
scp via an intermediate computer

Peng Yu

May 24, 2008, 6:18:13 PM
Hi,

For some reason, I can only access computer A through computer B. That
is, suppose my computer is C, I can ssh to B from C, but I can not ssh
to A from C. Once I log in to computer B, I can ssh to A from B.

I'm wondering how to use port forwarding on B such that I can scp from
A to C. Otherwise, I'll have to scp files from A to B and then B to C,
which is too annoying.

Would you please let me know the command so that I can scp A to C
without creating any temporary files on B?

Thanks,
Peng

Joachim Gann

May 25, 2008, 9:16:01 AM

assuming your ssh daemons listen on port 22

1. choose an unused tcp port on B, say 1111
2. on A: ssh -nR 1111:C:22 B &
this sets up port forwarding from B:1111 to C:22, you need this once.
it tells you the pid on startup, you can kill the process once you
don't need the forwarding anymore
note that B must be able to resolve the hostname "C" to an IP address
3. now on A: scp -P 1111 something B:
your scp now connects to B:1111 which has been forwarded to C:22

step 3 might need an "-o stricthostkeychecking=no" since scp believes it
is connecting to B but through the forwarding is actually talking to C,
which should have a different host key.

Regards
Joachim

Paul Hink

May 25, 2008, 11:56:25 AM
Peng Yu <Peng...@gmail.com> wrote:

If there is some kind of netcat/nc available on B:

scp -o 'ProxyCommand ssh B nc -q 0 %h %p' ...

Paul Hink

May 25, 2008, 11:58:14 AM
Joachim Gann <joachi...@gmail.com> wrote:

> step 3 might need an "-o stricthostkeychecking=no" since scp believes
> it is connecting to B but through the forwarding is actually talking
> to C, which should have a different host key.

One could also use "-o HostKeyAlias=C". This way the host key of C is
checked regardless of the port forwarding.

Peng Yu

May 26, 2008, 1:59:45 PM

Hi Joachim,

I'm confused by your reply. Do you assume that I can connect in the
way A->B->C, where A is the local machine, B is the intermediate
machine, C is the remote machine, A can see B but not C, neither B
nor C can see A, and B can see C?

My assumption is the other way around C->B->A. Therefore, in order to
do step 2, I have to ssh to B first, then ssh to A from B. Is it what
you mean?

Thanks,
Peng

Joachim Gann

May 26, 2008, 4:28:10 PM

well, exchange C and A in my recipe above if your order is different
than I assumed.

Unruh

May 26, 2008, 4:54:03 PM
Joachim Gann <joachi...@gmail.com> writes:

>Peng Yu wrote:
>> On May 25, 8:16 am, Joachim Gann <joachim.g...@gmail.com> wrote:
>>> Peng Yu wrote:
>>>> Hi,
>>>> For some reason, I can only access computer A through computer B. That
>>>> is, suppose my computer is C, I can ssh to B from C, but I can not ssh
>>>> to A from C. Once I login computer B, I can ssh to A from B.

Why can you not ssh from A to C? Is that outlawed by your organisation? Or
are you responsible for all the machines? Can you look in the logs to see
what the response on C is when you try to log in from A with ssh?

Or are you trying to evade your company's policies?


Peng Yu

May 26, 2008, 9:37:48 PM

Hi Joachim,

Assuming, A->B->C, where '->' means "can access". I tried

2. on A: ssh -nR 1111:C:22 B

This would prompt me to type passwd for B but not C.

3. on A: scp -P 1111 something B:
But I got the following error after step 3. Would you please let me
know what is wrong? Do I need to somehow connect B to C some case

ssh: connect to host B 1111: Connection refused
lost connection

Thanks,
Peng

H.K. Kingston-Smith

May 27, 2008, 1:15:45 AM

If you are using OpenSSH (and possibly other implementations) on
these three boxes you can do the following:

On C execute

ssh -fngT -L 3022:A:22 -C B ping -i 30 localhost > /dev/null 2>&1

where A is A's IP address as accessible from B, and B is B's IP address as
accessible from A.

Then the command

ssh -p 3022 localhost

executed on C should give you direct access to A. Since scp is built on
top of ssh, your problem is solved. In fact, if you add the following to
your .ssh/config file in C:

Host B_Name
    HostName localhost
    HostKeyAlias B_Name
    User <username on B>
    Port 3022

then the ssh and scp commands will have seamless access to B without any
other changes. That is, the command

scp f B_Name:

executed on C would transfer file f to B.
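
An added example, not part of any post in this thread: a small shell/awk audit for ~/.ssh/config entries of the kind shown above, applying Paul Hink's HostKeyAlias point. It lists each Host block that points at a loopback forwarding port and reports whether host-key checking is switched off or no HostKeyAlias is set; the host names, the alias and the verdict labels are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Each Host block is judged on its own;
# Match blocks and options inherited from "Host *" are not evaluated.

# Reads an ssh_config (file argument or stdin) and prints
# "<host> <port> <verdict>" for every block whose HostName is loopback.
audit_forward_hosts() {
    awk '
    function report() {
        if (host == "" || !loopback) return
        if (strict == "no" || strict == "off") verdict = "CHECK_OFF"
        else if (alias == "") verdict = "NO_ALIAS"
        else verdict = "OK"
        print host, port, verdict
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
        if ($0 ~ /^[ \t]*[A-Za-z]+[ \t]*=/) sub(/=/, " ")  # accept Key=value
        key = tolower($1); val = $2
    }
    key == "host" { report(); host = val; port = 22; alias = ""; strict = ""; loopback = 0; next }
    key == "hostname" { loopback = (val == "localhost" || val == "127.0.0.1" || val == "::1") }
    key == "port" { port = val }
    key == "hostkeyalias" { alias = val }
    key == "stricthostkeychecking" { strict = tolower(val) }
    END { report() }
    ' "$@"
}

# Constructed sample config; host names and the alias are made up.
sample_config() {
    cat <<'EOF'
Host a-tunnel
    HostName localhost
    Port 3022
    HostKeyAlias a.example.internal
Host a-unchecked
    HostName localhost
    Port 3022
    StrictHostKeyChecking no
Host a-noalias
    HostName 127.0.0.1
    Port=3022

Host b
    HostName b.example.internal
EOF
}

sample_config | audit_forward_hosts
```

Run against a real file with `audit_forward_hosts ~/.ssh/config`; CHECK_OFF marks a block where a changed key on the forwarded port would be accepted, and NO_ALIAS one whose key is recorded under the loopback name rather than the machine's own.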

Joachim Gann

May 27, 2008, 2:28:10 AM

Now enter the password for B. Leave the connection open. Read up on the -R
option in the ssh manual, to give yourself some clue on what you're
doing. Then proceed with 3 in a new terminal session or window.
I am used to using key authentication so I am not being asked for a
password and put the step 2 ssh command in the background with &.

Joachim

Peng Yu

May 27, 2008, 3:13:38 AM

Hi Joachim,

I tried 3. But it gave me errors:


ssh: connect to host B 1111: Connection refused
lost connection

During the processes 1, 2, 3, I have never input passwd for C. Shall I
expect to input the passwd for C in step 3?

Thanks,
Peng

Joachim Gann

May 27, 2008, 3:28:23 AM

why do you think the connection was refused?
Because you did not complete step 2. have you entered the password for B
and left the connection open as I suggested?

Peng Yu

May 27, 2008, 8:20:42 PM

Hi Joachim,

I did enter the password for B and left the connection open. But I never
entered the passwd for C. So I get rejected by C.

Thanks,
Peng
