Must I sftp to an intermediate server?

11

3

I can't sftp directly into a particular host. To move a file from my home machine to the host, I must sftp a file to an intermediate host; ssh into the intermediate host; and sftp the file to the final destination. Is it possible to avoid such madness?

user74094

Posted 2011-03-26T22:24:09.590

Reputation: 262

Answers

28

From your local machine you can create an SSH tunnel through the intermediate host to the final host:

ssh user@intermediate -L 2000:final:22 -N

This will open port 2000 on your localhost that will connect directly to the final server on port 22, by tunneling through the intermediate host. Now in another prompt connect with sftp on port 2000 to be tunneled through to the final server, noting that the user specified here is for the final host:

sftp -P 2000 user@localhost

Seems like this belongs on superuser.com or serverfault.com though.

WhiteFang34

Posted 2011-03-26T22:24:09.590

Reputation: 381

Thanks, I'll try that; and you're right it is the wrong forum; sorry. – None – 2011-03-26T22:58:34.627

After giving the user@localhost password I received the message: Received message too long 1131376238 – user74094 – 2011-03-29T23:14:55.553

14

You can use SFTP's ProxyCommand option to transparently tunnel an SFTP connection over an SSH connection (a bit similar to WhiteFang34's answer, but over the SSH connection's stdin&stdout, rather than a forwarded local TCP port):

sftp -o "ProxyCommand=ssh -e none user@intermediatehost exec /usr/bin/nc %h %p 2>/dev/null" user@finalhost

(That's assuming the intermediate host has netcat installed as /usr/bin/nc -- if not, you may have to find/install some equivalent way of gatewaying stdin&stdout into a TCP session.)

What's really cool about this option is that you can add it to your ~/.ssh/config file, which makes it transparent:

Host finalhost
    ProxyCommand ssh -e none user@intermediatehost exec nc %h %p 2>/dev/null

With that entry, you can use sftp, scp, and ssh to finalhost, and it'll automatically invoke the tunnel. The only nontransparent part is that it'll prompt for two passwords (intermediatehost followed by finalhost), but if you want you can eliminate that as well with SSH keypairs...

Gordon Davisson

Posted 2011-03-26T22:24:09.590

Reputation: 28 538

Is the exec necessary? (It works fine here without that part.) – equaeghe – 2016-02-09T13:37:55.220

Thanks Gordon. It takes both passwords then halts with the message: Received message too long 1131376238 – user74094 – 2011-03-29T23:08:46.573

It sounds like something in the connection -- maybe a login script at one of the hosts, maybe nc -- is writing some extra text over the connection that's confusing sftp (see this FAQ at snailbook.com). 1131376238 is the decimal encoding of the ascii characters "Conn", so it's probably a message like "Connecting to..." "Connected from..." or maybe "Connection failed". Try it with ssh instead of sftp, see if the message is printed visibly and maybe you can tell where it's coming from.

– Gordon Davisson – 2011-03-29T23:42:07.120

ssh worked fine. I should also mention that I am often faced with this question: The authenticity of host 'xxxxx (<no hostip for proxy command>)' can't be established. RSA key fingerprint is 37:40:d4:c7:etc.. Are you sure you want to continue connecting (yes/no)? yes – user74094 – 2011-04-01T23:49:17.533

Gordon, very useful! I'm adding this to my text file of command line fu oneliners. Thanks a ton! – Travis Leleu – 2012-05-15T19:48:36.723
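The decoding step in Gordon Davisson's comment above (turning the "Received message too long" number back into the four ASCII bytes sftp misread as a packet length) as an added, self-contained example; it is not code from the thread, and the sample error line is copied from the comments rather than from a live session:

```python
import re
import struct
from typing import Optional

# Sample sftp failure line quoted in the comments above, used as test input.
SAMPLE_ERROR = "Received message too long 1131376238"


def decode_length_as_bytes(length: int) -> bytes:
    """Interpret the bogus packet length as the 4 bytes sftp actually read.

    Every SFTP packet begins with a big-endian uint32 length. If a login
    script or the proxy helper prints text into the channel, the client
    parses the first four bytes of that text as the length field.
    """
    if not 0 <= length <= 0xFFFFFFFF:
        raise ValueError("SFTP length field is a uint32")
    return struct.pack(">I", length)


def explain_message_too_long(line: str) -> Optional[str]:
    """Return the stray text implied by a 'Received message too long N' line.

    Printable bytes come back as ASCII (e.g. "Conn"); anything else is
    returned as hex so the leak is still diagnosable. Non-matching input
    returns None.
    """
    match = re.search(r"Received message too long (\d+)", line)
    if not match:
        return None
    raw = decode_length_as_bytes(int(match.group(1)))
    if all(32 <= b < 127 for b in raw):
        return raw.decode("ascii")
    return raw.hex()


if __name__ == "__main__":
    print(explain_message_too_long(SAMPLE_ERROR))  # → Conn
```

A clean channel prints nothing for `ssh finalhost true`; whatever that command does print is the text sftp would misread, and the decoded prefix tells you which host or helper to look at.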

3

You can pipe data to the ssh process running on your machine, then run a command on the intermediate machine which reads stdin and sends it to sftp as appropriate.

This can be done in a oneliner on your local machine, though the quoting of arguments to ssh will require care. I am on my phone right now so unfortunately cannot type the details. Perhaps somebody else can complete this answer as an exercise!

jl6

Posted 2011-03-26T22:24:09.590

Reputation: 1 025

0

I'm assuming the final host is firewalled and I can only guess at methods you could use to go around it.

For example - expose ssh from your local machine, then ssh to the first host, then ssh to the second and sftp from the final host to your machine.

esnyder

Posted 2011-03-26T22:24:09.590


0

Let's say A and B are the first and second hosts, and the file to be copied is foo.

Instead of sftp, you can use the following

cat foo | ssh A "cat - > foo"

Now, you can daisy-chain 2 of these together

cat foo | ssh A "cat - | ssh B \"cat - > foo\" "

Amitabh Khashnobish

Posted 2011-03-26T22:24:09.590


I like it, so I tried it. It took the password for A, then produced the message: Host key verification failed. – user74094 – 2011-03-29T23:06:07.263