Tunnelling from one SSH connection into another one

I have a machine called ic that I can ssh to. There is another machine, fw, that is on a completely different VLAN, and I cannot talk to it. ic is on both my VLAN and the VLAN that fw uses, and so my usual procedure for sshing to fw is to ssh into ic and from there ssh into fw. If I wanted to script this action, however, how could I get it to work?

I tried ssh root@ic "ssh root@fw", but this results in the message Pseudo-terminal will not be allocated because stdin is not a terminal, and then I get three messages from fw, presumably because it has null input:

Permission denied, please try again.
Permission denied, please try again.
Permission denied (publickey,password).

What's the best way to script this?

Matthieu Cartier

Posted 2011-07-14T13:29:48.283

Reputation: 3 422

Answers

By default, ssh doesn't allocate a pty when a command is given. For interactive use, you can override this by using the -t option.

For authentication, if you are using public keys and a properly configured ssh-agent, you can use the -A option to enable agent forwarding.

ssh -t -A user@ic ssh root@fw

(What's it with using root everywhere? Don't be lazy, create an account.)

Another method, using TCP forwarding over SSH:

First establish a connection to ic with the -L (local tunnel) option:

ssh -L 7890:fw:22 -fN user@ic

Now all connections to localhost:7890 will be forwarded through ic to fw:22. (The port 7890 is arbitrary; you can pick any unused port you like.)

(The -fN options will make this connection keep running in background.)

Second, connect through the tunnel:

ssh root@localhost -p 7890

user1686

Posted 2011-07-14T13:29:48.283

Reputation: 283 655

True, I don't need to be root on ic. Thanks! – Matthieu Cartier – 2011-07-15T09:53:43.080

Excellent answer. The local tunnel option allowed me to scp and git over a gateway, for which I continuously got the error messages in the question, and no other solution worked. Thanks! – Yuval – 2012-05-25T20:21:29.540

FWIW you can do the same with putty, which also uses the -t option. – congusbongus – 2013-02-10T23:48:25.350
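A scripted form of the -L tunnel from the answer above, added here as an example and not code from the original post. It keeps the hosts (ic, fw), the user and port 7890 from the answer; the ControlMaster socket path, the helper names and the HostKeyAlias/ExitOnForwardFailure options are additions of this example, so that the background tunnel can be closed by name instead of being left orphaned by -fN, and so that fw's host key is pinned under its own name rather than under [localhost]:7890.

```bash
#!/bin/bash
# Open the ic->fw tunnel as a ControlMaster, wait for the local port, run a
# command on fw through it, then tear the tunnel down. Usage:
#   ./tunnel.sh run root uptime
set -u

JUMP_USER=${JUMP_USER:-user}     # account on ic (from the answer)
JUMP_HOST=${JUMP_HOST:-ic}
TARGET=${TARGET:-fw}
LOCAL_PORT=${LOCAL_PORT:-7890}
# Assumed path for the control socket; any writable, private path works.
CTL="$HOME/.ssh/tunnel-${JUMP_HOST}-${LOCAL_PORT}.sock"

# Return 0 once host:port accepts TCP connections, 1 after $3 attempts one
# second apart. Uses bash's /dev/tcp, so no nc is needed on the client.
wait_for_port() {
  local host=$1 port=$2 tries=${3:-10}
  while [ "$tries" -gt 0 ]; do
    if (exec 3<>"/dev/tcp/$host/$port") 2>/dev/null; then
      return 0
    fi
    tries=$((tries - 1))
    sleep 1
  done
  return 1
}

open_tunnel() {
  # -fN backgrounds ssh with no remote command, -M -S make it a control
  # master we can address later. ExitOnForwardFailure makes ssh fail instead
  # of silently running without the forward (e.g. port 7890 already taken).
  ssh -fN -M -S "$CTL" -o ExitOnForwardFailure=yes \
      -L "${LOCAL_PORT}:${TARGET}:22" "${JUMP_USER}@${JUMP_HOST}" \
    && wait_for_port 127.0.0.1 "$LOCAL_PORT" 10
}

close_tunnel() {
  ssh -S "$CTL" -O exit "${JUMP_USER}@${JUMP_HOST}"
}

# Run a command on fw through the tunnel. HostKeyAlias stores and checks
# fw's key under the name "fw", so the key verified here is the same one
# you would verify when hopping through ic by hand.
run_on_target() {
  local user=$1; shift
  ssh -p "$LOCAL_PORT" -o HostKeyAlias="$TARGET" "${user}@127.0.0.1" "$@"
}

if [ "${1:-}" = "run" ]; then
  shift
  open_tunnel || { echo "tunnel to $TARGET via $JUMP_HOST failed" >&2; exit 1; }
  trap close_tunnel EXIT
  run_on_target "$@"
fi
```

On OpenSSH 7.3 or later the same hop can be expressed per connection with ProxyJump (ssh -J user@ic root@fw), which needs no agent forwarding onto ic.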

Another method is using ProxyCommand:

ssh root@fw -o "ProxyCommand=ssh root@ic nc $FW_VLAN_IP %p"

This connects to ic, creates a netcat TCP proxy to fw and lends it to your local ssh client, which means that it will use your local authentication systems instead of the remote ones.

Yajo

Posted 2011-07-14T13:29:48.283

Reputation: 163