An SSH tunnel via multiple hops

354

272

Tunneling data over SSH is pretty straight-forward:

ssh -D9999 username@example.com

sets up port 9999 on your localhost as a tunnel to example.com, but I have a more specific need:

  • I am working locally on localhost
  • host1 is accessible to localhost
  • host2 only accepts connections from host1
  • I need to create a tunnel from localhost to host2

Effectively, I want to create a "multi-hop" SSH tunnel. How can I do this? Ideally, I'd like to do this without needing to be superuser on any of the machines.

Mala

Posted 2010-01-16T05:58:48.590

Reputation: 5 998

@prongs Have you managed to use this for SOCKS proxy (all those years ago)? – Drux – 2017-12-08T07:32:16.857

2What did you use it for? I want to use it for socks proxy. Will it work? – prongs – 2012-02-29T13:57:54.117

2Yes, you should be able to use the tunneled connection as a SOCKS proxy, unless host2 denies forwarding – Mala – 2012-05-03T06:48:05.493

I was thinking about creating a wrapper over SSH that would set up that using multiple use of ProxyCommand. – Pavel Šimerda – 2013-10-19T20:52:18.257

Answers

341

You basically have three possibilities:

  1. Tunnel from localhost to host1:

    ssh -L 9999:host2:1234 -N host1
    

    As noted above, the connection from host1 to host2 will not be secured.

  2. Tunnel from localhost to host1 and from host1 to host2:

    ssh -L 9999:localhost:9999 host1 ssh -L 9999:localhost:1234 -N host2
    

    This will open a tunnel from localhost to host1 and another tunnel from host1 to host2. However the port 9999 to host2:1234 can be used by anyone on host1. This may or may not be a problem.

  3. Tunnel from localhost to host1 and from localhost to host2:

    ssh -L 9998:host2:22 -N host1
    ssh -L 9999:localhost:1234 -N -p 9998 localhost
    

    This will open a tunnel from localhost to host1 through which the SSH service on host2 can be used. Then a second tunnel is opened from localhost to host2 through the first tunnel.

Normally, I'd go with option 1. If the connection from host1 to host2 needs to be secured, go with option 2. Option 3 is mainly useful to access a service on host2 that is only reachable from host2 itself.

Mika Fischer

Posted 2010-01-16T05:58:48.590

Reputation: 4 159

17option 3 was what i was looking for, thanks! – Mala – 2010-01-25T01:38:37.097

What means normally? The reason host1 exists is in most cases to securely enter host2. If you don't secure the host1-host2 connection you violate the security premises, or not? – erikbwork – 2015-08-19T09:52:25.513

Notes: Option 1 if you using OSX then remove -N option which doesn't work – Satish – 2016-01-27T13:50:09.777

1Is it only me, but does option 2 leave one ssh listening on host1 when one Ctrl-Cs the local ssh? I am unable to execute the command twice in a row without going to host1 and killing the last ssh process which is still listening o post 9999. – musically_ut – 2016-11-16T06:20:14.010

2@musically_ut - that's correct, the 2nd ssh command is backgrounded on host1, so if you want to reconnect locally to it, you only need to rerun the first part again. If you add -f, it will immediately background locally, thus ssh -f -L 9999:localhost:9999 host1 will reconnect if you pressed ctrl-c in first case. Or add -f to the original double ssh command when first running it to background everything immediately. – Mark Fisher – 2017-02-25T15:10:31.910

When I tried option 3, and ran ssh -L 9999:localhost:1234 -N -p 9998 localhost, which password am I supposed to give? I tried both the passwords of the local and remote users, none worked. – Franck Dernoncourt – 2017-03-18T18:22:11.190

What exactly is insecure about option 1? Where is 'above'? – Xandaros – 2017-11-07T23:37:15.947

Hello, how can I extend this solution to another server? I'm trying to do the forwarding using vnc. Right now, I have a localhost, guard, jump_host, target_server and I want to port forward from localhost to target_server. Thanks! – zack – 2018-08-31T21:21:22.803

Thank you so much, the third option worked perfectly for me! :) – Yash Sodha – 2019-06-03T07:43:43.267

1I want to do browsing this way. Which one's best? I tried first one but it didn't work. I set a socks proxy in my browser localhost:1234 but no luck. :( please help.. – prongs – 2012-02-29T13:54:46.570

1@prongs try option 3 – Mala – 2012-05-03T06:49:52.153

1is there a way to forward my public key from localhost, through the tunnel of host 1, on to host2? – Noli – 2012-12-19T08:00:40.357

