How to Ssh Multiple Hops Without Putting the Local Rsa Key Everywhere

Single line bash command/function for multihop scp without ProxyCommand

POST 1

The function requires a slight change when not created in a script. You must add a ";" before the last "}". I would also remove the internal brackets as they're not really needed in this case.

For example:

scpzx() { scp root@192.0.44.4:/disk1/"$1" ./ ;sshpass -p root123 scp "$1" root@1.2.60.4:/aaa/bbb/ ;}

POST 2

If you are looking to cycle through the command line variables this will allow you to do that. $@ references all command line variables passed to the function.

fTest() { for i in "$@"; do echo "$i"; done ;}

For your script it would be something like:

scpxz() { for i in "$@"; do sshpass -p root123 scp root@1.2.60.4:/aaa/bbb/"$i" ./ ;scp ./"$i" root@192.0.44.4:/disk1/; done ;}
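The same relay, written out as an added example (this is not code from the posts above): a POSIX sh function that takes any number of file arguments, quotes each one, pulls it from the source host into a staging directory, pushes it on to the destination host, stops at the first failed copy and removes the staging directory. The SRC_*/DST_* variables are hypothetical placeholders the caller sets. SCP defaults to plain scp; it can be set to "sshpass -e scp", which makes sshpass read the password from the SSHPASS environment variable instead of the command line, where a -p root123 argument is visible to every local user through ps.

```shell
#!/bin/sh
# relay_copy FILE...  (added example, not from the original posts)
#
# Caller-provided, hypothetical settings:
#   SRC_USER SRC_HOST SRC_DIR   where the files are pulled from
#   DST_USER DST_HOST DST_DIR   where they are pushed to
#   SCP                         copy command, default "scp";
#                               e.g. SCP="sshpass -e scp" with SSHPASS set
relay_copy() {
    [ $# -gt 0 ] || { echo "usage: relay_copy FILE..." >&2; return 2; }
    stage=$(mktemp -d) || return 1
    rc=0
    for f in "$@"; do
        name=$(basename -- "$f")
        # Pull: remote source -> local staging directory.
        # Local paths are quoted; the remote path of a legacy-protocol scp
        # is still expanded by the remote shell, so keep remote names free
        # of spaces and metacharacters.
        if ! ${SCP:-scp} "${SRC_USER}@${SRC_HOST}:${SRC_DIR}/${f}" "${stage}/${name}"; then
            echo "relay_copy: pull of ${f} failed" >&2
            rc=1
            break
        fi
        # Push: staging directory -> destination host.
        if ! ${SCP:-scp} "${stage}/${name}" "${DST_USER}@${DST_HOST}:${DST_DIR}/"; then
            echo "relay_copy: push of ${f} failed" >&2
            rc=1
            break
        fi
        # Do not leave copies of relayed data on the relay machine.
        rm -f -- "${stage}/${name}"
    done
    rm -rf -- "$stage"
    return $rc
}

# Usage (hypothetical hosts):
#   SRC_USER=root SRC_HOST=192.0.44.4 SRC_DIR=/disk1 \
#   DST_USER=root DST_HOST=1.2.60.4  DST_DIR=/aaa/bbb \
#   SSHPASS=root123 SCP="sshpass -e scp" relay_copy report.txt data.csv
```

Because the function returns non-zero as soon as one copy fails, it is safe to chain it with && in a larger script; the one-liners above keep going after a failed pull and would push whatever happened to be in the current directory under that name.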

SSH Tunnel through Ubuntu bastion to EC2 instance in private subnet

Ok, it's easy. Hope my answer will help somebody.

  1. You need to use ssh -J option to connect through your bastion virtual machine:

 -J [user@]host[:port]
Connect to the target host by first making a ssh connection to
the jump host and then establishing a TCP forwarding to the
ultimate destination from there. Multiple jump hops may be
specified separated by comma characters. This is a shortcut to
specify a ProxyJump configuration directive.

  2. Then you need to forward traffic from your destination virtual machine port (:8000) where the app (or database) started to your localhost port (:5001) using ssh -L:

 -L [bind_address:]port:host:hostport
-L [bind_address:]port:remote_socket
-L local_socket:host:hostport
-L local_socket:remote_socket
Specifies that connections to the given TCP port or Unix socket
on the local (client) host are to be forwarded to the given host
and port, or Unix socket, on the remote side. This works by
allocating a socket to listen to either a TCP port on the local
side, optionally bound to the specified bind_address, or to a
Unix socket. Whenever a connection is made to the local port or
socket, the connection is forwarded over the secure channel, and
a connection is made to either host port hostport, or the Unix
socket remote_socket, from the remote machine.

Port forwardings can also be specified in the configuration file.
Only the superuser can forward privileged ports. IPv6 addresses
can be specified by enclosing the address in square brackets.

By default, the local port is bound in accordance with the
GatewayPorts setting. However, an explicit bind_address may be
used to bind the connection to a specific address. The
bind_address of “localhost” indicates that the listening port be
bound for local use only, while an empty address or ‘*’ indicates
that the port should be available from all interfaces.

  3. Full ssh command will look like:

ssh -v -N -A -J ubuntu@3.121.46.99 -L 5001:localhost:8000 ubuntu@10.0.1.112

UPD: Also, you can simplify your command a bit. In ~/.ssh/config you can add your jumphost (bastion) and your final destination VM IP:

Host bastion
HostName 3.121.46.99
User ubuntu
Port 22
IdentityFile ~/.ssh/secret.pem
ForwardAgent yes

Host server
HostName 10.0.1.112
User ubuntu
Port 22
IdentityFile ~/.ssh/secret.pem
ProxyJump bastion

Now, you can run command:

ssh -v -N -A -J bastion -L 80:localhost:8000 server

Looks much better. Also, you can simply connect via ssh using ssh server.

scp between two terminal windows (or multihop scp)

It's not quite what you're asking for, but there are some tricks you can play with SSH proxying that simplify this sort of thing enormously. The first thing to get familiar with is proxying multihop SSH connections over netcat. If you have OpenSSH version 5.4 or later on the various hosts, add something like this to your ~/.ssh/config:

Host B
ProxyCommand ssh A -W %h:%p

Host C
ProxyCommand ssh B -W %h:%p

Host D
ProxyCommand ssh C -W %h:%p

If any of the intermediates don't have a new enough version, but do have netcat (nc), you can use something like this instead:

Host D
ProxyCommand ssh C nc %h %p

This'll make ssh D automatically open a tunnel to C to run the connection over, which will automatically open a tunnel to B, ... You'll have to authenticate 4 times (to A, then B, etc) (unless you have public-key authentication set up), but other than that it's transparent. Which means you can use it with sftp D, scp D:/path/to/file, etc.

Now, there's one significant limitation on this for what you describe. You can certainly copy files from e.g. A to D like this:

scp A:/path/to/file D:/path/to/file

...but the file's contents will travel the path A -> your computer -> A -> B -> C -> D. They won't be stored anywhere on that path, but if the network link between you and A is slow (e.g. you're working from home), this'll be a bottleneck. In this case, it'd be best to copy the ~/.ssh/config entries for C and D onto computer A, ssh into A normally, then use scp /path/to/file D:/path/to/file and cut out the extra hops.

BTW, if you want to get fancy, you can add this to your ~/.ssh/config:

Host */* 
ProxyCommand ssh $(dirname %h) -W $(basename %h):%p

And then use ssh A/B/C/D etc to build the tunnel path on the spot. See the OpenSSH cookbook for details.
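Both the bastion answer above (ProxyJump plus -L) and this chained ProxyCommand answer are instances of the same pattern: every hop is reached through the one before it, and the key never leaves your machine. The following is an added example, not code from either post, that generates such a chain for any number of hops and opens a port forward through it. It uses ProxyJump (OpenSSH 7.3 or later; on older hosts the ProxyCommand ssh X -W %h:%p form above is the equivalent) and deliberately sets no ForwardAgent: with ProxyJump the intermediate hosts only relay an encrypted TCP stream, so the -A / ForwardAgent yes in the bastion answer is unnecessary and would let a compromised bastion sign with your agent's keys. Hop aliases, addresses, user and key path are hypothetical.

```shell
#!/bin/sh
# Added example; not the original posts' code.

# gen_chain_config USER KEYFILE ALIAS=ADDR [ALIAS=ADDR ...]
# Prints ssh_config stanzas to stdout. The first hop is reached directly,
# every later hop jumps through the previous one. IdentitiesOnly keeps ssh
# from offering every key in the agent to each hop.
gen_chain_config() {
    user=$1; key=$2; shift 2
    prev=""
    for hop in "$@"; do
        name=${hop%%=*}
        addr=${hop#*=}
        printf 'Host %s\n' "$name"
        printf '    HostName %s\n' "$addr"
        printf '    User %s\n' "$user"
        printf '    IdentityFile %s\n' "$key"
        printf '    IdentitiesOnly yes\n'
        if [ -n "$prev" ]; then
            printf '    ProxyJump %s\n' "$prev"
        fi
        printf '\n'
        prev=$name
    done
}

# open_tunnel CONFIG TARGET LOCALPORT REMOTEHOST REMOTEPORT
# Forwards 127.0.0.1:LOCALPORT to REMOTEHOST:REMOTEPORT as seen from TARGET.
#   -N  no remote command        -f  background after authentication
#   -M -S  control socket, so the tunnel can be checked and closed later
#   ExitOnForwardFailure  fail loudly if LOCALPORT is already taken instead
#                         of silently leaving a session with no forward
open_tunnel() {
    cfg=$1; target=$2; lport=$3; rhost=$4; rport=$5
    sock="${TMPDIR:-/tmp}/tunnel-${target}-${lport}.sock"
    ssh -F "$cfg" -f -N -M -S "$sock" \
        -o ExitOnForwardFailure=yes \
        -L "127.0.0.1:${lport}:${rhost}:${rport}" "$target"
}

# close_tunnel TARGET LOCALPORT  (tears down the matching open_tunnel)
close_tunnel() {
    sock="${TMPDIR:-/tmp}/tunnel-$1-$2.sock"
    ssh -S "$sock" -O exit "$1"
}

# Usage, with the bastion answer's hypothetical addresses:
#   gen_chain_config ubuntu ~/.ssh/secret.pem \
#       bastion=3.121.46.99 server=10.0.1.112 > ./chain.cfg
#   open_tunnel ./chain.cfg server 5001 localhost 8000   # app on server:8000
#   curl http://127.0.0.1:5001/
#   close_tunnel server 5001
#   ssh -F ./chain.cfg server        # plain login through the chain
#   scp -F ./chain.cfg file server:  # scp uses the same config
```

Binding the forward to 127.0.0.1 explicitly (rather than relying on GatewayPorts) keeps the forwarded service off your other interfaces; the local port stays unprivileged, so unlike the -L 80:... variant above no root is needed.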

MySQL connection over SSH tunnel - how to specify other MySQL server?

Solved it! The thing was to connect to the correct server when creating the tunnel itself - should've seen that one coming.

ssh -f user@ssh.example.com -L 3307:mysql1.example.com:3306 -N

Then mysql -h 127.0.0.1 -P 3307 worked as intended. :)
