How to create an SSH tunnel chain in one command?

7

We have a serverA to connect to. Then we use serverA to connect to databaseB. The setup in PuTTY (Windows) looks like this:

Session1:
1. connect to admin@serverA
2. setup tunnel local port 10022 to databaseB:22
3. run 'vi'

Session2:
1. connect to admin@localhost:10022
2. setup tunnel local port 1521 to database 1521
3. run 'vi'

(vi is used to hold session)

Then the program uses localhost:1521 for the database connection.

I wonder if I can do it in a single command or a batch file in Cygwin? Note that I cannot open a port on serverA.

jackysee

Posted 2011-03-04T10:50:25.433

Reputation: 231

Answers

8

ssh -L 1521:127.0.0.1:61521 admin@serverA ssh -L 61521:127.0.0.1:1521 admin@databaseB

or using plink (Putty link) from a command window:

plink -ssh -L 1521:127.0.0.1:61521 admin@serverA ssh -L 61521:127.0.0.1:1521 admin@databaseB

Cristian Ciupitu

Posted 2011-03-04T10:50:25.433

Reputation: 4 515

3

As to running this as a single command, the previous answer is correct, but if the second ssh requires a password, it will probably not work (depending on the ssh default configuration). You will have to force the allocation of a pseudo-tty by using the -t option, as in:

ssh -t -L 1521:127.0.0.1:61521 admin@serverA ssh -L 61521:127.0.0.1:1521 admin@databaseB

(This works using Cygwin's ssh command.)

Nicolas Bonnefon

Posted 2011-03-04T10:50:25.433

Reputation: 321

3

You can use the ProxyCommand option for that. Put the following into your ssh configuration file (which is usually at ~/.ssh/config):

Host direct-serverB
    ProxyCommand ssh admin@serverA ssh admin@serverB sshd -i

Then you can connect to serverB as if it were directly available:

% ssh -L 1521:localhost:1521 admin@direct-serverB

This command does not open any ports on the intermediate serverA. However, it has the drawback that you need to authenticate to serverB both from serverA and from your local machine.

If serverA has netcat installed, then you could write this into your ssh config:

Host direct-serverB
    ProxyCommand ssh admin@serverA nc -q0 serverB 22

and drop the serverA→serverB authentication step.

liori

Posted 2011-03-04T10:50:25.433

Reputation: 3 044

1

I'd try running:

ssh admin@serverA -L 10022:databaseB:22
ssh admin@localhost -p 10022 -L 1521:database2:1521

But man, I cringe even suggesting it. The people who firewalled off DatabaseB probably had a good reason for doing so. Talk with them.

sarnold

Posted 2011-03-04T10:50:25.433

Reputation: 2 988

0

The following is what worked for me.
- My goal was to point the client application to localhost:1115 and have it actually be connecting to target_db_server:1433.
- target_db_server is only accessible from jumpserver2.
- jumpserver2 is only accessible from jumpserver1.
- The command therefore connects to jumpserver1, prompts for a token (in my case), then connects to jumpserver2 and asks for the password for that server, then the local client can make the connection.

ssh -L 1115:127.0.0.1:1115 username@jumpserver1 -tt ssh -L 1115:target_db_server:1433 username@jumpserver2

I found that the connection would time out, which was not ideal. The following fixed that:

echo "Host *" >> ~/.ssh/config
echo "ServerAliveInterval 60" >> ~/.ssh/config

Dan

Posted 2011-03-04T10:50:25.433

Reputation: 1
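
Added example, not part of any answer above and not from their authors: with OpenSSH 7.3 or later on the client, the ProxyCommand approach from liori's answer can be written with ProxyJump, and the keepalive from the last answer can be scoped to the one host instead of "Host *". The alias db-tunnel is a made-up name; host and user names are taken from the question, and serverA is assumed to permit TCP forwarding, as the PuTTY setup in the question already relies on.

```sshconfig
# ~/.ssh/config (added example; "db-tunnel" is a hypothetical alias)
Host db-tunnel
    # Final hop. The name databaseB is resolved by serverA, not by the
    # local machine.
    HostName databaseB
    User admin

    # serverA only relays the connection to databaseB:22. No listening
    # port is created on serverA, unlike the nested "ssh -L 61521:..."
    # commands, whose intermediate listener on serverA's loopback is
    # reachable by every local user of serverA.
    # Both logins are performed from the local client, so no key or
    # password for databaseB has to be typed or stored on serverA.
    ProxyJump admin@serverA

    # Local listener bound to loopback only, so other machines on the
    # client's network cannot use the tunnel. The destination
    # 127.0.0.1:1521 is evaluated on databaseB.
    LocalForward 127.0.0.1:1521 127.0.0.1:1521

    # Exit with an error if the listener cannot be set up, rather than
    # staying connected with no working tunnel.
    ExitOnForwardFailure yes

    # Keepalive for this host only.
    ServerAliveInterval 60

# Start the tunnel without a remote shell (replaces the 'vi' sessions
# that were used to hold the connection open):
#   ssh -N db-tunnel
#
# Check on the client that the listener is loopback-only, for example:
#   netstat -an | grep 1521
```

The same thing without a config file is `ssh -N -L 127.0.0.1:1521:127.0.0.1:1521 -J admin@serverA admin@databaseB`.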