssh first-server nc -w1 hidden-server 22

mmarx

Posted 2009-10-06T16:52:37.973

Reputation: 76

Hang on, I put this file on the first server? – mpen – 2009-10-06T18:19:19.327

you'd use this on your local client. the client is your starting point. the first-server is the proxy, the route you need to take to get to your destination. the hidden-server is the destination. – quack quixote – 2009-10-06T18:57:09.830

My local machine is Windows... I've been using PuTTY... how would this work? – mpen – 2009-10-06T20:44:57.083

it's an OpenSSH feature, which is a particular SSH implementation. PuTTY doesn't use .ssh/config so you'd need to install OpenSSH (via Cygwin is one way) or use a different solution. – quack quixote – 2009-10-07T00:05:16.463

2

After @mpen linked me to WinSCP I simply followed the directions there, and made it work with FileZilla. The process is the same as described here.

These directions are for Windows only.

  1. Make sure you have downloaded PuTTY somewhere. Simply having putty.exe is sufficient (the command line interface), e.g. on your desktop.
  2. Have an SFTP client installed (FileZilla or WinSCP, for instance).
  3. Run this code from the command line (the first path is obviously the directory where to execute the command):

C:\Users\<username>\Desktop> .\putty.exe <tunnel.server> -L 3111:<server-destination>:22

Example:

C:\Users\Bram\Desktop> .\putty.exe my.domain.com -L 3111:sub.domain.com:22

  4. Open up your SFTP client and use your normal credentials, but instead of the server address you use localhost with port 3111.
  5. You're done. Don't forget to keep the tunnel open until you're done!

Bram Vanroy

Posted 2009-10-06T16:52:37.973

Reputation: 1 486

WinSCP supports tunneled connections directly, so there’s no need to run an extra program. – Daniel B – 2016-03-27T10:59:18.477

@DanielB I see, I used FileZilla so I wasn't sure. – Bram Vanroy – 2016-03-28T19:49:02.580

1

~/.ssh/config:

Host internalmachine.mynet.com
    ProxyCommand ssh gateway.mynet.com exec nc %h %p

phresus

Posted 2009-10-06T16:52:37.973

Reputation: 866

And then what? When I try to connect to the first server via my favorite ftp program it will reroute to the 2nd server? – mpen – 2009-10-06T18:33:22.980

Rather than 2 SSH connections, this will get you straight to the internal host, so whatever you normally do once you get to that point will work.

Notably, this is only going to work for SSH. Not FTP. – phresus – 2009-10-06T18:53:03.083

If you want to do this via FTP, the easiest way would be to set up SSH port forwarding via the same ProxyCommand. – phresus – 2009-10-06T18:53:41.693
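Added example, not written by any of the posters above: a client-side `~/.ssh/config` that combines the ProxyCommand answers with the port-3111 tunnel from the PuTTY answer, using OpenSSH's built-in jump-host options instead of `nc`. `first-server`, `hidden-server` and port 3111 are the placeholders already used on this page; the alias `hidden-tunnel` is a hypothetical name chosen for the example.

```sshconfig
# ~/.ssh/config on the local client (added example; first-server and
# hidden-server are the placeholder names used in the answers above)

# Direct SSH/SFTP/SCP to the hidden server through the first one.
Host hidden-server
    HostKeyAlias hidden-server
    # OpenSSH 7.3 and later: built-in jump host, no nc needed on first-server
    ProxyJump first-server
    # OpenSSH 5.4 to 7.2: same effect using ssh's own stdio forwarding
    # ProxyCommand ssh -W %h:%p first-server

# Tunnel for a GUI SFTP client: start it with "ssh -N hidden-tunnel"
# (hidden-tunnel is a hypothetical alias), then point the client at
# localhost port 3111.
Host hidden-tunnel
    HostName first-server
    # Bind to loopback only so other machines on the LAN cannot use the tunnel
    LocalForward 127.0.0.1:3111 hidden-server:22
    GatewayPorts no
    # Fail at startup if port 3111 cannot be bound, rather than running
    # without the forward
    ExitOnForwardFailure yes
```

With the first stanza, `sftp hidden-server` or `scp file hidden-server:` goes straight through the first server. A client connecting to localhost:3111 is shown hidden-server's host key, so compare its fingerprint with the one seen when logging in the two-hop way before accepting it.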

0

Well, it depends. If the second server actually has a routable address (i.e., its IP doesn't start with 10 or 192.168 or 172.16..-172.31..), then it should be possible. Except that its SSH server might only allow connections from the first server that you connect to. There are good security reasons for doing this - namely, that a public SSH server that does something important (like serving web pages) generally likes to be accessible from only a few IP addresses in order to keep people from breaking the passwords with dictionary attacks.

We are not the people to ask this question of. You should ask the administrator of the system in question why this is, and possibly if you can get your (fixed!) IP address set up as a trusted address on the final SSH server.

Ernie Dunbar

Posted 2009-10-06T16:52:37.973

Reputation: 679

+1 security insight. you're wrong that we aren't the people to ask -- he asked about setting something up to bypass it (read: "make it easier on the user"), not why it was set up that way. but your explanation of the related issues is worthy. – quack quixote – 2009-10-06T17:45:13.843

Perhaps, but ultimately the administrator can provide the most elegant solution. All we can do is suggest ugly hacks to work around the "problem". – Ernie Dunbar – 2009-10-06T18:04:34.193

nope. intelligently configuring SSH to do two logins with one user action isn't an "ugly hack" -- it's understanding the situation and working with the tools. the admin doesn't want to provide the user with solutions; they want to admin. – quack quixote – 2009-10-06T18:53:50.770

It's for a school project... we'll be using it for about 4 months just to show our work to the prof... I don't think security is paramount. It's just a pain in the butt to have to transfer files to the first server, and then try and remember the darn Linux command to move em to the second... every time I want to edit a stinkin file. – mpen – 2009-10-06T18:54:07.103

As a systems administrator, any admin that doesn't want to provide the user with solutions is a damn poor admin. They may as well shut down the server if they don't want to provide solutions to users. The entire raison d'etre of servers is to provide service. There are much better, much more secure solutions to this security problem than the one that is in place. For example, the admin could assign you a key with which to log in, instead of using passwords, then disable all password logins. – Ernie Dunbar – 2009-10-06T23:47:33.877