6@Noli If you use ssh-agent (which you should), you can forward it through the connections using the -A option to ssh. – Mika Fischer – 2012-12-19T11:36:52.967

I have an application that (apparently) uses its own ssh client to connect over SFTP (PHPStorm). Can you explain whether these options will help me? I can't use authorized keys because of this and I only have a single password field. It's not going to prompt me. – Stephane – 2013-09-17T14:12:02.547

158

There is an excellent answer explaining the use of the ProxyCommand configuration directive for SSH:

Add this to your ~/.ssh/config (see man 5 ssh_config for details):

Host host2
  ProxyCommand ssh host1 -W %h:%p

Then ssh host2 will automatically tunnel through host1 (also works with X11 forwarding etc.).

This also works for an entire class of hosts e.g. identified by domain:

Host *.mycompany.com
  ProxyCommand ssh gateway.mycompany.com -W %h:%p

Update

OpenSSH 7.3 introduces a ProxyJump directive, simplifying the first example to

Host host2
  ProxyJump host1

kynan

Posted 2010-01-16T05:58:48.590

Reputation: 2 646

Has anyone had any luck making this work using the openssh for windows distro here: http://www.mls-software.com/opensshd.html? It seems like I need to give it a full cygwin path to ssh but I attempted using the following andstill had no luck:

ProxyCommand "/cygdrive/c/Program Files/OpenSSH/bin/ssh" ...

– mockobject – 2015-01-16T18:39:05.927

ProxyJump is amazing! – Aaron McMillin – 2017-06-04T03:25:24.563

1Easier than using ProxyJump is -J switch. – Martin Prikryl – 2018-04-16T07:29:08.330

@MartinPrikryl Depends on your use case: for one-off use -J is certainly easier than modifying your SSH config. However if you always need the proxy to access a certain host I find it easier to only change SSH config once. – kynan – 2018-08-05T11:22:30.610

Is there an elegant way to solve this if host1's public key is encrypted? (elegant = without having remove the encryption?) – Alois Mahdal – 2019-01-17T10:19:41.947

@AloisMahdal Why would the host key be encrypted? It's a public key for a reason. – kynan – 2019-01-20T16:36:07.953

@kynan, my bad, I meant private key there. – Alois Mahdal – 2019-01-20T17:21:32.983

@AloisMahdal I don't understand how that is related. Your SSH client needs to be able to read your, the host's SSHD needs to be able to read the host's private key - irrespective of using ProxyJump or not. – kynan – 2019-01-27T15:32:56.597

@kynan I'm at host0, and want to connect to host2, which IP-wise will only talk to host1. I can already do ssh host1, and from the interactive shell just do ssh host2, answer the passphrase, and I'm there. Now: if I say ssh host1 -J host2 it fails because it won't forward the password prompt necessary to unlock the key on host1. (IIRC I've been able to do that the other day with the key on host1 being unencrypted.) – Alois Mahdal – 2019-02-01T23:46:11.830

I don't quite understand your setup, but would recommend using SSH keys for authentication, SSH agent and agent forwarding (ssh -A). – kynan – 2019-02-02T21:22:33.210

3Is there a way to do this conditionally? I only want to do this sometimes. Also, this is specifically for commands, but I'm looking for something for all of port 22 (ssh, sftp, etc). – Stephane – 2013-09-11T15:08:23.430

1@Stephane what do you mean by specifically for commands? Your SSH config is used by anything using ssh, including git, sftp etc. afaik. – kynan – 2013-09-11T20:58:19.287

1@Stephane I'm not aware of a way of enabling this conditionally (e.g. only when you're outside the network of the target host). I set this option for all hosts in question in a configuration block and then (un)comment the line as needed. Not perfect, but it works. – kynan – 2013-09-11T20:58:46.133

Hmmm can I cause ssh to use a different config file if I want it to? Thanks for these replies! – Stephane – 2013-09-12T00:46:37.640

2@Stephane sure: ssh -F /path/to/altconfig. Beware this will ignore the system wide /etc/ssh/ssh_config. – kynan – 2013-09-12T11:39:35.197

19An easy way to make settings "conditional" is to define two different hosts in .ssh/config, that have the same HostName. Connect to host2-tunnel when you want the tunnel, and host2 when you don't. – Steve Bennett – 2013-09-23T06:55:18.333

This is awesome answer !! good job ! – Meabed – 2014-04-06T23:08:41.363

35

OpenSSH v7.3 onward supports a -J switch and a ProxyJump option, which allow one or more comma-separated jump hosts, so, you can simply do this now:

ssh -J jumpuser1@jumphost1,jumpuser2@jumphost2,...,jumpuserN@jumphostN user@host

nikolay

Posted 2010-01-16T05:58:48.590

Reputation: 453

ssh -J user1@host1 -YC4c arcfour,blowfish-cbc user2@host2 firefox -no-remote This will speed up getting firefox from host2 to localhost. – Jaur – 2018-05-21T16:28:39.560

I had no idea you could do it like this. Thanks for sharing! – Stephen Quan – 2019-12-11T23:35:50.043

20

We have one ssh gateway into our private network. If I'm outside and want a remote shell on a machine inside the private network, I would have to ssh into the gateway and from there to the private machine.

