How do I do Multihop SCP transfers between machines?

ssh scp files copying

You can add -o options to scp instead of .ssh/config.

scp -o ProxyCommand="ssh $jump_host nc $host 22" $local_path $host:$destination_path

$jump_host is your "server B" in this case.


Assuming OpenSSH, add to your SSH configuration in .ssh/config

Host distant
ProxyCommand ssh near nc distant 22

This will cause SSH to be able to connect "directly" to the machine named distant by proxying through the machine named near. It can then use applications like scp and sftp to the distant machine.

For this to work you need 'nc' aka netcat installed on the machine named near. But a lot of modern systems will have it already.

towo's tar solution is more effective for one-shot problems, assuming you've memorised tar's syntax and rules of operation.


With more recent versions of ssh on the server near (B) machine the following will work without netcat:

Host distant
    ProxyCommand ssh near -W distant:22

It will however require AllowTcpForwarding to be yes (the default) on the near (B) machine

edit: requires OpenSSH 5.4+ on B


You can ssh to server B using something like

ssh -L 5022:<server C IP>:22 <user_serverB>@<server B IP>

Then you can ssh to server C using 

ssh -p 5022 <user_serverC>@localhost

Similarly scp would work using

scp -P 5022 foo.txt <user_serverc>@localhost:

Remember to use correct case of p with scp and ssh


It's possible and relatively easy, even when you need to use certificates for authentication (typical in AWS environments).

The command below will copy files from a remotePath on server2 directly into your machine at localPath. Internally the scp request is proxied via server1.

scp -i user2-cert.pem -o ProxyCommand="ssh -i user1-cert.pem -W %h:%p user1@server1" user2@server2:/<remotePath> <localpath>

The other way around also works (upload file):

scp -i user2-cert.pem -o ProxyCommand="ssh -i user1-cert.pem -W %h:%p user1@server1" <localpath> user2@server2:/<remotePath>

If you use password authentication instead, try with

scp -o ProxyCommand="ssh -W %h:%p user1@server1" user2@server2:/<remotePath> <localpath>

If you use the same user credentials in both servers:

scp -o ProxyCommand="ssh -W %h:%p commonuser@server1" commonuser@server2:/<remotePath> <localpath>

The -W option is built into new(er) versions of OpenSSH, so this will only work on machines that have the minimum version (5.4, unless your distro back-ported any features; e.g., RHEL6 OpenSSH 5.3p1 includes this feature). Per the release notes: http://www.openssh.com/txt/release-5.4

Added a 'netcat mode' to ssh(1): "ssh -W host:port ..." This connects stdio on the client to a single port forward on the server. This allows, for example, using ssh as a ProxyCommand to route connections via intermediate servers.

%h and %p are placeholders for the host and port.

Related

GPG does not have enough entropy
How to fix PuTTY showing garbled characters? [closed]
How to recover from "Too many Authentication Failures for user root"
How do I clear Chrome's SSL cache?
High load average, low CPU usage - why?
Is there a directory equivalent of /dev/null in Linux?
How to set default Ansible username/password for SSH connection?
Look-behind requires fixed-width pattern issue
The "wants to make changes" dialog
Drag and drop only going one folder deep in Finder
How To Turn Off Keyboard Backlight on MacBook Pro 2021?
Cannot access GitHub on MacBook using personal hotspot from iPhone