SFTP over double server hop
I'm trying to work out a method to allow me to access files on an SFTP server than I cannot access from my local machine. Currently, I have to SSH to a remote server (it is in a certain IP block that the final SFTP server will accept from), then from there SFTP to the destination server. From there, I get
the files I am interested in, thereby dropping them onto the middleman server, from which I can get the files either over a Samba share or with a direct scp
. I also work in the reverse, where I drop the files onto the middleman, SSH to it then SFTP to the destination and put
them into the appropriate folders.
My goal is to shorten this. The unfortunate restrictions are that my machine is Windows (I use KiTTy and/or Cygwin) and I cannot modify the middleman server (or destination server) in any way. I am willing to use command line or GUI programs so long as it works and is free.
Any ideas?
In essence, without the GUI or other conveniences:
ssh -o ProxyCommand='ssh myfirsthop nc -w 10 %h %p' mydestination
You can make this default by editing the config file, by default ~/.ssh/config
Host mydestination, mydest2, mydest3
ProxyCommand ssh myfirsthop nc -w 10 %h %p
This then allows you to do
ssh mydestination
scp mydest2:file.txt ./
scp file.txt mydest3:/tmp/
Of course, with that kind of magic you can easily
mkdir -pv /tmp/mydest3tmp # create mountpoint
sshfs mydest3:/tmp /tmp/dest3tmp/ # mount :)
On windows, you'd use WinSCP which comes with (I think IIRC) PLINK (from Putty suite). I suppose the default location for the ssh config
file is different (I'd have to google for it), but I'm sure it works more or less the same.
Note that the only thing you need for this to work is 'netcat (nc
)' on the middle server (first hop). It is an ubiquitous tool on linux/UNIX[1]; It is quite easy to build a statically linked version that should work if you can copy it there in the first place.
[1] note that there are some flavours, so the -w option might need to be dropped/spelled differently
I'm not going to set this as the accepted answer because I never would have found it without @sehe and @Jakub, but here is what I found that simplifies everything...
WinSCP has the ability to use an SSH tunnel built-in. I don't know when this feature arrived, but I never noticed it before somehow.