To automate this procedure, I use the following script:

#!/bin/bash
ssh -f -L some_port:private_machine:22 user@gateway "sleep 10" && ssh -p some_port private_user@localhost

What is happening:

  1. Establish a tunnel for the ssh protocol (port 22) to the private machine.
  2. Only if this is successful, ssh into the private machine using the tunnel. (the && operater ensures this).
  3. After closing the private ssh session, I want the ssh tunnel to close, too. This is done via the "sleep 10" trick. Usually, the first ssh command would close after 10 seconds, but during this time, the second ssh command will have established a connection using the tunnel. As a result, the first ssh command keeps the tunnel open until the following two conditions are satisfied: sleep 10 is finished and the tunnel is no longer used.

Bernhard Kausler

Posted 2010-01-16T05:58:48.590

Reputation: 353

1Very clever!!! LOVE IT! – Hendy Irawan – 2012-05-06T06:37:04.070

18

After reading the above and glueing everything together, I've created the following Perl script (save it as mssh in /usr/bin and make it executable):

#!/usr/bin/perl

$iport = 13021;
$first = 1;

foreach (@ARGV) {
  if (/^-/) {
    $args .= " $_";
  }
  elsif (/^((.+)@)?([^:]+):?(\d+)?$/) {
    $user = $1;
    $host = $3;
    $port = $4 || 22;
    if ($first) {
      $cmd = "ssh ${user}${host} -p $port -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no";
      $args = '';
      $first = 0;
    }
    else {
      $cmd .= " -L $iport:$host:$port";
      push @cmds, "$cmd -f sleep 10 $args";
      $cmd = "ssh ${user}localhost -p $iport -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no";
      $args = '';
      $iport ++;
    }
  }
}
push @cmds, "$cmd $args";

foreach (@cmds) {
  print "$_\n";
  system($_);
}

Usage:

To access HOSTC via HOSTA and HOSTB (same user):

mssh HOSTA HOSTB HOSTC

To access HOSTC via HOSTA and HOSTB and use non-default SSH-portnumbers and different users:

mssh user1@HOSTA:1234 user2@HOSTB:1222 user3@HOSTC:78231

To access HOSTC via HOSTA and HOSTB and use X-forwarding:

mssh HOSTA HOSTB HOSTC -X

To access port 8080 on HOSTC via HOSTA and HOSTB:

mssh HOSTA HOSTB -L8080:HOSTC:8080

Bob Muller

Posted 2010-01-16T05:58:48.590

Reputation: 181

1this is awesome – Mala – 2012-03-25T01:20:01.370

1I seriously cannot thank you enough, this script makes my life easier on a daily basis. The only thing I changed was to add int(rand(1000)) to iport, to allow multiple instances to run at the same time. I definitely owe you a beer. – Mala – 2012-05-03T07:20:55.470

This works really well. A further improvement would be to resolve HOSTB, HOSTC etc using localhost's /etc/hosts and ~/.ssh/config – Steve Bennett – 2013-09-23T07:03:51.827

Also I second Mala's comment. Without the randomized port, if you then try to mssh HOSTA HOSTD you'll actually end up at HOSTB (and maybe won't realise..) – Steve Bennett – 2013-09-24T02:39:35.157

8

This answer is similar to kynan, as it involves the use of ProxyCommand. But it's more convenient to use IMO.

If you have netcat installed in your hop machines you can add this snippet to your ~/.ssh/config:

Host *+*
    ProxyCommand ssh $(echo %h | sed 's/+[^+]*$//;s/\([^+%%]*\)%%\([^+]*\)$/\2 -l \1/;s/:/ -p /') nc $(echo %h | sed 's/^.*+//;/:/!s/$/ %p/;s/:/ /')

Then

ssh -D9999 host1+host2 -l username

will do what you asked.

