There are three machines A, B and C running Linux. I have root access to machines A and B but not to C. A is my local machine and I want to connect to C. C is only reachable through ssh over VPN. I cannot connect directly from A to C because VPN traffic is blocked in A. I can connect from A to B through ssh using shared keys. I'm running openvpn in B and then I can connect to C through ssh, but C does not accept shared keys. I want to scp files directly and passwordless from C to A and from A to C, so I created an ssh master connection in B and an ssh tunnel in A. However, I cannot make the tunnel use the master connection in B. My question is: how can I set up ssh in order to connect from A to C using the existing master connection in B?

Manuel
  • You can't do this without storing the password for machine C on machine A if you want A to initiate the connection. Otherwise you will have to write a custom sftp handler to run on B which will forward it over the connection. Why doesn't machine C accept ssh keys? Ask the admin of that system to configure it for your user. Even freeftpd for windows can do pubkey authentication and all of the common linux/unix sshds support it. – Andrew Domaszek Nov 27 '14 at 00:43

1 Answer

I can see three ways to achieve this:

1. You can run scp on A and instead of having it just ssh to another host and run scp there, you have it ssh to B and on B run another ssh command to connect to C and run the server side scp there.

It appears scp does not have an option to specify how to invoke scp on the remote side; however, it does have an option to specify how to invoke ssh locally. That is the `-S` option, intended to tell it where to find ssh.

What you can do is run scp with the `-S` option pointing to a script. That script will then ssh to B and run ssh there; the ssh command on B will have to be invoked with all the options that scp on A gave to the script.

2. If you can manage to configure an `authorized_keys` file on C, you can have A authenticate directly towards C. It might be that all you are missing is proper permissions on the `authorized_keys` file on C. Since A cannot connect directly to C, you will instead specify a `ProxyCommand` that will run `ssh -W` to connect from A to B. Sounds like in your case that needs to go in `~/.ssh/config` on A. The value to use would be `ssh -W %h:%p B`.

3. Run the scp command on C and have C connect back to A. If C cannot connect directly to A, then the connection can instead be opened either by using ProxyCommand as suggested above or by setting up an ssh reverse port forwarding between A and B or between B and C.

kasperd
  • the common name for #2 is [a jump host](http://wiki.gentoo.org/wiki/SSH_jump_host) – Andrew Domaszek Nov 27 '14 at 01:33
  • Actually my current solution is based on 2 combined with the ControlMaster option. This allows me to directly scp from A to C without a password except for the only time the master connection is created. However, there are other users that also connect to C (all of them sharing the same account on B and C), but I don't want to set up every single machine each user wants to connect to C. So I tried to set up the master connection on B, but when I connect to B either with a tunnel or with ProxyCommand it creates a new connection to C instead of using the existing master connection. – Manuel Nov 27 '14 at 02:30
  • My final goal is to somehow run an "ssh tunnel" on B such that it redirects each incoming connection (in a special user account) to the existing master connection (connected to C). This way other users would not need to do anything special to connect directly to C. – Manuel Nov 27 '14 at 02:33
  • Could you use something like sshfs mount on B and allow other users to write to that? – Andrew Domaszek Nov 27 '14 at 04:52
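The following is an added example of option 1 from the answer (the `scp -S` relay script); it is not code from the answer or from the asker. The script name `scp-via-jump.sh`, the `JUMP_HOST` variable and the host alias `B` are assumptions. It also addresses the follow-up comments: because the second ssh runs on B as an ordinary ssh client, it reads B's own `~/.ssh/config`, so if that file sets `ControlPath` for C the existing master connection on B is reused rather than a new one being opened.

```shell
#!/bin/sh
# Added example (not from the answer or the asker): a relay script for
# `scp -S` on host A.  scp invokes this script instead of ssh; the script
# opens ssh to B and runs a second ssh there with exactly the arguments scp
# supplied, so the server-side scp ends up running on C.
#
# Usage on A:   scp -S ./scp-via-jump.sh report.txt C:/home/shared/
#               scp -S ./scp-via-jump.sh C:/home/shared/report.txt .
#
# Assumption: "B" is reachable from A by that name (a Host alias in A's
# ~/.ssh/config or a DNS name).  JUMP_HOST is a name chosen for this example.
JUMP_HOST="${JUMP_HOST:-B}"

# Quote one string so that a POSIX shell on B reads it back as a single
# word: every ' becomes '\'' and the whole value is wrapped in single quotes.
# Without this, a file name such as "$(id)" or "a;b" would be interpreted
# by B's login shell instead of being passed through unchanged to C.
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Build the one-line command that B's login shell will execute:
#   ssh <each argument scp gave us, individually quoted>
# scp passes options such as -x and -oClearAllForwardings=yes, then the
# destination host, then "scp -t <dir>" (upload) or "scp -f <file>" (download).
build_remote_command() {
    cmd="ssh"
    for arg in "$@"; do
        cmd="$cmd $(shell_quote "$arg")"
    done
    printf '%s' "$cmd"
}

# scp always supplies arguments.  With none (run by hand as a self-check,
# or sourced) there is nothing to relay, so fall through without connecting.
if [ "$#" -gt 0 ]; then
    # stdin/stdout are inherited from scp, so the scp protocol flows
    # A -> B -> C through the two nested ssh sessions.
    exec ssh -- "$JUMP_HOST" "$(build_remote_command "$@")"
fi
```

Two caveats for this setup. First, scp runs the outer ssh without a terminal, so the inner ssh on B cannot prompt for C's password; the transfer only succeeds when B already holds a master connection to C (`ControlMaster`/`ControlPath` for `Host C` in B's `~/.ssh/config`) or when C accepts a key held on B. Second, the per-argument quoting matters because B's login shell re-parses the command line: a file name chosen by another user of the shared account on B must not be able to run commands on B, which is exactly what unquoted metacharacters in a path would allow.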