17

Here is the scenario

I am trying to get scp access to server3, but there is only public ssh access to server1. To ssh to server3, I have to ssh to server1, ssh to server2, then ssh to server3.

My hopeful end result would be that I could WinSCP to localhost:8022 and it will give me file access to server3.

I am trying to use ssh tunnels, but through all the tutorials and questions I have read, none seem to work for this scenario.

I am using PuTTY on Windows.

Any suggestions would be truly helpful. Thank you.

nik

6 Answers

20

In OpenSSH, I use this setup when I need tunnels. This allows me to directly type sftp server3 without having to worry about manually starting the server2 and server1 tunnels first.

# ~/.ssh/config

# to connect to server2, tunnel through server1
Host server2
ProxyCommand ssh server1 nc %h %p

# to connect to server3, tunnel through server2
Host server3
ProxyCommand ssh server2 nc %h %p

To be more complete, I usually use ssh -oCiphers=arcfour128,arcfour256,arcfour,blowfish-cbc -oControlMaster=no -oForwardX11=no -oForwardAgent=no -oPermitLocalCommand=no -oClearAllForwardings=yes server1 nc %h %p as the ProxyCommand.

  • The ssh connection being tunneled is already encrypted, so there's no point in using the heavier aes/3des for the outer layer; arcfour and blowfish are faster.
  • The rest of the -o**** settings are out of paranoia, so that nothing breaks even if a Host server1 stanza with really odd settings is added to ssh_config.

Similarly, you can configure PuTTY to use the proxy command plink -P %proxyport -pw %pass %user@%proxyhost nc %host %port, and set the proxy hostname/port/user/password in the Connection/Proxy configuration pane accordingly. plink and the rest of the PuTTY suite (pscp, psftp, etc.) load anything saved in PuTTY's graphical configuration; hopefully WinSCP does too. (I don't use it, so I'm not too familiar with its features.)

Jeff Atwood
ephemient
  • When I try to do this, I get "bash: nc: command not found" -- did I misunderstand how this works? Do I need to put the command and the ports in the places where you have "nc %h %p"? – Zak Nov 28 '15 at 18:53
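A current-OpenSSH form of the chain in the answer above, added here as an example and not part of the original answer. `ProxyJump` needs OpenSSH 7.3 or later, and the `-W` variant shown in the comments does not depend on `nc` being installed on the jump host; the host names are the ones used on this page, and a default client setup is assumed.

```sshconfig
# ~/.ssh/config  (added example, not from the original answer)

# The hops only relay the already-encrypted inner session, so they
# get no agent and no X11 forwarding, whatever other stanzas say.
Host server1 server2
    ForwardAgent no
    ForwardX11 no

# server2 is reached through server1, server3 through server2.
Host server2
    ProxyJump server1

Host server3
    ProxyJump server2
    ForwardAgent no
    ForwardX11 no

# Equivalent for clients older than 7.3. -W makes ssh relay the
# stream itself and implies ClearAllForwardings for the hop:
#   Host server2
#       ProxyCommand ssh -W %h:%p server1
#   Host server3
#       ProxyCommand ssh -W %h:%p server2

# No Ciphers override here: arcfour and blowfish-cbc were removed in
# OpenSSH 7.6, so a current client rejects a list that names them.
```

With this in place `sftp server3` authenticates to each server from the local machine, so no key or agent has to be exposed on server1 or server2.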
10

The first solution that leaps to mind is to tunnel one local port to each of your servers. Since SSH uses port 22, we'll use each SSH connection to tunnel a local port to the next server's port 22.

When you open PuTTY, you're met with the PuTTY Configuration dialog. The two categories you'll need to edit are "Session" and "Connection→SSH→Tunnels".

  1. Open a copy of PuTTY. Use these settings:

    • Connect to host

      • Host name: server1
      • Port: 22
    • Tunnel a port

      • Local mode
      • Source port: 15500
      • Destination: server2:22 (the secure shell port)

        [Screenshots: PuTTY Configuration window before and after pressing Add]

    Now, every time you connect to port 15500 on your local machine, your connection is being tunneled to port 22 on server2.

  2. Open a copy of PuTTY. Use these settings:

    • Connect to host
      • Host name: localhost
      • Port: 15500
    • Tunnel a port
      • Local mode
      • Source port: 15501
      • Destination: server3:22 (the secure shell port)
  3. Open a copy of PuTTY. Use these settings:

    • Connect to host
      • Host name: localhost
      • Port: 15501
    • Tunnel a port
      • Local mode
      • Source port: 15502
      • Destination: server3:22 (the secure shell port)
  4. Use WinSCP to connect to localhost on port 15502. Your connection will be tunneled as if you're connecting to server3 directly.

Let me know in the comments whether this works for you. Good luck!

Jeff Atwood
Wesley
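The same local-forward chain written for the OpenSSH client, as an added example rather than part of the original answer. It ends on port 8022 as the question asks; the `hop1` and `hop2` aliases are hypothetical, and `HostKeyAlias` keeps the host key check tied to the real server instead of to `127.0.0.1`.

```sshconfig
# ~/.ssh/config  (added example; hop1 and hop2 are hypothetical aliases)

# Terminal 1:  ssh -N hop1
# Local port 15500 now leads to server2's SSH port.
Host hop1
    HostName server1
    LocalForward 127.0.0.1:15500 server2:22
    ExitOnForwardFailure yes

# Terminal 2:  ssh -N hop2
# Connects to server2 through port 15500 and opens 8022 -> server3:22.
Host hop2
    HostName 127.0.0.1
    Port 15500
    # Verify and store the key under server2's name, not 127.0.0.1.
    HostKeyAlias server2
    LocalForward 127.0.0.1:8022 server3:22
    ExitOnForwardFailure yes

# Point the SFTP/SCP client at 127.0.0.1, port 8022.
# Binding to 127.0.0.1 keeps the forwarded ports unreachable from
# other machines on the local network.
```

In PuTTY the matching setting is to leave "Local ports accept connections from other hosts" unchecked on the Tunnels panel.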
6

This method is similar to the way you can use ProxyCommand in the OpenSSH config file.

A prerequisite for this method is that Pageant must be used with public key authentication by all intermediate (proxy) hosts; otherwise you will end up with a flashing cursor and nothing else. To learn more about Pageant, PuTTYgen and public keys see:
http://the.earth.li/~sgtatham/putty/0.62/htmldoc/Chapter8.html#pubkey
http://the.earth.li/~sgtatham/putty/0.62/htmldoc/Chapter9.html#pageant

We have four machines accessible in this order
PuttyPC -> server01 -> server02 -> server03

For server01 we have a PuTTY saved session as:
Main Window: user1@server01 // port 22 // SSH
Save this session as server01

For server02 we have a PuTTY saved session as:
Main Window: user2@server02 // port 22 // SSH
Proxy config window: type local // proxy command plink -load server01 -nc %host:%port
Save this session as server02

For server03 we have a PuTTY saved session as:
Main window: user3@pc3 // port 22 // SSH
Proxy config panel: type local // proxy command plink -load server02 -nc %host:%port
Save this session as server03

This means that the saved session for server03 will call the saved session for server02, and the server02 saved session will call the server01 session.

Tim
0

There is a nicely described Perl script solution here. Do read the comments on the posting too.

Read up more on SSH Agent Forwarding (referred to in the Perl script post comments).

nik
0

The answer was to reverse tunnel from server3

0

If you only need to overstep one server, I found it easier to do this setup in WinSCP directly.

Scenario: computer->server1->server2

1: Set up the connection to server2

2: Click Advanced->Connection->Tunnel

3: Enable the SSH tunnel and set the host to server1

Joakim Palmkvist