I came here looking for the original place where I read this trick. I'll post a link when I find it.

silviot

Posted 2010-01-16T05:58:48.590

Reputation: 313

2

I believe this is the origination of the trick: https://wiki.gentoo.org/wiki/SSH_jump_host

– slm – 2014-03-28T21:00:56.063

6

I did what I think you wanted to do with

ssh -D 9999 -J host1 host2

I'm prompted for both passwords, then I can use localhost:9999 for a SOCKS proxy to host2. It's the nearest I can think of to the example you showed in the first place.

Cheryl

Posted 2010-01-16T05:58:48.590

Reputation: 61

This worked perfectly! – Arthur Silva – 2019-06-28T11:03:45.503

Didn't work for three hosts – Vladimir Iashin – 2020-02-22T06:44:30.183

4

ssh -L 9999:host2:80 -R 9999:localhost:9999 host1

-L 9999:host2:80

Means bind to localhost:9999 and any packet sent to localhost:9999 forward it to host2:80

-R 9999:localhost:9999

Means any packet received by host1:9999 forward it back to localhost:9999

chinmaya

Posted 2010-01-16T05:58:48.590

Reputation: 311

Brilliant, most simple answer to make a tunnel so you can access the application on host2 directly from localhost:9999 – dvtoever – 2016-07-08T15:45:25.607

Following this answer, I get a channel 3: open failed: administratively prohibited: open failed error message. – Franck Dernoncourt – 2017-03-18T18:16:02.747

2

you should be able to use port forwarding to access a service on host2 from localhost. A good guide is located here. Excerpt:

There are two kinds of port forwarding: local and remote forwarding. They are also called outgoing and incoming tunnels, respectively. Local port forwarding forwards traffic coming to a local port to a specified remote port.

For example, if you issue the command

ssh2 -L 1234:localhost:23 username@host

all traffic coming to port 1234 on the client will be forwarded to port 23 on the server (host). Note that localhost will be resolved by the sshdserver after the connection is established. In this case localhost therefore refers to the server (host) itself.

Remote port forwarding does the opposite: it forwards traffic coming to a remote port to a specified local port.

For example, if you issue the command

ssh2 -R 1234:localhost:23 username@host

all traffic which comes to port 1234 on the server (host) will be forwarded to port 23 on the client (localhost).

In your cast, replace localhost in the example with host2 and host with host1.

fideli

Posted 2010-01-16T05:58:48.590

Reputation: 13 618

according to that article, the connection will only be secured until the middle machine (host1). Is there a way to make sure the whole thing stays secure? – Mala – 2010-01-16T07:21:29.063

I've never tried this, but if host1 and host2 are both ssh servers, you might be able to set up a tunnel from host1 to host2, then set up a tunnel from localhost to host1 for the same service (getting your local and remote ports right). I don't know if that's possible in one command from localhost. – fideli – 2010-01-16T16:13:36.613

1

In this answer I will go through a concrete example. You just need to replace computers' hostnames, usernames and passwords by yours.

Problem statement

Let's assume we have the following network topology:

our local computer <---> server 1 <---> server 2

For the sake of concreteness, let's assume we have the following computers' hostnames, usernames and passwords:

LocalPC            <--->  hostname: mit.edu         <---> hec.edu
                          username: bob                   username: john 
                          password: dylan123              password: doe456

Goal: we want to set up a SOCKS proxy that listens on port 9991 of LocalPC so that each time a connection on LocalPC is initiated from port 9991 it goes through mit.edu then hec.edu.

Example of use case: hec.edu has an HTTP server that is only accessible on http://127.0.0.1:8001, for security reasons. We would like to be able to visit http://127.0.0.1:8001 by opening a web browser on LocalPC.


Configuration

In LocalPC, add in ~/.ssh/config:

Host HEC
    HostName hec.edu
    User john
    ProxyCommand ssh bob@mit.edu -W %h:%p

Then in the terminal of LocalPC, run:

ssh -D9991 HEC

It will ask you the password of bob on mit.edu (i.e., dylan123), then it will ask you the password of john on hec.edu (i.e., doe456).

At that point, the SOCKS proxy is now running on port 9991 of LocalPC.

For example, if you want to visit a webpage on LocalPC using the SOCKS proxy, you can do in Firefox:

enter image description here

Some remarks:

  • in ~/.ssh/config, HEC is the connection name: you may change it to anything you want.
  • The -D9991 tells ssh to set up a SOCKS4 proxy on port 9991.

Franck Dernoncourt

Posted 2010-01-16T05:58:48.590

Reputation: 13 518

1

My answer is really the same as all the other answers here, but, I wanted to clarify the usefulness of ~/.ssh/config and ProxyJump.

