3

I have an interesting problem I'm trying to solve. I have a JumpBox server that I have in order to securely ssh into client's servers. This is the only server my clients ever open up port 22 to. However, this JumpBox server is very small and does not have enough space to hold large files (bigger than 5GB).

So, I've set up another server with larger disks for this purpose, but I don't want the clients to then have to open up port 22 to yet another IP address.

Server T = Transferbox

Server J = Jumpbox

Server C = Clientbox

From Server J, can I transfer a file on Server T to Server C?

Thanks, and let me know if I need to clarify anything

wrangler
  • If you want to get sketchy with it, you could do a series of cat and redirects for stdin/out across these servers too, using something like `ssh t-user@t-server "cat /some/file" | ssh c-user@c-server "cat - > /path/to/new/copy/of/file"` – andyortlieb Sep 13 '11 at 19:54
  • Did you [try with `scp -3 Tserver Cserver`](https://serverfault.com/a/561033/407820)? – Pablo A Feb 06 '18 at 17:15
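
The streaming approach suggested in the comments above, written out as an added example that is not part of the original posts: run on J, it pipes the file from T to C without staging it on J's disk and then compares SHA-256 digests taken on both ends. It assumes J can already SSH to both T and C and that `sha256sum` exists on both; host names and paths are placeholders.

```shell
#!/bin/sh
# Added example, run on J: stream a file from T to C through J's memory only
# (nothing is written to J's disk), then compare SHA-256 digests from both ends.
# Host aliases and paths are placeholders; SSH is overridable for dry runs.
SSH=${SSH:-ssh}

# Single-quote a string for the remote shell, which re-parses the command line.
quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# remote_sha256 HOST PATH -> prints the hex digest, or nothing on failure
remote_sha256() {
    $SSH "$1" "sha256sum -- $(quote "$2")" </dev/null | cut -d' ' -f1
}

# relay_file SRC_HOST SRC_PATH DST_HOST DST_PATH -> 0 only if digests match
relay_file() {
    src_sum=$(remote_sha256 "$1" "$2")
    [ -n "$src_sum" ] || return 1            # source missing or unreadable
    $SSH "$1" "cat -- $(quote "$2")" </dev/null |
        $SSH "$3" "cat > $(quote "$4")" || return 1
    dst_sum=$(remote_sha256 "$3" "$4")
    [ "$src_sum" = "$dst_sum" ]
}

# Typical call on J (placeholders): relay_file t-server /data/big.img c-server /data/big.img
```
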

6 Answers

2

From "T", you should open up an ssh tunnel on "J" that forwards to SSH on "C". From there you can hop through J from T to do anything on C via SSH. See SSH Tunneling Made Easy for more information.

So from your "T" server, you might do something like this:

```
ssh -f J-user@addr-of-J-server -L 2000:addr-of-C-server:22 -N
ssh C-user@localhost -p 2000
```

andyortlieb
1

Sadly scp does not currently support this. But you could use sshfs on J, mount T and C and then copy (using cp) on J from mountpoint T to mountpoint C.

If you combine autofs and sshfs the way that /net (with an executable automount-map) works, you probably will get a working automatic solution.

I've seen an sshfs solution for CentOS using fuse somewhere.

Nils
  • Nils, this worked perfectly and was exactly what I needed. Here is the page I used to set this up: http://embraceubuntu.com/2005/10/28/how-to-mount-a-remote-ssh-filesystem-using-sshfs/ FYI - This solution works well in this situation for a few reasons. 1) I am only trying to push files to clients. They do not have access to these servers. 2) The purpose of the JumpBox is to be ultimately secure. It does not allow password authentication. If it did, I would just use it to transfer files. This allows me to have a server that has password authentication where I can move files around. Thanks! – wrangler Sep 14 '11 at 18:46
  • Interesting link. The solution looks like the authors don't trust fuse too much - this might be another reason to run it via autofs. Then you don't need the special fuse-group mentioned. – Nils Sep 14 '11 at 20:52
1

On the host where you need the data, just open a port, say 22222, for TCP connections from the host that will be sending the data.

On the host receiving the data you can use something like

```
# listen on port 22222 and unpack the incoming tar stream
nc -l -p 22222 | tar xf -
```

and on the host sending the data, once the listener above is in place

```
# pack the files and send them to the listener on port 22222
tar cf - files directories | nc -w1 ip.of.host.listening 22222
```

Once the data is transferred, simply close the firewall hole; or if you're afraid you might forget to close it, you can open it for, say, 30 min with something like

```
# as root: insert the ACCEPT rule, wait 30 minutes, then delete it again
(iptables -I INPUT -p tcp -s ip.of.host.sending.data --dport 22222 -j ACCEPT; sleep 30m; iptables -D INPUT -p tcp -s ip.of.host.sending.data --dport 22222 -j ACCEPT) &
```

If you are worried about someone snooping your data, you can use cryptcat rather than netcat (nc).

Hrvoje Špoljar
  • Though I ultimately went the sshfs route, this was my second solution. Clever use of sleep. I should have thought of that. – wrangler Sep 14 '11 at 18:50
0

Why don't you use the split, tar, or zip utilities to gather your files into smaller pieces, and then transfer each piece individually through J? When all the pieces are on C, just expand the tar/zip archive.

Your other option would be to create a VPN of some kind between T and J. You can then try mounting a file share/export from T like it's a local file system (NFS, FUSE, etc.).

The other option is to have your clients SSH into J and set up a tunnel (-L, -R), and then from J allow them to log into T. So they create a tunnel C->J->T, and on T have a file transfer system available (FTP, HTTP). The SSH tunnelling will send the packets around as needed.

Your best solution will be to get more resources on your JumpBox. If your clients are giving you money you should invest some of it into proper infrastructure so you/they don't have to waste time jumping through hoops.

DAM
  • I kind of got the impression that he was going to push the files to his clients. Also, it's not unreasonable to have a locked down dedicated SSH server, given certain security policies. However if clients are coming in to grab files, then I would tend to agree, mounting a remote filesystem or synchronizing a mirror on J may be preferable. – andyortlieb Sep 13 '11 at 20:01
  • That breaking files into smaller pieces idea is bonkers though ;) – andyortlieb Sep 13 '11 at 20:01
  • As andyortlieb says, I'm looking to push files to client, and not vice versa. Thanks for the suggestion though. – wrangler Sep 14 '11 at 18:45
0

An historical note, this is precisely the type of situation that FTP Protocol Passive mode was created for. However, being that the account information is sent in cleartext, it is far less likely to be used anymore.

mdpc
0

Simplest way here is to mount server T's drive on jumpbox using nfs or sshfs: http://fuse.sourceforge.net/sshfs.html Not sure if you want to keep permissions, but I believe you can even mount sshfs folder on users' login.

Dmitry Alexeyev