SFTP over double server hop


I'm trying to work out a method to allow me to access files on an SFTP server that I cannot access from my local machine. Currently, I have to SSH to a remote server (it is in a certain IP block that the final SFTP server will accept from), then from there SFTP to the destination server. From there, I get the files I am interested in, thereby dropping them onto the middleman server, from which I can get the files either over a Samba share or with a direct scp. I also work in the reverse, where I drop the files onto the middleman, SSH to it, then SFTP to the destination and put them into the appropriate folders.

My goal is to shorten this. The unfortunate restrictions are that my machine is Windows (I use KiTTy and/or Cygwin) and I cannot modify the middleman server (or destination server) in any way. I am willing to use command line or GUI programs so long as it works and is free.

Any ideas?

josh.trow

Posted 2011-06-28T15:38:28.153

Reputation: 341

Answers


In essence, without the GUI or other conveniences:

ssh -o ProxyCommand='ssh myfirsthop nc -w 10 %h %p' mydestination

You can make this default by editing the config file, by default ~/.ssh/config

Host mydestination mydest2 mydest3
    ProxyCommand ssh myfirsthop nc -w 10 %h %p

This then allows you to do

ssh mydestination
scp mydest2:file.txt ./
scp file.txt mydest3:/tmp/

Of course, with that kind of magic you can easily

mkdir -pv /tmp/mydest3tmp            # create mountpoint
sshfs mydest3:/tmp /tmp/mydest3tmp/  # mount :)

On windows, you'd use WinSCP which comes with (I think IIRC) PLINK (from Putty suite). I suppose the default location for the ssh config file is different (I'd have to google for it), but I'm sure it works more or less the same.

Note that the only thing you need for this to work is 'netcat (nc)' on the middle server (first hop). It is a ubiquitous tool on linux/UNIX[1]; it is quite easy to build a statically linked version that should work if you can copy it there in the first place.

[1] note that there are some flavours, so the -w option might need to be dropped/spelled differently

sehe

Posted 2011-06-28T15:38:28.153

Reputation: 1 796

You sir, have no idea how happy this just made me :) Perfect! – josh.trow – 2011-06-28T16:10:30.640

@josh.trow: No, but I'm glad you told me :) Anytime – sehe – 2011-06-28T16:28:09.590

Although, as @josh.trow has found already, WinSCP has a tunneling feature built in (see the other answer), if you ever need to actually use a tunnel set up by an external application, here's a guide: http://winscp.net/eng/docs/guide_tunnel

– Martin Prikryl – 2013-12-17T09:59:27.813


I'm not going to set this as the accepted answer because I never would have found it without @sehe and @Jakub, but here is what I found that simplifies everything...

WinSCP has the ability to use an SSH tunnel built-in. I don't know when this feature arrived, but I never noticed it before somehow.

[screenshot: WinSCP Tunnel settings]

josh.trow

Posted 2011-06-28T15:38:28.153

Reputation: 341

works in filezilla too! – Hayden Thring – 2016-04-04T21:11:08.533

this feature only allows single tunnel... how to add 2nd tunnel? – zeetit – 2016-08-22T07:21:19.840

@zeetit Then you have to use an external tunnel. All tunneling options are documented in the WinSCP guide on tunneling.

– Martin Prikryl – 2017-06-19T08:10:05.747

Documentation of the tunneling feature: http://winscp.net/eng/docs/tunneling and http://winscp.net/eng/docs/ui_login_tunnel

– Martin Prikryl – 2013-12-17T09:58:04.493


One of my suggestions would be to create a socks proxy using putty (from your windows box), and then proxy your SFTP client over it (say Filezilla sftp).

You would not need to do anything special that way, just turn on your putty socks5 proxy, and turn on filezilla, and sftp your files over to the destination server.

(you ==socks5 proxy==> middle server) ==> destination server

Jakub

Posted 2011-06-28T15:38:28.153

Reputation: 3 111

It seems you are solving a different problem, a tougher one really. The problem of the OP is that the final destination is not routable from the client - outbound SSH traffic is ok. (I believe your solution is needed to 'tunnel' SSH traffic over a proxy?) – sehe – 2011-06-28T16:32:17.153

@sehe.. what? You set up an SSH SOCKS5 proxy (ssh tunnel to the middle box), then you simply proxy your SFTP traffic to the destination box, thereby masquerading as the middle server. What other problem am I solving? – Jakub – 2011-06-28T16:43:45.057
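The following is an added example, not code from any of the answers above nor from the OpenSSH, WinSCP or PuTTY projects. It serves both sehe's ProxyCommand answer and Jakub's SOCKS-proxy answer: a POSIX shell snippet that writes the ~/.ssh/config stanza for reaching several destinations through the one host the destination will accept connections from, with three interchangeable relays: netcat on the first hop (exactly as in the accepted answer), the first hop's own sshd via `ssh -W` (no netcat needed on the middle box), or a local SOCKS5 listener opened with `ssh -D PORT` or `plink -D PORT`. The security point worth seeing in code is that in all three variants the SSH session to the destination is still end-to-end: the local client verifies the destination's host key and the middle host only relays ciphertext, so no plaintext copy of the files ever lands on the middleman as it does in the original two-step workflow. The host names are the answer's placeholders; port 1080, the `ssh -W` syntax and the OpenBSD-netcat `-X 5 -x` flags are assumptions about the local tooling (the answer's own footnote notes that netcat flavours differ).

```shell
#!/bin/sh
# Added example: generate an OpenSSH client config that reaches SFTP/SSH hosts
# through a single permitted "first hop". Placeholder host names come from the
# answer above; port 1080 and the -W / -X 5 -x flags are assumptions.

# gen_proxy_config MODE RELAY DEST... : print one config stanza on stdout.
# Host patterns are separated by spaces, not commas.
gen_proxy_config() {
    mode=$1; relay=$2; shift 2
    printf 'Host %s\n' "$*"
    case $mode in
      # As in the accepted answer: ssh to the first hop and run netcat there.
      nc)    printf '    ProxyCommand ssh %s nc -w 10 %%h %%p\n' "$relay" ;;
      # Same idea without netcat on the hop: sshd relays via ssh -W (OpenSSH 5.4+, assumed).
      stdio) printf '    ProxyCommand ssh -W %%h:%%p %s\n' "$relay" ;;
      # SOCKS variant: "ssh -D PORT firsthop" or "plink -D PORT firsthop" runs locally;
      # RELAY is that port. -X 5 / -x are OpenBSD-netcat flags (assumption).
      socks) printf '    ProxyCommand nc -X 5 -x 127.0.0.1:%s %%h %%p\n' "$relay" ;;
      *)     printf 'unknown mode: %s\n' "$mode" >&2; return 1 ;;
    esac
    # The destination's host key is still verified by the local client, so the
    # relay only ever sees ciphertext; keep host-key checking on.
    printf '    StrictHostKeyChecking ask\n'
}

# write_and_check FILE MODE RELAY DEST... : write the stanza to FILE and, if an
# OpenSSH client is installed, show the ProxyCommand it would actually use for
# the first DEST (ssh -G only resolves options, it does not connect).
write_and_check() {
    cfg=$1; mode=$2; relay=$3; shift 3
    gen_proxy_config "$mode" "$relay" "$@" > "$cfg" || return 1
    if command -v ssh >/dev/null 2>&1; then
        ssh -G -F "$cfg" "$1" | grep -i '^proxycommand' || :
    fi
}

# Demo: one stanza serves "ssh mydestination", "scp mydest2:file.txt ." and
# "sftp mydest3" alike, since all three read the same config.
tmpcfg=${TMPDIR:-/tmp}/proxy_config.$$
write_and_check "$tmpcfg" nc myfirsthop mydestination mydest2 mydest3
cat "$tmpcfg"
rm -f "$tmpcfg"
```

On Cygwin the same stanza goes into ~/.ssh/config and is honoured by its OpenSSH ssh, scp and sftp; the WinSCP GUI tunnel and the PuTTY/FileZilla SOCKS route described in the other two answers are the point-and-click equivalents of the `stdio` and `socks` modes here.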