TransWikia.com

Multistep ssh - is it possible?

Super User Asked by Vahagn Tumanyan on December 22, 2020

Let’s say there are 3 computers: A, B and C. B and C are remote computers but in the same local network.

I SSH into computer B from computer A. Is it now possible to ssh into C from B?

3 Answers

It is entirely possible. Not only that, but there are ways to automate this process within SSH (more than 1, in fact).

Many "secure" systems use this approach where server C only trusts server B, and everyone needs to SSH through it. The name for this kind of host is called a bastion.

  • As mentioned, you can SSH to B, then from B you can SSH to C.

You can also set up B to authenticate and forward a connection to C without even getting a shell on B - either by using SSH forwarding or by having SSH on B recognise the log in and immediately log in to C.

Correct answer by davidgo on December 22, 2020

Yes, this is not only possible but also quite common, and therefore a supported use case; the correct search terms for this are bastion host, jump host, or ssh proxy.

  • The best way is to use the ProxyJump option of ssh, specified with the -J flag, which will establish a connection to hostC through hostB:
    # on host A
    ssh -J userB@hostB userC@hostC
    
  • A more flexible option is the ProxyCommand option, which can use any command to connect to the target host using stdin/stdout of the command:
    ssh -o ProxyCommand="ssh userB@hostB -W %h:%p" userC@hostC
    
    This will first start a second ssh client connecting to hostB and -W will connect its stdin/stdout to hostC [%h] on the ssh port [%p].
  • For more convenience, you can specify all these options in your .ssh/config, allowing you to connect with just ssh hostC:
    Host hostC
      User userC
      ProxyJump userB@hostB
      # alternatively using ProxyCommand:
      #ProxyCommand ssh -W %h:%p userB@hostB
    

If for some reason both ProxyJump and ProxyCommand/ssh -W %h:%p are not available to you, you could set up tunneled port forwarding yourself:

    # start a ssh process in the background to forward
    # from localhost (host A) port 2222 to port 22 on hostC from hostB
    ssh -f -N -L localhost:2222:hostC:22 userB@hostB

    # connect to localhost:2222 which is tunneled to hostC:22
    ssh -p 2222 userC@localhost

Answered by acran on December 22, 2020
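
Added example, not part of the answer above: a POSIX shell helper that reads an `ssh -V` banner and prints whichever of the three methods from that answer the client supports. The function names are hypothetical; the version thresholds (`-W` since OpenSSH 5.4, `ProxyJump`/`-J` since 7.3) are taken from the OpenSSH release notes, and the target is assumed to be given as `user@host`.

```shell
#!/bin/sh
# Added example: choose the A -> B -> C method the local OpenSSH client supports.
# Assumed thresholds (OpenSSH release notes): -W since 5.4, ProxyJump/-J since 7.3.

# Print "MAJOR MINOR" from a banner such as "OpenSSH_8.9p1 Ubuntu-3, OpenSSL 3.0.2"
# or "OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2"; print nothing if unrecognised.
ssh_version() {
    printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p'
}

# jump_method BANNER -> proxyjump | proxycommand | portforward | unknown
jump_method() {
    set -- $(ssh_version "$1")      # unquoted on purpose: split into major, minor
    [ $# -eq 2 ] || { echo unknown; return 1; }
    if [ "$1" -gt 7 ] || { [ "$1" -eq 7 ] && [ "$2" -ge 3 ]; }; then
        echo proxyjump
    elif [ "$1" -gt 5 ] || { [ "$1" -eq 5 ] && [ "$2" -ge 4 ]; }; then
        echo proxycommand
    else
        echo portforward
    fi
}

# jump_command BANNER JUMP TARGET -> the command line(s) to run on host A.
# JUMP and TARGET are assumed to be in user@host form.
jump_command() {
    case $(jump_method "$1") in
        proxyjump)
            printf 'ssh -J %s %s\n' "$2" "$3" ;;
        proxycommand)
            printf 'ssh -o ProxyCommand="ssh -W %%h:%%p %s" %s\n' "$2" "$3" ;;
        portforward)
            # 2222 is an arbitrary free local port, as in the answer
            printf 'ssh -f -N -L localhost:2222:%s:22 %s\n' "${3#*@}" "$2"
            printf 'ssh -p 2222 %s@localhost\n' "${3%%@*}" ;;
        *)
            echo "unrecognised ssh version banner" >&2; return 1 ;;
    esac
}

# On a real client: jump_command "$(ssh -V 2>&1)" userB@hostB userC@hostC
```

With all three methods the SSH session to hostC is authenticated from host A, so no credentials for hostC need to be stored on hostB.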

Well, if system B can reach system C via TCP port 22 and there is an SSH daemon running on C for which you have a valid user - yes!

Answered by fratester on December 22, 2020
