
ssh over several hops


Thomas Güttler

Jul 10, 2003, 7:02:44 AM
Hi!

There are three computers:

A --> B --> C

I want to login from A at C over B.
I would like to do it with a script.

"ssh -A B ssh -A C" does not work.

Any hints?

Thomas


Thomas Güttler

Jul 10, 2003, 7:06:05 AM
Thomas Güttler wrote:

> Hi!
>
> There are three computers:
>
> A --> B --> C
>
> I want to login from A at C over B.
> I would like to do it with a script.
>
> "ssh -A B ssh -A C" does not work.

Sorry, it does work. But there is no prompt:

ssh B ssh C:
2549: Pseudo-terminal will not be allocated because stdin is not a terminal.
uname -a
Linux C 2.4.20-4GB #1 Mon Mar 17 17:54:44 UTC 2003 i686 unknown unknown

Richard E Silverman

Jul 10, 2003, 1:53:51 PM
>>>>> "TG" == Thomas Güttler <guet...@thomas-guettler.de> writes:

>> There are three computers:
>>
>> A --> B --> C
>>
>> I want to login from A at C over B. I would like to do it with a
>> script.
>>
>> "ssh -A B ssh -A C" does not work.

TG> Sorry, it does work. But there is no prompt:

TG> ssh B ssh C: 2549: Pseudo-terminal will not be allocated because
TG> stdin is not a terminal. uname -a Linux C 2.4.20-4GB #1 Mon Mar
TG> 17 17:54:44 UTC 2003 i686 unknown unknown

ssh -A -t B ssh -A C

--
Richard Silverman
r...@qoxp.net

Thomas Güttler

Jul 11, 2003, 2:33:16 AM
Richard E Silverman wrote:

Thank you Richard!

Next question: How can I scp over hops without storing the data
in the middle?

thomas


Thomas Binder

Jul 11, 2003, 8:30:03 AM
Hi!

Thomas Güttler <guet...@thomas-guettler.de> wrote:
> Next question: How can I scp over hops without storing the data
> in the middle?

Open a tunnel and scp from/to localhost:

(Example assumes port 2222 is not used on any of the systems in
the chain)

ssh -n -L 2222:localhost:2222 A "ssh -L 2222:localhost:2222 B \"ssh -L 2222:localhost:22 C 'echo ready && /bin/sleep 30'\"" &

Within 30s after you see "ready" on the console, issue

scp -P 2222 destuser@localhost:remote-filespec local-dir

or

scp -P 2222 local-filespec destuser@localhost:remote-dir

Maybe I should really publish my scripts that do exactly this
automatically (goto, a script to connect to remote machines over
several hops, and copyfrom/copyto, scripts to copy files from and
to remote machines over several hops).


Ciao

Thomas


--
Thomas Binder (Gryf @ IRCNet) gryf+...@hrzpub.tu-darmstadt.de
PGP-key available on request!
Vote against SPAM: http://www.politik-digital.de/spam/

Richard E Silverman

Jul 11, 2003, 12:38:42 PM

You can also use a technique like the following (assuming OpenSSH).
Suppose client C and servers S,T, with T not directly reachable from C.

[~/.ssh/config]
host T
ProxyCommand ssh S nc T 22

C% scp foo T:bar

This has the advantage of being simpler, avoiding the fragility of timing
and ephemeral ports that might be in use. It also allows for correct host
key verification C->T. The disadvantage is that it will be slower for
multiple transfers, since it will make the intermediate SSH connection
every time you run scp.

--
Richard Silverman
r...@qoxp.net

Thomas Binder

Jul 11, 2003, 5:58:45 PM
Hi!

Richard E Silverman <r...@qoxp.net> wrote:
> You can also use a technique like the following (assuming
> OpenSSH). Suppose client C and servers S,T, with T not directly
> reachable from C.
>
> [~/.ssh/config]
> host T
> ProxyCommand ssh S nc T 22
>
> C% scp foo T:bar
>
> This has the advantage of being simpler, avoiding the fragility of timing
> and ephemeral ports that might be in use.

But it has the big disadvantage that it needs netcat on the last
but one host in the chain, which isn't a standard tool and
therefore you may not be allowed to install it on the machine(s)
in question.

Host authentication also works with the tunnel method, simply add

-o "Hostname localhost" -o "HostKeyAlias T"

to the scp options.
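An added example, not a script from the thread and not Thomas Binder's goto/copyfrom scripts: a POSIX sh generator for the command lines discussed in this thread, generalized to any number of hops. It produces the -t login chain from Richard's reply, the chained -L tunnel with the "ready"/sleep command quoted once per hop so it reaches the last host intact, and the scp options with HostKeyAlias from the post above. Hop names A, B, C and port 2222 are placeholders.

```shell
# Added example, not a script from the thread. Builds the nested ssh command
# lines for any number of hops; hop names and port are caller-supplied placeholders.

# Single-quote a string so the next hop's shell passes it through unchanged
# (every ' becomes '\'').
sq() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Interactive login across the chain: -t on the first hop gives that hop a
# pty, so the ssh started there sees a terminal and asks for one itself
# (the "Pseudo-terminal will not be allocated" message goes away).
login_cmd() {
    cmd=""
    for h in "$@"; do
        if [ -z "$cmd" ]; then cmd="ssh -A -t $h"; else cmd="$cmd ssh -A $h"; fi
    done
    printf '%s\n' "$cmd"
}

# Port-forwarding chain: each hop forwards PORT to PORT on the next hop, the
# last hop forwards PORT to its own sshd on 22 and runs the "ready" marker
# plus the sleep that keeps every link open. Built innermost-first so each
# level is quoted exactly once more than the level inside it.
tunnel_cmd() {
    port=$1; shift
    n=$#; i=$n
    cmd='echo ready && /bin/sleep 30'
    while [ "$i" -gt 0 ]; do
        eval "h=\$$i"
        if [ "$i" -eq "$n" ]; then dest=22; else dest=$port; fi
        if [ "$i" -eq 1 ]; then flags="-n -L"; else flags="-L"; fi
        cmd="ssh $flags $port:localhost:$dest $h $(sq "$cmd")"
        i=$((i - 1))
    done
    printf '%s\n' "$cmd"
}

# scp options for the tunnel: talk to the local forward, but check the host
# key under the real name of the last hop instead of "localhost".
scp_opts() {
    printf '%s\n' "-P $1 -o Hostname=localhost -o HostKeyAlias=$2"
}

# Show the three command lines for the constructed chain A -> B -> C;
# start the tunnel with: eval "$(tunnel_cmd 2222 A B C) &"
login_cmd A B C
tunnel_cmd 2222 A B C
scp_opts 2222 C
```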

Richard E Silverman

Jul 11, 2003, 11:25:24 PM
>>>>> "TB" == Thomas Binder <gryf> writes:


TB> But it has the big disadvantage that it needs netcat on the last
TB> but one host in the chain, which isn't a standard tool and
TB> therefore you may not be allowed to install it on the machine(s)
TB> in question.

It does not "need netcat;" that was just an example. Any tool that can
make a TCP connection will do, and most Unix systems will have something
that will do: socket, telnet. If you, you can write a 10 line Perl script
that will do the job. Even if you absolutely needed netcat, this wouldn't
be much of a deterrent, as it doesn't need to be "installed;" just compile
a copy in your own directory and use it, if you don't own the box. A
situation in which none of these approaches are available would be the
exception rather than the rule, thus I don't see this as a "big
disadvantage."

TB> Host authentication also works with the tunnel method, simply add
TB> -o "Hostname localhost" -o "HostKeyAlias T"
TB> to the scp options.

This is true. OpenSSH used to always ignore host authentication to
localhost, but I see that they've now made this an option which is off by
default.

--
Richard Silverman
r...@qoxp.net

Darren Tucker

Jul 12, 2003, 4:00:45 AM
In article <benbul$bfr$1...@news.tu-darmstadt.de>,

Thomas Binder <gryf+...@hrzpub.tu-darmstadt.de> wrote:
>But it has the big disadvantage that it needs netcat on the last
>but one host in the chain, which isn't a standard tool

Since all of the functionality needed for this is in the server, it
should be possible to add an option to ssh to do what the combination
of sshd and netcat would do, eg "ssh -N -L stdio:remotehost:22".

Then that would be just like a local port forward but with the traffic
at the local end on stdin/stdout rather than a TCP socket, ie the
inverse of a ProxyCommand.

The only special functionality would be at the initiating end. And it
would be stackable.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

Richard E Silverman

Jul 12, 2003, 2:07:31 PM
>>>>> "DT" == Darren Tucker <dtu...@dodgy.net.au> writes:

DT> Since all of the functionality needed for this is in the server,
DT> it should be possible to add an option to ssh to do what the
DT> combination of sshd and netcat would do, eg "ssh -N -L
DT> stdio:remotehost:22".

Yes, that would be very useful. I've wanted to see this feature for a
long time, and have mentioned it to both the OpenSSH and ssh.com folks.

--
Richard Silverman
r...@qoxp.net

Thomas Binder

Jul 12, 2003, 6:33:23 PM
Hi!

Richard E Silverman <r...@qoxp.net> wrote:

> It does not "need netcat;" that was just an example.

Of course, but it will need _something_. Some customers do not
allow anything but a stripped down system, i.e. everything that's
not absolutely necessary on the machine must not be installed.
That's what I meant - I was talking about administrative access,
not about user accounts with a $HOME (I should have mentioned
that).

> A situation in which none of these approaches are available
> would be the exception rather than the rule, thus I don't see
> this as a "big disadvantage."

That depends on your point of view. I prefer doing everything with
the least possible additional software, so that it runs (almost)
out-of-the-box on any Unix-system - YMMV.

Thomas Güttler

Jul 14, 2003, 8:57:08 AM
Richard E Silverman wrote:

Yes, this would be nice. I have netcat here, so it is no problem.
Thank you Richard and Thomas B. for your answers!

thomas