Let say I need to get to a destination in 3 hops, and, for each hop, I needed a specific username, host, port and identity. Because of the identity criteria, this can only be done with the ~/.ssh/config config file:

Host hop1
    User user1
    HostName host1
    Port 22
    IdentityFile ~/.ssh/pem/identity1.pem

Host hop2
    User user2
    HostName host2
    Port 22
    IdentityFile ~/.ssh/pem/identity2.pem
    ProxyJump hop1

Host hop3
    User user3
    HostName host3
    Port 22
    IdentityFile ~/.ssh/pem/identity3.pem
    ProxyJump hop2

From your computer, you can test each jump individually, i.e.

$ ssh hop1 # will go from your PC to the host1 in a single step
$ ssh hop2 # will go from your PC to host1, then from host1 to host2, i.e. in two steps
$ ssh hop3 # will go from your PC to host1, then to host2, then to host3, i.e. in three steps

Another cool thing about the ~/.ssh/config file is that this will also enable sftp file transfers, e.g.

$ sftp hop1 # will connect your PC to host1 (i.e. file transfer between your PC and host1)
$ sftp hop2 # will connect your PC to host1 to host2 (i.e. file transfer between your PC and host2)
$ sftp hop3 # will connect your PC to host1 to host2 to host3 (i.e. file transfer between your PC and host3)

Stephen Quan

Posted 2010-01-16T05:58:48.590

Reputation: 226

0

The option 2 of the best answer could be used with different ssh users than the current one aka : user@host

    export local_host_port=30000
    export host1_user=xyz
    export host1=mac-host
    export host1_port=30000
    export host2=192.168.56.115
    export host2_user=ysg
    export host2_port=13306

    # Tunnel from localhost to host1 and from host1 to host2
    # you could chain those as well to host3 ... hostn
    ssh -tt -L $local_host_port:localhost:$host1_port $host1_user@$host1 \
    ssh -tt -L $host1_port:localhost:$host2_port $host2_user@$host2

Yordan Georgiev

Posted 2010-01-16T05:58:48.590

Reputation: 133

0

In my case I did

localhost$ ssh -D 9999 host1
host1$ ssh -L 8890:localhost:8890 host2

where host2:8890 is running on a Jupyter Notebook.

Then I configured Firefox to use localhost:9999 as a SOCKS host.

So now I've got the notebook running on host2 accessible by Firefox at localhost:8890 on my machine.

amarion

Posted 2010-01-16T05:58:48.590

Reputation: 1

0

The three options mentioned in the accepted answer didn't work for me at all. Since I don't have much permission over both hosts, and seem like our DevOps team has a pretty strict rules when comes to authentication and are doing MFA. Somehow the commands above cannot play well with our authentication.

The context is really similar to answers above though: I cannot ssh into production server directly, and have to do 1 hop using a jump server.

Yet Another Solution - a naive one

I ended up doing it by a very naive way: instead of trying to run all the commands on my laptop, I run the commands on each of the machine, as below:

  1. SSH into your jump server, then run ssh -v -L 6969:localhost:2222 -N your-protected.dest.server. If you're prompted with any password input, type it.
  2. Now on your laptop, run ssh -v -L 6969:localhost:6969 -N your-jump-server.host.name. This will forward any of your request on port 6969 on your laptop, to the jump server. Then by turn, since we configured in our previous step, the jump server will again forward requests of port 6969 to port 2222 on the protected destination server.

You should see the command "hangs" there after printing some message - it means they're working! One exception - you should not see error message like Could not request local forwarding., if you see that, then it's still not working :(. You can now try to fire request on port 6969 from your laptop, and see if it's working.

Hopefully if you are someone who failed all the methods above, perhaps you can try this.

Shaung Cheng

Posted 2010-01-16T05:58:48.590

Reputation: 1

0

Only this helped me on more than two hosts:

ssh -L 6010:localhost:6010 user1@host1 \
-t ssh -L 6010:localhost:6010 user2@host2 \
-t ssh -L 6010:localhost:6010 user3@host3

It will prompt you with three passwords.

Inspired by this answer

Vladimir Iashin

Posted 2010-01-16T05:58:48.590

Reputation: 101

0

If you can SSH into both machines, take a look at ssh's ProxyCommand directive. This will let you go straight from localhost into host2 (in one easy command if you use public keys!!). Then you can do whatever you want with host2.

http://www.statusq.org/archives/2008/07/03/1916/

Andrew

Posted 2010-01-16T05:58:48.590

Reputation: